bug: TokenReview oidc authenticator isn't initialized when workspace is initialized #4115

@OlegErshov

Describe the bug

In kcp version 0.31.1, it seems that the oidc-authenticator which is configured in the WorkspaceAuthenticationConfiguration resource is initialized after the first TokenReview is created, because the TokenReview has the error `invalid bearer token, oidc: authenticator not initialized` in its status, but when the second request comes everything is fine. It doesn't matter how much time has passed after the workspace is initialized: the first TokenReview request gets a 401 and the second request, coming immediately after, gets an authenticated response.

Steps To Reproduce

If it's sufficient, to reproduce you can run `task local-setup` from this branch: platform-mesh/helm-charts#1663.

After the setup is ready, you need to:

  1. log in to https://portal.localhost:8443/
  2. create an organization
  3. switch into the org
  4. navigate to the accounts page

This will trigger a TokenReview request. The first TokenReview will have `invalid bearer token, oidc: authenticator not initialized` in its status.

Keycloak is configured as an oidc authenticator for workspaces by a WorkspaceAuthenticationConfiguration resource in the :root:orgs workspace. It happens during organization initialization, and at the moment of the TokenReview request the workspace is already initialized.

Expected Behaviour

The oidc initializer is initialized at the moment when the workspace is initialized, and the first request returns authenticated.

Additional Context

No response

Labels

kind/bug: Categorizes issue or PR as related to a bug.
