Skip to content

docs: document OIDC secret structure, app-native OAuth, and wrap-chart gotchas#10

Merged
dcmcand merged 1 commit into
mainfrom
docs/oidc-secret-and-app-native-oauth
Apr 7, 2026
Merged

docs: document OIDC secret structure, app-native OAuth, and wrap-chart gotchas#10
dcmcand merged 1 commit into
mainfrom
docs/oidc-secret-and-app-native-oauth

Conversation

@dcmcand

@dcmcand dcmcand commented Apr 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds documentation based on real-world experience building the nebari-superset-pack. These are gaps and gotchas discovered during that process.

Changes

docs/auth-flow.md:

  • Document the full OIDC secret structure: client-id, client-secret, issuer-url, spa-client-id, device-client-id
  • Document the client ID naming convention (<namespace>-<nebariapp-name>)
  • Document the auto-created RBAC resources (Role + RoleBinding for secret access)
  • Add comprehensive "App-Native OAuth" section covering:
    • Gateway-only auth vs app-native auth vs dual-layer auth patterns
    • Concrete extraEnvRaw / valueFrom.secretKeyRef wiring examples
    • OIDC discovery URL construction from issuer-url
    • extraEnv vs extraEnvRaw guidance
    • Reference to nebari-superset-pack as a working example

docs/nebariapp-crd-reference.md:

  • Update provisionClient description with client ID naming convention and link to secret structure docs
  • Update enforceAtGateway description with link to app-native OAuth docs
  • Update clientSecretRef description to mention issuer-url key

examples/wrap-existing-chart/README.md:

  • Add "Discovering the upstream service name" section with helm template verification
  • Add "Wrapping charts with Bitnami sub-dependencies" warning about the paywall
  • Add "Sub-chart values are static" note about template expression limitation
  • Add "App-native OAuth for RBAC" cross-reference

Test plan

  • Verify all markdown links resolve correctly
  • Verify the OIDC secret structure matches the operator source code
  • Review wrap-existing-chart README for clarity

Closes #4, closes #5, closes #6, closes #7, closes #9

…t gotchas

- Document full OIDC secret structure including issuer-url key,
  client ID naming convention, and auto-created RBAC resources
- Add comprehensive app-native OAuth section with dual-layer auth
  pattern, credential wiring examples, and Superset reference
- Cross-reference auth-flow.md from CRD reference for provisionClient
  and enforceAtGateway fields
- Add service name discovery guidance for wrap-existing-chart pattern
- Add Bitnami paywall warning and alternatives (CloudNativePG, Valkey)
- Document that Helm sub-chart values cannot use template expressions

Closes #4, closes #5, closes #6, closes #7, closes #9
@dcmcand dcmcand merged commit d85f1f0 into main Apr 7, 2026
3 of 4 checks passed
@dcmcand dcmcand deleted the docs/oidc-secret-and-app-native-oauth branch April 7, 2026 11:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment