Feature/add providers docs (#60)

* add-oidc-docs-2

* Update content/en/docs/oidc.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* add Identity Provider docs

* add newlines

* refactor oidc

---------

Co-authored-by: Andrei Kvapil <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

content/en/docs/OIDC/_index.md

@@ -0,0 +1,6 @@
+---
+title: "OIDC in Cozystack"
+linkTitle: "OIDC"
+description: "OIDC in Cozystack"
+weight: 36
+---

content/en/docs/oidc.md → content/en/docs/OIDC/enable_oidc.md

@@ -1,8 +1,8 @@
 ---
-title: "OIDC Server"
+title: "Enable OIDC Server"
 linkTitle: "OIDC Server"
-description: "OIDC Server"
-weight: 35
+description: "How to enable OIDC Server"
+weight: 10
 ---
 
 ## Prerequisites
@@ -26,11 +26,11 @@ weight: 35
 3. **Storage Configuration**  
    Storage must be properly configured.
 
-## Configuration
+## Configuration  
 
 If all prerequisites are met, you can proceed with the configuration steps.
 
-### Step 1: Enable OIDC in Cozystack
+### Step 1: Enable OIDC in Cozystack  
 
 Edit your Cozystack ConfigMap to enable OIDC:
 

content/en/docs/OIDC/identity_providers/_index.md

@@ -0,0 +1,6 @@
+---
+title: "Identity providers"
+linkTitle: "Identity providers"
+description: "Identity providers managment."
+weight: 70
+---

content/en/docs/OIDC/identity_providers/gitlab.md

@@ -0,0 +1,49 @@
+---
+title: How to configure GitLab as an Identity Provider
+linkTitle: Gitlab
+description: "How to configure GitLab as an Identity Provider"
+weight: 30
+---
+
+You can use Gitlab identity provider for Keycloak
+
+### Overview
+
+## Create Application in Gitlab
+
+- Open `https://gitlab.com/groups/<YOUR_GROUP>/-/settings/applications`
+- Click `Add new application`
+- Name: cozy, Redirect URI: `https://keycloak.<root-host>/realms/cozy/broker/gitlab/endpoint`
+- Enable Confidential, api, read_api, read_user, openid, profile, email
+- Copy and save Secret
+
+
+## Configure Keycloak Identity Provider
+Create a `KeycloakRealmIdentityProvider` resource with the following configuration:
+
+```yaml
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmIdentityProvider
+metadata:
+  name: gitlab
+spec:
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+  alias: gitlab
+  authenticateByDefault: false
+  enabled: true
+  providerId: "gitlab"
+  config:
+    clientId: "YOUR GITLAB APP ID"
+    clientSecret: "YOUR GITLAB APP SECRET"
+    syncMode: "IMPORT"
+  mappers:
+    - name: "username"
+      identityProviderMapper: "oidc-username-idp-mapper"
+      identityProviderAlias: "gitlab"
+      config:
+        target: "LOCAL"
+        syncMode: "INHERIT"
+        template: "${ALIAS}---${CLAIM.preferred_username}"
+```

content/en/docs/OIDC/identity_providers/google.md

@@ -0,0 +1,72 @@
+---
+title: How to configure Google as an Identity Provider
+linkTitle: Google
+description: "How to configure Google as an Identity Provider"
+weight: 30
+---
+
+## Configure Google
+
+- Head over to [Google Console](https://console.cloud.google.com/apis/dashboard), login in to the console using Google account and you will see Google Developer Console. Once logged in, head over the top left drop-down to create new project.
+![1](/img/oidc/identity_providers/google/1.jpeg)
+
+- Click on "New Project" to proceed.
+![2](/img/oidc/identity_providers/google/2.jpeg)
+
+- Enter the project name of your choice and select the Organisation if you have multiple organisations. Once done click on "Create"
+![3](/img/oidc/identity_providers/google/3.jpeg)
+
+- Once the project is created you will get a pop-up suggesting to configure the consent screen. If not then head over to the Dashboard and head over to "Explore and enable APIs" options. Then Click on "Credentials" > "Configure Consent Screen" and head over to the next step.
+![4](/img/oidc/identity_providers/google/4.jpeg)
+
+- Click on "External" as we want to allow any Google account to be able to sign in to our application and hit "Create".
+![5](/img/oidc/identity_providers/google/5.jpeg)
+
+- After this, we will be redirected to pages where we will have to configure different things
+    - Application type: Public
+    - Application name: Your application name
+    - Authorised domains: Your application top-level domain name
+    - Application Homepage link: Your application homepage
+    - Application Privacy Policy link: Your application privacy policy link
+
+- Now head over to the Create Credentials option in the navbar and click on "OAuth Client ID".
+![6](/img/oidc/identity_providers/google/6.jpeg)
+
+- Select Application type as a "Web application" and name the application according to your choice. Next, Add the link provided in the Keycloak tab under "Authorized Redirect URIs" and click "Create". The link should look something like this
+```bash
+https://YOUR_KEYCLOAK_DOMAIN/auth/realms/cozy/broker/google/endpoint
+```
+![7](/img/oidc/identity_providers/google/7.jpeg)
+
+- As it is done, you will see a pop up with the information required in the next step. You will need to "Client ID" and "Client secret" in next step so make sure you make a safe copy of it.
+![8](/img/oidc/identity_providers/google/8.jpeg)
+
+## Configure Keycloak Identity Provider
+Create a `KeycloakRealmIdentityProvider` resource with the following configuration:
+
+```yaml
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmIdentityProvider
+metadata:
+  name: google
+spec:
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+  alias: google
+  authenticateByDefault: false
+  enabled: true
+  providerId: "google"
+  config:
+    clientId: "YOUR GOOGLE APP ID"
+    clientSecret: "YOUR GOOGLE APP SECRET"
+    syncMode: "IMPORT"
+  mappers:
+    - name: "username"
+      identityProviderMapper: "oidc-username-idp-mapper"
+      identityProviderAlias: "google"
+      config:
+        target: "LOCAL"
+        syncMode: "INHERIT"
+        template: "${ALIAS}---${CLAIM.email}"
+```

content/en/docs/users-managment/users_and_roles.md → content/en/docs/OIDC/users_and_roles.md

@@ -2,7 +2,7 @@
 title: Creating users and add roles for them
 linkTitle: Users and roles
 description: "How to create users and add roles for them"
-weight: 30
+weight: 50
 ---
 
 Creating users and add roles for them
@@ -40,8 +40,22 @@ To create a user, refer to the following documentation:
    ```
    Then Keycloak will be available at: `keycloak.infra.example.org`
 
+  {{% alert color="warning" %}}
+  If you are planning to integrate with external services either as clients or as IdPs, your Keycloak address needs to be publicly accessible and reachable by these services.
+  {{% /alert %}}
+
+
 ## Configure Roles for Each Tenant in Cozy:
 
+### Cluster wide
+- **`cozystack-cluster-admin`**
+  - Allow all.
+
+- **`kubeapps-admin`**
+  - Allow all in "" api group
+  - Allow all for helmreleases in helm.toolkit.fluxcd.io and apps.cozystack.io
+
+### Tenant wide
 - **`tenant-abc-view`**
   - Read-only access to resources from our API.
   - Ability to view logs.

content/en/docs/components.md

@@ -2,7 +2,7 @@
 title: "Cozystack Components"
 linkTitle: "Components"
 description: "Cozystack Components"
-weight: 40
+weight: 15
 ---
 
 ## Basic Platform Stack