Add Union authorization bootstrap docs for selfhosted#927

Closed
mhotan wants to merge 1 commit into mike/selfhosted-auth-docs from mike/selfhosted-authz-bootstrap-docs

Conversation

@mhotan (Contributor) commented Apr 20, 2026

Summary

  • Document how to enable and configure Union (built-in RBAC) authorization mode
  • Add bootstrap configuration: service accounts with correct sub claim values, admin users, organization/domains
  • Document trusted identity claims for internal S2S authentication
  • Add recommended migration path: Noop → verify auth → configure bootstrap → switch to Union
  • Update Configuration section to reference mode-specific docs

Stacked on #925 (peeter/selfhosted-docs)

Context

Peeter's authorization.md had detailed External mode docs but Union mode was light — no section on how to actually enable it, bootstrap service accounts, or set the first admin. Without bootstrap docs, users enabling Union mode will see permission denials on internal services.

Key callouts

  • clientId in bootstrap serviceAccounts must match the IdP's sub claim value, which differs by provider (Okta = Client ID, Entra ID = SP Object ID)
  • All three internal service accounts (S2S, Operator, EAGER) need Admin role for platform operations
  • Migration from Noop should verify auth works first before enabling authorization

Test Plan

  • Verify rendered docs with make dev (variant = "selfmanaged")
  • Internal links resolve ({{< relref >}} to authentication guide)
  • Bootstrap config matches actual Helm chart values structure

🤖 Generated with Claude Code

Document how to enable and configure Union (built-in RBAC) mode:
- Helm values to enable Union mode
- Bootstrap configuration: service accounts, admin users, organization
- Trusted identity claims for internal S2S authentication
- Warning about clientId matching IdP sub claim (Okta vs Entra ID)
- Recommended migration path: Noop → verify auth → configure bootstrap → Union

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages commented

Deploying docs with Cloudflare Pages

Latest commit: a9e6635
Status: ✅ Deploy successful!
Preview URL: https://8a20fa0b.docs-dog.pages.dev
Branch Preview URL: https://mike-selfhosted-authz-bootst.docs-dog.pages.dev

@ppiegaze (Collaborator) commented

Superseded by #934, which adapts this content to the new flyte/union variant structure (stacked on #933).

@ppiegaze ppiegaze closed this Apr 22, 2026