Add guides for common OIDC providers

This is a first revision of this guide and likely subject to
extension/improvement going forward but it'll definitely help setting
up Weave GitOps as an OIDC client properly.

Signed-off-by: Max Jonas Werner <[email protected]>

website/docs/enterprise/getting-started/install-enterprise.mdx

@@ -135,6 +135,8 @@ You may decide to give your engineering teams access to the WGE dashboard so the
 
 OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, Weave GitOps Enterprise uses this information to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and the dashboard.
 
+For more specific examples of how to setup OIDC with Weave GitOps, see [this guide](../../../guides/oidc/).
+
 <Tabs groupId="infrastructure" default>
 <TabItem value="Login via an OIDC provider" label="Login via an OIDC provider">
 

website/docs/guides/oidc.mdx

@@ -0,0 +1,74 @@
+---
+title: Common OIDC provider configurations
+---
+
+This page provides guides for configuring Weave GitOps with the most common OIDC providers.
+
+## Google
+
+Google's identity provider does not support groups scopes. That's why in this example the `customScopes` field requests
+the `openid` and `email` scope for identifying users and binding RBAC roles accordingly.
+
+1. Obtain the client ID and secret by following the [official guide](https://developers.google.com/identity/openid-connect/openid-connect)
+   from Google.
+1. Configure Weave GitOps:
+
+   ```yaml
+   apiVersion: v1
+   kind: Secret
+   metadata:
+       name: oidc-auth
+       namespace: WEAVE_GITOPS_NAMESPACE
+   stringData:
+       clientID: CLIENT_ID_FROM_STEP_1
+       clientSecret: CLIENT_SECRET_FROM_STEP_1
+       issuerURL: https://accounts.google.com
+       redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
+       customScopes: openid,email
+   ```
+
+## Azure AD
+
+1. Obtain the client ID and secret by following the [official guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+   from Microsoft.
+1. Configure Weave GitOps:
+
+   ```yaml
+   apiVersion: v1
+   kind: Secret
+   metadata:
+       name: oidc-auth
+       namespace: WEAVE_GITOPS_NAMESPACE
+   stringData:
+       clientID: CLIENT_ID_FROM_STEP_1
+       clientSecret: CLIENT_SECRET_FROM_STEP_1
+       issuerURL: https://login.microsoftonline.com/TENANT_ID/v2.0
+       redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
+       customScopes: openid
+       claimUsername: sub
+   ```
+
+## Keycloak
+
+Keycloak is highly customizable so the steps to obtain client ID and secret will vary depending on your setup. The
+general steps are very similar and the following steps point to the appropriate pages in the official Keycloak
+documentation:
+
+1. Log in to the Keycloak admin console and [create a realm](https://www.keycloak.org/docs/latest/server_admin/#configuring-realms).
+1. [Create a client application](https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_server_create_client)
+   and choose "OpenID Connect" as the client type.
+1. Make sure to set the "Client Authenticator" on the "Credentials" tab to "Client Id and Secret" and generate a secret.
+1. Configure Weave GitOps:
+
+   ```yaml
+   apiVersion: v1
+   kind: Secret
+   metadata:
+       name: oidc-auth
+       namespace: WEAVE_GITOPS_NAMESPACE
+   stringData:
+       clientID: CLIENT_ID_FROM_STEP_2
+       clientSecret: CLIENT_SECRET_FROM_STEP_3
+       issuerURL: https://KEYCLOAK_DOMAIN/realms/KEYCLOAK_REALM
+       redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
+   ```

website/sidebars.js

@@ -114,6 +114,7 @@
       type: 'category',
       label: 'Guides',
       items: [
+        'guides/oidc',
         'guides/displaying-custom-metadata',
         'guides/fluxga-upgrade',
       ],