Skip to content

docs(openshift): expand OpenShift guide into multi-page section with TLS, OIDC, and ingress#2094

Open
akram wants to merge 4 commits into
NVIDIA:mainfrom
akram:docs/openshift-oidc-keycloak
Open

docs(openshift): expand OpenShift guide into multi-page section with TLS, OIDC, and ingress#2094
akram wants to merge 4 commits into
NVIDIA:mainfrom
akram:docs/openshift-oidc-keycloak

Conversation

@akram

@akram akram commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Replace the single-page plaintext-only OpenShift guide with a multi-page section covering TLS-enabled installation, external gateway access (reencrypt Route and Gateway API with Istio), Keycloak OIDC authentication with the required protocol mappers, and OpenShift identity federation. All Keycloak commands are provided in both kcadm.sh and REST API tabs.

Related Issue

Addresses #2091

Changes

  • openshift.mdxopenshift/index.mdx: landing page with Cards linking to four sub-pages
  • openshift/install.mdx: TLS-enabled installation with SCC overrides, preserves all original content (namespace creation, SCC binding, Helm overrides table, deployment rollout tip)
  • openshift/gateway-connection.mdx: three connection methods — local port-forward, reencrypt Route (with explanation of why edge and passthrough break gRPC), and Gateway API with Istio (including DestinationRule for TLS origination)
  • openshift/oidc-keycloak.mdx: Keycloak realm/client setup, the three required protocol mappers (sub, aud, realm_access.roles), realm roles, Helm OIDC values, and CLI registration with --oidc-issuer
  • openshift/identity-federation.mdx: OpenShift OAuth as a Keycloak openshift-v4 identity provider, with the ROSA HCP baseUrl caveat and federated user role assignment

Testing

  • Deployed on ROSA HCP 4.21 (OpenShift 4.21.3, Kubernetes 1.34.2)
  • Tested all kcadm.sh commands end-to-end from a clean realm (--config /tmp/kcadm.config required for non-root Keycloak containers)
  • Tested both reencrypt Route and Gateway API (Istio) paths for external access
  • Verified OIDC login with Keycloak and OpenShift identity federation (browser flow with "Login with OpenShift" button)
  • mise run pre-commit — passes (helm:lint fails on main too: missing postgresql dependency, pre-existing)
  • Unit tests added/updated — N/A, documentation only
  • E2E tests added/updated — N/A, documentation only

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable) — N/A

Replace the single-page plaintext-only OpenShift guide with a section
containing four sub-pages:

- install: TLS-enabled installation with SCC overrides
- external-access: reencrypt Route and Gateway API (Istio) options
- oidc-keycloak: Keycloak OIDC setup with required protocol mappers
- identity-federation: OpenShift OAuth as a Keycloak identity provider

Addresses NVIDIA#2091

Signed-off-by: Akram <akram.benaissi@gmail.com>
@akram akram requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners July 1, 2026 16:47
@copy-pr-bot

copy-pr-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@akram

akram commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@TaylorMutch can you PTAL ?

Comment thread docs/kubernetes/openshift/oidc-keycloak.mdx
Comment thread docs/kubernetes/openshift/identity-federation.mdx Outdated
Comment thread docs/kubernetes/openshift/gateway-connection.mdx Outdated
akram added 3 commits July 1, 2026 22:09
Address review feedback: remove the Note about AWS ELB DNS propagation
delay as it is not specific to the OpenShell setup.

Signed-off-by: Akram <akram.benaissi@gmail.com>
Address review feedback: identity federation is a specific use case
for organisations that want OpenShell users to authenticate with their
existing OpenShift credentials. The OIDC Keycloak setup works standalone.
Mark the identity federation page and all references as optional.

Signed-off-by: Akram <akram.benaissi@gmail.com>
Address review feedback: the Keycloak realm/client/mapper/role setup
is not OpenShift-specific. Move the full setup (with kcadm.sh and REST
API tabs) to docs/kubernetes/access-control.mdx under a new "Keycloak
setup" section. The OpenShift oidc-keycloak page now references the
generic guide and only contains OpenShift-specific steps (Helm upgrade,
CLI connection with --oidc-issuer).

Signed-off-by: Akram <akram.benaissi@gmail.com>
@akram

akram commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@TaylorMutch I took into account the review comments and made changes. Let me know if squash+rebase is needed.

@akram akram requested a review from TaylorMutch July 1, 2026 21:29
@TaylorMutch

Copy link
Copy Markdown
Collaborator

/ok to test 2090fb7

@TaylorMutch TaylorMutch left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've thought about this PR a bit more, and here's what I am thinking:

Platform deployers of OpenShell on Kubernetes or OpenShift will want a single page describing the ingress, identity, OIDC and TLS specifics needed for deploying OpenShell. I think splitting these out into OpenShift specific docs and then the other Kubernetes docs makes docs navigation more complicated.

If you are up for it, I would be open to incorporating OpenShift specifics into the overall Kubernetes docs pages, so that those pages are focused on the specific features of Ingress, Identity, OIDC, etc., rather than a specific platform like OpenShift. Then any OpenShift-specifics can be highlighted within the context of that feature.

What do you think @akram ? I am very much in favor of expanding OpenShift specific documentation, but I think this PR in it's current state dilutes and possibly duplicates information across our docs.

oc get gatewayclass
```

Look for a class with an Istio-based controller (e.g. `istio` or `data-science-gateway-class`). The class must show `ACCEPTED: True`.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is "data-science-gateway-class"?


The gateway multiplexes gRPC and HTTP on a single port. Both options must preserve HTTP/2 for gRPC to work.

### Remote access with Routes

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even though this is OpenShift specific I do feel strongly that these docs are somewhat duplicative with the existing ingress docs we have. I think it would be better to have those docs in one place, rather than have a whole section dedicated to OpenShift specifics.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants