Eliminate admin credentials from operator client registration

[Alan-Cha]

Problem

Currently, the operator uses Keycloak admin credentials to register OAuth clients for agents. This has several security issues:

• Admin credentials provide full realm permissions (create/delete users, realms, clients, roles)
• Long-lived credentials requiring manual rotation
• Operator compromise = full realm admin access
• Admin credentials stored as secrets in every agent namespace

Solution

Use the operator's SPIFFE JWT-SVID to authenticate with Keycloak instead of admin credentials.

Implementation

This epic is implemented across two PRs:

Core Implementation

• Feat: SPIFFE authentication for operator client registration (Admin API) #349: Operator-side SPIFFE authentication
  • JWT-SVID authentication with Keycloak Admin API
  • Feature flags and Helm configuration
  • Backward compatible (opt-in via keycloak.spiffeAuth.enabled)

Platform Automation

• feat(platform): Add operator SPIFFE authentication bootstrap kagenti#1837: Bootstrap automation and installation scripts
  • Automated Keycloak setup (SPIFFE IdP, operator client, role assignment)
  • Helm hook job for zero-manual-step deployment
  • Installation script integration (ENABLE_OPERATOR_SPIFFE_AUTH=true)

Benefits

• ✅ Scoped permissions (manage-clients only, not full admin)
• ✅ No credential storage (cryptographic JWT-SVID authentication)
• ✅ Short-lived tokens (1 hour, auto-rotated)
• ✅ Audit trail shows operator SPIFFE ID

Related

• Builds on: Operator should read keycloak-admin-secret from kagenti-system, not agent namespaces #320 (operator reads admin creds from kagenti-system)
• Related: fix: move Keycloak admin secret to kagenti-system and remove client-registration sidecar references kagenti#1422 (Helm chart changes for Operator should read keycloak-admin-secret from kagenti-system, not agent namespaces #320)

Assisted-By: Claude Code