Current Situation:
At the moment we use a Helm chart, Flux and Crossplane to automate the setup of our upstream IDP (Keycloak). This causes a lot of trouble (synchronization issues, etc.) that we want to get rid of.
To achieve that, we need to introduce a new, provider-agnostic resource that allows a controller to configure an upstream IDP. This resource should not be provider-specific, but rather allow the configuration of standard OIDC settings that every OIDC provider exposes and allows to be configured. This makes the choice of an IDP an implementation detail rather than a hard dependency.
To mirror the current state we have, we need to expose at least the following configuration options:
- Unique name of an issuer for the upstream IDP to support multi-tenancy (`metadata.name` or any other field that ensures uniqueness across all IDP resources)
- Configuration of a client in a given issuer context with the following configuration options:
  - Base the available options on the OIDC RFC
  - client type
  - clientId (also ensure uniqueness inside an IDP)
  - a way to configure valid redirect URLs for login, logout, etc. (example)
  - let's see if we need more fields and how they look

Also a very useful reference is the RFC for dynamic client registration in OIDC.
Example:

```yaml
apiVersion: authentication.platform-mesh.io/v1alpha1
kind: IdentityProviderConfiguration
metadata:
  name: <unique name of the issuer>
spec:
  clients:
    - <look at the fields available in the [dynamic client registration rfc](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)>
      writeClientSecretRef: <corev1.SecretRef>
```