@xuezhaojun xuezhaojun commented Nov 4, 2025

Summary

This PR implements a new service-proxy feature that enables users on the hub cluster to access services in managed clusters through an HTTPS proxy server with authentication and impersonation support.

Key Changes

New Components

  • User Server (pkg/userserver/): HTTPS server on hub that receives user requests and forwards them to ANP proxy-server
  • Service Proxy (pkg/serviceproxy/): HTTP proxy server on managed clusters that forwards requests to target services with impersonation support

Core Features

  1. User Authentication & Impersonation

    • Support for external IDP users, groups, and hub ServiceAccount tokens
    • Automatic user impersonation when accessing kubernetes.default.svc
    • Special handling for hub ServiceAccount tokens with cluster:hub: prefix
  2. Helm Chart Updates

    • New user-server deployment and service templates
    • Updated CRDs for ManagedProxyServiceResolver
    • Additional RBAC permissions for certificate management
  3. Infrastructure Improvements

    • New utility functions for token validation and user extraction
    • Certificate controller for automated cert management
    • Enhanced e2e test framework with better isolation

Requirements

  • Hub and managed clusters must use the same external IDP for user impersonation

Testing

  • Updated e2e tests with new test infrastructure
  • Added comprehensive unit tests for utility functions
  • Manual testing guide included in pkg/serviceproxy/readme.md

Related Documentation

  • Service proxy architecture and flow diagrams in pkg/serviceproxy/readme.md
  • Detailed testing instructions for impersonation features

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

@openshift-ci openshift-ci bot requested a review from qiujian16 November 4, 2025 12:15

openshift-ci bot commented Nov 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xuezhaojun


@openshift-ci openshift-ci bot requested a review from yue9944882 November 4, 2025 12:15
@openshift-ci openshift-ci bot added the approved label Nov 4, 2025
@xuezhaojun xuezhaojun force-pushed the implement-service-proxy-feature branch 2 times, most recently from b718fe2 to 125fa92 November 6, 2025 07:51
@xuezhaojun xuezhaojun changed the title refactor Add service-proxy feature for accessing managed cluster services from hub Nov 6, 2025
@xuezhaojun xuezhaojun force-pushed the implement-service-proxy-feature branch 2 times, most recently from 72f4dbe to 9d39c05 November 6, 2025 08:16

codecov bot commented Nov 6, 2025

Codecov Report

❌ Patch coverage is 18.26401% with 452 lines in your changes missing coverage. Please review.
✅ Project coverage is 14.82%. Comparing base (7bcbdcf) to head (27ea6ac).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/serviceproxy/service_proxy.go | 0.00% | 170 Missing |
| pkg/userserver/user_server.go | 0.00% | 135 Missing |
| pkg/controllers/manager.go | 0.00% | 54 Missing |
| pkg/controllers/certcontroller.go | 0.00% | 26 Missing |
| pkg/proxyagent/agent/stolostron_getvalue.go | 59.64% | 11 Missing and 12 partials |
| pkg/utils/utils.go | 72.50% | 19 Missing and 3 partials |
| pkg/version/version.go | 0.00% | 17 Missing |
| pkg/proxyagent/agent/agent.go | 66.66% | 1 Missing and 1 partial |
| pkg/proxyserver/controllers/manifests.go | 0.00% | 2 Missing |
| ...ontrollers/managedproxyconfiguration_controller.go | 66.66% | 1 Missing |
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #244      +/-   ##
==========================================
+ Coverage   13.91%   14.82%   +0.90%     
==========================================
  Files          32       39       +7     
  Lines        1717     2260     +543     
==========================================
+ Hits          239      335      +96     
- Misses       1460     1892     +432     
- Partials       18       33      +15     
| Flag | Coverage Δ |
|---|---|
| unit | 14.82% <18.26%> (+0.90%) ⬆️ |


@xuezhaojun

/assign @qiujian16

…access managed cluster service on the hub side.

Signed-off-by: xuezhaojun <[email protected]>
@xuezhaojun xuezhaojun force-pushed the implement-service-proxy-feature branch from 9d39c05 to 27ea6ac November 6, 2025 08:49

xuezhaojun commented Nov 7, 2025

This is currently the agent-identifiers flag: @qiujian16

spec:
  containers:
  - args:
    - --proxy-server-host=proxy-entrypoint.open-cluster-management-addon.svc
    - --proxy-server-port=8091
    - --agent-identifiers=host=cluster-64edaa3fb9310e98cdb183cddbf156d9964a05c017fa7f8e.open-cluster-management.proxy&host=loopback&host=loopback.open-cluster-management-cluster-proxy

It contains both the hash value (service-proxy server) and the managed cluster name (kube-apiserver).
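Added example, not code from this PR or the cluster-proxy project: a Go parser for the --agent-identifiers value quoted above, assuming the ANP query-string form host=...&host=..., only host keys, and exact host matching when a request is routed to an agent.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParseAgentIdentifiers parses an ANP-style --agent-identifiers value
// ("host=a&host=b") into its host entries; only "host" keys are accepted (assumption).
func ParseAgentIdentifiers(raw string) ([]string, error) {
	values, err := url.ParseQuery(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid agent identifiers: %w", err)
	}
	for key, vals := range values {
		if key != "host" {
			return nil, fmt.Errorf("unsupported identifier key %q", key)
		}
		for _, h := range vals {
			if h == "" || strings.ContainsAny(h, " /:") {
				return nil, fmt.Errorf("malformed host identifier %q", h)
			}
		}
	}
	if hosts := values["host"]; len(hosts) > 0 {
		return hosts, nil
	}
	return nil, fmt.Errorf("no host identifiers found")
}

// ServesHost reports whether the agent advertises exactly this host: case-insensitive,
// no suffix or wildcard match, so an unlisted host is never routed to this agent.
func ServesHost(hosts []string, host string) bool {
	for _, h := range hosts {
		if strings.EqualFold(h, host) {
			return true
		}
	}
	return false
}

func main() {
	raw := "host=cluster-64edaa3fb9310e98cdb183cddbf156d9964a05c017fa7f8e.open-cluster-management.proxy&host=loopback&host=loopback.open-cluster-management-cluster-proxy" // value quoted above
	hosts, err := ParseAgentIdentifiers(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(hosts, ServesHost(hosts, "loopback"), ServesHost(hosts, "loopback.evil"))
}
```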
