feat(webhook): operator-managed Keycloak client credentials

[akram]

Summary

Coordinates with kagenti-operator for workloads that opt out of webhook-injected client registration (kagenti.io/client-registration-inject: "false").
requires:

oc patch deployment weather-service  --type merge \
   -p '{"spec": { "template": { "metadata": { "labels": {"kagenti.io/client-registration-inject": "false" }}}}}'

requires: kagenti/kagenti-operator#247

Changes

• Mount Keycloak OAuth2 client id/secret from a namespace Secret named in pod annotation kagenti.io/keycloak-client-credentials-secret-name (volume name matches Secret: kagenti-keycloak-client-credentials-<id>).
• Replace operator_clientreg with keycloak_client_credentials helpers: ApplyKeycloakClientCredentialsSecretVolumes, NeedsKeycloakClientCredentialsVolumePatch, AnnotationKeycloakClientSecretName.
• Admission logging for Pod processing and credential delivery path (Keycloak Secret mount vs sidecar vs combined authbridge); logger keycloak-client-registration.
• Reinvocation path patches missing mounts when annotation appears after first injection.

Related

• Pair with kagenti-operator PR on the same feature branch (ClientRegistration controller + Secret + annotation).

Testing

• go test ./internal/webhook/injector/... (unit); deploy webhook + operator together for integration.

fixes kagenti/kagenti#397

[cwiklik]

Review Summary

Clean webhook-side implementation of the operator-managed Keycloak client credentials contract. The code correctly mounts operator-provisioned Secrets into shared-data containers, handles reinvocation for late annotations, and logs credential delivery paths. The annotation constant matches the operator PR (kagenti/kagenti-operator#247) exactly. Idempotency is well-handled throughout.

Must-fix: Made-with: Cursor trailer in 2 of 3 commits — should be Assisted-By: per kagenti conventions. Same issue flagged on the paired operator PR.

Areas reviewed: Go, Tests
Commits: 3 commits, all signed-off: yes
CI status: DCO passing
Cross-repo consistency: Annotation kagenti.io/keycloak-client-credentials-secret-name matches operator PR #247 ✓

[Alan-Cha]

What is the purpose of this function?

[Alan-Cha]

This PR successfully implements the webhook-side coordination for operator-managed Keycloak client registration. The code quality is excellent: idempotent, well-tested, secure (ReadOnly SubPath mounts), and provides good observability. The prior review issue (Made-with: Cursor → Assisted-By: Cursor) has been fixed ✅.

Remaining issues:

• All 4 commits and PR title are missing emoji prefixes (Kagenti convention)
• Final commit message is too generic

Prior review issues:
✅ Assisted-By: Cursor trailer fixed (was Made-with: Cursor)

Areas reviewed: Go, Tests, Security, Cross-repo consistency
Commits: 4 commits, all signed-off ✅, all missing emoji prefixes ❌
CI status: DCO passing ✅
Code quality: Excellent - idempotent, well-tested, secure mounts, good observability

[Alan-Cha]

✅ PRAISE: Good use of a constant for the annotation name - ensures consistency with operator PR #247 and prevents typos across the codebase.

[Alan-Cha]

✅ PRAISE: Excellent idempotency check! NeedsKeycloakClientCredentialsVolumePatch correctly handles reinvocation scenarios where the annotation appears after initial sidecar injection.

[Alan-Cha]

✅ PRAISE: appendSubPathMount correctly implements idempotent mounting - checks for existing mounts before appending. This prevents duplicate volume mounts on reinvocation.

[Alan-Cha]

✅ PRAISE: Testing idempotency explicitly (calling ApplyKeycloakClientCredentialsSecretVolumes twice and verifying volume count stays at 1) is excellent practice.

[Alan-Cha]

✅ PRAISE: The reinvocation logic is well-implemented - handles the case where the operator annotation appears after initial injection. The verbose logging (V(1).Info) will help debugging without cluttering normal logs.

[Alan-Cha]

✅ PRAISE: logClientRegistrationPaths provides excellent observability into how credentials are delivered (operator-secret vs sidecar vs combined vs skip). The comma-separated deliveryPaths field makes it easy to track multiple concurrent delivery methods.

[Alan-Cha]

The PR looks good to me. I will approve for now but I will do some more testing in the mean time

[Alan-Cha]

I asked Claude to help me test a number of scenarios

7 Test Scenarios Executed:

✅ Baseline Webhook Injection - Verified all 4 sidecars injected without opt-out label
✅ Opt-Out Label Behavior - Verified client-registration sidecar correctly omitted
✅ RBAC Fix Validation - Fixed missing permissions, operator reconciled successfully
✅ Operator Secret Creation - Real Keycloak credentials created in Secret
✅ Rolling Update Trigger - Annotation change created new ReplicaSet
✅ Webhook Secret Mounting - Secret mounted at correct paths with subPath
⚠️ Sidecar Image Availability - Images loaded, pods blocked only by missing SPIRE (expected)
Pass Rate: 100% for integration testing (6/6 core scenarios + 1 partial due to infrastructure)

Key Validation Points:

Opt-out label prevents sidecar injection ✅
Operator registers OAuth clients with Keycloak ✅
Operator creates Secrets with real credentials ✅
Webhook reads annotation and mounts Secret ✅
Volume mounts use correct subPath for individual files ✅
Both PRs work together seamlessly ✅