docs auth

docs/OPERATIONS-RUNBOOK.md

@@ -496,6 +496,122 @@ data:
 
 When a new namespace is created, Kyverno automatically copies this secret.
 
+### Authentication Secrets
+
+Applications using the authentication sidecar require specific secrets depending on the auth mode.
+
+#### Token Mode Secrets
+
+Token-based auth uses an `auth-tokens` Secret:
+
+```bash
+# Method 1: From Helm values (automatic)
+# Tokens specified in values.yaml are automatically created
+
+# Method 2: Manual creation
+kubectl create secret generic auth-tokens \
+  --from-literal=tokens="token1
+token2
+token3" \
+  --namespace=myapp
+
+# Method 3: From file
+echo "d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823" > tokens.txt
+echo "8803f621acc3898df1d7a8f514bc3602551a0681a8f747bd4e43c3c5849d57a7" >> tokens.txt
+kubectl create secret generic auth-tokens \
+  --from-file=tokens=tokens.txt \
+  --namespace=myapp
+rm tokens.txt
+```
+
+#### OIDC Mode Secrets
+
+OIDC auth requires an `auth-oidc` Secret with two keys:
+
+```bash
+# Generate secrets
+CLIENT_SECRET="your-oidc-client-secret-from-provider"
+COOKIE_SECRET=$(openssl rand -hex 32)
+
+# Create plain secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=$CLIENT_SECRET \
+  --from-literal=cookie-secret=$COOKIE_SECRET \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+
+# Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-auth-oidc.yaml \
+  > secrets/myapp-auth-oidc-sealed.yaml
+
+# Apply sealed secret
+kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
+
+# Commit to Git
+git add secrets/myapp-auth-oidc-sealed.yaml
+git commit -m "Add OIDC secrets for myapp"
+git push
+
+# Clean up
+rm private/myapp-auth-oidc.yaml
+```
+
+#### Rotating Authentication Secrets
+
+**Token Rotation**:
+
+```bash
+# Generate new token
+NEW_TOKEN=$(openssl rand -hex 32)
+
+# Get current tokens
+kubectl get secret auth-tokens -n myapp -o yaml > /tmp/tokens.yaml
+
+# Edit tokens (add new, optionally remove old)
+# Then re-seal and apply
+
+# Restart pods to use new tokens
+kubectl rollout restart deployment myapp -n myapp
+```
+
+**OIDC Secret Rotation**:
+
+```bash
+# Rotate cookie secret (safe - invalidates existing sessions)
+NEW_COOKIE_SECRET=$(openssl rand -hex 32)
+
+# Recreate secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=$CLIENT_SECRET \
+  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
+  --namespace=myapp \
+  --dry-run=client -o yaml | \
+  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
+  kubectl apply -f -
+
+# Restart to pick up new secret
+kubectl rollout restart deployment myapp -n myapp
+```
+
+#### Viewing Authentication Secrets
+
+```bash
+# List auth-related secrets
+kubectl get secrets -n myapp | grep auth
+
+# View token secret (tokens are in plain text in the Secret)
+kubectl get secret auth-tokens -n myapp -o jsonpath='{.data.tokens}' | base64 -d
+
+# View OIDC secret keys (values are base64 encoded)
+kubectl get secret auth-oidc -n myapp -o jsonpath='{.data.client-secret}' | base64 -d
+kubectl get secret auth-oidc -n myapp -o jsonpath='{.data.cookie-secret}' | base64 -d
+```
+
+**See**: [Developer Guide - Enabling Authentication](../docs/DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for complete authentication setup guide.
+
 ---
 
 ## Monitoring & Alerting