
@Cali0707

This PR adds the code changes required to get the keycloak token exchange to work, as well as fixes the cluster keycloak config to work correctly

To use this you will need two openshift clusters, and then follow these steps:

  1. Run make acm-install with your current context set to the cluster that will be your hub cluster
  2. Run make keycloak-acm-setup-hub - this will take 20-30 min as it needs to restart the API server
  3. Create a kubeconfig that will connect to what will be your managed cluster
  4. Run make keycloak-acm-register-managed-cluster CLUSTER_NAME=<your-choice-of-name> MANAGED_KUBECONFIG=<path-to-managed-kubeconfig>
  5. Run make keycloak-acm-generate-toml
  6. Run make build
  7. Run ./kubernetes-mcp-server --port 8080 --config _output/acm-kubeconfig.toml

Signed-off-by: Calum Murray <cmurray@redhat.com>
@openshift-ci

openshift-ci bot commented Dec 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 10, 2025
Signed-off-by: Calum Murray <cmurray@redhat.com>
…ecureskiptlsverify

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 11, 2025
@openshift-merge-robot

PR needs rebase.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Cali0707
Author

/hold

Will upstream as much as possible first, resync, then revisit this

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 11, 2025

@sabre1041 sabre1041 left a comment


First set of comments

@echo " 2. Apply ACM import manifests (starts cluster-proxy agents)"
@echo " 3. Create managed cluster realm in Keycloak"
@echo " 4. Configure cross-realm token exchange"
@echo " 5. Enable TechPreviewNoUpgrade on managed cluster"


External Authentication is now GA on OpenShift 4.20. It is very important that this feature set is only enabled on versions that truly require it. Recommend a check that determines if it is currently installed or not

oc get featuregate cluster -o json | jq -r '.status.featureGates[0].enabled[] | select(.name == "ExternalOIDC") | length > 0'
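The check suggested above, worked through as an added example that is not part of the PR or the openshift/kubernetes-mcp-server code base: a small script that reads the FeatureGate object from `oc get featuregate cluster -o json` on stdin and reports whether `ExternalOIDC` is already enabled, so a setup target can refuse to switch on TechPreviewNoUpgrade when the gate is already on. The `status.featureGates[].enabled[].name` layout is taken from the reviewer's jq expression and the FeatureGate API; the script name `check_external_oidc.py` and the sample objects are assumptions constructed for the example, not captured from a real cluster. It goes slightly beyond the one-liner by scanning every `status.featureGates` entry (there is more than one during an upgrade) and by treating a missing status as "not enabled".

```python
"""Added example, not code from the PR or the kubernetes-mcp-server project:
decide whether the TechPreviewNoUpgrade feature set is actually needed before a
setup script enables it, by inspecting the FeatureGate status returned by
`oc get featuregate cluster -o json`.

Assumed invocation against a live cluster:
    oc get featuregate cluster -o json | python3 check_external_oidc.py
"""
import json
import sys

GATE_NAME = "ExternalOIDC"


def enabled_gate_names(featuregate: dict) -> set:
    """Collect every gate name listed as enabled in status.featureGates.

    status.featureGates holds one entry per payload version the cluster
    currently knows about (more than one mid-upgrade), so every entry is
    scanned rather than only index 0. A missing or empty status yields an
    empty set.
    """
    names = set()
    for entry in featuregate.get("status", {}).get("featureGates", []) or []:
        for gate in entry.get("enabled", []) or []:
            name = gate.get("name")
            if name:
                names.add(name)
    return names


def external_oidc_enabled(featuregate: dict) -> bool:
    """True when ExternalOIDC is reported as enabled by the cluster."""
    return GATE_NAME in enabled_gate_names(featuregate)


def needs_techpreview(featuregate: dict) -> bool:
    """True only when ExternalOIDC is not already on.

    Where the gate is already enabled (e.g. a release in which the feature
    is GA), enabling TechPreviewNoUpgrade would leave the cluster
    un-upgradable for no benefit, so the caller should skip that step.
    """
    return not external_oidc_enabled(featuregate)


# Constructed sample objects in the shape of `oc get featuregate cluster -o json`,
# trimmed to the fields used here; these are not captured from a real cluster.
SAMPLE_GATE_ON = {
    "status": {"featureGates": [
        {"version": "4.20.0-sample",
         "enabled": [{"name": "ExternalOIDC"}, {"name": "SomeOtherGate"}],
         "disabled": []}
    ]}
}
SAMPLE_GATE_OFF = {
    "status": {"featureGates": [
        {"version": "4.18.0-sample",
         "enabled": [{"name": "SomeOtherGate"}],
         "disabled": [{"name": "ExternalOIDC"}]}
    ]}
}
SAMPLE_NO_STATUS = {"spec": {"featureSet": ""}}


def main() -> int:
    """Exit 0 when the gate is already on, 1 when TechPreviewNoUpgrade would be needed."""
    featuregate = json.load(sys.stdin)
    if needs_techpreview(featuregate):
        print(f"{GATE_NAME} is not enabled: TechPreviewNoUpgrade would be required")
        return 1
    print(f"{GATE_NAME} is already enabled: do not enable TechPreviewNoUpgrade")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A Makefile target can gate the TechPreviewNoUpgrade step on the script's exit status, which keeps the irreversible change from being applied to clusters that already have the gate.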

echo ""
echo "Adding scopes to mcp-server client..."
curl -sk -X PUT "$KEYCLOAK_URL/admin/realms/$HUB_REALM/clients/$CLIENT_UUID/default-client-scopes/$OPENID_SCOPE_UUID" \
-H "Authorization: Bearer $ADMIN_TOKEN" > /dev/null 2>&1


While not specific to this file, just a heads up that there is no need to explicitly install MCE. It is installed automatically when ACM is installed.

@echo " 3. Create managed cluster realm in Keycloak"
@echo " 4. Configure cross-realm token exchange"
@echo " 5. Enable TechPreviewNoUpgrade on managed cluster"
@echo " 6. Configure OIDC authentication"


My cluster became inaccessible after attempting to enable external OIDC. I see some challenges in the current implementation as it does not properly set the client IDs for either the console or the CLI, as well as the secret associated with the console client

labels:
app: keycloak
spec:
containers:


Is there a reason why we are not using the Red Hat Build of Keycloak Operator instead? We do still need to manage PostgreSQL as well as some of the ingress concerns. I can share some examples if it would be desired

Author


I'm not fully sure - I think Matthias added this originally. My understanding is that since this is a dev env setup only, the simpler deployment was used here, as we didn't need all of the production-ready setup for the Keycloak instance.

Do you think we should switch to the Red Hat Build of Keycloak Operator here?

Signed-off-by: Calum Murray <cmurray@redhat.com>
@openshift-ci

openshift-ci bot commented Dec 15, 2025

@Cali0707: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images be5a5aa link true /test images
ci/prow/lint be5a5aa link true /test lint
ci/prow/test be5a5aa link true /test test
ci/prow/security be5a5aa link false /test security
ci/prow/fips-image-scan-openshift-mcp-server be5a5aa link true /test fips-image-scan-openshift-mcp-server

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
