feat: Expose TLS settings and example deploy with oauth-proxy (#112)

Signed-off-by: Michele Dolfi <dol@zurich.ibm.com>
2025-12-03 02:23:19 +00:00 · 2025-03-31 08:51:30 -04:00
parent 9ffe49a359
commit 7a0fabae07
5 changed files with 283 additions and 7 deletions
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -1,12 +1,40 @@
 # Deployment

-## Kubernetes and OpenShift
+## OpenShift

-### Knative
+### Secure deployment with `oauth-proxy`

-The following manifest will launch Docling Serve using Knative to expose the application
-with an external ingress endpoint.
+Manifest example: [docling-serve-oauth.yaml](./deploy-examples/docling-serve-oauth.yaml)

-```yaml
-# TODO
+This deployment has the following features:
+
+- TLS encryption between all components (using the cluster-internal CA authority).
+- Authentication via a secure `oauth-proxy` sidecar.
+- Expose the service using a secure OpenShift `Route`
+
+Install the app with:
+
+```sh
+kubectl apply -f docs/deploy-examples/docling-serve-oauth.yaml
+```
+
+For using the API:
+
+```sh
+# Retrieve the endpoint
+DOCLING_NAME=docling-serve
+DOCLING_ROUTE="https://$(oc get routes ${DOCLING_NAME} --template={{.spec.host}})"
+
+# Retrieve the authentication token
+OCP_AUTH_TOKEN=$(oc whoami --show-token)
+
+# Make a test query
+curl -X 'POST' \
+  "${DOCLING_ROUTE}/v1alpha/convert/source/async" \
+  -H "Authorization: Bearer ${OCP_AUTH_TOKEN}" \
+  -H "accept: application/json" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "http_sources": [{"url": "https://arxiv.org/pdf/2501.17887"}]
+  }'
 ```