[feature] allow own authentication config to be used

[quartje]

Problem Description

Running Omni on prem means that you have to use the Omni API proxy to access the clusters. That also means that it is not possible to bring your own identity settings.
What functionality would break when we overwrite the current authentication settings?
I can imagine it would break the omni kubernetes API proxy functionality, but would other stuff break as well?

Specifically we would try to overwrite this kube-apiserver configuration setting:
--authorization-config=/system/config/kubernetes/kube-apiserver/authorization-config.yaml

The reason behind it is twofold:

1. We use OIDC tokens to authenticate from backstage to the kubernetes API. These are identity bound tokens, with minimal privileges
2. With Omni, the kubernetes API is proxied through Omni, making it a single point of failure.

Solution

No response

Alternative Solutions

No response

Notes

No response

[rothgar]

Omni authentication is backed by existing SAML or OIDC authentication. Are there other identity settings you need to bring for external cluster access?

[quartje]

The current implementation lacks two features we use (apart from the single point of failure):

1. Reuse SAML group information in Kubernetes. Which is possible using lot's of glue which I've documented here (docs: add information on how to reuse SAML group information in Kubernetes docs#206)
2. I am not able to add another OIDC client, like a webfrontend. The only client now is kubectl