OpenShift Virtualization
CNV-17425

DevPreview: Manage Service Account for temporary VNC access


    • managed-vnc-sa
    • no ui
        1. A temporary and constrained (time + resource) token to authenticate against the Kubernetes API and gain access to the VNC endpoint of a specific VM can be retrieved from the API
        2. A static HTML page that uses this API, JavaScript, and noVNC to connect to a VNC endpoint with an (out-of-band provided) temporary token
    • Green
    • To Do
    • CNV-16970 - Temporary tokens for VNC access
    • 0% To Do, 0% In Progress, 100% Done
    • dev-ready, doc-ready, po-ready, px-ready, qe-ready, ux-ready
    • 2023-03-06: remaining tasks split to CNV-26552....

      Goal

      Request a temporary Bound Service Account for accessing the VNC console of a VM only.
      The SA should have access to the VNC endpoint only, and to nothing else; furthermore, the token should expire after a configurable amount of time.

      This is a follow-up to CNV-15742.
      Specifically https://issues.redhat.com/browse/CNV-15472?focusedCommentId=19974978&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-19974978:

      a. the clunky way, but considered the most correct way

      1. Creating a ticket involves creating a ServiceAccount, an RBAC rule for the specific VNC endpoint of the one VM, a RoleBinding and finally a bound token
      2. Users can then use this token as normal and it will only work for the VM in question
      3. Once the token expires it can't be used.
      4. While we have to clean up after the token expires, if system components are down, integrity is not at risk because core k8s takes care of invalidating the tokens
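The four objects named in step 1, and a check that the resulting grant is as narrow as steps 2 and 3 require (one VM, one subresource, one verb, bounded lifetime), as an added Python example; this is not code from this epic or from the kubevirt/vm-console-proxy project. It assumes that KubeVirt serves VNC as the `virtualmachineinstances/vnc` subresource in API group `subresources.kubevirt.io` authorised with verb `get`, that the bound token is minted through the Kubernetes TokenRequest API (whose `expirationSeconds` the API server clamps to at least 600 seconds), and that the `vnc-access.example/expires-at` annotation is a hypothetical marker a cleanup job could use for step 4.

```python
"""Objects behind a temporary, VM-scoped VNC token, plus a least-privilege check.

Added example for this epic, not code from CNV-17425 or from the
kubevirt/vm-console-proxy project. Assumptions, none of which the epic states:
  - KubeVirt serves VNC as the `virtualmachineinstances/vnc` subresource in API
    group `subresources.kubevirt.io`, authorised with verb `get`;
  - the bound token comes from the Kubernetes TokenRequest API
    (POST .../serviceaccounts/<sa>/token), whose `expirationSeconds` the API
    server clamps to at least 600 seconds;
  - the `vnc-access.example/expires-at` annotation is a hypothetical marker a
    cleanup job could use once the token has expired (step 4).
"""
import json
import time

VNC_API_GROUP = "subresources.kubevirt.io"
VNC_RESOURCE = "virtualmachineinstances/vnc"
MIN_TOKEN_TTL = 600  # assumed TokenRequest minimum enforced by the API server
EXPIRY_ANNOTATION = "vnc-access.example/expires-at"  # hypothetical


def vnc_endpoint_path(namespace, vm_name):
    """The one API path the token is allowed to reach."""
    return (f"/apis/{VNC_API_GROUP}/v1/namespaces/{namespace}/"
            f"virtualmachineinstances/{vm_name}/vnc")


def vnc_access_objects(namespace, vm_name, sa_name, ttl_seconds, now=None):
    """Build the four objects from step 1: ServiceAccount, Role, RoleBinding
    and the TokenRequest body, in the order they would be applied."""
    ttl = max(int(ttl_seconds), MIN_TOKEN_TTL)
    issued = int(now if now is not None else time.time())
    service_account = {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": sa_name, "namespace": namespace,
                     "annotations": {EXPIRY_ANNOTATION: str(issued + ttl)}},
    }
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": f"{sa_name}-vnc", "namespace": namespace},
        "rules": [{
            "apiGroups": [VNC_API_GROUP],
            "resources": [VNC_RESOURCE],
            "resourceNames": [vm_name],  # pins the grant to this one VM
            "verbs": ["get"],
        }],
    }
    role_binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": f"{sa_name}-vnc", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                    "name": f"{sa_name}-vnc"},
    }
    token_request = {
        "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
        "spec": {"expirationSeconds": ttl},  # step 3: unusable after expiry
    }
    return service_account, role, role_binding, token_request


def least_privilege_findings(role, role_binding, token_request, vm_name,
                             max_ttl_seconds):
    """Return the ways a grant is wider than the approach allows; an empty
    list means one VM, one subresource, one verb and a bounded lifetime."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        if set(rule.get("apiGroups", [])) != {VNC_API_GROUP}:
            findings.append(f"rule {i}: apiGroups must be exactly [{VNC_API_GROUP}]")
        if set(rule.get("resources", [])) != {VNC_RESOURCE}:
            findings.append(f"rule {i}: resources must be exactly [{VNC_RESOURCE}]")
        if set(rule.get("verbs", [])) != {"get"}:
            findings.append(f"rule {i}: verbs must be exactly ['get']")
        if rule.get("resourceNames") != [vm_name]:
            findings.append(f"rule {i}: resourceNames must pin the single VM {vm_name!r}")
    expected_ref = {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                    "name": role.get("metadata", {}).get("name")}
    if role_binding.get("roleRef") != expected_ref:
        findings.append("binding: roleRef must point at the namespaced Role above")
    subjects = role_binding.get("subjects", [])
    if len(subjects) != 1 or subjects[0].get("kind") != "ServiceAccount":
        findings.append("binding: exactly one ServiceAccount subject is expected")
    ttl = token_request.get("spec", {}).get("expirationSeconds")
    if ttl is None or ttl > max_ttl_seconds:  # unset means the 1h default
        findings.append(f"token: expirationSeconds must be set and <= {max_ttl_seconds}")
    return findings


if __name__ == "__main__":
    objs = vnc_access_objects("demo", "vm-a", "vnc-guest", 900, now=0)
    for obj in objs:
        print(json.dumps(obj, indent=2))
    print("endpoint:", vnc_endpoint_path("demo", "vm-a"))
    print("findings:", least_privilege_findings(objs[1], objs[2], objs[3], "vm-a", 3600))
```

The check is meant to run on whatever objects the ticket-creating component actually produced, not on the generator's output alone: a Role that drops `resourceNames`, widens `verbs`, or a TokenRequest that leaves `expirationSeconds` unset (and so falls back to the default lifetime) is reported as a finding rather than silently accepted.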

      User Stories

      • As a cluster administrator
        I want to retrieve a Bound Service Account token from an endpoint
        so that I can give it to a third party for accessing the cluster and gaining access to the VNC endpoint only.
      • As a third party
        I want to have a temporary token
        so that I can authenticate against the Kubernetes API, and gain temporary access to the VNC endpoint of a specific VM

      Non-Requirements

      • List of things not included in this epic, to alleviate any doubt raised during the grooming process.

      Notes

      • Configure remote console access in OpenStack
      • Should the static html page to use this API be on product level, or Proof-Of-Concept?
      • -> part of upstream doc
      • Will documentation be required?
      • -> yes, upstream and downstream

      Done Checklist

      Who | What | Reference
      DEV | Upstream roadmap issue (or individual upstream PRs) | https://github.com/kubevirt/vm-console-proxy
      DEV | Upstream documentation merged | Design document: https://docs.google.com/document/d/1gdeWIBG8vNv4jUIsgIz4RXzY6NU8DBJGVrwuc3iWDo8

              akrejcir@redhat.com Andrej Krejcir
              fdeutsch@redhat.com Fabian Deutsch
              Geetika Kapoor
              Votes: 1
              Watchers: 6