kyma-project / kyma-environment-broker

Kyma Environment Broker
Apache License 2.0

Extend Kyma Provisioning Parameters to allow multiple OIDC definitions #423

Open kwiatekus opened 5 months ago

kwiatekus commented 5 months ago

Description

Adjust the set of input parameters of Kyma Service Instance Provisioning so that the user can provide multiple OIDC configs (design the oidc parameter so that it accepts a single config (for backwards compatibility) or an array).

Extend the OIDC schema so that the user can also define requiredClaims (key-value pairs) that are essential for secure GH workflow access.

AC

Reasons

It is required to configure access to freshly created clusters via additional "workflow" OIDC https://github.com/kyma-project/kyma/issues/18305

Attachments

PK85 commented 1 month ago

It looks like Provisioner exposes APIs with pods and services CIDRs. We need to test it.

kwiatekus commented 1 month ago

As a first step we could enable that only for DEV landscape on a dedicated plan (preview):

ralikio commented 3 weeks ago

Proposed based on last planning:

To preserve backward compatibility, we would like to define a new parameter (e.g. "Additional OIDC") defined in the schema as a list. The old parameter will remain functional and will be extended with requiredClaims. If the user defines additional OIDC in the list and at the same time provides the backward-compatible one, then we want to merge both.
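
A sketch of the parameter handling discussed in this thread, added here as an example and not taken from the kyma-environment-broker code base or from any commenter: the legacy `oidc` value decodes from either a single object or an array, and is then merged with the new list. The field names `issuerURL` and `clientID`, the parameter name `additionalOIDC`, and the merge rules (legacy entries first, incomplete or duplicate issuer/client pairs rejected) are assumptions; only `requiredClaims` is named in the issue.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// OIDC uses assumed field names; only requiredClaims is named in the issue.
type OIDC struct {
	IssuerURL      string            `json:"issuerURL"`
	ClientID       string            `json:"clientID"`
	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`
}

// OIDCList decodes from a single object (legacy form) or from an array.
type OIDCList []OIDC

func (l *OIDCList) UnmarshalJSON(b []byte) error {
	if b = bytes.TrimSpace(b); len(b) > 0 && b[0] == '{' {
		*l = OIDCList{{}}
		return json.Unmarshal(b, &(*l)[0])
	}
	return json.Unmarshal(b, (*[]OIDC)(l)) // array or null; anything else errors
}

// Parse merges both lists (legacy first) and rejects incomplete or duplicate entries; these semantics are assumed.
func Parse(raw string) (OIDCList, error) {
	var p struct {
		OIDC           OIDCList `json:"oidc"`
		AdditionalOIDC OIDCList `json:"additionalOIDC"` // constructed name
	}
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	all := append(p.OIDC, p.AdditionalOIDC...)
	for _, c := range all {
		key := c.IssuerURL + "\x00" + c.ClientID
		if c.IssuerURL == "" || c.ClientID == "" || seen[key] {
			return nil, fmt.Errorf("incomplete or duplicate oidc entry %q", c.IssuerURL)
		}
		seen[key] = true
	}
	return all, nil
}

func main() { // constructed sample input
	fmt.Println(Parse(`{"oidc":{"issuerURL":"https://idp.example","clientID":"a"}}`))
}
```

Rejecting a duplicate issuer/client pair, instead of silently keeping one copy, avoids ambiguity about which `requiredClaims` set applies to that issuer.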