You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The current OpenShift documentation (docs/kubernetes/openshift.mdx) covers only a minimal plaintext HTTP + oc port-forward setup with TLS and PKI disabled. Users who follow the guide end up with no external access, no authentication, and no path forward beyond "refer to Ingress."
The generic ingress docs (docs/kubernetes/ingress.mdx) only cover Envoy Gateway, which cannot be installed on OpenShift because the Ingress Operator manages Gateway API CRDs and rejects the installation. There is no documented path for exposing the gateway on OpenShift.
The existing OpenShift page has:
✅ Namespace creation and SCC binding
✅ Basic Helm install command
❌ TLS (explicitly disabled)
❌ External access (only oc port-forward)
❌ Authentication (none)
❌ OIDC / Keycloak
❌ OpenShift Routes
❌ Gateway API / Istio
❌ Identity federation
Proposed Design
Expand docs/kubernetes/openshift.mdx into a multi-page section (docs/kubernetes/openshift/) with four sub-pages, following the same pattern as get-started/tutorials/:
1. Install (openshift/install.mdx)
TLS-enabled installation with SCC overrides. Replace the current plaintext-only path with pkiInitJob.enabled=true (the default). Document the SCC overrides (fsGroup=null, runAsUser=null) alongside TLS.
Routes: Why edge and passthrough break gRPC, reencrypt route with backend-protocol=h2 annotation as the working solution
Gateway API: Using the OpenShift-managed Istio GatewayClass with GRPCRoute + DestinationRule for TLS origination. Note that Envoy Gateway cannot be installed on OpenShift.
3. OIDC with Keycloak (openshift/oidc-keycloak.mdx)
Creating a Keycloak realm, public client, and the required protocol mappers (sub, aud, realm_access.roles) — Keycloak does not include these in access tokens for public clients by default
ROSA HCP caveat: baseUrl must be the API server URL, not the OAuth route
Assigning realm roles to federated users after first login
All Keycloak commands provided in both kcadm.sh and REST API tabs.
Alternatives Considered
Update the existing single page: Adding all four topics to one page would make it too long (~600 lines) and hard to navigate. The multi-page section with a Cards index follows the established pattern (get-started/tutorials/).
Add OpenShift notes to existing generic pages (ingress.mdx, access-control.mdx): Spreading OpenShift-specific content across multiple generic pages makes the OpenShift story hard to follow end-to-end. A dedicated section is easier to discover and maintain.
Keep plaintext-only and link to generic docs: The current approach. Doesn't work because the generic ingress docs require Envoy Gateway (blocked on OpenShift) and the generic OIDC docs don't cover the Keycloak mappers required for public clients.
Agent Investigation
Deployed and validated all four topics end-to-end on ROSA HCP 4.21 (OpenShift 4.21.3, Kubernetes 1.34.2)
Tested both reencrypt Route and Gateway API (Istio) paths for external access
Tested all kcadm.sh commands in the Keycloak pod (--config /tmp/kcadm.config required for non-root containers)
Tested OIDC login with Keycloak and OpenShift identity federation (browser flow with "Login with OpenShift" button)
Problem Statement
The current OpenShift documentation (
docs/kubernetes/openshift.mdx) covers only a minimal plaintext HTTP +oc port-forwardsetup with TLS and PKI disabled. Users who follow the guide end up with no external access, no authentication, and no path forward beyond "refer to Ingress."The generic ingress docs (
docs/kubernetes/ingress.mdx) only cover Envoy Gateway, which cannot be installed on OpenShift because the Ingress Operator manages Gateway API CRDs and rejects the installation. There is no documented path for exposing the gateway on OpenShift.The existing OpenShift page has:
oc port-forward)Proposed Design
Expand
docs/kubernetes/openshift.mdxinto a multi-page section (docs/kubernetes/openshift/) with four sub-pages, following the same pattern asget-started/tutorials/:1. Install (
openshift/install.mdx)TLS-enabled installation with SCC overrides. Replace the current plaintext-only path with
pkiInitJob.enabled=true(the default). Document the SCC overrides (fsGroup=null,runAsUser=null) alongside TLS.2. Gateway Connection (
openshift/gateway-connection.mdx)Three connection methods with trade-offs:
oc port-forwardfor evaluationbackend-protocol=h2annotation as the working solutionGRPCRoute+DestinationRulefor TLS origination. Note that Envoy Gateway cannot be installed on OpenShift.3. OIDC with Keycloak (
openshift/oidc-keycloak.mdx)sub,aud,realm_access.roles) — Keycloak does not include these in access tokens for public clients by default--oidc-issuerflag ongateway add— without it, the CLI defaults to the Cloudflare edge-auth flow which hangs indefinitely (bug: gateway add defaults to Cloudflare edge-auth for HTTPS endpoints — no fallback or guidance for non-CF deployments #2057)4. Identity Federation (
openshift/identity-federation.mdx)OAuthClientin OpenShiftopenshift-v4IdP in KeycloakbaseUrlmust be the API server URL, not the OAuth routeAll Keycloak commands provided in both
kcadm.shand REST API tabs.Alternatives Considered
Update the existing single page: Adding all four topics to one page would make it too long (~600 lines) and hard to navigate. The multi-page section with a Cards index follows the established pattern (
get-started/tutorials/).Add OpenShift notes to existing generic pages (
ingress.mdx,access-control.mdx): Spreading OpenShift-specific content across multiple generic pages makes the OpenShift story hard to follow end-to-end. A dedicated section is easier to discover and maintain.Keep plaintext-only and link to generic docs: The current approach. Doesn't work because the generic ingress docs require Envoy Gateway (blocked on OpenShift) and the generic OIDC docs don't cover the Keycloak mappers required for public clients.
Agent Investigation
kcadm.shcommands in the Keycloak pod (--config /tmp/kcadm.configrequired for non-root containers)Related