[EPIC] - Improve Greenhouse Chart Installation Experience & Documentation #1864

@adiclepcea

User Story

As a platform engineer, I can install Greenhouse on a new cluster by following clear, complete documentation, so that I can get a working installation without needing additional guidance.

Description

We have short installation documentation: https://cloudoperators.github.io/greenhouse/docs/getting-started/install/

The Greenhouse installation documentation and Helm chart setup have several areas that could be improved to make the experience smoother. It would be great to have better coverage of prerequisites, clearer guidance on chart values, and a few chart improvements to help users get up and running more easily. This issue captures those improvements to make the installation experience more reliable and self-contained.

Acceptance Criteria

All sub-headers in the following description have been made sub-issues. We keep the initial input for reference. This is the epic tracking the overall progress.

Documentation — Prerequisites

  • Flux Controllers + CRDs (provide an installation guide for Flux via Kustomize or Helm with the components and configuration required for Greenhouse, including):
    • The Flux version supported by Greenhouse with the required Flux components
    • NetworkPolicy to allow the greenhouse namespace to access Flux artifacts (if applicable)
    • PersistentVolumeClaims for Flux components
    • Recommended performance tuning: concurrent workers, requeue intervals, resource limits, and leader election settings
  • cert-manager (required for Greenhouse webhooks)

Documentation — Installation Steps

  • A GitOps installation guide (Flux/ArgoCD based) alongside the imperative helm install guide would be a welcome addition
  • Gardener-specific structured authentication setup could use its own documentation section

Documentation — Chart Values

  • keepUpstreamGroups for ID Proxy is currently undocumented in values.yaml — adding documentation would help
  • .Values.apiServerFQDN for CORS Proxy appears to be missing from chart values.yaml — it would be good to either add it or document it
  • The reference to clientID and clientSecret in global values pointing to an external repo (sapcc/helm-charts) could be clarified — either inlining it or providing a migration path would reduce confusion
  • Documentation for oauth2ClientRedirectURIs in Organization for kubectl + OIDC login with Greenhouse auth would be appreciated

Documentation — Identity Provider Integration

Documentation — Secrets

  • Adding documentation for the required v1.Secret format for OIDC Client ID and Client Secret for Organizations would help new users

Chart Fix

  • It would be great to remove kustomization.yaml from charts/manager/crds/ — when Greenhouse is installed via Flux HelmRelease or ArgoCD Application, the controller attempts to reconcile all files in the chart including kustomization.yaml, causing it to fail

Chart Improvement

  • It would be great to consolidate the RBAC resources from sapcc/helm-charts (system/greenhouse-organization/templates/organization/rbac.yaml) into the main Greenhouse chart to avoid depending on an external repo. Specifically:
    • ClusterRoleBinding greenhouse:cluster-admin — binds the IdP group and role:<namespace>:admin to cluster-admin

Reference Issues
