
docs(openshift): expand OpenShift guide into multi-page section with TLS, OIDC, and ingress #2094

Open

akram wants to merge 4 commits into NVIDIA:main from akram:docs/openshift-oidc-keycloak

Conversation

akram (Contributor) commented Jul 1, 2026
Summary

Replace the single-page plaintext-only OpenShift guide with a multi-page section covering TLS-enabled installation, external gateway access (reencrypt Route and Gateway API with Istio), Keycloak OIDC authentication with the required protocol mappers, and OpenShift identity federation. All Keycloak commands are provided in both kcadm.sh and REST API tabs.

Related Issue

Addresses #2091

Changes

  • openshift.mdx → openshift/index.mdx: landing page with Cards linking to four sub-pages
  • openshift/install.mdx: TLS-enabled installation with SCC overrides, preserves all original content (namespace creation, SCC binding, Helm overrides table, deployment rollout tip)
  • openshift/gateway-connection.mdx: three connection methods — local port-forward, reencrypt Route (with explanation of why edge and passthrough break gRPC), and Gateway API with Istio (including DestinationRule for TLS origination)
  • openshift/oidc-keycloak.mdx: Keycloak realm/client setup, the three required protocol mappers (sub, aud, realm_access.roles), realm roles, Helm OIDC values, and CLI registration with --oidc-issuer
  • openshift/identity-federation.mdx: OpenShift OAuth as a Keycloak openshift-v4 identity provider, with the ROSA HCP baseUrl caveat and federated user role assignment

Testing

  • Deployed on ROSA HCP 4.21 (OpenShift 4.21.3, Kubernetes 1.34.2)
  • Tested all kcadm.sh commands end-to-end from a clean realm (--config /tmp/kcadm.config required for non-root Keycloak containers)
  • Tested both reencrypt Route and Gateway API (Istio) paths for external access
  • Verified OIDC login with Keycloak and OpenShift identity federation (browser flow with "Login with OpenShift" button)
  • mise run pre-commit — passes (helm:lint fails on main too: missing postgresql dependency, pre-existing)
  • Unit tests added/updated — N/A, documentation only
  • E2E tests added/updated — N/A, documentation only

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable) — N/A

Replace the single-page plaintext-only OpenShift guide with a section
containing four sub-pages:

- install: TLS-enabled installation with SCC overrides
- external-access: reencrypt Route and Gateway API (Istio) options
- oidc-keycloak: Keycloak OIDC setup with required protocol mappers
- identity-federation: OpenShift OAuth as a Keycloak identity provider

Addresses NVIDIA#2091

Signed-off-by: Akram <akram.benaissi@gmail.com>
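The description above lists three Keycloak protocol mappers (sub, aud, realm_access.roles) as required for the OpenShell OIDC login, and says the setup is documented as both kcadm.sh commands and REST API calls. The following is an added example, not code from this PR or from the OpenShell repository: it builds the three ProtocolMapperRepresentation bodies you would POST to the admin REST endpoint `/admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models`, and then checks a freshly issued access token for the claims those mappers should have produced, which is the sanity check to run before pointing the CLI at `--oidc-issuer`. Assumptions not taken from the PR: the realm name `openshell`, the client id `openshell`, the role name `openshell-admin`, and the two sample tokens, which are constructed inline. The mapper type names and config keys follow Keycloak's admin REST API; in Keycloak 24 and later the `sub` claim is itself produced by `oidc-sub-mapper` (in the `basic` client scope by default), so a client that does not inherit that scope needs it added explicitly.

```python
"""Keycloak protocol-mapper payloads plus a post-setup claim check.

Added example; not the PR's or the OpenShell project's code. Realm, client
and role names below are assumptions, and the sample tokens are constructed.
"""
import base64
import json

REALM = "openshell"      # assumed realm name
CLIENT_ID = "openshell"  # assumed OIDC client id (Keycloak 'clientId')


def mapper_payloads(client_id: str) -> list[dict]:
    """The three ProtocolMapperRepresentation bodies the PR lists as required.

    POST each one to
      /admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models
    using the client's internal UUID (GET /admin/realms/{realm}/clients?clientId=...),
    not its clientId. Config values are strings, as Keycloak stores them.
    """
    return [
        {   # 'sub': in Keycloak 24+ this claim comes from a mapper, not the core.
            "name": "sub",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-sub-mapper",
            "consentRequired": False,
            "config": {"access.token.claim": "true",
                       "introspection.token.claim": "true"},
        },
        {   # 'aud': make the access token name this client as its audience.
            "name": "aud",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-audience-mapper",
            "consentRequired": False,
            "config": {"included.client.audience": client_id,
                       "id.token.claim": "false",
                       "access.token.claim": "true",
                       "introspection.token.claim": "true"},
        },
        {   # 'realm_access.roles': realm roles as a multivalued nested claim.
            "name": "realm roles",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-realm-role-mapper",
            "consentRequired": False,
            "config": {"claim.name": "realm_access.roles",
                       "multivalued": "true",
                       "jsonType.label": "String",
                       "id.token.claim": "true",
                       "access.token.claim": "true",
                       "userinfo.token.claim": "true"},
        },
    ]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS.

    Deliberately no signature check: this inspects the claim *shape* of a token
    you just obtained from your own Keycloak. The relying party (OpenShell)
    still has to verify the signature against the issuer's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, expected_aud: str) -> list[str]:
    """List what the three mappers should have produced but the token lacks."""
    missing = []
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        missing.append("sub")
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)  # RFC 7519: string or array
    if expected_aud not in auds:
        missing.append(f"aud={expected_aud}")
    roles = claims.get("realm_access", {}).get("roles")
    if not isinstance(roles, list) or not roles:
        missing.append("realm_access.roles")
    return missing


def _constructed_token(payload: dict) -> str:
    """Build an unsigned JWT for offline demonstration only (constructed data)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."


ISSUER = f"https://keycloak.example.com/realms/{REALM}"  # assumed issuer URL
# Token as it should look after all three mappers are attached (constructed).
GOOD_TOKEN = _constructed_token({"iss": ISSUER, "sub": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
                                 "aud": [CLIENT_ID, "account"],
                                 "realm_access": {"roles": ["openshell-admin"]}})
# Token from a client that only got Keycloak's defaults: wrong audience, no roles (constructed).
BAD_TOKEN = _constructed_token({"iss": ISSUER, "sub": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
                                "aud": "account"})

if __name__ == "__main__":
    print(json.dumps(mapper_payloads(CLIENT_ID), indent=2))
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, "missing:", missing_claims(jwt_claims(tok), CLIENT_ID) or "nothing")
```

In practice, replace the constructed tokens with the access token from a real `grant_type=password` or device-code exchange against `ISSUER/protocol/openid-connect/token`; an empty list from `missing_claims` means the mappers are in place for that client.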
@akram akram requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners July 1, 2026 16:47
copy-pr-bot (Bot) commented Jul 1, 2026
This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

akram (Contributor, Author) commented Jul 1, 2026

@TaylorMutch can you PTAL ?

Review comment threads on: docs/kubernetes/openshift/oidc-keycloak.mdx; docs/kubernetes/openshift/identity-federation.mdx (outdated); docs/kubernetes/openshift/gateway-connection.mdx (outdated)
akram added 3 commits July 1, 2026 22:09
Address review feedback: remove the Note about AWS ELB DNS propagation
delay as it is not specific to the OpenShell setup.

Signed-off-by: Akram <akram.benaissi@gmail.com>
Address review feedback: identity federation is a specific use case
for organisations that want OpenShell users to authenticate with their
existing OpenShift credentials. The OIDC Keycloak setup works standalone.
Mark the identity federation page and all references as optional.

Signed-off-by: Akram <akram.benaissi@gmail.com>
Address review feedback: the Keycloak realm/client/mapper/role setup
is not OpenShift-specific. Move the full setup (with kcadm.sh and REST
API tabs) to docs/kubernetes/access-control.mdx under a new "Keycloak
setup" section. The OpenShift oidc-keycloak page now references the
generic guide and only contains OpenShift-specific steps (Helm upgrade,
CLI connection with --oidc-issuer).

Signed-off-by: Akram <akram.benaissi@gmail.com>
akram (Contributor, Author) commented Jul 1, 2026

@TaylorMutch I took into account the review comments and made changes. Let me know if squash+rebase is needed.

@akram akram requested a review from TaylorMutch July 1, 2026 21:29