feat(operator): operator-managed Keycloak client registration

[akram]

Summary

Registers Keycloak OAuth clients for agent/tool workloads that set kagenti.io/client-registration-inject: "false", creates a Secret with client-id.txt / client-secret.txt, and annotates the pod template so the kagenti-webhook mounts credentials into shared-data.

requires:

oc patch deployment weather-service  --type merge \
   -p '{"spec": { "template": { "metadata": { "labels": {"kagenti.io/client-registration-inject": "false" }}}}}'

requires: kagenti/kagenti-extensions#262

Changes

• ClientRegistrationReconciler for Deployment/StatefulSet; Keycloak admin client (internal/keycloak).
• Deterministic Secret name: kagenti-keycloak-client-credentials-<hash>; annotation kagenti.io/keycloak-client-credentials-secret-name.
• Feature flag --enable-operator-client-registration; APIReader for authbridge-config / keycloak-admin-secret; RBAC for Secrets.
• Docs: docs/operator-managed-client-registration.md.

Related

• Requires matching kagenti-extensions / kagenti-webhook PR (mount + reinvocation).

Testing

• Controller unit tests; deploy operator + webhook together on a cluster with Keycloak and namespace secrets.

fixes kagenti/kagenti#397

[cwiklik]

Review Summary

Well-designed Keycloak client registration controller with sound architecture: Secret-before-annotation ordering, owner references for GC, feature-gated, and uncached API reads for namespace config. Thorough documentation.

Key concerns: (1) indentation bug in the StatefulSet path, (2) Made-with: Cursor trailer violates commit conventions, (3) defaulting the feature to true is aggressive for a new controller. The Keycloak client is create-only (no update path).

Areas reviewed: Go, Helm/K8s RBAC, Makefile, Docs
Commits: 3 commits, all signed-off: yes
CI status: DCO passing

[cwiklik]

suggestion: DefaultHTTPClient() uses http.DefaultTransport which verifies TLS (good), but there's no way to inject a custom CA bundle for in-cluster Keycloak with a private CA. Consider accepting a transport option or *tls.Config for production clusters with internal CAs.

[akram]

fixed: added *tls.Config

[cwiklik]

suggestion: The admin token is obtained fresh via PasswordGrantToken on every reconcile. For workloads reconciling frequently, this generates one Keycloak token request per reconcile. Consider caching the token (with expiry check) to reduce Keycloak load.

[cwiklik]

nit: readClusterFeatureGates iterates cm.Data and returns after parsing the first non-empty YAML document. If the ConfigMap has multiple data keys, only the first is considered. A brief comment clarifying this assumption would help readability.

[akram]

fixed: comment added

[cwiklik]

suggestion: This grants cluster-wide secrets read access (get/list/watch). The controller only needs secrets in agent namespaces. Consider whether a more restrictive RBAC binding is warranted (ClusterRole + per-namespace RoleBindings), or document why cluster-wide is needed.

[cwiklik]

👍 Good use of controllerutil.CreateOrUpdate with SetControllerReference — ensures GC when the parent Deployment/StatefulSet is deleted. The Secret-before-annotation ordering is also well done.

[Alan-Cha]

Review Summary

This PR adds operator-managed Keycloak client registration as an alternative to sidecar-based registration. The implementation is well-designed with proper controller patterns, comprehensive tests (including envtest-style reconciler tests and mock Keycloak server), token caching, drift reconciliation, and thorough documentation.

The latest commit (7d9d86f) successfully addressed most of the previous review feedback: feature flag now defaults to false (opt-in), token caching is implemented, TLS config support added, indentation bug fixed, and test coverage expanded significantly.

One must-fix issue remains: Documentation inconsistency about the feature flag default value.

Areas reviewed: Go (controller, Keycloak admin client, tests), Makefile, RBAC, Documentation, Commit conventions

Commits: 4 commits, all DCO signed ✅

CI status: DCO passing ✅

---

Must-Fix Issues

Documentation default value mismatch (docs/operator-managed-client-registration.md, line ~77 in new file):

Line states the default is true, but cmd/main.go:112 sets the flag default to false. The docs should match the code:

-| Operator | `--enable-operator-client-registration` (default **true**) | Master switch for the ClientRegistration controller. |
+| Operator | `--enable-operator-client-registration` (default **false**) | Master switch for the ClientRegistration controller. |

---

Praise

Excellent reconciler patterns (clientregistration_controller.go):

• ✅ CreateOrUpdate with owner references ensures proper GC
• ✅ Secret-before-annotation ordering prevents pods from referencing missing Secrets
• ✅ Clean reconciler structure following controller-runtime best practices

Well-implemented drift reconciliation (internal/keycloak/admin.go):

• ✅ GET client, compare managed fields, merge desired state, PUT only when drifted
• ✅ Properly handles Keycloak's JSON shape quirks (string arrays in attributes)

Strong test coverage (clientregistration_controller_test.go):

• ✅ Reconciler integration tests with fake clients and mock Keycloak server
• ✅ Covers feature gates disabled, missing dependencies (requeue), and happy path
• ✅ Addresses previous review's testing concern

---

Suggestions

Token cache tuning (cmd/main.go): Token cache is instantiated with a hardcoded tokenCacheSkew. Consider exposing this as a flag if operators need to tune it for their Keycloak instance characteristics.

Commit 3 convention: Subject lacks emoji prefix: operator: Keycloak client credentials Secret naming and annotation. Should be feat(operator): or refactor(operator): per Kagenti conventions. Not blocking since commits can be squashed on merge.

---

Once the documentation is corrected, this PR is ready to merge. The implementation quality is high, test coverage is comprehensive, and all previous review concerns have been addressed.