Extended kubernetes auth documentation.

Author: pantierra

docs/user-guide/deployment.md

@@ -61,47 +61,4 @@ docker pull ghcr.io/developmentseed/stac-auth-proxy:v0.7.1
 
 ## Kubernetes
 
-The STAC Auth Proxy can be deployed to Kubernetes via the [Helm Chart available on the GitHub Container Registry (GHCR)](https://github.com/developmentseed/stac-auth-proxy/pkgs/container/stac-auth-proxy%2Fcharts%2Fstac-auth-proxy).
-
-### Prerequisites
-
-- Kubernetes 1.19+
-- Helm 3.2.0+
-
-### Installation
-
-```bash
-# Add the Helm repository
-helm registry login ghcr.io
-
-# Install with minimal configuration
-helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy \
-  --set env.UPSTREAM_URL=https://your-stac-api.com/stac \
-  --set env.OIDC_DISCOVERY_URL=https://your-auth-server/.well-known/openid-configuration \
-  --set ingress.host=stac-proxy.your-domain.com
-```
-
-### Configuration
-
-| Parameter                | Description                                   | Required | Default |
-| ------------------------ | --------------------------------------------- | -------- | ------- |
-| `env.UPSTREAM_URL`       | URL of the STAC API to proxy                  | Yes      | -       |
-| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery document URL         | Yes      | -       |
-| `env`                    | Environment variables passed to the container | No       | `{}`    |
-| `ingress.enabled`        | Enable ingress                                | No       | `true`  |
-| `ingress.className`      | Ingress class name                            | No       | `nginx` |
-| `ingress.host`           | Hostname for the ingress                      | No       | `""`    |
-| `ingress.tls.enabled`    | Enable TLS for ingress                        | No       | `true`  |
-| `replicaCount`           | Number of replicas                            | No       | `1`     |
-
-For a complete list of values, see the [values.yaml](https://github.com/developmentseed/stac-auth-proxy/blob/main/helm/values.yaml) file.
-
-### Management
-
-```bash
-# Upgrade
-helm upgrade stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy
-
-# Uninstall
-helm uninstall stac-auth-proxy
-```
+See [Kubernetes deployment](kubernetes.md) for detailed instructions on deploying to Kubernetes using Helm.

helm/AUTHORIZATION.md docs/user-guide/kubernetes.mdhelm/AUTHORIZATION.md renamed to docs/user-guide/kubernetes.md

@@ -1,15 +1,50 @@
-# Authorization configuration guide
+# Kubernetes Deployment
+
+Deploy STAC Auth Proxy to Kubernetes using the Helm chart.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+## Installation
+
+```bash
+helm registry login ghcr.io
+
+helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy \
+  --set env.UPSTREAM_URL=https://your-stac-api.com/stac \
+  --set env.OIDC_DISCOVERY_URL=https://your-auth-server/.well-known/openid-configuration \
+  --set ingress.host=stac-proxy.your-domain.com
+```
+
+### Configuration
+
+| Parameter                | Description                                   | Required | Default |
+| ------------------------ | --------------------------------------------- | -------- | ------- |
+| `env.UPSTREAM_URL`       | URL of the STAC API to proxy                  | Yes      | -       |
+| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery document URL         | Yes      | -       |
+| `env`                    | Environment variables passed to the container | No       | `{}`    |
+| `ingress.enabled`        | Enable ingress                                | No       | `true`  |
+| `ingress.className`      | Ingress class name                            | No       | `nginx` |
+| `ingress.host`           | Hostname for the ingress                      | No       | `""`    |
+| `ingress.tls.enabled`    | Enable TLS for ingress                        | No       | `true`  |
+| `replicaCount`           | Number of replicas                            | No       | `1`     |
+
+For a complete list of values, see the [values.yaml](https://github.com/developmentseed/stac-auth-proxy/blob/main/helm/values.yaml) file.
+
+## Authorization
 
 The chart provides two levels of authorization:
 
-1. **[Route-level authorization](https://developmentseed.org/stac-auth-proxy/user-guide/route-level-auth/)**: Controls which API endpoints are accessible and by whom
-2. **[Record-level authorization](https://developmentseed.org/stac-auth-proxy/user-guide/record-level-auth/)**: Filters collections and items based on user permissions
+1. **[Route-level authorization](route-level-auth.md)**: Controls which API endpoints are accessible and by whom
+2. **[Record-level authorization](record-level-auth.md)**: Filters collections and items based on user permissions
 
-## Route-Level Authorization
+### Route-Level Authorization
 
 Configure via `authorization.route` section in `values.yaml`.
 
-### Mode: `default` (Recommended)
+#### Mode: `default` (Recommended)
 
 Public catalog with protected write operations. This is the most common configuration.
 
@@ -21,7 +56,7 @@ authorization:
 
 This automatically sets `DEFAULT_PUBLIC=true`, making all read endpoints public while requiring authentication for write operations.
 
-### Mode: `custom`
+#### Mode: `custom`
 
 Define specific public and private endpoints with custom rules.
 
@@ -45,7 +80,7 @@ authorization:
 - `privateEndpoints`: Maps regex paths to HTTP methods or `[method, scope]` tuples
   - Scopes define required OAuth2 scopes for the operation
 
-### Mode: `disabled`
+#### Mode: `disabled`
 
 No route-level authorization applied.
 
@@ -55,11 +90,11 @@ authorization:
     mode: "disabled"
 ```
 
-## Record-Level Authorization
+### Record-Level Authorization
 
 Configure via `authorization.record` section in `values.yaml`.
 
-### Mode: `disabled` (Default)
+#### Mode: `disabled` (Default)
 
 No record-level filtering applied. All collections and items are visible to authenticated users.
 
@@ -69,7 +104,7 @@ authorization:
     mode: "disabled"
 ```
 
-### Mode: `custom`
+#### Mode: `custom`
 
 Use Python filter classes to control visibility of collections and items.
 
@@ -87,9 +122,9 @@ This automatically:
 - Sets `COLLECTIONS_FILTER_CLS=stac_auth_proxy.custom_filters:CollectionsFilter`
 - Sets `ITEMS_FILTER_CLS=stac_auth_proxy.custom_filters:ItemsFilter`
 
-Review the stac-auth-proxy [documentation for more information on custom filters](https://developmentseed.org/stac-auth-proxy/user-guide/record-level-auth/#custom-filter-factories).
+Review the stac-auth-proxy [documentation for more information on custom filters](record-level-auth.md#custom-filter-factories).
 
-### Mode: `opa`
+#### Mode: `opa`
 
 Use Open Policy Agent for policy-based filtering.
 
@@ -106,9 +141,9 @@ This sets:
 - `ITEMS_FILTER_CLS=stac_auth_proxy.filters.opa:Opa`
 - `ITEMS_FILTER_ARGS='["http://opa-service:8181", "stac/items/allow"]'`
 
-## Some configuration examples
+### Configuration Examples
 
-### Example 1: Default for public catalog, protected writes
+#### Example 1: Default for public catalog, protected writes
 
 ```yaml
 authorization:
@@ -118,7 +153,7 @@ authorization:
     mode: "disabled"
 ```
 
-### Example 2: Fully protected catalog
+#### Example 2: Fully protected catalog
 
 ```yaml
 authorization:
@@ -135,7 +170,7 @@ authorization:
       filtersFile: "data/custom_filters.py"
 ```
 
-## Direct configuration
+### Direct Configuration
 
 Existing charts using `env` variables directly continue to work:
 
@@ -148,3 +183,14 @@ env:
 ```
 
 **Environment variables specified in `env` take precedence over `authorization` settings.**
+
+## Management
+
+```bash
+# Upgrade
+helm upgrade stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy
+
+# Uninstall
+helm uninstall stac-auth-proxy
+```
+

mkdocs.yml

@@ -35,6 +35,7 @@ nav:
       - Route-Level Auth: user-guide/route-level-auth.md
       - Record-Level Auth: user-guide/record-level-auth.md
       - Deployment: user-guide/deployment.md
+      - Kubernetes: user-guide/kubernetes.md
       - Tips: user-guide/tips.md
   - Architecture:
       - Middleware Stack: architecture/middleware-stack.md