fix: Rebase pinniped-concierge on workload-cluster to bitnami chart

ansible/vars/metacluster.yml

@@ -111,7 +111,7 @@ components:
               inCluster: true
           staticClients:
           - id: pinniped-supervisor
-            secret: pinniped-supervisor-secret
+            secret: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}
             name: Pinniped Supervisor client
             redirectURIs:
             - https://auth.{{ vapp['metacluster.fqdn'] }}/callback

ansible/vars/workloadcluster.yml

@@ -24,10 +24,20 @@ downstream:
     helm:
       version: 1.2.11  # (= Pinniped v0.25.0)
       chart: bitnami/pinniped
+      namespace: pinniped-concierge
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
       chart_values: !unsafe |
         supervisor:
           enabled: false
+      extra_manifests: !unsafe
+        - src: jwtauthenticator.j2
+          _template:
+            name: metacluster-sso
+            spec: |2
+                issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
+                audience: {{ vapp['workloadcluster.name'] | lower }}
+                tls:
+                  certificateAuthorityData: {{ ca_bundle }}
 
     sealed-secrets:
       version: 2.8.1  # (= Sealed Secrets v0.20.2)