Add instructions for bypassing IdP with admin token (#5376)

* add instructions for bypassing IdP with admin token, closes #5374

* Apply suggestions from code review

Co-authored-by: Jason Stirnaman <stirnamanj@gmail.com>

* fix broken clustered tab, relocated idp-bypass file

* link to management token definition

* remove management token term from idp bypass guide

* add commands for deleting an admin token

---------

Co-authored-by: Jason Stirnaman <stirnamanj@gmail.com>

assets/styles/layouts/article/_html-diagrams.scss

@@ -526,10 +526,6 @@ table tr.point{
   .plan-double-column {
     display: flex;
     justify-content: space-around;
-
-    .plan-column {
-      // width: 50%;
-    }
   }
 }
 

content/influxdb/clustered/admin/bypass-identity-provider.md

@@ -0,0 +1,111 @@
+---
+title: Bypass your identity provider
+description: >
+  InfluxDB clustered generates a valid access token (known as the _admin token_)
+  that can be used in development and testing environments in lieu of configuring
+  and using an OAuth2 identity provider.
+menu:
+  influxdb_clustered:
+    parent: Administer InfluxDB Clustered
+weight: 207
+---
+
+{{< product-name >}} generates a valid access token (known as the _admin token_)
+for managing databases and database tokens and stores it as a secret in your
+InfluxDB namespace.
+You can use the admin token with the [`influxctl` CLI](/influxdb/clustered/reference/cli/influxctl/)
+in lieu of configuring and using an OAuth2 identity provider.
+
+{{% warn %}}
+#### Do not use in production
+
+This feature is for development and testing purposes only and should not be used
+in a production InfluxDB cluster.
+{{% /warn %}}
+
+## Configure influxctl to use the admin token
+
+{{% code-placeholders "INFLUXDB_NAMESPACE|DIRECTORY_PATH" %}}
+
+1.  If you haven't already, [download, install, or upgrade to `influxctl` v2.2.0 or newer](/influxdb/clustered/reference/cli/influxctl/#download-and-install-influxctl).
+2.  Use `kubectl` to retrieve the admin token from your cluster namespace's
+    secret store and copy it to a file:
+
+    ```sh
+    kubectl get secrets/admin-token \
+      --template={{.data.token}} \
+      --namespace INFLUXDB_NAMESPACE | base64 -d > token.json
+    ```
+
+3.  Update your `influxctl` connection profile with a new `[profile.auth.token]`
+    section.
+4.  In the `[profile.auth.token]` section, assign the `token_file` setting to the location of your saved admin token file:
+
+    ```toml
+    [[profile]]
+    # ...
+      [profile.auth.token]
+        token_file = "/DIRECTORY_PATH/token.json"
+    ```
+{{% /code-placeholders %}}
+
+In the examples above, replace the following:
+
+- {{% code-placeholder-key %}}`INFLUXDB_NAMESPACE`{{% /code-placeholder-key %}}:
+  The name of your InfluxDB namespace.
+- {{% code-placeholder-key %}}`DIRECTORY_PATH`{{% /code-placeholder-key %}}:
+  The directory path to your admin token file, `token.json`.
+
+## Revoke an admin token
+
+The admin token is a long-lived access token.
+The only way to revoke the token is to do the following:
+
+{{% code-placeholders "INFLUXDB_NAMESPACE|KEY_GEN_JOB|001" %}}
+
+1.  Delete the `rsa-keys` secret from your InfluxDB cluster's context and namespace:
+
+    ```sh
+    kubectl delete secrets/rsa-keys --namespace INFLUXDB_NAMESPACE
+    ```
+
+2.  Rerun the `key-gen` job:
+
+    1.  List the jobs in your InfluxDB namespace to find the key-gen job pod:
+
+        ```
+        # List jobs to find the key-gen job pod
+        kubectl get jobs --namespace INFLUXDB_NAMESPACE
+        ```
+
+    2.  Run the key-gen job and increment the job number as needed:
+    
+        ```sh
+        kubectl create job \
+          --from=job/KEY_GEN_JOB key-gen-001 \
+          --namespace INFLUXDB_NAMESPACE
+        ```
+
+3.  Restart the `token-management` service:
+
+    ```sh
+    kubectl delete pods \
+      --selector app=token-management \
+      --namespace INFLUXDB_NAMESPACE
+    ```
+
+{{% /code-placeholders %}}
+
+In the examples above, replace the following:
+
+- {{% code-placeholder-key %}}`INFLUXDB_NAMESPACE`{{% /code-placeholder-key %}}:
+  The name of your InfluxDB namespace.
+- {{% code-placeholder-key %}}`KEY_GEN_JOB`{{% /code-placeholder-key %}}:
+  The name of the key-gen job pod.
+- {{% code-placeholder-key %}}`001`{{% /code-placeholder-key %}}:
+  A unique number used to increment the key-gen job.
+
+{{% note %}}
+To create a new admin token after revoking the existing one, rerun the
+`create-admin-token` job.
+{{% /note %}}

content/influxdb/clustered/admin/custom-partitions/_index.md

@@ -6,7 +6,7 @@ description: >
   specific schema and workload.
 menu:
   influxdb_clustered:
-    parent: Administer InfluxDB Cloud
+    parent: Administer InfluxDB Clustered
 weight: 103
 influxdb/clustered/tags: [storage]
 related:

content/influxdb/clustered/admin/tables/_index.md

@@ -7,7 +7,7 @@ description: >
   In previous versions of InfluxDB, tables were known as "measurements."
 menu:
   influxdb_clustered:
-    parent: Administer InfluxDB Cloud
+    parent: Administer InfluxDB Clustered
 weight: 101
 influxdb/clustered/tags: [tables]
 ---

content/influxdb/clustered/admin/tokens/database/list.md

@@ -5,7 +5,7 @@ description: >
   to list tokens in your InfluxDB cluster.
 menu:
   influxdb_clustered:
-    parent: Manage database tokens
+    parent: Database tokens
 weight: 202
 list_code_example: |
   ```sh

content/influxdb/clustered/admin/tokens/database/update.md

@@ -5,7 +5,7 @@ description: >
   to update a database token's permissions in your InfluxDB cluster.
 menu:
   influxdb_clustered:
-    parent: Manage database tokens
+    parent: Database tokens
 weight: 201
 list_code_example: |
   ```sh

content/influxdb/clustered/admin/upgrade.md

@@ -7,7 +7,7 @@ menu:
   influxdb_clustered:
     name: Upgrade InfluxDB
     parent: Administer InfluxDB Clustered
-weight: 101
+weight: 206
 influxdb/clustered/tags: [upgrade]
 related:
   - /influxdb/clustered/install/

content/influxdb/clustered/install/auth.md

@@ -20,6 +20,18 @@ If you choose to deploy your provider with your InfluxDB cluster, the process
 outlined below should be done _after_ your initial InfluxDB cluster deployment.
 {{% /note %}}
 
+{{% note %}}
+#### Bypass your identity provider for development and testing
+
+If running in a development or testing environment and you do not want to
+authorize with an OAuth2 identity provider, {{< product-name >}} provides an
+_admin token_ in your cluster's namespace that can be used to bypass your
+identity provider.
+
+For more information, see
+[Bypass your identity provider](/influxdb/clustered/admin/bypass-identity-provider/).
+{{% /note %}}
+
 InfluxDB Clustered requires that your OAuth2 identity provider supports
 [Device Authorization Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow).
 InfluxData has tested with the following identity providers:

layouts/shortcodes/code-placeholders.html

@@ -2,5 +2,5 @@
 {{- $color := .Get 1 | default "magenta" -}}
 {{- $elReplace := print "<div class='code-placeholder-wrapper'><var title='Edit $0' class='code-placeholder " $color "' data-code-var='$0' data-code-var-value='$0'>$0<span class='code-placeholder-edit-icon cf-icon Pencil'></span></var></div>" -}}
 {{- $code := .Inner | markdownify -}}
-{{- $codeCallout := replaceRE $regex $elReplace $code -}}
-{{ $codeCallout | safeHTML }}
+{{- $codePlaceholders := replaceRE $regex $elReplace $code -}}
+{{ $codePlaceholders | safeHTML }}