OCPBUGS-45371: Fix issue where TokenReview was not working as expected

[TheRealJon]

We expected the console service account bearer token to be present on the internal k8s REST
configuration, but it was not. This caused all TokenReview requests to be skipped since no bearer
token was available to make the requests.

• Update OpenShift authenticator to use a k8s client-go Clientset to make TokenReview requests. This
  Clientset is configured using the same REST config that the main server uses to proxy console
  service account delegated requests, meaning whatever console service account bearer token is
  configured on the main server is the same one used for TokenReview requests.
• Update main.go to accept an off-cluster bearer token, which is used to make console service
  account delegated requests in an off-cluster, auth-enabled environment.
• Update the README instructions for auth-enabled dev environments to include setting up a console
  service account API token and consume it through the new bridge arg.
• Update examples/run-bridge.sh to consume an off-cluster service acccount token file

[openshift-ci-robot]

@TheRealJon: This pull request references Jira Issue OCPBUGS-45371, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yanpzhan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Use the internal k8s rest config property on the openshift authenticator to make a k8s Clientset that can be used to create TokenReviews as part of the Authenticate flow.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@TheRealJon: This pull request references Jira Issue OCPBUGS-45371, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yanpzhan

In response to this:

We expected the console service account bearer token to be present on the internal k8s REST
configuration, but it was not. This caused all TokenReview requests to be skipped since no bearer
token was available to make the requests.

• Update OpenShift authenticator to use a k8s client-go Clientset to make TokenReview requests. This
  Clientset is configured using the same REST config that the main server uses to proxy console
  service account delegated requests, meaning whatever console service account bearer token is
  configured on the main server is the same one used for TokenReview requests.
• Update main.go to accept an off-cluster bearer token, which is used to make console service
  account delegated requests in an off-cluster, auth-enabled environment.
• Update the README instructions for auth-enabled dev environments to include setting up a console
  service account API token and consume it through the new bridge arg.
• Update examples/run-bridge.sh to consume an off-cluster service acccount token file

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jhadvig]

/lgtm

[jhadvig]

nit

Suggested change

	err := fmt.Errorf("invalid token: %v", token)
	err := fmt.Errorf("invalid token: %s", token)

[jhadvig]

Suggested change

	Create a long-lived API token Secret for the console ServiceAccount, and extract it to the
	Create a long-lived API token Secret for the console ServiceAccount and extract it to the

[jhadvig]

/lgtm cancel

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [TheRealJon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jhadvig]

test-beckend.sh is failing on the TestNewOpenShiftAuthenticator apparently we are passing a nil client in some cases

[TheRealJon]

@jhadvig Tests should be fixed now!

[openshift-ci]

@TheRealJon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-console	6d33e97	link	true	/test e2e-gcp-console

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.