docs(openshift): expand OpenShift guide into multi-page section with TLS, OIDC, and ingress #2094
Open
akram wants to merge 4 commits into
Replace the single-page plaintext-only OpenShift guide with a section containing four sub-pages:
- install: TLS-enabled installation with SCC overrides
- external-access: reencrypt Route and Gateway API (Istio) options
- oidc-keycloak: Keycloak OIDC setup with required protocol mappers
- identity-federation: OpenShift OAuth as a Keycloak identity provider

Addresses NVIDIA#2091

Signed-off-by: Akram <akram.benaissi@gmail.com>
@TaylorMutch can you PTAL?
TaylorMutch
requested changes
Jul 1, 2026
Address review feedback: remove the Note about AWS ELB DNS propagation delay as it is not specific to the OpenShell setup. Signed-off-by: Akram <akram.benaissi@gmail.com>
Address review feedback: identity federation is a specific use case for organisations that want OpenShell users to authenticate with their existing OpenShift credentials. The OIDC Keycloak setup works standalone. Mark the identity federation page and all references as optional. Signed-off-by: Akram <akram.benaissi@gmail.com>
Address review feedback: the Keycloak realm/client/mapper/role setup is not OpenShift-specific. Move the full setup (with kcadm.sh and REST API tabs) to docs/kubernetes/access-control.mdx under a new "Keycloak setup" section. The OpenShift oidc-keycloak page now references the generic guide and only contains OpenShift-specific steps (Helm upgrade, CLI connection with --oidc-issuer). Signed-off-by: Akram <akram.benaissi@gmail.com>
@TaylorMutch I took into account the review comments and made changes. Let me know if squash+rebase is needed.
Summary
Replace the single-page plaintext-only OpenShift guide with a multi-page section covering TLS-enabled installation, external gateway access (reencrypt Route and Gateway API with Istio), Keycloak OIDC authentication with the required protocol mappers, and OpenShift identity federation. All Keycloak commands are provided in both kcadm.sh and REST API tabs.
Related Issue
Addresses #2091
Changes
- openshift.mdx → openshift/index.mdx: landing page with Cards linking to four sub-pages
- openshift/install.mdx: TLS-enabled installation with SCC overrides, preserves all original content (namespace creation, SCC binding, Helm overrides table, deployment rollout tip)
- openshift/gateway-connection.mdx: three connection methods — local port-forward, reencrypt Route (with explanation of why edge and passthrough break gRPC), and Gateway API with Istio (including DestinationRule for TLS origination)
- openshift/oidc-keycloak.mdx: Keycloak realm/client setup, the three required protocol mappers (sub, aud, realm_access.roles), realm roles, Helm OIDC values, and CLI registration with --oidc-issuer
- openshift/identity-federation.mdx: OpenShift OAuth as a Keycloak openshift-v4 identity provider, with the ROSA HCP baseUrl caveat and federated user role assignment
Testing
- kcadm.sh commands end-to-end from a clean realm (--config /tmp/kcadm.config required for non-root Keycloak containers)
- mise run pre-commit — passes (helm:lint fails on main too: missing postgresql dependency, pre-existing)
Checklist