Skip to content

MTA-6893 Document Hub OIDC authentication#382

Open
Pkylas007 wants to merge 2 commits into
mainfrom
mta-6893-hub-oidc-doc
Open

MTA-6893 Document Hub OIDC authentication#382
Pkylas007 wants to merge 2 commits into
mainfrom
mta-6893-hub-oidc-doc

Conversation

@Pkylas007

@Pkylas007 Pkylas007 commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

JIRA

Version

  • 8.2.0

Previews

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features
    • Expanded install-guide documentation with Hub OIDC authentication, local basic user authentication, LDAP federation (including LDAP token lifecycle), and identity-provider (IdP) authentication.
    • Added guidance for Keycloak/RHBK scope management and 8.2.0 Keycloak migration, plus authentication token/API key management and URI templating wildcard patterns.
    • Added new procedures for enabling authentication, configuring authentication fields in the Tackle CR, creating IdP/Ldap custom resources, and generating/revoking API keys.
  • Documentation
    • Added/updated reference pages for authentication fields and LDAP mapping logic; enhanced VS Code and CLI OIDC connection steps.
  • Bug Fixes
    • Removed an outdated Keycloak build section from the UI installation flow.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds documentation for Hub OIDC, LDAP, local authentication, identity providers, API keys, URI templating, CLI authentication, and VS Code integration. It also updates guide wiring, Keycloak content, RBAC descriptions, and profile-analysis procedures.

Changes

Authentication and documentation guide updates

Layer / File(s) Summary
Guide wiring and Keycloak updates
docs/install-guide/master.adoc, assemblies/mta-install-title/assembly_installing-mta-ui.adoc, assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc, docs/topics/mta-install/*
Guide includes and Keycloak-related documentation are updated for the new authentication content.
Hub OIDC assembly and concepts
assemblies/mta-install-title/assembly_hub-oidc-authentication.adoc, docs/topics/mta-install/con_*.adoc
Hub OIDC concepts document authentication options, administrative tasks, migration behavior, scopes, roles, and LDAP token lifecycle.
Authentication CR configuration and reference
docs/topics/mta-install/proc_enable-authentication-cr.adoc, docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc
The Tackle CR procedure and reference document authentication settings, token behavior, lifespans, caching, and key rotation.
Identity provider and LDAP configuration
assemblies/mta-install-title/assembly_identity-provider-authentication.adoc, assemblies/mta-install-title/assembly_ldap-authentication.adoc, docs/topics/mta-install/proc_*identity-provider*.adoc, docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc, docs/topics/mta-install/ref_*ldap*.adoc
Identity-provider and LDAP assemblies and procedures document secrets, custom resources, federation, mappings, token lifecycle, and directory configuration.
Local authentication
assemblies/mta-install-title/assembly_basic-authentication-local-users.adoc, docs/topics/mta-install/proc_*users*.adoc, docs/topics/mta-install/proc_change-password-web-console.adoc, docs/topics/mta-install/proc_create-custom-role-assign-permissions.adoc
Local authentication procedures document user creation, password changes, and custom role and permission assignment.
Access token and API key management
assemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adoc, docs/topics/mta-install/proc_*api-key*.adoc
API-key documentation covers generation and revocation for administrators and migrators.
URI templating and VS Code guidance
assemblies/mta-install-title/assembly_uri-templating-wildcard-patterns.adoc, docs/topics/mta-install/ref_uri-*.adoc, docs/topics/vscode/*, docs/vs-code-extension-guide/master.adoc
OIDC URI variables and wildcard patterns are documented, and VS Code OIDC and Hub profile guidance is updated.
CLI Hub authentication and profile analysis
assemblies/cli-guide/assembly_analyzing-applications-using-profiles.adoc, docs/topics/mta-cli/proc_connect-to-hub.adoc, docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc
The CLI guide adds Hub connection instructions and updates profile analysis steps to use authenticated CLI workflows.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Possibly related PRs

Suggested reviewers: sshveta, jortel

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: documenting Hub OIDC authentication and related auth updates.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch mta-6893-hub-oidc-doc

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docs/topics/mta-install/con_roles-personas-users-permissions.adoc (1)

9-19: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Keep the role count aligned with the new list.

The intro still says the product uses three roles, but the page now documents four (admin, architect, migrator, and project-manager). Readers will otherwise get conflicting guidance.

💡 Suggested fix
-The {ProductFullName} uses three roles, each corresponding to a persona.
+The {ProductFullName} uses four roles, each corresponding to a persona.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/topics/mta-install/con_roles-personas-users-permissions.adoc` around
lines 9 - 19, The intro text in con_roles-personas-users-permissions.adoc still
says there are three roles, but the role list now includes four personas. Update
the opening description near the role overview to match the expanded set of
roles documented in the same section, and keep the count consistent with admin,
architect, migrator, and project-manager so the narrative and bullets align.
docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc (1)

17-20: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Parameterize the secret lookup namespace.

The command hard-codes openshift-mta, but the prose says the secret lives in the namespace where you installed the product. That makes the instruction fail for any non-default installation.

💡 Suggested fix
-$ *oc get secret mta-keycloak-rhbk -n openshift-mta -o json| jq -r '.data.password | `@base64d`'*
+$ *oc get secret mta-keycloak-rhbk -n _<namespace>_ -o json | jq -r '.data.password | `@base64d`'*
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc` around lines
17 - 20, The secret lookup in the RHBK admin console access instructions is
hard-coded to the default namespace, which conflicts with the surrounding
guidance. Update the command to use the installation namespace consistently,
matching the prose that refers to the namespace where {ProductShortName} was
installed, so the documented lookup works regardless of the chosen namespace.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/topics/mta-install/con_scope_rhbk.adoc`:
- Line 9: The abstract sentence in the con_scope_rhbk.adoc topic is incomplete
and ends mid-thought, so update the opening sentence to be a complete,
grammatical statement. Edit the introductory text in this topic so it fully
expresses the intended idea about simplifying role and scope management for
{ProductShortName} Hub OpenID Connect (OIDC) in RHBK, and make sure the abstract
no longer renders as a fragment.

In `@docs/topics/mta-install/proc_configure-identity-provider-cr.adoc`:
- Around line 32-38: The IdentityProvider example is using schema metadata under
primary instead of a real boolean value, making the manifest invalid. Update the
primary field in the sample manifest to an actual boolean value and remove the
description/type fragment, keeping the example aligned with the IdentityProvider
CR structure in proc_configure-identity-provider-cr.adoc.

In `@docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc`:
- Around line 55-59: The LDAP federation example contains a malformed group
filter in the custom resource snippet, so update the groupFilter value in the
example to use the correctly balanced expression in the
proc_create-custom-resource-ldap-federation content. Make sure the filter string
in the LDAP configuration example matches the intended pattern with the missing
closing brace added, and verify the surrounding password and userFilter fields
remain unchanged.

In `@docs/topics/mta-install/proc_create-secret-idp-client.adoc`:
- Around line 19-40: The procedure text is inconsistent: the secret example
creates idp-client-secret.yaml, but the apply step in the same section still
refers to ldap-secret.yaml. Update the apply instruction in
proc_create-secret-idp-client.adoc to use the same filename as the generated
Secret definition, and keep the wording aligned with the idp-client-secret
resource so users can apply the file they just created.

In `@docs/topics/mta-install/proc_enable-authentication-cr.adoc`:
- Around line 18-23: The procedure mixes an interactive edit flow with a
file-based apply flow, which makes the steps inconsistent. Update the steps
around the Edit the tackle CR section so they use one approach only: either keep
the oc edit command in the relevant procedure content and remove any later
apply-tackle-yaml wording, or switch the whole flow to a file edit plus oc apply
pattern and reference the same CR editing step consistently. Make sure the
instructions in the authentication procedure stay aligned with the chosen flow
across the affected sections.
- Around line 34-45: The example under the YAML source block uses invalid
key/value assignment syntax and quoted booleans, so update the snippet in the
authentication procedure to use standard YAML mappings and plain boolean values.
Fix the `spec` example by replacing the `=`-style entries with YAML `:` pairs
and removing quotes from boolean-like values so it can be copied and parsed
correctly.

In `@docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc`:
- Line 13: Fix the wording in the JWT payload description by changing “personal
identifiable information” to “personally identifiable information” in the
authentication-fields content. Update the sentence in the documentation text
only, keeping the rest of the explanation about token lifespan and role updates
unchanged.

In
`@docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc`:
- Around line 13-17: The LDAP wildcard examples in the rule-semantics doc are
inconsistent with the stated case-sensitive matching behavior. Update the
affected example patterns and sample values in the LDAP mappings section so the
wildcard matches use the same casing as the CN values returned by the server,
keeping the examples aligned with the case-sensitive rule. Use the existing
wildcard/matching examples in this document as the reference points and make the
pattern/value pairs consistent throughout the affected mappings.

In `@docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc`:
- Line 33: The wording in the OIDC authentication doc implies the extension
stores the IdP password locally, which should be avoided. Update the sentence in
the documentation text to describe reauthentication as token/session reuse or
refreshed permissions instead of “saved password,” keeping the meaning centered
on the existing auth session and permission renewal.

---

Outside diff comments:
In `@docs/topics/mta-install/con_roles-personas-users-permissions.adoc`:
- Around line 9-19: The intro text in con_roles-personas-users-permissions.adoc
still says there are three roles, but the role list now includes four personas.
Update the opening description near the role overview to match the expanded set
of roles documented in the same section, and keep the count consistent with
admin, architect, migrator, and project-manager so the narrative and bullets
align.

In `@docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc`:
- Around line 17-20: The secret lookup in the RHBK admin console access
instructions is hard-coded to the default namespace, which conflicts with the
surrounding guidance. Update the command to use the installation namespace
consistently, matching the prose that refers to the namespace where
{ProductShortName} was installed, so the documented lookup works regardless of
the chosen namespace.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 99b03a36-019c-470c-8093-669f2184f268

📥 Commits

Reviewing files that changed from the base of the PR and between cbd58bd and 10f0054.

📒 Files selected for processing (30)
  • assemblies/mta-install-title/assembly_basic-authentication-local-users.adoc
  • assemblies/mta-install-title/assembly_hub-oidc-authentication.adoc
  • assemblies/mta-install-title/assembly_identity-provider-authentication.adoc
  • assemblies/mta-install-title/assembly_installing-mta-ui.adoc
  • assemblies/mta-install-title/assembly_ldap-authentication.adoc
  • assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
  • assemblies/mta-install-title/assembly_uri-templating-wildcard-patterns.adoc
  • docs/install-guide/master.adoc
  • docs/topics/mta-install/con_administrative-tasks.adoc
  • docs/topics/mta-install/con_keycloak-migration.adoc
  • docs/topics/mta-install/con_ldap-token-lifecycle.adoc
  • docs/topics/mta-install/con_roles-personas-users-permissions.adoc
  • docs/topics/mta-install/con_scope_rhbk.adoc
  • docs/topics/mta-install/con_why-use-hub-oidc.adoc
  • docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc
  • docs/topics/mta-install/proc_add-users-assign-roles-web-console.adoc
  • docs/topics/mta-install/proc_change-password-web-console.adoc
  • docs/topics/mta-install/proc_configure-identity-provider-cr.adoc
  • docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc
  • docs/topics/mta-install/proc_create-custom-role-assign-permissions.adoc
  • docs/topics/mta-install/proc_create-secret-idp-client.adoc
  • docs/topics/mta-install/proc_enable-authentication-cr.adoc
  • docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc
  • docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc
  • docs/topics/mta-install/ref_openldap-active-directory-configurations.adoc
  • docs/topics/mta-install/ref_uri-template-variables.adoc
  • docs/topics/mta-install/ref_uri-wildcard-patterns.adoc
  • docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc
  • docs/topics/vscode/proc_vscode-analyzing-application-using-profiles.adoc
  • docs/vs-code-extension-guide/master.adoc
💤 Files with no reviewable changes (1)
  • assemblies/mta-install-title/assembly_installing-mta-ui.adoc

Comment thread docs/topics/mta-install/con_scope_rhbk.adoc Outdated
Comment on lines +32 to +38
clientSecret:
name: idp-client-secret
namespace: openshift-mta
redirectURI: "https://hub.example.com/oidc/idp/callback"
primary:
description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication.
type: boolean

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Replace the schema fragment with an actual field value.

The sample manifest puts description and type under primary, which makes the YAML invalid for an IdentityProvider CR. This should be a boolean field in the example, not schema metadata.

🛠️ Proposed fix
-  primary:
-    description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication.
-    type: boolean
+  primary: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
clientSecret:
name: idp-client-secret
namespace: openshift-mta
redirectURI: "https://hub.example.com/oidc/idp/callback"
primary:
description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication.
type: boolean
clientSecret:
name: idp-client-secret
namespace: openshift-mta
redirectURI: "https://hub.example.com/oidc/idp/callback"
primary: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/topics/mta-install/proc_configure-identity-provider-cr.adoc` around
lines 32 - 38, The IdentityProvider example is using schema metadata under
primary instead of a real boolean value, making the manifest invalid. Update the
primary field in the sample manifest to an actual boolean value and remove the
description/type fragment, keeping the example aligned with the IdentityProvider
CR structure in proc_configure-identity-provider-cr.adoc.

Comment thread docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc Outdated
Comment thread docs/topics/mta-install/proc_create-secret-idp-client.adoc Outdated
Comment thread docs/topics/mta-install/proc_enable-authentication-cr.adoc
Comment thread docs/topics/mta-install/proc_enable-authentication-cr.adoc
Comment thread docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc Outdated
Comment thread docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc Outdated
Comment thread docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc Outdated
Comment thread docs/topics/mta-install/proc_create-secret-idp-client.adoc Outdated
Comment thread docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/topics/mta-install/proc_create-secret-idp-client.adoc (1)

19-40: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Use an underscore-separated placeholder here.

_<idp-client-secret>.yaml_ violates the repo’s AsciiDoc placeholder convention. Please switch this example and the oc apply command to either a concrete filename or an underscore-separated placeholder, e.g. _<idp_client_secret>.yaml_.

🛠 Suggested edit
- Create a secret such as `_<idp-client-secret>.yaml_`:
+ Create a secret such as `_<idp_client_secret>.yaml_`:
...
-$ *oc apply -f `_<idp-client-secret>.yaml_`*
+$ *oc apply -f `_<idp_client_secret>.yaml_`*
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/topics/mta-install/proc_create-secret-idp-client.adoc` around lines 19 -
40, The example filename placeholder for the secret manifest should follow the
repo’s AsciiDoc underscore-separated convention. Update the placeholder used in
the secret creation step and the `oc apply` command in
`proc_create-secret-idp-client.adoc` to use a concrete filename or an
underscore-separated placeholder such as `_<idp_client_secret>.yaml_`, keeping
the references consistent across the `idp-client-secret` instructions.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/topics/mta-install/proc_create-secret-idp-client.adoc`:
- Around line 19-40: The example filename placeholder for the secret manifest
should follow the repo’s AsciiDoc underscore-separated convention. Update the
placeholder used in the secret creation step and the `oc apply` command in
`proc_create-secret-idp-client.adoc` to use a concrete filename or an
underscore-separated placeholder such as `_<idp_client_secret>.yaml_`, keeping
the references consistent across the `idp-client-secret` instructions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 71d6f329-b59f-4b61-a017-2b69f1d2ed9c

📥 Commits

Reviewing files that changed from the base of the PR and between 10f0054 and 3d65f46.

📒 Files selected for processing (22)
  • assemblies/mta-install-title/assembly_hub-oidc-authentication.adoc
  • assemblies/mta-install-title/assembly_identity-provider-authentication.adoc
  • assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
  • docs/install-guide/master.adoc
  • docs/topics/mta-install/con_administrative-tasks.adoc
  • docs/topics/mta-install/con_keycloak-migration.adoc
  • docs/topics/mta-install/con_ldap-token-lifecycle.adoc
  • docs/topics/mta-install/con_mta-features.adoc
  • docs/topics/mta-install/con_scope_rhbk.adoc
  • docs/topics/mta-install/con_why-use-hub-oidc.adoc
  • docs/topics/mta-install/proc_add-users-assign-roles-web-console.adoc
  • docs/topics/mta-install/proc_configure-identity-provider-cr.adoc
  • docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc
  • docs/topics/mta-install/proc_create-custom-role-assign-permissions.adoc
  • docs/topics/mta-install/proc_create-secret-idp-client.adoc
  • docs/topics/mta-install/proc_enable-authentication-cr.adoc
  • docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc
  • docs/topics/mta-install/ref_custom-resource-settings.adoc
  • docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc
  • docs/topics/mta-install/ref_uri-template-variables.adoc
  • docs/topics/mta-install/ref_uri-wildcard-patterns.adoc
  • docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc
💤 Files with no reviewable changes (1)
  • docs/topics/mta-install/ref_custom-resource-settings.adoc
✅ Files skipped from review due to trivial changes (13)
  • docs/topics/mta-install/ref_uri-template-variables.adoc
  • docs/topics/mta-install/con_why-use-hub-oidc.adoc
  • docs/topics/mta-install/ref_uri-wildcard-patterns.adoc
  • docs/topics/mta-install/con_mta-features.adoc
  • assemblies/mta-install-title/assembly_hub-oidc-authentication.adoc
  • docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc
  • docs/topics/mta-install/con_keycloak-migration.adoc
  • assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
  • docs/topics/mta-install/proc_enable-authentication-cr.adoc
  • docs/topics/mta-install/con_scope_rhbk.adoc
  • docs/topics/mta-install/proc_configure-identity-provider-cr.adoc
  • docs/topics/mta-install/con_ldap-token-lifecycle.adoc
  • docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc
🚧 Files skipped from review as they are similar to previous changes (7)
  • docs/topics/mta-install/proc_add-users-assign-roles-web-console.adoc
  • docs/topics/mta-install/proc_create-custom-role-assign-permissions.adoc
  • assemblies/mta-install-title/assembly_identity-provider-authentication.adoc
  • docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc
  • docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc
  • docs/topics/mta-install/con_administrative-tasks.adoc
  • docs/install-guide/master.adoc

@Pkylas007
Pkylas007 requested a review from sshveta July 7, 2026 13:00
@Pkylas007

Pkylas007 commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

@jortel Thank you for multiple rounds of reviews in my draft!

Can you please take a look at the preview links and provide me your feedback?

@Pkylas007
Pkylas007 requested a review from dymurray July 7, 2026 16:36

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
docs/topics/mta-install/proc_generate-api-key-web-console.adoc (1)

22-26: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add secure-handling guidance for the API key.

Because the key can remain valid for up to 10 years, instruct users to store it in a secret manager, never commit or log it, and revoke/regenerate it if exposed.

Suggested documentation
 . Copy the displayed token.
 +
+IMPORTANT: Treat the API key as a secret. Store it securely, do not commit or log it, and revoke it immediately if it is exposed.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/topics/mta-install/proc_generate-api-key-web-console.adoc` around lines
22 - 26, Update the API-key instructions near “Copy the displayed token” to
direct users to store the key in a secure secret manager, never commit or log
it, and revoke and regenerate it immediately if exposed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/topics/mta-install/proc_generate-api-key-web-console.adoc`:
- Around line 22-26: Update the API-key instructions near “Copy the displayed
token” to direct users to store the key in a secure secret manager, never commit
or log it, and revoke and regenerate it immediately if exposed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 17907230-2f86-449b-a230-6291d1543cf1

📥 Commits

Reviewing files that changed from the base of the PR and between 3d65f46 and 94628e9.

📒 Files selected for processing (10)
  • assemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adoc
  • assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
  • docs/install-guide/master.adoc
  • docs/topics/mta-install/con_keycloak-migration.adoc
  • docs/topics/mta-install/con_roles-personas-users-permissions.adoc
  • docs/topics/mta-install/con_scope_rhbk.adoc
  • docs/topics/mta-install/con_why-use-hub-oidc.adoc
  • docs/topics/mta-install/proc_generate-api-key-web-console.adoc
  • docs/topics/mta-install/proc_revoke-api-key-admin.adoc
  • docs/topics/mta-install/proc_revoke-api-key-migrator.adoc
💤 Files with no reviewable changes (1)
  • assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
✅ Files skipped from review due to trivial changes (5)
  • docs/topics/mta-install/proc_revoke-api-key-migrator.adoc
  • docs/topics/mta-install/con_scope_rhbk.adoc
  • docs/topics/mta-install/proc_revoke-api-key-admin.adoc
  • docs/topics/mta-install/con_why-use-hub-oidc.adoc
  • docs/topics/mta-install/con_roles-personas-users-permissions.adoc
🚧 Files skipped from review as they are similar to previous changes (2)
  • docs/topics/mta-install/con_keycloak-migration.adoc
  • docs/install-guide/master.adoc

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc (1)

44-58: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Make the analysis mode examples match the Java guidance.

The copy-paste commands use --mode source-only, while the TIP says Java applications require full. A Java user following the procedure literally may receive an incomplete analysis. Provide separate Java/non-Java commands or make the mode an explicit placeholder in both examples.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc` around lines 44 -
58, Update the command examples in the analysis procedure to align with the Java
guidance: provide separate commands for Java using --mode full and non-Java
using --mode source-only, or replace the mode with an explicit placeholder and
document the required values. Apply this consistently to both the basic command
and the --target quarkus example.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc`:
- Around line 44-58: Update the command examples in the analysis procedure to
align with the Java guidance: provide separate commands for Java using --mode
full and non-Java using --mode source-only, or replace the mode with an explicit
placeholder and document the required values. Apply this consistently to both
the basic command and the --target quarkus example.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d5cee7fa-fb50-4f7f-b58a-4705fbbceb69

📥 Commits

Reviewing files that changed from the base of the PR and between 94628e9 and a666db1.

📒 Files selected for processing (4)
  • assemblies/cli-guide/assembly_analyzing-applications-using-profiles.adoc
  • assemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adoc
  • docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc
  • docs/topics/mta-cli/proc_connect-to-hub.adoc
✅ Files skipped from review due to trivial changes (1)
  • docs/topics/mta-cli/proc_connect-to-hub.adoc
🚧 Files skipped from review as they are similar to previous changes (1)
  • assemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adoc

@Pkylas007
Pkylas007 requested a review from anarnold97 July 10, 2026 14:43
Comment thread assemblies/mta-install-title/assembly_basic-authentication-local-users.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_hub-oidc-authentication.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_identity-provider-authentication.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_identity-provider-authentication.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_identity-provider-authentication.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_ldap-authentication.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc Outdated
Comment thread assemblies/mta-install-title/assembly_uri-templating-wildcard-patterns.adoc Outdated
= Scope management in RHBK

[role="_abstract"]
You can manually manage {ProductFullName} scopes in Red Hat Build of Keycloak (RHBK) and assign the scopes to roles so that {ProductShortName} assigns the necessary permissions to the Keycloak user.

@jortel jortel Jul 12, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make it clear that: Although dynamic scopes are highly recommended user's can assign individual scopes.

@Pkylas007 Pkylas007 Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jortel ! I have placed the dynamic scope section above the manual scope management to emphasize it as the preferred method to expand scopes. RH does not permit me to use the word "recommend".

Please could you take a look at the update?

Comment thread docs/topics/mta-cli/proc_connect-to-hub.adoc Outdated
Comment thread docs/topics/mta-cli/proc_connect-to-hub.adoc Outdated
Comment thread docs/topics/mta-cli/proc_connect-to-hub.adoc Outdated
Comment thread docs/topics/mta-cli/proc_connect-to-hub.adoc Outdated
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc Outdated
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc Outdated
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc Outdated
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc Outdated
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc Outdated
Comment thread docs/topics/mta-install/con_administrative-tasks.adoc Outdated
Comment thread docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc Outdated
Comment thread docs/topics/mta-install/proc_create-custom-role-assign-permissions.adoc Outdated
= Enable authentication in Tackle custom resource

[role="_abstract"]
Administrators can optionally configure authentication fields and token lifespan in the Tackle custom resource. If you do not configure, the {ProductFullName} Hub applies default values for the authentication and token fields.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Administrators can optionally configure authentication fields and token lifespan in the Tackle custom resource. If you do not configure, the {ProductFullName} Hub applies default values for the authentication and token fields.
As an administrator, you can configure authentication fields and the token lifespan in the Tackle custom resource (CR). If you do not configure these fields, the {ProductFullName} Hub applies default values.

The word "optionally" is redundant because the auxiliary verb "can" combined with the next sentence ("If you do not...") already implies it is optional. Removing it improves minimalism. Additionally, you can tighten the end of the second sentence to just "applies default values" to avoid needlessly repeating the field names.

Comment thread docs/topics/mta-install/proc_enable-authentication-cr.adoc Outdated
= Generate API key from the web console

[role="_abstract"]
You can generate application programming interface (API) keys in the {ProductFirstRef} web console. The API key inherits permissions from the authenticated user's roles and has a maximum lifespan limit of 10 years. You can optionally configure the lifespan period when you create a token.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
You can generate application programming interface (API) keys in the {ProductFirstRef} web console. The API key inherits permissions from the authenticated user's roles and has a maximum lifespan limit of 10 years. You can optionally configure the lifespan period when you create a token.
As an administrator, you can generate application programming interface (API) keys in the {ProductFirstRef} web console. An API key inherits permissions from the authenticated user's roles and has a maximum lifespan of 10 years. You can configure the lifespan when you create a token.

Change the first sentence to start with "As an administrator, you can..." to maintain the consistent conversational tone established in previous reviews.

"maximum lifespan limit" is redundant. Change to "maximum lifespan".
"lifespan period" is also redundant. Change to "lifespan".

As noted in previous reviews, "optionally" is redundant when paired with the auxiliary verb "can". Simply say "You can configure the lifespan..."

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to split this introduction to keep it under 300 characters. Thanks for the review!

Comment thread docs/topics/mta-install/proc_generate-api-key-web-console.adoc
= Revoke API keys as an administrator

[role="_abstract"]
Administrators can revoke an application programming interface (API) key before its lifespan in the migration toolkit for application (MTA) web console.

@anarnold97 anarnold97 Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Administrators can revoke an application programming interface (API) key before its lifespan in the migration toolkit for application (MTA) web console.
As an administrator, you can revoke an application programming interface (API) key before it expires in the {ProductFirstRef} web console.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please let me check with the SME if we can use expires here. API keys have a separate parameter called expiration, other than lifespan.

Comment thread docs/topics/mta-install/proc_revoke-api-key-admin.adoc
Comment thread docs/topics/mta-install/proc_revoke-api-key-migrator.adoc Outdated
Comment thread docs/topics/mta-install/proc_revoke-api-key-migrator.adoc
Comment thread docs/topics/mta-install/proc_revoke-api-key-migrator.adoc Outdated
Comment thread docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc Outdated
Comment thread docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc Outdated
Comment thread docs/topics/mta-install/ref_openldap-active-directory-configurations.adoc Outdated
Comment thread docs/topics/mta-install/ref_uri-template-variables.adoc Outdated
Comment thread docs/topics/mta-install/ref_uri-template-variables.adoc Outdated
Comment thread docs/topics/mta-install/ref_uri-wildcard-patterns.adoc Outdated
Comment thread docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc Outdated

@anarnold97 anarnold97 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Not a long wrong, despite the number of comments

Nothing I would really say blocks merging, apart from the version numbers being repeated 8.2.0 and 8.2.

The rest is just RH SSG stuff, which is more to guide you than anything else.

I am making it Request changes just so you can run it past me again, as i imagine you would like a re-review later.

@Pkylas007
Pkylas007 requested review from anarnold97 and jortel July 15, 2026 11:26
@Pkylas007

Copy link
Copy Markdown
Collaborator Author

Thanks. Not a long wrong, despite the number of comments

Nothing I would really say blocks merging, apart from the version numbers being repeated 8.2.0 and 8.2.

The rest is just RH SSG stuff, which is more to guide you than anything else.

I am making it Request changes just so you can run it past me again, as i imagine you would like a re-review later.

@anarnold97 Thanks for the detailed review! I think I've included a majority of your feedback. Also, replaced version references with the version attribute as we discussed. Could you take a look at the updates, please?

* The `architect` role corresponds to the architect persona. An architect is a technical lead for the migration project. They can run assessments, create and modify applications and related information. They cannot modify or delete sensitive information, but can view it. For example, they can associate an existing set of credentials with a specific application repository.

* The `tackle-migrator` role corresponds to the Migrator persona. A Migrator can analyze applications. However, the Migrator cannot create, modify, or delete the applications.
* The `migrator` role corresponds to the migrator persona. A migrator can analyze applications but cannot create, modify, or delete the them.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cannot create, modify, or delete them

[role="_abstract"]
As an administrator, you can simplify security and regulatory compliance by implementing the {ProductFullName} Hub as an OpenID Connect (OIDC) broker to federate user authentication to an identity provider (IdP).

You can integrate the following IdPs and managing roles and permissions in the {ProductShortName} web console for authorization:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can integrate the following IdPs and manage roles

:_mod-docs-content-type: PROCEDURE

[id="revoke-api-key-migrator_{context}"]
= Revoke API keys as an migrator

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revoke API keys as a migrator

= Authentication fields in the Tackle CR

[role="_abstract"]
As an administrator, you can configure the authentication fields in the Tackle custom resource (CR) to include permission and role changes in new tokens, apply stateless validation, and control staleness for sessions and tokens by

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sentence is incomplete

name: idp-client-secret
namespace: openshift-mta
redirectURI: "https://hub.example.com/oidc/idp/callback"
primary:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't look correct .
I think it should be

Suggested change
primary:
primary:true

@jortel can you please review .

Signed-off-by: Prabha Kylasamiyer Sundara Rajan <pkylasam@redhat.com>
@Pkylas007
Pkylas007 force-pushed the mta-6893-hub-oidc-doc branch from ac3cccc to 50bf86f Compare July 19, 2026 12:59
Signed-off-by: Prabha Kylasamiyer Sundara Rajan <pkylasam@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants