OSDOCS-10767

Author: jneczypor

_topic_maps/_topic_map_rosa_hcp.yml

@@ -83,6 +83,14 @@ Topics:
   Topics:
   - Name: Deploying a cluster
     File: cloud-experts-getting-started-hcp-for-hcp
+  - Name: Creating an admin user
+    File: cloud-experts-getting-started-admin
+  - Name: Setting up an identity provider
+    File: cloud-experts-getting-started-idp
+  - Name: Granting admin rights
+    File: cloud-experts-getting-started-admin-rights
+  - Name: Accessing your cluster
+    File: cloud-experts-getting-started-accessing
 # ---
 # Name: Architecture
 # Dir: architecture

rosa_learning/creating_cluster_workshop/cloud-experts-getting-started-accessing.adoc

@@ -0,0 +1,80 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-getting-started-accessing"]
+= Tutorial: Accessing your cluster
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-getting-started-accessing
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 2023-11-30
+
+You can connect to your cluster using the command line interface (CLI) or the {hybrid-console} user interface (UI).
+
+== Accessing your cluster using the CLI
+
+To access the cluster using the CLI, you must have the `oc` CLI installed. If you are following the tutorials, you already installed the `oc` CLI.
+
+. Log in to the {cluster-manager-url}.
+. Click your username in the top right corner.
+. Click *Copy Login Command*.
++
+image::cloud-experts-getting-started-accessing-copy-login.png[]
+
+. This opens a new tab with a choice of identity providers (IDPs). Click the IDP you want to use. For example, "rosa-github".
++
+image::cloud-experts-getting-started-accessing-copy-token.png[]
+
+. A new tab opens. Click *Display token*.
+
+. Run the following command in your terminal:
++
+[source,terminal]
+----
+$ oc login --token=sha256~GBAfS4JQ0t1UTKYHbWAK6OUWGUkdMGz000000000000 --server=https://api.my-rosa-cluster.abcd.p1.openshiftapps.com:6443
+----
++
+.Example output
++
+[source,terminal]
+----
+Logged into "https://api.my-rosa-cluster.abcd.p1.openshiftapps.com:6443" as "rosa-user" using the token provided.
+
+You have access to 79 projects, the list has been suppressed. You can list all projects with ' projects'
+
+Using project "default".
+----
+
+. Confirm that you are logged in by running the following command:
++
+[source,terminal]
+----
+$ oc whoami
+----
++
+.Example output
++
+[source,terminal]
+----
+rosa-user
+----
+
+. You can now access your cluster.
+
+== Accessing the cluster via the {hybrid-console-second}
+. Log in to the {cluster-manager-url}.
+.. To retrieve the {hybrid-console-second} URL run:
++
+[source,terminal]
+----
+rosa describe cluster -c <cluster-name> | grep Console
+----
+
+. Click your IDP. For example, "rosa-github".
++
+image::cloud-experts-getting-started-accessing-copy-token.png[]
+
+. Enter your user credentials.
+. You should be logged in. If you are following the tutorials, you will be a cluster-admin and should see the {hybrid-console-second} webpage with the *Administrator* panel visible.
++
+image::cloud-experts-getting-started-accessing-logged.png[]

rosa_learning/creating_cluster_workshop/cloud-experts-getting-started-admin-rights.adoc

@@ -0,0 +1,80 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-getting-started-admin-rights"]
+= Tutorial: Granting admin privileges
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-getting-started-admin-rights
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 2023-11-30
+
+Administration (admin) privileges are not automatically granted to users that you add to your cluster. If you want to grant admin-level privileges to certain users, you will need to manually grant them to each user. You can grant admin privileges from either the ROSA command line interface (CLI) or the Red{nbsp}Hat OpenShift Cluster Manager web user interface (UI).
+
+Red{nbsp}Hat offers two types of admin privileges:
+
+* `cluster-admin`: `cluster-admin` privileges give the admin user full privileges within the cluster.
+
+* `dedicated-admin`: `dedicated-admin` privileges allow the admin user to complete most administrative tasks with certain limitations to prevent cluster damage. It is best practice to use `dedicated-admin` when elevated privileges are needed.
+
+For more information on admin privileges, see the xref:../../rosa_install_access_delete_clusters/rosa-sts-accessing-cluster.adoc#rosa-create-cluster-admins_rosa-sts-accessing-cluster[administering a cluster] documentation.
+
+== Using the ROSA CLI
+
+. Assuming you are the user who created the cluster, run one of the following commands to grant admin privileges:
++
+* For `cluster-admin`:
++
+[source,terminal]
+----
+$ rosa grant user cluster-admin --user <idp_user_name> --cluster=<cluster-name>
+----
++
+* For `dedicated-admin`:
++
+[source,terminal]
+----
+$ rosa grant user dedicated-admin --user <idp_user_name> --cluster=<cluster-name>
+----
+
+. Verify that the admin privileges were added by running the following command:
++
+[source,terminal]
+----
+$ rosa list users --cluster=<cluster-name>
+----
++
+.Example output
++
+[source,terminal]
+----
+$ rosa list users --cluster=my-rosa-cluster
+ID                 GROUPS
+<idp_user_name>    cluster-admins
+----
+
+. If you are currently logged into the {hybrid-console}, log out of the console and log back in to the cluster to see a new perspective with the "Administrator Panel". You might need an incognito or private window.
++
+image:cloud-experts-getting-started-admin-rights-admin-panel.png[]
+
+. You can also test that admin privileges were added to your account by running the following command. Only a `cluster-admin` users can run this command without errors.
++
+[source,terminal]
+----
+$ oc get all -n openshift-apiserver
+----
+
+== Using the Red{nbsp}Hat OpenShift Cluster Manager UI
+
+. Log in to the {cluster-manager-url}.
+. Select your cluster.
+. Click the *Access Control* tab.
+. Click the *Cluster roles and Access* tab in the sidebar.
+. Click *Add user*.
++
+image::cloud-experts-getting-started-admin-rights-access-control.png[]
+
+. On the pop-up screen, enter the user ID.
+. Select whether you want to grant the user `cluster-admins` or `dedicated-admins` privileges.
++
+image::cloud-experts-getting-started-admin-rights-add-user2.png[]

rosa_learning/creating_cluster_workshop/cloud-experts-getting-started-admin.adoc

@@ -0,0 +1,83 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-getting-started-admin"]
+= Tutorial: Creating an admin user
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-getting-started-admin
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 2023-11-27
+
+Creating an administration (admin) user allows you to access your cluster quickly. Follow these steps to create an admin user. 
+
+[NOTE]
+====
+An admin user works well in this tutorial setting. For actual deployment, use a xref:../../authentication/sd-configuring-identity-providers.adoc#sd-configuring-identity-providers[formal identity provider] to access the cluster and grant the user admin privileges.
+====
+
+. Run the following command to create the admin user:
++
+[source,terminal]
+----
+rosa create admin --cluster=<cluster-name>
+----
++
+.Example output
++
+[source,terminal]
+----
+W: It is recommended to add an identity provider to login to this cluster. See 'rosa create idp --help' for more information.
+I: Admin account has been added to cluster 'my-rosa-cluster'. It may take up to a minute for the account to become active.
+I: To login, run the following command:
+oc login https://api.my-rosa-cluster.abcd.p1.openshiftapps.com:6443 \
+--username cluster-admin \
+--password FWGYL-2mkJI-00000-00000
+----
+
+. Copy the log in command returned to you in the previous step and paste it into your terminal. This will log you in to the cluster using the CLI so you can start using the cluster.
++
+[source,terminal]
+----
+$ oc login https://api.my-rosa-cluster.abcd.p1.openshiftapps.com:6443 \
+>    --username cluster-admin \
+>    --password FWGYL-2mkJI-00000-00000
+----
++
+.Example output
++
+[source,terminal]
+----
+Login successful.
+
+You have access to 79 projects, the list has been suppressed. You can list all projects with ' projects'
+
+Using project "default".
+----
+
+. To check that you are logged in as the admin user, run one of the following commands:
++
+* Option 1:
++
+[source,terminal]
+----
+$ oc whoami
+----
++
+.Example output
++
+[source,terminal]
+----
+cluster-admin
+----
++
+* Option 2:
++
+[source,terminal]
+----
+oc get all -n openshift-apiserver
+----
++
+Only an admin user can run this command without errors.
+
+. You can now use the cluster as an admin user, which will suffice for this tutorial. For actual deployment, it is highly recommended to set up an identity provider, which is explained in the xref:../../cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-idp.adoc#cloud-experts-getting-started-idp[next tutorial].

rosa_learning/creating_cluster_workshop/cloud-experts-getting-started-idp.adoc

@@ -0,0 +1,107 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-getting-started-idp"]
+= Tutorial: Setting up an identity provider
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-getting-started-idp
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 2023-11-28
+
+To log in to your cluster, set up an identity provider (IDP). This tutorial uses GitHub as an example IDP. See the full list of xref:../../rosa_install_access_delete_clusters/rosa-sts-config-identity-providers.adoc#understanding-idp-supported_rosa-sts-config-identity-providers[IDPs supported by ROSA].
+
+* To view all IDP options, run the following command:
++
+[source,terminal]
+----
+rosa create idp --help
+----
+
+== Setting up an IDP with GitHub
+. Log in to your GitHub account.
+. Create a new GitHub organization where you are an administrator.
++
+[TIP]
+====
+If you are already an administrator in an existing organization and you want to use that organization, skip to step 9.
+====
++
+Click the *+* icon, then click *New Organization*.
++
+image::cloud-experts-getting-started-idp-new-org.png[]
+
+. Choose the most applicable plan for your situation or click *Join for free*.
+
+. Enter an organization account name, an email, and whether it is a personal or business account. Then, click *Next*.
++
+image::cloud-experts-getting-started-idp-team.png[]
+
+. *Optional:* Add the GitHub IDs of other users to grant additional access to your ROSA cluster. You can also add them later.
+. Click *Complete Setup*.
+. *Optional:* Enter the requested information on the following page.
+. Click *Submit*.
+. Go back to the terminal and enter the following command to set up the GitHub IDP:
++
+[source,terminal]
+----
+rosa create idp --cluster=<cluster name> --interactive
+----
+
+. Enter the following values:
++
+[source,terminal]
+----
+Type of identity provider: github
+Identity Provider Name: <IDP-name>
+Restrict to members of: organizations
+GitHub organizations: <organization-account-name>
+----
+
+. The CLI will provide you with a link. Copy and paste the link into a browser and press *Enter*. This will fill the required information to register this application for OAuth. You do not need to modify any of the information.
++
+image::cloud-experts-getting-started-idp-link.png[]
+
+. Click *Register application*.
++
+image::cloud-experts-getting-started-idp-register.png[]
+
+. The next page displays a *Client ID*.  Copy the ID and paste it in the terminal where it asks for *Client ID*.
++
+[NOTE]
+====
+Do not close the tab.
+====
+
+. The CLI will ask for a *Client Secret*. Go back in your browser and click *Generate a new client secret*.
++
+image::cloud-experts-getting-started-idp-secret.png[]
+
+. A secret is generated for you. Copy your secret because it will never be visible again.
+
+. Paste your secret into the terminal and press *Enter*.
+. Leave *GitHub Enterprise Hostname* blank.
+. Select *claim*.
+. Wait approximately 1 minute for the IDP to be created and the configuration to land on your cluster.
++
+image::cloud-experts-getting-started-idp-inputs.png[]
+
+. Copy the returned link and paste it into your browser. The new IDP should be available under your chosen name. Click your IDP and use your GitHub credentials to access the cluster.
++
+image::cloud-experts-getting-started-idp-login.png[]
+
+== Granting other users access to the cluster
+To grant access to other cluster user you will need to add their GitHub user ID to the GitHub organization used for this cluster.
+
+. In GitHub, go to the *Your organizations* page.
+
+. Click your *profile icon*, then *Your organizations*. Then click *<your-organization-name>*.  In our example, it is `my-rosa-cluster`.
++
+image::cloud-experts-getting-started-idp-org.png[]
+
+. Click *Invite someone*.
++
+image::cloud-experts-getting-started-idp-invite.png[]
+
+. Enter the GitHub ID of the new user, select the correct user, and click *Invite*.
+. Once the new user accepts the invitation, they will be able to log in to the ROSA cluster using the {hybrid-console-second} link and their GitHub credentials.