feat: MachineAccountKey Proxy Backend

[JoseSzycho]

This PR migrates the MachineAccountKey resource from the legacy iam.miloapis.com group to the modern identity.miloapis.com group. It also implements a proxy-based backend that delegates key management to an external authentication provider (Zitadel), moving away from internal etcd-backed storage.

Summary of Changes

1. API Migration and Refactoring

• API Group Change: Moved MachineAccountKey from iam.miloapis.com/v1alpha1 to identity.miloapis.com/v1alpha1.

• New Schema: Defined the resource schema in pkg/apis/identity/v1alpha1/machineaccountkey_types.go, including support for auto-generated public keys and PEM-encoded private keys returned on creation.

2. Implementation of Proxy Backend

• REST Implementation: Developed a new REST handler in internal/apiserver/identity/machineaccountkeys that implements Kubernetes standard operations (Create, Get, List, Delete).

• Dynamic Provider: Implemented a DynamicProvider that proxies requests to an external auth-provider URL using client-go dynamic interfaces. It handles identity forwarding via X-Remote-* headers using transport.NewAuthProxyRoundTripper.

3. Roles and Access Control

• RBAC Roles: Added predefined roles for machine account key management:

  • identity-machine-account-keys-editor: Allows creation, updating, and deletion.

  • identity-machine-account-keys-viewer: Allows read-only access.

• Protected Resources: Established identity.miloapis.com-machineaccountkey as a ProtectedResource, linking it to Project as its parent in the resource hierarchy.

Related to:

• Machine Account and Key Management enhancements#129

[joggrbot]

📝 Documentation Analysis

Joggr found 1 outdated docs in the pull request.

Autofix

Joggr opened 1 pull request(s) to fix the outdated docs.

• docs: for pull #546, fixed 1 outdated doc(s) #557

Outdated

file	reason	confidence
docs/api/iam.md	The document is outdated because it does not mention the MachineAccountKey API/resource, which was entirely removed from the iam.miloapis.com group and moved to identity.miloapis.com (with a new API group, updated spec fields, and a proxy/virtual API model). All references, CRDs, types, and deep copy logic for MachineAccountKey have been removed from the IAM API, but the documentation does not reflect this breaking API change.	80.2%

---

✅ Latest commit analyzed: 1f72354 | Powered by Joggr

[github-actions]

🤖 I automatically added missing newlines at the end of 1 file(s) in this PR.

All files should now end with a newline character as per coding standards.

[cla-assistant]

All committers have signed the CLA.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ JoseSzycho
❌ github-actions[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}