docs(oidc): document keycloakInternalUrl platform value

sircthulhu · sircthulhu · commit ffbd20d4c779 · 2026-03-16T11:07:08.000+05:00
Add documentation for the new keycloakInternalUrl option that allows
the dashboard's oauth2-proxy to route backend requests through the
internal Keycloak service, bypassing external DNS and TLS.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin &lt;stitch14@yandex.ru&gt;
diff --git a/content/en/docs/v1/operations/configuration/platform-package.md b/content/en/docs/v1/operations/configuration/platform-package.md
@@ -96,6 +96,7 @@ spec:
 | `authentication.oidc.enabled` | `false` | Enable [OIDC][oidc] feature in Cozystack. |
 | `authentication.oidc.insecureSkipVerify` | `false` | Skip TLS certificate verification for the OIDC provider. |
 | `authentication.oidc.keycloakExtraRedirectUri` | `""` | Additional redirect URI for Keycloak OIDC client. |
+| `authentication.oidc.keycloakInternalUrl` | `""` | Internal URL for backend-to-backend requests to Keycloak. When set, the dashboard's oauth2-proxy skips OIDC discovery and routes token, JWKS, userinfo, and logout requests through this URL while keeping browser redirects on the external URL. Example: `http://keycloak-http.cozy-keycloak.svc:8080/realms/cozy`. |
 
 #### Scheduling
 
diff --git a/content/en/docs/v1/operations/oidc/enable_oidc.md b/content/en/docs/v1/operations/oidc/enable_oidc.md
@@ -81,6 +81,10 @@ kubectl patch packages.cozystack.io cozystack.cozystack-platform --type=merge -p
 }'
 ```
 
+{{% alert color="info" %}}
+**Optional**: If you want the dashboard to reach Keycloak via the internal cluster network instead of the external ingress, set `keycloakInternalUrl`. This is useful in environments with self-signed certificates or restricted external access. See [Self-Signed Certificates](../self-signed-certificates/) for details.
+{{% /alert %}}
+
 Within one minute, CozyStack will reconcile and create three new `HelmRelease` resources:
 
 ```bash
diff --git a/content/en/docs/v1/operations/oidc/self-signed-certificates.md b/content/en/docs/v1/operations/oidc/self-signed-certificates.md
@@ -73,6 +73,34 @@ talosctl apply-config -n <NODE_IP> -f nodes/<node>.yaml
 The `extraHostEntries` configuration ensures that the Keycloak domain resolves correctly within the cluster, which is essential when using internal ingress IPs.
 {{% /alert %}}
 
+## Optional: Configure Internal Keycloak URL for Dashboard
+
+By default, the Cozystack Dashboard's oauth2-proxy connects to Keycloak through the external ingress URL. In environments with self-signed certificates or restricted external access, you can configure the dashboard to use Keycloak's internal cluster service for backend requests (token exchange, JWKS validation, userinfo, logout) while keeping browser redirects on the external URL.
+
+Patch the Platform Package:
+
+```bash
+kubectl patch packages.cozystack.io cozystack.cozystack-platform --type=merge -p '{
+  "spec": {
+    "components": {
+      "platform": {
+        "values": {
+          "authentication": {
+            "oidc": {
+              "keycloakInternalUrl": "http://keycloak-http.cozy-keycloak.svc:8080/realms/cozy"
+            }
+          }
+        }
+      }
+    }
+  }
+}'
+```
+
+{{% alert color="info" %}}
+This only affects the dashboard's oauth2-proxy (pod-to-pod communication). The Kubernetes API server still requires `extraHostEntries` to reach Keycloak, since `kube-apiserver` uses host-level DNS and cannot resolve cluster service names.
+{{% /alert %}}
+
 ## Step 3: Configure kubelogin
 
 Install kubelogin if you haven't already:
