LCORE-1019: Split auth.md into modular documentation structure

[major]

Description

Reorganize authentication documentation from a single 368-line file into a dedicated docs/auth/ directory with focused files for each authentication module. This makes the documentation easier to navigate and maintain.

New structure:

• docs/auth/index.md - Overview, configuration basics, module selection guide
• docs/auth/noop.md - noop & noop-with-token modules
• docs/auth/kubernetes.md - K8s/OCP authentication
• docs/auth/jwk-token.md - JWT/OAuth2 with role extraction
• docs/auth/api-key-token.md - Static API key auth
• docs/auth/rh-identity.md - Expanded Red Hat Identity auth documentation
• docs/auth/authorization.md - Role resolution & access rules

rh-identity expansion includes:

• User and System identity type documentation
• Entitlement validation configuration
• Header structure examples (decoded JSON)
• Request examples with curl commands
• Error response reference table
• Troubleshooting guide

The original docs/auth.md is retained as a redirect page to maintain existing links.

Type of change

• Documentation Update

Tools used to create PR

• Assisted-by: Claude (Anthropic)
• Generated by: N/A

Related Tickets & Documents

• Related Issue: https://issues.redhat.com/browse/LCORE-1019

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

This is a documentation-only change. Testing steps:

1. Verify all markdown files render correctly
2. Verify all internal links between documentation files work
3. Verify existing link in README.md (docs/auth.md) still works via redirect

Summary by CodeRabbit

Documentation

• Reorganized authentication documentation into modular guides covering each authentication method (API Key Token, JWK Token, Kubernetes, No-op, and Red Hat Identity)
• Added comprehensive authorization system documentation detailing role and access resolution, configuration options, and example setups
• Updated configuration examples for improved clarity

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR reorganizes authentication documentation from a monolithic file into modular documentation pages. The main docs/auth.md file is refactored to provide navigation links to dedicated pages covering noop, Kubernetes, JWT token, API key token, Red Hat Identity authentication modules and authorization system.

Changes

Cohort / File(s)	Summary
Main Auth Documentation Reorganization docs/auth.md	Removed detailed module content (noop, noop-with-token, k8s, jwk-token, api-key-token, rh-identity) and authorization sections; replaced with concise overview and quick navigation links pointing to modular docs (−362 lines, +10 lines).
Authentication Module Documentation docs/auth/noop.md, docs/auth/kubernetes.md, docs/auth/jwk-token.md, docs/auth/api-key-token.md, docs/auth/rh-identity.md	Five new module-specific documentation files covering configuration, behavior, identity handling, examples, and security considerations for each authentication method.
Authorization & Index Reference docs/auth/index.md, docs/auth/authorization.md	New modular authentication system overview with configuration guidance and comprehensive RBAC authorization documentation including role resolution strategies, access rules, and example configurations.
Configuration Example examples/lightspeed-stack-rh-identity.yaml	Updated YAML formatting: changed authentication.module from quoted to unquoted string and reformatted required_entitlements from inline to block-style list; no functional changes.

Possibly related PRs

• Regenerated OpenAPI spec + doc #451 — Adds OpenAPI/schema definitions (AuthorizationConfiguration, AccessRule, JwtRoleRule) that directly correspond to the new authorization and JWT token documentation.
• LCORE-261: updated OpenAPI #817 — Introduces RHIdentityConfiguration OpenAPI schema addition that corresponds to the new rh-identity module documentation.
• AAP-59476: API Key (Bearer) token auth module. #855 — Implements the "api-key-token" authentication module that this PR documents.

Suggested labels

ok-to-test

Suggested reviewers

• tisnik

---

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: splitting a monolithic auth.md file into a modular documentation structure organized by authentication modules.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@docs/auth/api-key-token.md`:
- Around line 57-63: The example YAML uses the wrong env var syntax; update the
snippet under authentication -> module: api-key-token and api_key_config ->
api_key to use the format expected by replace_env_vars(), i.e. ${env.VAR_NAME}
(change ${API_KEY} to ${env.API_KEY}) so the configuration loader will correctly
substitute the environment variable.

🧹 Nitpick comments (1)

docs/auth/index.md (1)

45-47: Add language identifier to code block.

For better rendering and to satisfy markdown linting, consider adding a language identifier to the code block. For ASCII art diagrams, use text:

-```
+```text
 Request → Authentication Module → User Identity → Role Resolution → Access Check → Endpoint

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find configuration loading code and environment variable handling

echo "=== Searching for configuration loader implementations ==="
rg -n "yaml|load.*config|environ|getenv|VAR" --type py -g "*.py" | head -50

echo -e "\n=== Looking for specific config/loader files ==="
fd -e py -e yaml | grep -E "(config|load|auth)" | head -20

echo -e "\n=== Checking main entry points ==="
fd -e py | xargs grep -l "yaml\|config" | head -10

Repository: lightspeed-core/lightspeed-stack

Length of output: 6111

---

🏁 Script executed:

#!/bin/bash
# Find the actual load_configuration implementation and environment variable handling

echo "=== Finding load_configuration method ==="
rg -n "def load_configuration" --type py -B2 -A10

echo -e "\n=== Check api_key_token.py for env var handling ==="
rg -n "environment\|environ\|getenv\|\${" --type py src/authentication/api_key_token.py -A2 -B2

echo -e "\n=== Look for any environment variable substitution functions ==="
rg -n "substitute\|interpolate\|expand.*env" --type py

echo -e "\n=== Check how YAML is loaded in main config ==="
rg -n "yaml.load\|safe_load" --type py -B3 -A3 | head -40

Repository: lightspeed-core/lightspeed-stack

Length of output: 1224

---

🏁 Script executed:

#!/bin/bash
# Find replace_env_vars function implementation

echo "=== Find replace_env_vars import and definition ==="
rg -n "replace_env_vars|from.*import.*replace" --type py -B2 -A10

echo -e "\n=== Search for def replace_env_vars ==="
rg -n "def replace_env_vars" --type py -A20

echo -e "\n=== Check for regex or pattern matching env vars ==="
rg -n "\\\$\{|environ\|getenv" --type py -B3 -A3

Repository: lightspeed-core/lightspeed-stack

Length of output: 5535

---

🏁 Script executed:

#!/bin/bash
# Find examples and tests showing how replace_env_vars works

echo "=== Search for test cases with environment variables ==="
rg -n "replace_env_vars|API_KEY|\\\$\{" --type py tests/ -A3 -B1 | head -60

echo -e "\n=== Look for example configuration files with env vars ==="
find . -name "*.yaml" -o -name "*.yml" | xargs grep -l "API_KEY\|\\\$\{" 2>/dev/null

echo -e "\n=== Check example configuration files ==="
ls -la examples/
cat examples/lightspeed-stack-api-key-auth.yaml 2>/dev/null | head -40

Repository: lightspeed-core/lightspeed-stack

Length of output: 3273

---

🏁 Script executed:

#!/bin/bash
# Search for actual environment variable usage patterns in config files

echo "=== Search all YAML files for environment variable patterns ==="
find . -name "*.yaml" -o -name "*.yml" | xargs grep -h "^\|" 2>/dev/null | sort -u | head -20

echo -e "\n=== Look for any test configurations with env vars ==="
find tests/ -name "*.yaml" -o -name "*.yml" | xargs cat 2>/dev/null | grep -E "\$|API_KEY|env" -B2 -A2

echo -e "\n=== Check if llama_stack is in requirements/dependencies ==="
find . -name "requirements*.txt" -o -name "pyproject.toml" -o -name "setup.py" | xargs grep -l "llama.stack\|llama_stack" 2>/dev/null

echo -e "\n=== Check pyproject.toml for llama_stack version info ==="
cat pyproject.toml 2>/dev/null | head -100

Repository: lightspeed-core/lightspeed-stack

Length of output: 50388

---

Update example to use correct environment variable syntax.

The documentation shows ${API_KEY} but the correct syntax is ${env.API_KEY} with the env. prefix. The llama-stack configuration loader's replace_env_vars() function expects environment variables in the format ${env.VAR_NAME}.

Update the example to:

authentication:
  module: api-key-token
  api_key_config:
    api_key: ${env.API_KEY}  # From environment variable

🤖 Prompt for AI Agents

In `@docs/auth/api-key-token.md` around lines 57 - 63, The example YAML uses the
wrong env var syntax; update the snippet under authentication -> module:
api-key-token and api_key_config -> api_key to use the format expected by
replace_env_vars(), i.e. ${env.VAR_NAME} (change ${API_KEY} to ${env.API_KEY})
so the configuration loader will correctly substitute the environment variable.

[tisnik]

LGTM