docs: fix required permissions for oauth2-proxy requests (#141)

Signed-off-by: Michele Dolfi <dol@zurich.ibm.com>
2025-11-29 00:23:36 +00:00 · 2025-04-19 18:46:28 +02:00
parent 57f9073bc0
commit 087417e5c2
1 changed files with 8 additions and 31 deletions
--- a/docs/deploy-examples/docling-serve-oauth.yaml
+++ b/docs/deploy-examples/docling-serve-oauth.yaml
@@ -9,41 +9,18 @@ metadata:
  annotations:
    serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"docling-serve"}}'
 ---
-kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
  name: docling-serve-oauth
-  labels:
-    app: docling-serve
-    component: docling-serve-api
-rules:
-  - verbs:
-      - create
-    apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-  - verbs:
-      - create
-    apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: docling-serve-oauth
-  labels:
-    app: docling-serve
-    component: docling-serve-api
-subjects:
-  - kind: ServiceAccount
-    name: docling-serve
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: docling-serve-oauth
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: docling-serve
+  namespace: docling
 ---
 apiVersion: route.openshift.io/v1
 kind: Route
@@ -153,7 +130,7 @@ spec:
            - name: proxy-tls
              mountPath: /etc/tls/private
          imagePullPolicy: Always
-          image: 'ghcr.io/docling-project/docling-serve'
+          image: 'ghcr.io/docling-project/docling-serve-cpu:fix-ui-with-https'
        - name: oauth-proxy
          resources:
            limits: