Additional documentation for OAuth 0.15.0 features and how to use Service Accounts

[mstruk]

Type of change

• Documentation

Description

This PR adds documentation for features introduced in #9970

Checklist

Please go through this checklist and make sure all applicable tasks have been done

• Write tests
• Make sure all tests pass
• Update documentation
• Check RBAC rights for Kubernetes / OpenShift roles
• Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
• Reference relevant issue(s) and close them after merging
• Update CHANGELOG.md
• Supply screenshots for visual changes, such as Grafana dashboards

[PaulRMellor]

Thanks Marko. I left a few suggestions, including removing repeating callout descriptions that we already describe earlier in particular sections to be a bit more streamline.

[PaulRMellor]

I think we can drop 1, 2 and 4 callouts as we described the properties in the previous example.

[PaulRMellor]

we can remove callout 1.

[mstruk]

Made additional changes suggested in the review

[mstruk]

Done.

[mstruk]

Done.

[PaulRMellor]

Thanks Marko. Just a couple of suggestions

[scholzj]

Where do I get this Secret? I guess it should be using /var/run/secrets/kubernetes.io/serviceaccount/ca.crt? But it is not present in any Secret by default :-/. It might be in the ConfigMap, but not sure if it applies to all environments .

[scholzj]

Ok, you describe it here -> that should be in a callout of the example above.

We also might need to address it in some better way. Can't we configure the path to the CA directly? If not, we might need add support for loading the public keys from a CM as requested in #10308. (not necessarily blocker for this PR)

I opened #10354 to track this.

[mstruk]

Within current CRD functionality I didn't find a way to specify this as a path to the file on the disk - basically a passthrough String rather than a Secret, with the expectation that the file is provided to the container by the infrastructure or another operator.

[mstruk]

@scholzj I don't think you can add a code block to the content of the callout. Best I can do is refer to the further section that explains it in more detail.

[scholzj]

Have you tried something like this? That should work:

<6> Trusted certificates to connect to authorization server. This should point to a manually created Secret that contains the Kubernetes API server public certificate, which is mounted to the running pods under `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. You can use the following commend to create the Secret:
+
[source,shell,subs=attributes+]
----
kubectl get cm kube-root-ca.crt -o jsonpath="{['data']['ca\.crt']}" > /tmp/ca.crt
kubectl create secret generic oauth-server-cert --from-file=ca.crt=/tmp/ca.crt
----

[scholzj]

[mstruk]

Thanks, I modified it as you suggested. Looks like the plus does the trick.

[scholzj]

Thanks.

[scholzj]

Thanks @mstruk