Skip to content

docs(kubernetes): add OIDC authentication guide#596

Open
IvanHunters wants to merge 3 commits into
mainfrom
docs/kubernetes-oidc-authentication
Open

docs(kubernetes): add OIDC authentication guide#596
IvanHunters wants to merge 3 commits into
mainfrom
docs/kubernetes-oidc-authentication

Conversation

@IvanHunters

@IvanHunters IvanHunters commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a new guide under content/en/docs/next/kubernetes/: OIDC authentication for kubectl.

Documents how to enable per-user OIDC authentication and RBAC on tenant Kubernetes clusters via the new spec.oidc selector on the Kubernetes resource. Covers all three modes (None, System, CustomConfig), how to retrieve and use the chart-generated kubeconfig, the toggle-off cleanup mechanic, prerequisites, gotchas (legacy --oidc-* flag collision), and what is deliberately out of scope for this feature (per-tenant realms, IdP federation into cozy, cross-cluster SSO).

Ships alongside cozystack/cozystack#3044, the code PR that adds the spec.oidc selector to the Kubernetes chart. Full architectural rationale lives in cozystack/community#24.

Only adds to docs/next/; version-specific pages (v1.5, ...) get the guide when the code PR lands in that release.

Test plan

  • HUGO_ENVIRONMENT=development hugo renders the site cleanly (1686 pages, zero warnings); page reachable at /docs/next/kubernetes/oidc-authentication/.
  • weight: 45 sits between the section index (40) and gpu-sharing.md (50); appears in the intended sidebar slot.
  • YAML examples (spec.oidc.mode: System, CustomConfig inline, CustomConfig secretRef, kubectl krew install oidc-login) verified end-to-end on a dev cluster against the code PR.
  • docs/next/ is skipped by the production build (as designed via config/production/hugo.yaml); Netlify deploy-preview will show it.

Summary by CodeRabbit

  • Documentation
    • Added a new guide for OIDC-based kubectl authentication in Cozystack-managed Kubernetes clusters.
    • Explains per-cluster audience isolation, available spec.oidc.mode options, and provides configuration examples for platform-managed and custom identity providers.
    • Covers how to obtain and use kubeconfig for sign-in, authentication workflow with the login plugin, prerequisites/gotchas (including legacy flag incompatibility), and cleanup behavior when OIDC is disabled or clusters are deleted.

Guide covers spec.oidc modes (None/System/CustomConfig), kubeconfig retrieval,
toggle-off cleanup, prerequisites, common gotchas, and out-of-scope items.
Placed under docs/next/; ships alongside the code PR that adds the selector.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
@netlify

netlify Bot commented Jul 1, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit 5cd4b7e
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a44e1cef0a5690008a704d8
😎 Deploy Preview https://deploy-preview-596--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5de4da27-3bfb-451c-ab98-c523f54ad73a

📥 Commits

Reviewing files that changed from the base of the PR and between 3486a40 and 865b708.

📒 Files selected for processing (1)
  • content/en/docs/next/kubernetes/oidc-authentication.md

📝 Walkthrough

Walkthrough

Adds a new documentation page describing OIDC-based kubectl authentication for Cozystack-managed Kubernetes clusters, covering per-cluster audience isolation, OIDC modes, configuration examples, kubeconfig retrieval, sign-in flow, cleanup behavior, prerequisites, and out-of-scope items.

Changes

OIDC Documentation

Layer / File(s) Summary
New OIDC authentication documentation
content/en/docs/next/kubernetes/oidc-authentication.md
New page explains per-cluster audience isolation, spec.oidc.mode options (None, System, CustomConfig), Keycloak/BYO IdP configuration examples, kubeconfig retrieval and oidc-login sign-in, cleanup on toggling OIDC off, prerequisites/gotchas, and out-of-scope items.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding a Kubernetes OIDC authentication guide.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/kubernetes-oidc-authentication

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds documentation for configuring OIDC authentication for kubectl in tenant Kubernetes clusters, detailing the System, CustomConfig, and None modes. The review feedback suggests minor corrections to the documentation for accuracy, specifically clarifying that the issuer is tenant-supplied rather than operator-supplied in CustomConfig mode, and correcting the schema path reference for the certificate authority.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

name: acme-byo-authn-config # Secret with a `config.yaml` key holding the AuthenticationConfiguration
```

Setting both `config` and `secretRef.name` (or neither) fails the render. In `CustomConfig` mode no Keycloak objects are provisioned in `cozy`; the tenant apiserver trusts the operator-supplied issuer directly.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In CustomConfig mode, the tenant apiserver trusts the tenant-supplied (or user-supplied) issuer directly, rather than the "operator-supplied" issuer (since the operator does not provision Keycloak objects or supply the issuer in this mode). Consider updating "operator-supplied" to "tenant-supplied" for clarity.


- **Don't mix with legacy `--oidc-*` flags.** The tenant kube-apiserver refuses to boot if both `--authentication-config` (injected by `spec.oidc`) and any legacy `--oidc-*` flag are set. If you previously wired OIDC by hand through `controlPlane.apiServer.extraArgs`, remove those flags before enabling `spec.oidc`. The chart fails the render with a pointer to this migration.
- **`oidc-login` plugin required.** Without `kubectl krew install oidc-login` the exec block errors out client-side. The plugin is a documented prerequisite.
- **Custom issuer with a self-signed CA.** In `CustomConfig` mode you can supply the CA inline under `issuer.certificateAuthority`. The legacy `--oidc-*` flag path could not.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In CustomConfig mode, the CA is supplied under certificateAuthority at the JWT authenticator level, not under issuer.certificateAuthority. Consider updating the text to refer to certificateAuthority or jwt[].certificateAuthority to match the schema.

When `username.claim` is `email` the tenant kube-apiserver rejects
tokens with `email_verified: false` (kubernetes/kubernetes#123737).
Add a gotcha entry so operators provisioning cozy-realm users through
KeycloakRealmUser or the Keycloak UI set `emailVerified: true` before
granting cluster access, avoiding a silent "oidc: email not verified"
at login.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
The tenant kube-apiserver receives no claimValidationRules from the
Phase 1 chart, so the previous wording that suggested the chart
enforces email_verified overstated the guarantee. Rewrite the bullet
to describe the actual layered mechanism: prescriptive emailVerified
at provisioning, cozy realm's default duplicateEmails: false, k8s
upstream side-effect on explicit false, and CEL claimValidationRules
as a follow-up hardening path.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant