Replies: 1 comment
-
@snuxoll this is not specific enough to be an issue. We have invested a very non-trivial amount of time into OAuth 2 support and the K8S Operator and both are available for free under permissive open source licenses. If that's not enough for you, you are welcome to develop what's missing and contribute it (or simply open source it as a 3rd party plugin).
-
Is your feature request related to a problem? Please describe.
RabbitMQ already has pretty deep support for running on Kubernetes, including the Cluster Operator and Topology Operator projects, along with support for OAuth 2.0 authentication, but it does not yet have a simple way to handle authentication using Kubernetes service accounts without manually configuring the issuer.
Describe the solution you'd like
A new auth backend (rabbitmq_auth_backend_k8s) based upon the existing rabbitmq_auth_backend_oauth2 that handles automatic discovery of the Kubernetes token issuer (a request made to https://kubernetes.default.svc/.well-known/openid-configuration with the service account token).
Describe alternatives you've considered
Manually configuring the OAuth 2 backend does work, but only if the Kubernetes API service allows unauthenticated requests to the openid-connect discovery endpoint (not enabled by default) or the cluster is managed by a cloud provider that offers external OIDC endpoints (AKS, EKS, GKE, etc.).
Additional context
This feature would work best in tandem with some additional support in both the cluster operator and topology operators to:
Client library support would also be required to make full use of this.
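The discovery step the request above describes, as an added example (not code from RabbitMQ or from this thread): it sends the service account token to the in-cluster discovery URL, trusts only the cluster CA, and checks the returned document against the token's `iss` claim before handing back the issuer and JWKS location. The standard in-pod mount path is assumed, and the function names, the sample token and the sample document are constructed for illustration.

```python
import base64, json, os, ssl, urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # assumed standard in-pod mount
DISCOVERY_URL = "https://kubernetes.default.svc/.well-known/openid-configuration"

def unverified_claims(jwt):
    """Decode a JWT payload WITHOUT verifying it; used only to read `iss`."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_request(token, url=DISCOVERY_URL):
    """The discovery request, authenticated with the service account token."""
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})

def check_discovery(doc, token):
    """Return (issuer, jwks_uri), rejecting documents that do not fit the token."""
    issuer, jwks_uri = doc.get("issuer"), doc.get("jwks_uri")
    if not issuer or not jwks_uri:
        raise ValueError("discovery document lacks issuer or jwks_uri")
    if not jwks_uri.startswith("https://"):
        raise ValueError("jwks_uri must be fetched over TLS")
    if unverified_claims(token).get("iss") != issuer:
        raise ValueError("token iss does not match the discovered issuer")
    return issuer, jwks_uri

def discover(sa_dir=SA_DIR):
    """Run discovery from inside a pod, trusting only the cluster CA."""
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=os.path.join(sa_dir, "ca.crt"))
    with urllib.request.urlopen(build_request(token), context=ctx, timeout=5) as r:
        return check_discovery(json.load(r), token)

def sample_token(iss):
    """Constructed, unsigned token for offline runs (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"iss": iss}), "sig"])

if __name__ == "__main__":
    if os.path.exists(os.path.join(SA_DIR, "token")):
        print(discover())
    else:  # outside a pod: constructed issuer and discovery document
        iss = "https://kubernetes.default.svc.cluster.local"
        doc = {"issuer": iss, "jwks_uri": "https://192.0.2.10:6443/openid/v1/jwks"}
        print(check_discovery(doc, sample_token(iss)))
```

The `iss` comparison is a consistency check on configuration only; token signatures still have to be verified against the keys served at `jwks_uri`.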