docs: document operator install flow and release installer workflow

[mangelajo]

Summary

• replace service installation guidance with operator-first workflows for Kubernetes (OLM/OperatorHub), OpenShift/OKD, and manual installer YAML
• add service-operator.md with Jumpstarter CR examples, cert-manager scenarios, authentication pointers, and API field/condition reference tables
• add a release workflow that builds controller/deploy/operator/dist/install.yaml and uploads it to GitHub releases as operator-installer.yaml

Test plan

• Validate docs formatting/lints for modified markdown files
• Verify no remaining Helm references in python/docs
• Trigger the new release workflow on a published release and confirm operator-installer.yaml is attached

Made with Cursor

Summary by CodeRabbit

• New Features

  • Automatically builds and uploads an operator installer manifest to release assets when a release is published.

• Documentation

  • Replaced Helm/ArgoCD install instructions with an operator-based installation workflow across local, service, and production docs.
  • Moved JWT authentication configuration into Jumpstarter's spec.authentication.jwt (replacing the separate AuthenticationConfiguration resource).
  • Added a comprehensive operator installation guide with prerequisites, methods, API field reference, TLS and OAuth examples.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a release-triggered GitHub Actions workflow to build and upload an operator installer manifest, migrates installation docs from Helm to an operator-based installation path, and moves authentication configuration examples into spec.authentication.jwt within the Jumpstarter CR.

Changes

Cohort / File(s)	Summary
Release Operator Installer Workflow .github/workflows/release-operator-installer.yaml	Adds a release-triggered workflow that checks out the repo, sets up Go (from controller/deploy/operator/go.mod), derives VERSION from the release tag, runs make -C controller/deploy/operator build-installer IMG="${IMG}", produces operator-installer.yaml, and uploads it to the release assets via the gh CLI.
Authentication Configuration Documentation python/docs/source/getting-started/configuration/authentication.md	Replaces standalone AuthenticationConfiguration examples with a nested spec.authentication.jwt under Jumpstarter; updates examples, mappings, validation text, and references to use the nested schema.
Installation Index & Local Guide python/docs/source/getting-started/installation/service/index.md, python/docs/source/getting-started/installation/service/service-local.md	Removes Helm-specific prerequisites/commands and replaces local/quick-start Helm instructions with links and guidance for installing via the operator.
New Operator Installation Guide python/docs/source/getting-started/installation/service/service-operator.md	Adds a comprehensive operator-based installation guide (OLM/OperatorHub/manual paths), Jumpstarter CR examples for Kubernetes (Ingress) and OpenShift (Route), cert-manager examples, verification commands, operator behavior notes, and API field references.
Production Installation Guide (operator migration) python/docs/source/getting-started/installation/service/service-production.md	Removes Helm/ArgoCD and Route TLS platform-specific install blocks and replaces them with a pointer to the operator installer; retains TLS/gRPC notes and shifts deployment guidance to the operator path.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• bennyz
• kirkbrauer

Poem

🐇 I hopped through changelogs, nibbling lines so spry,

Built a tiny installer beneath the release sky,
Docs shed Helm for an operator's gentle sway,
Auth tucked into spec to brighten the day,
A joyful hop—now ship it away!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main changes: adding documentation for operator-based installation flow and a new release workflow for the operator installer.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/operator-install-and-release-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

✅ Deploy Preview for jumpstarter-docs ready!

Name	Link
🔨 Latest commit	292923f
🔍 Latest deploy log	https://app.netlify.com/projects/jumpstarter-docs/deploys/69b27d5cb95ed90008f68b1e
😎 Deploy Preview	https://deploy-preview-310--jumpstarter-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

python/docs/source/getting-started/installation/service/service-operator.md (1)

99-99: Consider normalizing command blocks to avoid MD014 lint warnings.

The command snippets at Lines [99], [186], and [194-195] use $ prompts in non-output examples, which triggers markdownlint MD014 in your static checks.

Also applies to: 186-186, 194-195

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@python/docs/source/getting-started/installation/service/service-operator.md`
at line 99, Remove the leading "$ " prompt from the inline command examples
(e.g., the snippet containing "$ kubectl create namespace jumpstarter-lab" and
the other non-output blocks) so they are plain commands (kubectl create
namespace jumpstarter-lab), keeping prompts only in blocks that show shell
interaction/output; update the three affected code blocks accordingly to
eliminate MD014 warnings while preserving any blocks that are true interactive
examples.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@python/docs/source/getting-started/configuration/authentication.md`:
- Around line 291-294: Update the two validation messages that currently read
"cannot used reserved system: prefix" to "cannot use reserved system: prefix";
specifically modify the message value associated with expression
"!user.username.startsWith('system:')" (currently message: 'username cannot used
reserved system: prefix') and the message value associated with expression
"user.groups.all(group, !group.startsWith('system:'))" (currently message:
'groups cannot used reserved system: prefix') to use the correct grammar "cannot
use reserved system: prefix".

In `@python/docs/source/getting-started/installation/service/service-local.md`:
- Line 213: Update the sentence that currently reads "nip.io based hostnames" to
hyphenate the compound modifier as "nip.io-based hostnames" in the documentation
text so the phrase is grammatically correct and clearer to readers.

In `@python/docs/source/getting-started/installation/service/service-operator.md`:
- Around line 194-195: The combined kubectl command "kubectl get
deploy,svc,ingress,route -n jumpstarter-lab" mixes Kubernetes and OpenShift
resources causing failures on vanilla K8s; split the verification into
platform-appropriate commands by replacing the single "deploy,svc,ingress,route"
invocation with separate checks (e.g., use "deploy,svc,ingress" for standard
Kubernetes and "deploy,svc,route" for OpenShift) or provide two distinct kubectl
lines so each cluster only queries resources it supports.

---

Nitpick comments:
In `@python/docs/source/getting-started/installation/service/service-operator.md`:
- Line 99: Remove the leading "$ " prompt from the inline command examples
(e.g., the snippet containing "$ kubectl create namespace jumpstarter-lab" and
the other non-output blocks) so they are plain commands (kubectl create
namespace jumpstarter-lab), keeping prompts only in blocks that show shell
interaction/output; update the three affected code blocks accordingly to
eliminate MD014 warnings while preserving any blocks that are true interactive
examples.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 70bcd9b7-9c61-4690-a40d-aa94db8a92bb

📥 Commits

Reviewing files that changed from the base of the PR and between 24aa76c and ed662dd.

📒 Files selected for processing (6)

• .github/workflows/release-operator-installer.yaml
• python/docs/source/getting-started/configuration/authentication.md
• python/docs/source/getting-started/installation/service/index.md
• python/docs/source/getting-started/installation/service/service-local.md
• python/docs/source/getting-started/installation/service/service-operator.md
• python/docs/source/getting-started/installation/service/service-production.md

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/release-operator-installer.yaml (1)

14-17: Consider reducing fetch-depth for faster checkout.

fetch-depth: 0 clones the entire repository history. Since the build only needs the current code at the release tag, fetch-depth: 1 (or omitting the option entirely) would be sufficient and faster.

♻️ Proposed simplification

       - name: Checkout repository
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-operator-installer.yaml around lines 14 - 17, The
checkout step currently uses actions/checkout@v4 with fetch-depth: 0 which
fetches full history; change the step in the workflow where "Checkout
repository" is defined (the uses: actions/checkout@v4 step) to use a shallow
clone by setting fetch-depth: 1 or removing the fetch-depth key entirely to
speed up checkout for release builds that only need the current tag.

python/docs/source/getting-started/installation/service/service-operator.md (1)

118-118: Consider using a placeholder version in examples.

The hardcoded image tag 0.8.1-rc.2 will become outdated as new versions are released. Consider using a placeholder like <version> or referencing "latest stable" with a note to check releases.

Also applies to: 134-134, 158-158, 172-172

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@python/docs/source/getting-started/installation/service/service-operator.md`
at line 118, Replace the hardcoded image tag
"quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1-rc.2" with a placeholder
(e.g., "quay.io/jumpstarter-dev/jumpstarter-controller:<version>") or a
documented token like
"quay.io/jumpstarter-dev/jumpstarter-controller:latest-stable" and add a brief
comment/note telling readers to check the project's releases for the appropriate
version; update all occurrences of that exact string (seen in the examples
including the other instances reported) so examples stay current.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release-operator-installer.yaml:
- Around line 14-17: The checkout step currently uses actions/checkout@v4 with
fetch-depth: 0 which fetches full history; change the step in the workflow where
"Checkout repository" is defined (the uses: actions/checkout@v4 step) to use a
shallow clone by setting fetch-depth: 1 or removing the fetch-depth key entirely
to speed up checkout for release builds that only need the current tag.

In `@python/docs/source/getting-started/installation/service/service-operator.md`:
- Line 118: Replace the hardcoded image tag
"quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1-rc.2" with a placeholder
(e.g., "quay.io/jumpstarter-dev/jumpstarter-controller:<version>") or a
documented token like
"quay.io/jumpstarter-dev/jumpstarter-controller:latest-stable" and add a brief
comment/note telling readers to check the project's releases for the appropriate
version; update all occurrences of that exact string (seen in the examples
including the other instances reported) so examples stay current.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f7a7d4d5-71a8-4989-abc9-ce29a8dc588d

📥 Commits

Reviewing files that changed from the base of the PR and between ed662dd and c28d7fe.

⛔ Files ignored due to path filters (1)

• python/uv.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

• .github/workflows/release-operator-installer.yaml
• python/docs/source/getting-started/configuration/authentication.md
• python/docs/source/getting-started/installation/service/index.md
• python/docs/source/getting-started/installation/service/service-local.md
• python/docs/source/getting-started/installation/service/service-operator.md
• python/docs/source/getting-started/installation/service/service-production.md

[coderabbitai]

🧹 Nitpick comments (2)

python/docs/source/getting-started/installation/service/service-operator.md (1)

209-210: Clarify JWT configuration scope in OAuth integration note.

The note states "Configure this through spec.authentication.jwt" but doesn't specify that jwt is an array field that can contain multiple authenticators. Consider adding a brief mention that multiple OIDC providers can be configured.

📝 Suggested clarification

-- **OAuth / OIDC integration**: Configure this through `spec.authentication.jwt` in the `Jumpstarter` CR (issuer URL, audiences, and claim mappings). The operator applies this configuration to controller runtime settings, but does not install or configure your identity provider.
+- **OAuth / OIDC integration**: Configure this through `spec.authentication.jwt[]` in the `Jumpstarter` CR (issuer URL, audiences, and claim mappings). You can configure multiple OIDC providers by adding entries to the array. The operator applies this configuration to controller runtime settings, but does not install or configure your identity provider.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@python/docs/source/getting-started/installation/service/service-operator.md`
around lines 209 - 210, Clarify that spec.authentication.jwt on the Jumpstarter
CR is an array allowing multiple JWT/OIDC authenticators: update the OAuth/OIDC
integration note to state that spec.authentication.jwt is a list (supports
multiple entries) and each element configures an issuer/audiences/claim mappings
so users can register multiple OIDC providers; reference the Jumpstarter CR and
spec.authentication.jwt in the sentence so readers know where to configure
multiple authenticators.

python/docs/source/getting-started/configuration/authentication.md (1)

33-45: Consider adding YAML structure clarity for JWT array field.

The example shows jwt: followed by a list item - issuer:, which correctly represents an array of JWT authenticators. For users less familiar with YAML, consider adding a brief comment indicating this is an array that supports multiple OIDC providers.

📝 Suggested enhancement

 spec:
   authentication:
+    # JWT is an array - add multiple entries for different OIDC providers
     jwt:
     - issuer:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@python/docs/source/getting-started/configuration/authentication.md` around
lines 33 - 45, The example YAML should clarify that the jwt field is an array of
JWT authenticators supporting multiple OIDC providers: update the snippet around
the jwt and - issuer entries to include a short comment (near the jwt: key or
before the - issuer:) stating "jwt is an array — add one entry per OIDC
provider" and ensure the example still shows claimMappings.username mapping to
preferred_username and the issuer.url and certificateAuthority fields so readers
see the full structure for jwt, issuer, claimMappings, username and claim:
preferred_username.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@python/docs/source/getting-started/configuration/authentication.md`:
- Around line 33-45: The example YAML should clarify that the jwt field is an
array of JWT authenticators supporting multiple OIDC providers: update the
snippet around the jwt and - issuer entries to include a short comment (near the
jwt: key or before the - issuer:) stating "jwt is an array — add one entry per
OIDC provider" and ensure the example still shows claimMappings.username mapping
to preferred_username and the issuer.url and certificateAuthority fields so
readers see the full structure for jwt, issuer, claimMappings, username and
claim: preferred_username.

In `@python/docs/source/getting-started/installation/service/service-operator.md`:
- Around line 209-210: Clarify that spec.authentication.jwt on the Jumpstarter
CR is an array allowing multiple JWT/OIDC authenticators: update the OAuth/OIDC
integration note to state that spec.authentication.jwt is a list (supports
multiple entries) and each element configures an issuer/audiences/claim mappings
so users can register multiple OIDC providers; reference the Jumpstarter CR and
spec.authentication.jwt in the sentence so readers know where to configure
multiple authenticators.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cb97d982-b8aa-4e9d-aa5b-069ee7903b6a

📥 Commits

Reviewing files that changed from the base of the PR and between c28d7fe and 57a6e28.

📒 Files selected for processing (2)

• python/docs/source/getting-started/configuration/authentication.md
• python/docs/source/getting-started/installation/service/service-operator.md

[mangelajo]

This was mostly written by cursor under my review and guidance, and then I reviewed it all manually as usual. I would +1 :D but I can't

[coderabbitai]

🧹 Nitpick comments (1)

python/docs/source/getting-started/installation/service/service-operator.md (1)

107-143: Align image tags with stable release versions.

The CR examples use 0.8.1-rc.2 (release candidate) tags, while Line 84 references the stable v0.8.1 release. For production documentation, consider using consistent stable version tags throughout.

📝 Suggested alignment

Update the image tags in both Kubernetes and OpenShift CR examples:

   controller:
-    image: quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1-rc.2
+    image: quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1
     imagePullPolicy: IfNotPresent

   routers:
-    image: quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1-rc.2
+    image: quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1
     imagePullPolicy: IfNotPresent

Apply this change to both the Kubernetes example (lines 118, 134) and OpenShift example (lines 158, 172).

Also applies to: 147-180

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@python/docs/source/getting-started/installation/service/service-operator.md`
around lines 107 - 143, The CR examples use RC image tags
(quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1-rc.2) while the doc
references stable v0.8.1; update the image fields (controller.image and
routers.image) in the Kubernetes example and the equivalent image fields in the
OpenShift example to the consistent stable release tag (e.g.,
quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1) so both examples use the
same stable version.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@python/docs/source/getting-started/installation/service/service-operator.md`:
- Around line 107-143: The CR examples use RC image tags
(quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1-rc.2) while the doc
references stable v0.8.1; update the image fields (controller.image and
routers.image) in the Kubernetes example and the equivalent image fields in the
OpenShift example to the consistent stable release tag (e.g.,
quay.io/jumpstarter-dev/jumpstarter-controller:0.8.1) so both examples use the
same stable version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a0de2664-d100-4f21-a4bb-89313cd11a66

📥 Commits

Reviewing files that changed from the base of the PR and between 57a6e28 and 292923f.

📒 Files selected for processing (3)

• python/docs/source/getting-started/configuration/authentication.md
• python/docs/source/getting-started/installation/service/service-operator.md
• python/docs/source/getting-started/installation/service/service-production.md