feat: add user-operation commands (ResetPassword/Reset2FA/Lock/Unlock) #265

Open
RapidNode777 wants to merge 4 commits into main from feat/user-operations

RapidNode777 commented Jan 19, 2026

Description

This PR adds a new d8 user command group to deckhouse-cli to perform Dex local user management actions via UserOperation custom resources provided by the user-authn module.

The commands create UserOperation resources and optionally wait until the operation is completed, returning success or an error based on the resource status.

Related main implementation PR in Deckhouse:
deckhouse/deckhouse#15561


What’s included

New commands

d8 user reset2fa <username>

Requests a 2FA reset for the specified local Dex user
(removes 2FA-related session artifacts).


d8 user reset-password <username> <bcryptHash>

Resets the user password to the provided bcrypt hash
(as required by the UserOperation API).


d8 user lock <username> <lockDuration>

Locks the user for the specified duration.

Examples:

  • 10m
  • 1h
  • 10h

d8 user unlock <username>

Unlocks the user.


Common flags / behavior

--wait (default: true)

Wait for .status.phase to become Succeeded or Failed.

--timeout (default: 5m)

How long to wait when --wait=true.

-k, --kubeconfig, --context

Standard kubeconfig selection flags.


Why do we need it, and what problem does it solve?

Cluster administrators often need to manage local Dex users (reset password, reset 2FA, lock/unlock accounts) without manually editing Dex storage or crafting Kubernetes YAML by hand.

With the main Deckhouse implementation, these actions are handled declaratively via UserOperation resources.
This PR provides a convenient CLI interface to create such resources and track their execution, making user management faster, safer, and less error-prone.

It simplifies operations such as:

  • Resetting a user’s password.
  • Forcing a reset of 2FA (TOTP).
  • Locking or unlocking a user account for a specified period of time.

The commands automate resource creation and status tracking, reducing manual intervention and enabling consistent automation.


Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in a Kubernetes cluster manually.

Changelog entries

section: user-authn
type: feature
summary: Introduce `d8 user` commands to execute Dex local user management operations via UserOperation resources
impact_level: default

Tests

root@bordiyan-cloud-master-0:~# d8 user --help
Request local user operations (ResetPassword/Reset2FA/Lock/Unlock) in the Deckhouse user-authn module.

 The command creates a UserOperation custom resource and (optionally) waits for completion.

 © Flant JSC 2026

Usage:
  d8 user [command]

Aliases:
  user, userop

Available Commands:
  lock           Lock local user in Dex for a period of time
  reset-password Reset local user's password in Dex (requires bcrypt hash)
  reset2fa       Reset local user's 2FA (TOTP) in Dex
  unlock         Unlock local user in Dex

Flags:
      --context string      The name of the kubeconfig context to use
  -h, --help                help for user
  -k, --kubeconfig string   KubeConfig of the cluster. (default is $KUBECONFIG when it is set, $HOME/.kube/config otherwise) (default "/root/.kube/config")

Use "d8 user [command] --help" for more information about a command.

root@bordiyan-cloud-master-0:~# d8 k get users
NAME                           EMAIL                                      GROUPS                               EXPIRE_AT
ua-new-ua2fa-20260205-074542   ua-new-ua2fa-20260205-074542@example.com   ["ua-group-ua2fa-20260205-072659"]   
ua-old-ua2fa-20260205-072659   ua-old-ua2fa-20260205-072659@example.com   ["ua-group-ua2fa-20260205-072659"] 

root@bordiyan-cloud-master-0:~# d8 user reset2fa ua-new-ua2fa-20260205-074542
Succeeded: op-reset2fa-1770295133

root@bordiyan-cloud-master-0:~# PASS='Test12345!'
root@bordiyan-cloud-master-0:~# HASH="$(echo -n "$PASS" | htpasswd -BinC 10 "" | cut -d: -f2 | tr -d '\n')"
root@bordiyan-cloud-master-0:~# d8 user reset-password ua-new-ua2fa-20260205-074542 "$HASH"
Succeeded: op-resetpass-1770295279

root@bordiyan-cloud-master-0:~# d8 user lock ua-new-ua2fa-20260205-074542 10h
Succeeded: op-lock-1770295397

root@bordiyan-cloud-master-0:~# d8 user unlock ua-new-ua2fa-20260205-074542
Succeeded: op-unlock-1770295460
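
A client-side check of the two free-form arguments described above (`<bcryptHash>` and `<lockDuration>`), as an added example that is not code from this PR or from deckhouse-cli. It assumes the hash is passed in the raw modular-crypt form produced by the `htpasswd` call in the session and that lock durations follow Go's duration syntax; the function names and the minimum-cost policy are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// bcryptRe matches the modular-crypt bcrypt layout: $2a$/$2b$/$2y$, a two-digit
// cost, then 53 characters (22 salt + 31 digest) of the bcrypt base64 alphabet.
var bcryptRe = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)

// minCost is a hypothetical local policy floor; the session above used cost 10.
const minCost = 10

// ValidateBcryptHash rejects anything that is not a well-formed bcrypt hash, so a
// plaintext password passed by mistake is never written into a cluster resource.
func ValidateBcryptHash(h string) error {
	m := bcryptRe.FindStringSubmatch(h)
	if m == nil {
		return errors.New("argument is not a bcrypt hash")
	}
	cost, _ := strconv.Atoi(m[1]) // regex guarantees two digits
	if cost < minCost || cost > 31 {
		return fmt.Errorf("bcrypt cost %d outside [%d, 31]", cost, minCost)
	}
	return nil
}

// ValidateLockDuration accepts Go-style durations such as 10m, 1h, 10h (assumed format).
func ValidateLockDuration(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("invalid lock duration %q: %w", s, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("lock duration must be positive, got %s", d)
	}
	return d, nil
}

func main() {
	sample := "$2y$10$" + strings.Repeat("a", 53) // constructed, not a real hash
	fmt.Println(ValidateBcryptHash(sample), ValidateBcryptHash("Test12345!"))
	fmt.Println(ValidateLockDuration("10h"))
}
```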

Signed-off-by: Maxim Bordiyan <maksim.bordiyan@flant.com>
RapidNode777 removed the request for review from ldmonster January 19, 2026 03:51
Signed-off-by: Maxim Bordiyan <maksim.bordiyan@flant.com>
AlwxSin left a comment

I’ve left some comments.

Signed-off-by: Maxim Bordiyan <maksim.bordiyan@flant.com>
RapidNode777 requested a review from AlwxSin February 10, 2026 14:05
AlwxSin previously approved these changes Feb 11, 2026
Signed-off-by: Maxim Bordiyan <maksim.bordiyan@flant.com>