Merge pull request #93489 from openshift-cherrypick-robot/cherry-pick-92245-to-serverless-docs-1.36

Author: sheriff-rh

_attributes/common-attributes.adoc

@@ -113,11 +113,12 @@
 :ServerlessOperatorName: OpenShift Serverless Operator
 :ServerlessLogicOperatorName: OpenShift Serverless Logic Operator
 :FunctionsProductName: OpenShift Serverless Functions
-:ServerlessProductVersion: 1.35.0
-:ServerlessLogicQuarkusVersion: 3.8.6.redhat-00004
-:ServerlessLogicOrgKieVersion: 9.102.0.redhat-00005
-:ServerlessLogicRegistryVersion: registry.redhat.io/openshift-serverless-1/logic-swf-builder-rhel8:1.35.0
-:ServerlessLogic-DDL-Script-url: link:https://maven.repository.redhat.com/ga/org/kie/kogito/kogito-ddl/9.102.0.redhat-00005/kogito-ddl-9.102.0.redhat-00005-db-scripts.zip[kogito-ddl-9.102.0.redhat-00005-db-scripts.zip]
+:ServerlessProductVersion: 1.36.0
+:ServerlessLogicQuarkusVersion: 3.15.4.redhat-00001
+:ServerlessLogicOrgKieVersion: 9.103.0.redhat-00003
+:ServerlessLogicOauthDependencyVersion: 2.9.0-lts
+:ServerlessLogicRegistryVersion: registry.redhat.io/openshift-serverless-1/logic-swf-builder-rhel8:1.36.0
+:ServerlessLogic-DDL-Script-url: link:https://maven.repository.redhat.com/ga/org/kie/kogito/kogito-ddl/9.103.0.redhat-00003/kogito-ddl-9.103.0.redhat-00003-db-scripts.zip[kogito-ddl-9.103.0.redhat-00003-db-scripts.zip]
 //service mesh v2
 :product-dedicated: Red Hat OpenShift Dedicated
 :SMProductName: Red Hat OpenShift Service Mesh

modules/serverless-logic-security-config-auth-credentials-openapi.adoc

@@ -0,0 +1,93 @@
+// Module included in the following assemblies:
+// serverles-logic/serverless-logic-authentication-openapi-services
+
+:_mod-docs-content-type: PROCEDURE
+[id="serverless-logic-security-config-auth-credentials-openapi_{context}"]
+= Configuring authentication credentials for OpenAPI services
+
+To invoke OpenAPI service operations secured by authentication schemes, you must configure the corresponding credentials and parameters in your application. {ServerlessLogicProductName} uses these configurations to authenticate with the external services during workflow execution.
+
+This section describes how to define and apply the necessary configuration properties for security schemes declared in the OpenAPI specification file. You can use either `application.properties`, the `ConfigMap` associated with your workflow, or environment variables in the `SonataFlow` CR to provide these credentials.
+
+[NOTE]
+====
+The security schemes defined in an OpenAPI specification file are global to all the operations that are available in the same file. This means that the configurations set for a particular security scheme also apply to the other secured operations.
+====
+
+.Prerequisites
+
+* You have access to a {ServerlessLogicProductName} project with the appropriate roles and permissions to create applications and other workloads in {ocp-product-title}.
+* Your OpenAPI specification includes one or more security schemes.
+* You have access to the OpenAPI specification files.
+* You have identified the schemes you want to configure `http-basic-example` or `api-key-example`.
+* You have access to the `application.properties` file, the workflow `ConfigMap`, or the `SonataFlow` CR.
+
+.Procedure
+
+* Use the following format to compose your property keys:
++
+[source,text]
+----
+quarkus.openapi-generator.[filename].auth.[security_scheme_name].[auth_property_name]
+----
++
+** `filename` is the sanitized name of the file containing the OpenAPI specification, such as security_example_json. To sanitize this name, you must replace all non-alphabetic characters with `_` underscores.
+** `security_scheme_name` is the sanitized name of the security scheme object definition in the OpenAPI specification file, such as `http_basic_example` or `api_key_example`. To sanitize this name, you must replace all non-alphabetic characters with `_` underscores.
+** `auth_property_name` is the name of the property to configure, such as username. This property depends on the defined security scheme type.
++
+[NOTE]
+====
+When you are using environment variables to configure properties, follow the MicroProfile environment variable mapping rules. You can replace all non-alphabetic characters in the property key with underscores `_`, and convert the entire key to uppercase.
+====
+
+The following examples show how to provide these configuration properties using `application.properties`, the `ConfigMap` associated with your workflow, or environment variables defined in the `SonataFlow` CR: 
+
+.Example of configuring the credentials by using the `application.properties` file
+[source,text]
+----
+quarkus.openapi-generator.security_example_json.auth.http_basic_example.username=myuser
+quarkus.openapi-generator.security_example_json.auth.http_basic_example.password=mypassword
+----
+
+.Example of configuring the credentials by using the workflow `ConfigMap`
+[source,yaml]
+----
+apiVersion: v1
+data:
+  application.properties: |   
+    quarkus.openapi-generator.security_example_json.auth.http_basic_example.username=myuser
+    quarkus.openapi-generator.security_example_json.auth.http_basic_example.password=mypassword
+kind: ConfigMap
+metadata:
+  labels:
+    app: example-workflow
+  name: example-workflow-props
+  namespace: example-namespace
+----
+
+[NOTE]
+====
+If the name of the workflow is `example-workflow`, the name of the `ConfigMap` with the user defined properties must be `example-workflow-props`.
+====
+
+.Example of configuring the credentials by using environment variables in the `SonataFlow` CR
+[source,yaml]
+----
+apiVersion: sonataflow.org/v1alpha08
+kind: SonataFlow
+metadata:
+  name: example-workflow
+  namespace: example-namespace
+  annotations:
+    sonataflow.org/description: Example Workflow
+    sonataflow.org/version: 0.0.1
+    sonataflow.org/profile: preview
+spec:
+  podTemplate:
+    container:
+      env:
+        - name: QUARKUS_OPENAPI_GENERATOR_SECURITY_EXAMPLE_JSON_AUTH_HTTP_BASIC_EXAMPLE_USERNAME
+          value: myuser
+        - name: QUARKUS_OPENAPI_GENERATOR_SECURITY_EXAMPLE_JSON_AUTH_HTTP_BASIC_EXAMPLE_PASSWORD
+          value: mypassowrd
+----

modules/serverless-logic-security-example-api-key-authentication.adoc

@@ -0,0 +1,82 @@
+// Module included in the following assemblies:
+// serverles-logic/serverless-logic-authentication-openapi-services
+
+:_mod-docs-content-type: REFERENCE
+[id="serverless-logic-security-example-api-key-authentication_{context}"]
+= Example of API key authentication
+
+The following example shows how to secure an OpenAPI service operation using the `apiKey` authentication scheme. The `security-example.json` file defines the `sayHelloApiKey` operation, which uses the `api-key-example` security scheme. You can configure the API key using application properties, the workflow `ConfigMap`, or environment variables.
+
+.Example OpenAPI specification with API key authentication
+[source,json]
+----
+{
+  "openapi": "3.1.0",
+  "info": {
+    "title": "Api Key Scheme Example",
+    "version": "1.0"
+  },
+  "paths": {
+    "/hello-with-api-key": {
+      "get": {
+        "operationId": "sayHelloApiKey",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "text/plain": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "security": [{"api-key-example" : []}]
+      }
+    }
+  },
+  "components": {
+    "securitySchemes": {
+      "api-key-example": {
+        "type": "apiKey",
+        "name": "api-key-name",
+        "in": "header"
+      }
+    }
+  }
+}
+----
+
+In this example, the `sayHelloApiKey` operation is protected by the `api-key-example` security scheme, which uses an API key passed in the HTTP request header.
+
+[id="serverless-logic-security-supported-config-properties-api-key_{context}"]
+== Supported configuration properties for API key authentication
+
+You can use the following configuration property to configure the API key:
+
+[cols="2,1,1",options="header"]
+|====
+|Description 
+|Property key
+|Example
+
+|API Key
+|`quarkus.openapi-generator.[filename].auth.[security_scheme_name].api-key`
+|`quarkus.openapi-generator.security_example_json.auth.api_key_example.api-key=MY_KEY`
+
+|====
+
+You can replace `[filename]` with the sanitized OpenAPI file name `security_example_json` and `[security_scheme_name]` with the sanitized scheme name `api_key_example`. 
+
+The `apiKey` scheme type contains an additional `name` property that configures the key name to use when the Open API service is invoked. Also, the format to pass the key depends on the value of the `in` property.
+
+* When the value is `header`, the key is passed as an HTTP request parameter.
+
+* When the value is `cookie`, the key is passed as an HTTP cookie.
+
+* When the value is `query`, the key is passed as an HTTP query parameter.
+
+In the example, the key is passed in the HTTP header as `api-key-name: MY_KEY`.
+
+{ServerlessLogicProductName} manages this internally, so no additional configuration is required beyond setting the property value.

modules/serverless-logic-security-example-auth-token-propagation.adoc

@@ -0,0 +1,90 @@
+// Module included in the following assemblies:
+// serverles-logic/serverless-logic-authentication-openapi-services
+
+:_mod-docs-content-type: REFERENCE
+[id="serverless-logic-security-example-auth-token-propagation_{context}"]
+= Example of authorization token propagation
+
+{ServerlessLogicProductName} supports token propagation for OpenAPI operations that use the `oauth2` or `http` bearer security scheme types. Token propagation enables your workflow to forward the authorization token it receives during workflow creation to downstream services.This feature is useful when your workflow needs to interact with third-party services on behalf of the client that initiated the request.
+
+You must configure token propagation individually for each security scheme. After it is enabled, all OpenAPI operations secured using the same scheme uses the propagated token unless explicitly overridden.
+
+The following example defines the `sayHelloOauth2` operation in the `security-example.json` file. This operation uses the `oauth-example` security scheme with the `clientCredentials` flow:
+
+.Example OpenAPI specification with token propagation
+[source,json]
+----
+{
+  "openapi": "3.1.0",
+  "info": {
+    "title": "Oauth2 Scheme Example",
+    "version": "1.0"
+  },
+  "paths": {
+    "/hello-with-oauth2": {
+      "get": {
+        "operationId": "sayHelloOauth2",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "text/plain": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "oauth-example": []
+          }
+        ]
+      }
+    }
+  },
+  "components": {
+    "securitySchemes": {
+      "oauth-example": {
+        "type": "oauth2",
+        "flows": {
+          "clientCredentials": {
+            "authorizationUrl": "https://example.com/oauth",
+            "tokenUrl": "https://example.com/oauth/token",
+            "scopes": {}
+          }
+        }
+      }
+    }
+  }
+}
+----
+
+[id="serverless-logic-security-supported-config-properties-token-propagation_{context}"]
+== Supported configuration properties for authorization token propagation
+
+You can use the following configuration keys to enable and customize token propagation:
+
+[NOTE]
+====
+The tokens are automatically passed to downstream services while the workflow is active. When the workflow enters a waiting state, such as a timer or event-based pause, the token propagation stops. After the workflow resumes, tokens are not re-propagated automatically. You must manage re-authentication if needed.
+====
+
+[cols="2,1,1",options="header"]
+|====
+|Property key
+|Example
+|Description 
+
+|`quarkus.openapi-generator.[filename].auth.[security_scheme_name].token-propagation`
+|`quarkus.openapi-generator.security_example_json.auth.oauth_example.token-propagation=true`
+|Enables token propagation for all operations secured with the given scheme. Default is `false`.
+
+|`quarkus.openapi-generator.[filename].auth.[security_scheme_name].header-name`
+|`quarkus.openapi-generator.security_example_json.auth.oauth_example.header-name=MyHeaderName`
+|(Optional) Overrides the default Authorization header with a custom header name to read the token from.
+
+|====
+
+You can replace `[filename]` with the sanitized OpenAPI file name `security_example_json` and `[security_scheme_name]` with the sanitized scheme name `oauth_example`.

modules/serverless-logic-security-example-basic-http-authentication.adoc

@@ -0,0 +1,74 @@
+// Module included in the following assemblies:
+// serverles-logic/serverless-logic-authentication-openapi-services
+
+:_mod-docs-content-type: REFERENCE
+[id="serverless-logic-security-example-basic-http-authentication_{context}"]
+= Example of basic HTTP authentication
+
+The following example shows how to secure a workflow operation using the HTTP basic authentication scheme. The `security-example.json` file defines an OpenAPI service with a single operation, `sayHelloBasic`, which uses the `http-basic-example` security scheme. You can configure credentials using application properties, the worfklow `ConfigMap`, or environment variables.
+
+.Example OpenAPI specification with HTTP basic authentication
+[source,json]
+----
+{
+  "openapi": "3.1.0",
+  "info": {
+    "title": "Http Basic Scheme Example",
+    "version": "1.0"
+  },
+  "paths": {
+    "/hello-with-http-basic": {
+      "get": {
+        "operationId": "sayHelloBasic",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "text/plain": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "security": [{"http-basic-example" : []}]
+      }
+    }
+  },
+  "components": {
+    "securitySchemes": {
+      "http-basic-example": {
+        "type": "http",
+        "scheme": "basic"
+      }
+    }
+  }
+}
+----
+
+In this example, the `sayHelloBasic` operation is secured using the `http-basic-example` scheme defined in the `securitySchemes` section. When invoking this operation in a workflow, you must configure the appropriate credentials.
+
+[id="serverless-logic-security-supported-config-properties-basic-http_{context}"]
+== Supported configuration properties for basic HTTP authentication
+
+You can use the following configuration keys to provide authentication credentials for the `http-basic-example` scheme:
+
+[cols="2,1,1",options="header"]
+|====
+|Description 
+|Property key
+|Example
+
+|Username credentials
+|`quarkus.openapi-generator.[filename].auth.[security_scheme_name].username`
+|`quarkus.openapi-generator.security_example_json.auth.http_basic_example.username=MY_USER`
+
+|Password credentials
+|`quarkus.openapi-generator.[filename].auth.[security_scheme_name].password`
+|`quarkus.openapi-generator.security_example_json.auth.http_basic_example.password=MY_PASSWD`
+
+|====
+
+You can replace `[filename]` with the sanitized OpenAPI file name `security_example_json` and `[security_scheme_name]` with the sanitized scheme name `http_basic_example`. 
+