WIP: IAM, RBAC, Creds — architecture map and consolidation plan#1466

Draft
markturansky wants to merge 1 commit into main from wip/iam-rbac-creds

Conversation

@markturansky
Contributor

Summary

This PR adds two documents produced from a full audit of the platform's IAM landscape:

  • docs/internal/architecture/iam-architecture.md — current-state map of every token, credential, secret, service account, and auth flow in the system (frontend → backend → operator → control plane → ambient-api-server). Includes ASCII flow diagrams and tables for all token types, K8s Secrets, and service accounts.

  • docs/internal/proposals/iam-consolidation-plan.md — three concrete improvement proposals:

    1. Consolidate around RH SSO — replace K8s SA TokenRequest access keys with Keycloak confidential clients; replace the RSA exchange hack in runner pods with RFC 8693 OIDC Token Exchange; eliminate the control plane token server entirely
    2. DB RBAC as source of truth — ambient-api-server's role_bindings table becomes the single admin write plane; a new reconciler syncs K8s RoleBindings from DB state; backend SSAR unchanged
    3. Extend the credentials table — add user_id/scope columns to replace scattered per-user OAuth K8s Secrets (GitLab, Google, Jira, Gerrit, CodeRabbit) with a single auditable API

Status

Design/discussion phase. No code changes. Looking for feedback on approach before implementation begins.

Key questions for reviewers

  • Is RFC 8693 token exchange available and enabled in the current RH SSO realm, or does that require infra work?
  • Any objection to the control plane token server going away?
  • DB RBAC reconciliation: prefer it in the control plane or as a standalone operator?
  • Credentials table: should user_id credentials be accessible project-wide or strictly per-user?

Test plan

  • N/A — documentation only

🤖 Generated with Claude Code

Current-state map of all tokens, credentials, service accounts, and
auth flows across frontend, backend, operator, control plane, and
ambient-api-server.

Consolidation plan covering three improvements:
1. Unify identity around RH SSO (token exchange for runners, Keycloak
   clients for access keys, elimination of RSA exchange hack)
2. DB RBAC as source of truth with K8s reconciliation (Option A)
3. Extend credentials table to replace scattered K8s OAuth secrets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
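The RFC 8693 exchange that proposal 1 would put in runner pods, plus a check for the first reviewer question (whether the realm actually has token exchange enabled), as an added example that is not part of this PR or its documents. The token endpoint, client ids and the Keycloak error strings used to classify replies are assumptions.

```python
"""RFC 8693 token exchange for a Keycloak / RH SSO realm: build the runner's request and
classify the realm's reply.  Added example; endpoint, client ids and error strings are assumed."""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def exchange_form(client_id, client_secret, subject_token, audience):
    """Form fields for an RFC 8693 exchange by a confidential client."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,      # confidential client, not a K8s SA token
        "subject_token": subject_token,      # the runner's own access token
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,                # e.g. the ambient-api-server client id
    }

def classify_reply(status, body):
    """Verdict on exchange support from the token endpoint's status and JSON body."""
    try:
        data = json.loads(body)
    except ValueError:
        return "malformed"
    if status == 200:
        ok = "access_token" in data and data.get("issued_token_type") == ACCESS_TOKEN_TYPE
        return "supported" if ok else "malformed"
    err = data.get("error", "")
    # Assumed Keycloak behaviour: the grant is rejected outright when the feature
    # is off; 403 access_denied when it is on but this client may not exchange.
    if err == "unsupported_grant_type":
        return "exchange-disabled"
    if status == 403 and err == "access_denied":
        return "client-not-permitted"
    return "other-error"

def exchange(token_endpoint, client_id, client_secret, subject_token, audience):
    """POST the exchange (network call) and return classify_reply's verdict."""
    body = urlencode(exchange_form(client_id, client_secret, subject_token, audience))
    req = Request(token_endpoint, data=body.encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=10) as resp:
            return classify_reply(resp.status, resp.read().decode())
    except HTTPError as e:
        return classify_reply(e.code, e.read().decode())
```

Running `exchange()` against the realm's token endpoint with a real runner token answers the "is it enabled" question without any infra change; an "exchange-disabled" verdict means the feature itself is off, "client-not-permitted" means only the client permission is missing.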
@coderabbitai
Contributor

coderabbitai Bot commented Apr 24, 2026

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (2)
  • WIP
  • DO NOT MERGE

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d919fa56-0288-47d8-aded-35b7b4ff5cc5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@netlify

netlify Bot commented Apr 24, 2026

Deploy Preview for cheerful-kitten-f556a0 ready!

Name Link
🔨 Latest commit 9df20b8
🔍 Latest deploy log https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ec007220cc3f000882bda6
😎 Deploy Preview https://deploy-preview-1466--cheerful-kitten-f556a0.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.
