Expand documentation on token exchange based login

[NickCao]

Summary by CodeRabbit

• Documentation
  • Updated instructions to streamline the setup of OpenID Connect (OIDC) authentication.
  • Added comprehensive guidance for integrating Dex for Kubernetes Service Account authentication, including certificate, binding, and configuration steps for enhanced security and usability.

[coderabbitai]

Walkthrough

The documentation has been updated to simplify the OIDC setup for the Jumpstarter system. Instead of patching clients and exporters using kubectl commands, users now employ the jmp admin create --oidc-username flag to set the OIDC username during creation. Additionally, the guide now includes detailed instructions for configuring Dex for Kubernetes Service Account authentication by initializing a self-signed CA, creating a TLS certificate secret, installing Dex with Helm, and setting up a cluster role binding.

Changes

File(s)	Change Summary
docs/.../oidc.md	Revised steps for creating clients/exporters to use the --oidc-username flag with jmp admin create. Added sections on Dex setup including CA init, TLS secret creation, Helm installation, OIDC connector configuration, and role binding for OIDC discovery.

Sequence Diagram(s)

sequenceDiagram
    participant User as User
    participant CLI as Jumpstarter CLI
    participant API as Jumpstarter API
    participant Dex as Dex Server
    User->>CLI: Execute "jmp admin create --oidc-username"
    CLI->>API: Request client/exporter creation
    API->>Dex: Verify OIDC credentials
    Dex-->>API: Return OIDC validation result
    API-->>CLI: Respond with creation confirmation

Loading

sequenceDiagram
    participant Admin as System Admin
    participant K8s as Kubernetes API
    participant Dex as Dex Server
    Admin->>K8s: Initialize self-signed CA and create TLS secret
    Admin->>K8s: Install Dex via Helm with OIDC configuration
    K8s-->>Dex: Deploy Dex with provided settings
    Admin->>K8s: Create cluster role binding for unauthenticated OIDC discovery

Loading

Possibly related PRs

• esp32: introduce esp32 driver jumpstarter#294: Addresses similar OIDC integration changes in client/exporter configuration.
• feat: add automotive diagnostic drivers (DoIP, UDS-CAN, UDS-DoIP) jumpstarter#295: Introduces the --oidc-username flag in client and exporter creation functions.
• feat: accept both singular and plural noun forms in CLI commands jumpstarter#329: Implements enhancements related to OIDC token-based login using a --token option.

Suggested reviewers

• mangelajo

Poem

I'm a bunny with code so fine,
Hopping through docs with a joyful sign,
OIDC now leads the digital dance,
With Dex and commands, our systems advance,
Celebrate each change—hoppin' in rhythm all the time! 🐇🌟

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[netlify]

✅ Deploy Preview for jumpstarter-docs ready!

Name	Link
🔨 Latest commit	6da5a75
🔍 Latest deploy log	https://app.netlify.com/sites/jumpstarter-docs/deploys/67cb2f3ec6573c0008b7fd8a
😎 Deploy Preview	https://deploy-preview-332--jumpstarter-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

docs/source/config/oidc.md (3)

52-66: Dex Certificate Setup Documentation
The steps for initializing a self-signed CA, building the server certificate, and creating the TLS secret for Dex are clear and sequential. Consider adding a brief troubleshooting note or a pointer to further documentation in case certificate generation fails.

---

125-142: Configuring Jumpstarter to Trust Dex
The YAML snippet for setting up Jumpstarter’s authentication configuration is clear and aligns with the Dex setup. However, ensure that the code block is properly closed (i.e. terminated with triple backticks) in the final document to avoid markdown rendering issues. Additionally, a brief note on how users might obtain or generate the <content of pki/ca.crt> would make this section even clearer.

---

146-163: Login Command Instructions and Markdown Formatting
The login command examples for both clients and exporters are straightforward. To improve readability and adhere to markdown best practices, please specify a language for the fenced code block. For example, change the opening fence from:

-```
+```shell

Additionally, consider using the phrasal verb “log in” instead of “login” (when used as a verb) for grammatical consistency.

🧰 Tools

🪛 LanguageTool

[misspelling] ~146-~146: Did you mean the verb “log in”?
Context: ...igured. Finally, instruct the users to login with the following commands in pods con...

(LOG_IN)

🪛 markdownlint-cli2 (0.17.2)

148-148: Fenced code blocks should have a language specified
null

(MD040, fenced-code-language)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a5954df and 124cc15.

📒 Files selected for processing (1)

• docs/source/config/oidc.md (2 hunks)

🧰 Additional context used

🪛 LanguageTool

docs/source/config/oidc.md

[uncategorized] ~144-~144: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...:test-service-account`. Just prefix the full service account name with "dex:", as previously...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

---

[misspelling] ~146-~146: Did you mean the verb “log in”?
Context: ...igured. Finally, instruct the users to login with the following commands in pods con...

(LOG_IN)

🪛 markdownlint-cli2 (0.17.2)

docs/source/config/oidc.md

148-148: Fenced code blocks should have a language specified
null

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms (6)

• GitHub Check: pytest-matrix (3.11)
• GitHub Check: pytest-matrix (3.12)
• GitHub Check: pytest-matrix (3.13)
• GitHub Check: e2e
• GitHub Check: build-and-push-image (jumpstarter-dev/jumpstarter-devspace .devfile/Containerfile.client)
• GitHub Check: build-and-push-image (jumpstarter-dev/jumpstarter-dev .devfile/Containerfile)

🔇 Additional comments (4)

docs/source/config/oidc.md (4)

30-30: Streamlined Client/Exporter Creation Instructions
The updated instructions using the --oidc-username flag simplify the process by eliminating the need for separate patching via kubectl commands. Please verify that any prior references to patching are removed for consistency.

---

68-113: Comprehensive Dex Helm Configuration
The provided YAML configuration (dex.values.yaml) is well-structured and covers key settings (HTTPS enablement, TLS paths, storage configuration, static clients, and connectors). Ensure that the certificate paths (e.g. /etc/dex/tls/tls.crt) match those generated previously and that the in-cluster storage settings are valid for your deployment environment.

---

115-123: RBAC and Helm Commands for Dex Installation
The instructions for creating a cluster role binding to allow unauthenticated access for OIDC discovery and for installing Dex via Helm are precise. For environments with strict RBAC policies, please verify whether additional permissions may be necessary.

---

143-145: Client and Exporter Creation with Dex
The instructions to create clients and exporters using the jmp admin create command—with the requirement to prefix the service account name with "dex:"—are consistent with the updated configuration.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~144-~144: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...:test-service-account`. Just prefix the full service account name with "dex:", as previously...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

[mangelajo]

Looks great!