use kube-authkit for better k8s authentication (#970)

* use kube-authkit for better k8s authentication

Signed-off-by: Saad Zaher <szaher@redhat.com>

* update poetry.lock

Signed-off-by: Saad Zaher <szaher@redhat.com>

* fix tests

Signed-off-by: Saad Zaher <szaher@redhat.com>

* fix test issues

Signed-off-by: Saad Zaher <szaher@redhat.com>

* fix tests for ci

Signed-off-by: Saad Zaher <szaher@redhat.com>

* mock k8s client calls

Signed-off-by: Saad Zaher <szaher@redhat.com>

* tests: mock k8s clients and add test resource files to fix CI

Replace global no-op of kubeconfig loaders with targeted test-only mocks so tests that assert loader behavior can still patch them locally.
Add fake k8s clients (AuthenticationApi, CoreV1Api, CustomObjectsApi) implementing the methods used by unit tests (get_api_group, read_namespaced_secret, list_namespaced_custom_object, list_cluster_custom_object, get/create/delete_namespaced_custom_object, etc.).
Create minimal resource YAMLs under $HOME/.codeflare/resources and TLS files in a tmp CWD so tests do not raise FileNotFoundError.
Test-only change: no production code modified.

Signed-off-by: Saad Zaher <szaher@redhat.com>

* Introduce set_k8s_client in codeflare-sdk

Signed-off-by: Saad Zaher <szaher@redhat.com>

* fix the unit tests

Signed-off-by: Saad Zaher <szaher@redhat.com>

* fix linting issues

Signed-off-by: Saad Zaher <szaher@redhat.com>

* upgrade to kube-authkit 0.2.0

Signed-off-by: Saad Zaher <szaher@redhat.com>

* update docs to use latest params from authkit 0.2.0

Signed-off-by: Saad Zaher <szaher@redhat.com>

* Update src/codeflare_sdk/common/kubernetes_cluster/auth.py

Co-authored-by: Bryan Keane <bryankeane0@gmail.com>

* fix check if authkit available

Signed-off-by: Saad Zaher <szaher@redhat.com>

---------

Signed-off-by: Saad Zaher <szaher@redhat.com>
Co-authored-by: Bryan Keane <bryankeane0@gmail.com>

Author: szaher

README.md

@@ -17,6 +17,86 @@ Full documentation can be found [here](https://project-codeflare.github.io/codef
 
 Can be installed via `pip`: `pip install codeflare-sdk`
 
+## Authentication
+
+CodeFlare SDK uses [kube-authkit](https://github.com/opendatahub-io/kube-authkit) for Kubernetes authentication, supporting multiple authentication methods:
+
+- **Auto-Detection** - Automatically detects kubeconfig or in-cluster authentication
+- **Token-Based** - Authenticate with API server token
+- **OIDC** - OpenID Connect authentication with device flow or client credentials
+- **OpenShift OAuth** - Native OpenShift OAuth support
+- **Kubeconfig** - Traditional kubeconfig file authentication
+- **In-Cluster** - Service account authentication when running in a pod
+
+### Quick Start
+
+```python
+from kube_authkit import get_k8s_client, AuthConfig
+from codeflare_sdk import set_api_client, Cluster, ClusterConfiguration
+
+# Option 1: Auto-detect authentication (recommended - no explicit auth needed!)
+cluster = Cluster(ClusterConfiguration(
+    name='my-cluster',
+    num_workers=2,
+))
+cluster.apply()
+
+# Option 2: OIDC authentication
+auth_config = AuthConfig(
+    method="oidc",
+    oidc_issuer="https://your-oidc-provider.com",
+    client_id="your-client-id",
+    use_device_flow=True
+)
+api_client = get_k8s_client(config=auth_config)
+set_api_client(api_client)  # Register with CodeFlare SDK
+
+# Option 3: OpenShift OAuth with token
+auth_config = AuthConfig(
+    k8s_api_host="https://api.example.com:6443",
+    token="your-token"
+)
+api_client = get_k8s_client(config=auth_config)
+set_api_client(api_client)  # Register with CodeFlare SDK
+
+# Now create your cluster
+cluster = Cluster(ClusterConfiguration(
+    name='my-cluster',
+    num_workers=2,
+))
+cluster.apply()
+```
+
+### Migration from Legacy Authentication
+
+If you're using the deprecated `TokenAuthentication` or `KubeConfigFileAuthentication` classes, please see our [Migration Guide](./docs/auth_migration_guide.md) for detailed instructions on updating to kube-authkit.
+
+**Legacy classes (deprecated):**
+```python
+# ⚠️ Deprecated - will be removed in v1.0.0
+from codeflare_sdk import TokenAuthentication
+auth = TokenAuthentication(token="...", server="...")
+auth.login()
+```
+
+**New recommended approach:**
+```python
+# ✅ Recommended - Auto-detection (no explicit auth needed!)
+from codeflare_sdk import Cluster, ClusterConfiguration
+cluster = Cluster(ClusterConfiguration(name="my-cluster"))
+
+# ✅ For OIDC or OpenShift OAuth with token
+from kube_authkit import AuthConfig, get_k8s_client
+from codeflare_sdk import set_api_client
+
+auth_config = AuthConfig(
+    k8s_api_host="https://api.example.com:6443",
+    token="your-token"
+)
+api_client = get_k8s_client(config=auth_config)
+set_api_client(api_client)  # Register with CodeFlare SDK
+```
+
 ## Development
 
 Please see our [CONTRIBUTING.md](./CONTRIBUTING.md) for detailed instructions.