tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.
It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
This is a small "library" for wrapping binaries with magic OAuth authentication based on the automatically-injected k8s service account tokens and OpenShift's OAuth service.
There's an example of this deployed at https://example-lukegb-openshiftauth-test.apps.k8s.lukegb.tech/.
The main pieces of setup that need to happen are:
* Set "serviceAccount" in pod definition
* Add Route for pod
* Edit serviceaccount and add metadata.annotations, e.g.:

  ```yaml
  serviceaccounts.openshift.io/oauth-redirectreference.first: >-
    {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"example"}}
  ```
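The setup above makes the pod's service account an OAuth client. The following sketch is an added example, not this library's own code: it derives the client ID from the injected namespace file, checks that the annotation names the expected Route, and builds the authorization request. The function names, the account name `example`, the `user:info` scope, and the endpoint and callback URLs are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
	"strings"
)

const saDir = "/var/run/secrets/kubernetes.io/serviceaccount" // injected by k8s

// ClientID reads the injected namespace and returns the service account's OAuth client_id.
func ClientID(dir, saName string) (string, error) {
	ns, err := os.ReadFile(dir + "/namespace")
	if err != nil {
		return "", err
	}
	return "system:serviceaccount:" + strings.TrimSpace(string(ns)) + ":" + saName, nil
}

// CheckRedirectRef validates an oauth-redirectreference annotation against the pod's Route.
func CheckRedirectRef(value, route string) error {
	var r struct {
		Kind      string                    `json:"kind"`
		Reference struct{ Kind, Name string } `json:"reference"`
	}
	if err := json.Unmarshal([]byte(value), &r); err != nil {
		return fmt.Errorf("annotation is not valid JSON: %w", err)
	}
	if r.Kind != "OAuthRedirectReference" || r.Reference.Kind != "Route" {
		return fmt.Errorf("unexpected kind %q -> %q", r.Kind, r.Reference.Kind)
	}
	if r.Reference.Name != route {
		return fmt.Errorf("annotation names Route %q, pod uses %q", r.Reference.Name, route)
	}
	return nil
}

// AuthorizeURL builds the code-flow request; state must be fresh and random per login.
func AuthorizeURL(endpoint, clientID, redirectURI, state string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "scope": {"user:info"}, "state": {state}}
	return endpoint + "?" + q.Encode()
}

func main() {
	fmt.Println(ClientID(saDir, "example")) // "example" is an assumed account name
}
```

A mismatch between the annotation's Route name and the Route actually serving the pod is worth checking at deploy time, since the redirect URI registered for the client comes from that Route.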