Enhances documentation deploying OSAC UI on an OpenShift cluster#23

Open
alosadagrande wants to merge 2 commits into
osac-project:main from
alosadagrande:fork/enhances-ocp-deployment

@alosadagrande alosadagrande commented Jun 12, 2026

Adds docs/deployment-openshift-guide.md, a full walkthrough for deploying OSAC UI on OpenShift with fulfillment-service and Keycloak.

Updates existing docs to reference the guide and align OpenShift deployment instructions with the current setup.

Summary by CodeRabbit

  • Documentation
    • Introduced comprehensive OpenShift deployment guide with step-by-step instructions for building container images, configuring Keycloak, setting up fulfillment-service integration, and troubleshooting common issues.
    • Clarified Helm chart installation prerequisites and requirements for fulfillment-service and Keycloak OIDC configuration.
    • Enhanced runbook with detailed manifest application steps for OpenShift environments.

Signed-off-by: Alberto Losada <alosadag@redhat.com>

coderabbitai Bot commented Jun 12, 2026

Walkthrough

This PR consolidates OpenShift deployment documentation by introducing a comprehensive deployment guide and updating existing entry points. The new guide walks operators through container image build, Keycloak OIDC configuration, fulfillment service integration, UI deployment, verification, and troubleshooting. README.md and Helm chart documentation are updated to reference the guide, and runbook instructions now include explicit manifest application commands.

Changes

OpenShift Deployment Documentation

| Layer / File(s) | Summary |
|---|---|
| Container image build and prerequisites / docs/deployment-openshift-guide.md | Deployment guide introduces prerequisites (OpenShift access, fulfillment-service, Keycloak, container tooling) and Podman build/push workflow for the OSAC UI image to a container registry. |
| Keycloak and identity provider setup / docs/deployment-openshift-guide.md | Keycloak OIDC configuration for the osac realm including external hostname (KC_HOSTNAME), OIDC discovery verification, osac-ui public client registration with detailed settings table, and user account creation in admin console. |
| Fulfillment and UI deployment configuration / docs/deployment-openshift-guide.md | Fulfillment-service configuration to trust Keycloak's external token issuer via gRPC flag, verification of trusted issuer output, UI Deployment manifest updates, and ConfigMap environment variables for internal API URL and TLS toggles. |
| Deployment, verification, and troubleshooting / docs/deployment-openshift-guide.md | OpenShift deployment commands, health endpoint and OIDC discovery verification with curl/jq examples, browser login guidance, and troubleshooting table covering issuer discovery failures, certificate trust errors, internal hostname redirects, and authorization issues. |
| Documentation entry points and references / README.md, deploy/chart/README.md, docs/runbook.md | README.md OpenShift section simplified to reference the new deployment guide with updated prerequisites and oc command sequence; Helm chart README clarified with prerequisites and integration requirements; runbook updated with guide link and explicit oc apply commands. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Risk Assessment: Low – Documentation-only changes with no code modifications, dependency alterations, or exported entity changes. Content accuracy and completeness are primary concerns. Review focus: verify deployment steps align with actual service APIs, configuration expectations (Keycloak client IDs, environment variable names), and security posture (TLS, token issuer trust chain, external hostname configuration).

Suggested reviewers

  • batzionb

Poem

🚀 A deployment guide blooms bright,
From container builds to Keycloak's light,
Each step unfolds with care and grace,
OSAC finds its rightful place.
No code to break, just docs that bind—
A clearer path for ops to find. ✨


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Sensitive-Data-In-Logs | ❌ Error | deployment-openshift-guide.md prints Keycloak admin credentials via `oc get deployment ... \| grep ... KEYCLOAK_ADMIN_PASSWORD`, and token is parsed with `jq -r .access_token`, risking secret leakage. | Update docs to avoid commands that output passwords/tokens to stdout (e.g., capture values in shell variables or omit grep/jq -r output), and don’t show secret-containing results. |
| Ai-Attribution | ⚠️ Warning | FAIL: PR shows “Summary by CodeRabbit”/edited by coderabbitai, but the commit(s) lack Assisted-by/Generated-by or any co-authored-by trailers; risk: attribution/compliance gap. | Add Red Hat AI attribution trailers (Assisted-by or Generated-by) to the AI-influenced commit(s); don’t use Co-Authored-By for AI attribution. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: enhancing documentation for OpenShift deployment of the OSAC UI, which aligns with all four documentation file modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | Scanned PR docs/README files for hardcoded secrets (password/token/api_key/private key/embedded-cred URLs and base64 strings) and found only placeholders like and $TOKEN; no real s... |
| No-Weak-Crypto | ✅ Passed | Docs-only PR diff shows no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB mentions and no token/secret comparisons via '=='/'!=' or '-eq'/'-ne'. |
| No-Injection-Vectors | ✅ Passed | Scanned PR-related docs and the repo for flagged injection patterns (shell=True, eval/exec, pickle.loads, yaml.load, os.system, dangerouslySetInnerHTML, SQL string concatenation); none found. |
| Container-Privileges | ✅ Passed | PR changes only README/docs files; no container/K8s manifests were modified or contain privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation terms. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/deployment-openshift-guide.md`:
- Around line 101-103: Add a language hint to the fenced code block containing
the CLI flag (--grpc-authn-trusted-token-issuers=...) so the fence is labeled as
bash; locate the fenced block around that flag in
docs/deployment-openshift-guide.md and change the opening triple backticks to
include "bash" (e.g., ```bash) to satisfy markdownlint and improve copy/paste.
- Around line 56-60: The grep command in the docs is invalid because `-A`
requires a numeric count; update the snippet that searches for the
KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD environment vars to include a numeric
context value (e.g., change the pipeline to use `grep -E " KEYCLOAK_ADMIN|
KEYCLOAK_ADMIN_PASSWORD" -A 1`) so the command returns the matching lines plus
the following line containing the value instead of failing.
- Around line 156-158: Update the docs to stop steering operators toward setting
FULFILLMENT_TLS_INSECURE=1 and OIDC_TLS_INSECURE=1 as a normal remedy; instead
reference the repository's CA-bundle trust handling and instruct operators to
add the service/Keycloak CA to the cluster CA bundle or the container's trust
store (and only use *_TLS_INSECURE=1 for short-lived local testing with an
explicit warning), and revise the FULFILLMENT_API_URL note to reiterate using
the internal Service URL while warning that disabling TLS verification is
unacceptable for production.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: aa540c39-d01f-41b1-8727-8eae98b4c2ff

📥 Commits

Reviewing files that changed from the base of the PR and between cca7be2 and 17ce02c.

📒 Files selected for processing (4)
  • README.md
  • deploy/chart/README.md
  • docs/deployment-openshift-guide.md
  • docs/runbook.md

Comment thread docs/deployment-openshift-guide.md
Comment thread docs/deployment-openshift-guide.md Outdated
Comment thread docs/deployment-openshift-guide.md
Signed-off-by: Alberto Losada <alosadag@redhat.com>
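
An added example, not part of this pull request or the OSAC project: a small Python check that scans shell lines from a deployment guide for the patterns the review above flags (secrets or tokens written to stdout, `grep -A` without a count, `*_TLS_INSECURE=1`). The sample lines, the `example-keycloak` and `example-ui` names, `$KC_URL` and the rule names are constructed for illustration.

```python
import re

# Constructed sample lines (not taken from the guide under review).
SAMPLE_GUIDE = '''\
oc get deployment example-keycloak -o yaml | grep -E "KEYCLOAK_ADMIN|KEYCLOAK_ADMIN_PASSWORD" -A
curl -s "$KC_URL/realms/osac/protocol/openid-connect/token" -d @form | jq -r .access_token
TOKEN=$(curl -s "$KC_URL/realms/osac/protocol/openid-connect/token" -d @form | jq -r .access_token)
oc set env deployment/example-ui OIDC_TLS_INSECURE=1
oc set env deployment/example-ui FULFILLMENT_TLS_INSECURE=0
'''

# Hypothetical rule names; each pattern mirrors one finding from the review.
RULES = [
    # A pipeline that greps secret-named variables prints their values.
    ("secret-to-stdout", re.compile(r"\|\s*grep\b.*(PASSWORD|SECRET|TOKEN)")),
    # grep -A needs a numeric line count directly after it.
    ("grep-A-without-count", re.compile(r"\s-A(?!\s*\d)(\s|$)")),
    # jq -r .access_token writes the raw bearer token to the terminal.
    ("token-to-stdout", re.compile(r"jq\s+-r\s+'?\.access_token")),
    # Any *_TLS_INSECURE toggle switched on disables certificate checks.
    ("tls-verification-off", re.compile(r"\b\w+_TLS_INSECURE=(1|true)\b")),
]
STDOUT_RULES = {"secret-to-stdout", "token-to-stdout"}

# A whole command wrapped in VAR=$( ... ) keeps its output off the terminal.
CAPTURED = re.compile(r'^\s*(export\s+)?\w+="?\$\(.*\)"?\s*$')


def lint(text):
    """Return (line number, rule name) for every flagged shell line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        captured = bool(CAPTURED.match(line))
        for name, rx in RULES:
            if rx.search(line) and not (captured and name in STDOUT_RULES):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in lint(SAMPLE_GUIDE):
        print(f"line {lineno}: {name}")
```
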