Closed
Description
Feature Request for
openMCP provisioned ManagedControlPlanes
Understand the problem
When using Group subject in authorization section, e.g.
authorization:
  roleBindings:
  - role: admin
    subjects:
    - kind: Group
      name: dwc:mcp-access
it will require the scope groups to also be included in the authorization request to the identity provider. However, the kubeconfig generated on the crate cluster looks like this:
users:
- name: dwc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=<some value>
      - --oidc-client-id=<some value>
      - --oidc-use-pkce
      - --grant-type=auto
      - --oidc-extra-scope=offline_access
      - --oidc-extra-scope=email
      - --oidc-extra-scope=profile
      command: kubectl
      env: null
      provideClusterInfo: false
and it will only work if editing the kubeconfig and manually adding - --oidc-extra-scope=groups
Technical Steps
- To be proposed by Engineer
Context
Using any IDP and groups for authentication to the MCP
Proposal Acceptance Criteria
- Kubeconfig should work out of the box for configuration chosen in the MCP CR.
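A check for the mismatch described in this issue, as an added example that is not part of the original issue or of the openMCP code: it adds `--oidc-extra-scope=groups` to the oidc-login args of a kubeconfig when the authorization section contains a Group subject. The function names and the dict inputs (the YAML snippets from the issue, already parsed) are assumptions.

```python
import copy

GROUPS_ARG = "--oidc-extra-scope=groups"

def uses_group_subjects(authorization):
    """True if any roleBinding in the authorization section has a Group subject."""
    for binding in authorization.get("roleBindings") or []:
        for subject in binding.get("subjects") or []:
            if subject.get("kind") == "Group":
                return True
    return False

def ensure_groups_scope(kubeconfig, authorization):
    """Return (patched_copy, names_of_changed_users); the input is not modified."""
    patched = copy.deepcopy(kubeconfig)
    changed = []
    if not uses_group_subjects(authorization):
        return patched, changed
    for entry in patched.get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec") or {}
        args = exec_cfg.get("args") or []
        # Only touch oidc-login exec entries that do not request the scope yet.
        if "oidc-login" not in args or GROUPS_ARG in args:
            continue
        # Insert after the last existing extra-scope flag to keep flags grouped.
        scope_idx = [i for i, a in enumerate(args)
                     if a.startswith("--oidc-extra-scope=")]
        args.insert(scope_idx[-1] + 1 if scope_idx else len(args), GROUPS_ARG)
        changed.append(entry.get("name"))
    return patched, changed

# Constructed sample inputs mirroring the snippets in the issue.
AUTHORIZATION = {"roleBindings": [{"role": "admin", "subjects": [
    {"kind": "Group", "name": "dwc:mcp-access"}]}]}
KUBECONFIG = {"users": [{"name": "dwc", "user": {"exec": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": "kubectl",
    "args": ["oidc-login", "get-token", "--oidc-issuer-url=<some value>",
             "--oidc-client-id=<some value>", "--oidc-use-pkce",
             "--grant-type=auto", "--oidc-extra-scope=offline_access",
             "--oidc-extra-scope=email", "--oidc-extra-scope=profile"],
}}}]}

if __name__ == "__main__":
    patched, changed = ensure_groups_scope(KUBECONFIG, AUTHORIZATION)
    print(changed, patched["users"][0]["user"]["exec"]["args"])
```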