Task
Resolution: Unresolved
Konflux
Notes from exploration/testing + discussions on Slack:
- local development: use "service account token" + "impersonation headers"
- production: authenticate to an external OIDC provider (e.g. RH internal SSO) and use its token to fetch data from multiple clusters
- this will be possible after upgrading to OCP 4.19
Slack thread: https://redhat-internal.slack.com/archives/C04F4NE15U1/p1760956427695939
Ideally, both options would be supported (service account token + impersonation headers AND authenticating with an external OIDC provider), so that the impersonation approach can be used during development/debugging while the OIDC provider is used for production.