Fixed code rabbit comments & docs

Signed-off-by: Dmytro Zaharnytskyi <zdmytro@redhat.com>

Author: dmytro-zaharnytskyi

docs/samples/install/keycloak/README.md

@@ -71,8 +71,8 @@ The easiest way to configure realms is through the web UI:
    - **Authorization:** OFF
    - **Authentication flow:** Standard flow, Direct access grants
    - Click "Next"
-   - **Valid redirect URIs:** `https://*.{your-cluster-domain}/*`
-   - **Web origins:** `+` (allows CORS from redirect URIs)
+   - **Valid redirect URIs:** `https://maas.apps.{your-cluster-domain}/*` (restrict to the MaaS gateway host)
+   - **Web origins:** `https://maas.apps.{your-cluster-domain}` (restrict to the MaaS gateway host)
    - Click "Save"
 
 5. **Configure Group Mapper**

scripts/README.md

@@ -35,7 +35,8 @@ Automated deployment script for OpenShift clusters supporting both operator-base
 - `--operator-type <odh|rhoai>` - Which operator to install (default: odh)
 - `--deployment-mode <operator|kustomize>` - Deployment method (default: operator)
 - `--namespace <namespace>` - Target namespace for deployment
-- `--external-oidc` - Enable external OIDC patching for `maas-api`
+- `--external-oidc` - Enable external OIDC on the `maas-api` AuthPolicy (kustomize mode only; in operator mode, configure `spec.externalOIDC` on the `ModelsAsService` CR)
+- `--enable-keycloak` - Deploy a Keycloak instance for external OIDC testing
 - `--enable-tls-backend` - Enable TLS backend (default)
 - `--disable-tls-backend` - Disable TLS backend
 - `--verbose` - Enable debug logging
@@ -147,10 +148,26 @@ Results:
 
 ---
 
-### External OIDC Test Configuration
-This repository no longer provisions a temporary Keycloak instance for external OIDC testing.
+### External OIDC
 
-Use an externally provisioned OIDC provider and set these variables when running the Prow-style E2E flow with `EXTERNAL_OIDC=true`:
+External OIDC can be enabled in two ways:
+
+**Operator mode:** Edit the `ModelsAsService` CR to add `spec.externalOIDC` with
+`issuerUrl` and `clientId`. The operator patches the AuthPolicy automatically.
+
+**Kustomize mode:** Use `--external-oidc` with env vars:
+```bash
+OIDC_ISSUER_URL=https://idp.example.com/realms/my-realm \
+OIDC_CLIENT_ID=my-client \
+./scripts/deploy.sh --deployment-mode kustomize --external-oidc
+```
+
+For a development Keycloak instance, use `--enable-keycloak` or run
+`./scripts/setup-keycloak.sh` directly. See
+[Keycloak setup](../docs/samples/install/keycloak/README.md) for realm
+configuration and test users.
+
+**E2E testing** with `EXTERNAL_OIDC=true` requires these environment variables:
 
 - `OIDC_ISSUER_URL`
 - `OIDC_TOKEN_URL`

scripts/data/maas-api-authpolicy-external-oidc-patch.yaml

@@ -8,7 +8,19 @@ spec:
           issuerUrl: __OIDC_ISSUER_URL__
         priority: 1
       openshift-identities:
+        when:
+          - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
         priority: 2
+    authorization:
+      oidc-client-bound:
+        when:
+          - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-") && request.headers.authorization.matches("^Bearer [^.]+\\.[^.]+\\.[^.]+$")'
+        patternMatching:
+          patterns:
+            - selector: auth.identity.azp
+              operator: eq
+              value: __OIDC_CLIENT_ID__
+        priority: 1
     response:
       success:
         headers:

scripts/deploy.sh

@@ -1425,18 +1425,33 @@ resolve_external_oidc_issuer() {
   printf '%s\n' "$oidc_issuer_url"
 }
 
+resolve_external_oidc_client_id() {
+  local oidc_client_id="${OIDC_CLIENT_ID:-}"
+  if [[ -z "$oidc_client_id" ]]; then
+    oidc_client_id=$(get_odh_overlay_param "oidc-client-id" 2>/dev/null || echo "")
+  fi
+
+  if [[ -z "$oidc_client_id" ]]; then
+    return 1
+  fi
+
+  printf '%s\n' "$oidc_client_id"
+}
+
 patch_authpolicy_from_template() {
   local authpolicy_name="$1"
   local template_file="$2"
   local maas_namespace="$3"
   local oidc_issuer_url="${4:-}"
+  local oidc_client_id="${5:-}"
 
   local rendered_patch
   rendered_patch="$(mktemp)"
 
   sed \
     -e "s|__MAAS_NAMESPACE__|${maas_namespace}|g" \
     -e "s|__OIDC_ISSUER_URL__|${oidc_issuer_url}|g" \
+    -e "s|__OIDC_CLIENT_ID__|${oidc_client_id}|g" \
     "$template_file" > "$rendered_patch"
 
   kubectl patch authpolicy "$authpolicy_name" -n "$NAMESPACE" --type=merge --patch-file "$rendered_patch"
@@ -1481,8 +1496,8 @@ configure_maas_api_authpolicy() {
   local api_keys_patch="$project_root/scripts/data/maas-api-authpolicy-api-keys-patch.yaml"
   log_info "  Patching AuthPolicy to ensure API key support..."
   if ! patch_authpolicy_from_template "$authpolicy_name" "$api_keys_patch" "$NAMESPACE"; then
-    log_warn "  Failed to patch AuthPolicy with API key configuration"
-    return 0
+    log_error "  Failed to patch AuthPolicy with API key configuration"
+    return 1
   fi
 
   if [[ "$EXTERNAL_OIDC" != "true" ]]; then
@@ -1496,11 +1511,17 @@ configure_maas_api_authpolicy() {
     return 1
   }
 
+  local oidc_client_id
+  oidc_client_id="$(resolve_external_oidc_client_id)" || {
+    log_error "External OIDC requested but no oidc-client-id or OIDC_CLIENT_ID was configured"
+    return 1
+  }
+
   local oidc_patch="$project_root/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml"
-  log_info "  Enabling OIDC JWT validation with issuer: $oidc_issuer_url"
-  if ! patch_authpolicy_from_template "$authpolicy_name" "$oidc_patch" "$NAMESPACE" "$oidc_issuer_url"; then
-    log_warn "  Failed to patch AuthPolicy with external OIDC configuration"
-    return 0
+  log_info "  Enabling OIDC JWT validation with issuer: $oidc_issuer_url, clientId: $oidc_client_id"
+  if ! patch_authpolicy_from_template "$authpolicy_name" "$oidc_patch" "$NAMESPACE" "$oidc_issuer_url" "$oidc_client_id"; then
+    log_error "  Failed to patch AuthPolicy with external OIDC configuration"
+    return 1
   fi
 
   log_info "  AuthPolicy patched successfully"

scripts/setup-keycloak.sh

@@ -25,7 +25,7 @@
 #
 # Access Keycloak Admin Console:
 #   1. Get admin password:
-#      kubectl get secret -n keycloak-system keycloak-initial-admin \
+#      kubectl get secret -n keycloak-system maas-keycloak-initial-admin \
 #        -o jsonpath='{.data.password}' | base64 -d
 #   2. Navigate to: https://keycloak.{cluster-domain}
 #   3. Login as: admin / {password-from-step-1}
@@ -92,6 +92,7 @@ spec:
   name: keycloak-operator
   source: community-operators
   sourceNamespace: openshift-marketplace
+  startingCSV: keycloak-operator.v26.5.6
   installPlanApproval: Automatic
 EOF