diff --git a/modules/authentication-authorization-common-terms.adoc b/modules/authentication-authorization-common-terms.adoc index 2b5816da56a6..caf9f0119d6f 100644 --- a/modules/authentication-authorization-common-terms.adoc +++ b/modules/authentication-authorization-common-terms.adoc @@ -18,10 +18,10 @@ bearer token:: Bearer token is used to authenticate to API with the header `Authorization: Bearer `. // In OSD and ROSA, the CCO is managed by Red Hat SRE. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] Cloud Credential Operator:: The Cloud Credential Operator (CCO) manages cloud provider credentials as custom resource definitions (CRDs). -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] config map:: A config map provides a way to inject configuration data into the pods. You can reference the data stored in a config map in a volume of type `ConfigMap`. Applications running in a pod can use this data. 
@@ -44,15 +44,15 @@ Keystone is an {rh-openstack-first} project that provides identity, token, catal Lightweight directory access protocol (LDAP):: LDAP is a protocol that queries user information. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] manual mode:: In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] mint mode:: Mint mode is the default and recommended best practice setting for the Cloud Credential Operator (CCO) to use on the platforms for which it is supported. In this mode, the CCO uses the provided administrator-level cloud credential to create new credentials for components in the cluster with only the specific permissions that are required. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] namespace:: A namespace isolates specific system resources that are visible to all processes. Inside a namespace, only processes that are members of that namespace can see those resources. 
@@ -69,10 +69,10 @@ The {product-title} control plane includes a built-in OAuth server that determin OpenID Connect:: The OpenID Connect is a protocol to authenticate the users to use single sign-on (SSO) to access sites that use OpenID Providers. -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] passthrough mode:: In passthrough mode, the Cloud Credential Operator (CCO) passes the provided cloud credential to the components that request cloud credentials. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] pod:: A pod is the smallest logical unit in Kubernetes. A pod is comprised of one or more containers to run in a worker node. diff --git a/modules/config-github-idp.adoc b/modules/config-github-idp.adoc index 1c889c8d70a8..7e94472fd320 100644 --- a/modules/config-github-idp.adoc +++ b/modules/config-github-idp.adoc @@ -6,7 +6,7 @@ :_mod-docs-content-type: PROCEDURE [id="config-github-idp_{context}"] -= Configuring a GitHub identity provider += Configuring a GitHub identity provider via the OCM Console Configure a GitHub identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server and access your {product-title} cluster. OAuth facilitates a token exchange flow between {product-title} and GitHub or GitHub Enterprise. @@ -39,9 +39,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will use this to register the GitHub application. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + 
diff --git a/modules/config-gitlab-idp.adoc b/modules/config-gitlab-idp.adoc index c1e91bbc1c04..c33465626cb9 100644 --- a/modules/config-gitlab-idp.adoc +++ b/modules/config-gitlab-idp.adoc @@ -6,7 +6,7 @@ :_mod-docs-content-type: PROCEDURE [id="config-gitlab-idp_{context}"] -= Configuring a GitLab identity provider += Configuring a GitLab identity provider via the OCM Console Configure a GitLab identity provider to use link:https://gitlab.com/[GitLab.com] or any other GitLab instance as an identity provider. @@ -33,6 +33,7 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to GitLab. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- @@ -42,6 +43,18 @@ For example: ---- https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/gitlab ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- ++ +For example: ++ +---- +https://oauth.mycluster.openshift-cluster.example.com/oauth2callback/gitlab +---- +endif::openshift-rosa-hcp[] . link:https://docs.gitlab.com/ee/integration/oauth_provider.html[Add a new application in GitLab]. diff --git a/modules/config-google-idp.adoc b/modules/config-google-idp.adoc index d59f7e5242d2..5d506fbf52f2 100644 --- a/modules/config-google-idp.adoc +++ b/modules/config-google-idp.adoc @@ -6,7 +6,7 @@ :_mod-docs-content-type: PROCEDURE [id="config-google-idp_{context}"] -= Configuring a Google identity provider += Configuring a Google identity provider via the OCM Console Configure a Google identity provider to allow users to authenticate with their Google credentials. 
@@ -36,6 +36,7 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to Google. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- @@ -45,6 +46,18 @@ For example: ---- https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/google ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- ++ +For example: ++ +---- +https://oauth.mycluster.openshift-cluster.example.com/oauth2callback/google +---- +endif::openshift-rosa-hcp[] . Configure a Google identity provider using link:https://developers.google.com/identity/protocols/OpenIDConnect[Google's OpenID Connect integration]. diff --git a/modules/config-ldap-idp.adoc b/modules/config-ldap-idp.adoc index e8faf6787d50..0d10946b6d9a 100644 --- a/modules/config-ldap-idp.adoc +++ b/modules/config-ldap-idp.adoc @@ -6,7 +6,7 @@ :_mod-docs-content-type: PROCEDURE [id="config-ldap-idp_{context}"] -= Configuring a LDAP identity provider += Configuring a LDAP identity provider via the OCM Console Configure the LDAP identity provider to validate user names and passwords against an LDAPv3 server, using simple bind authentication. diff --git a/modules/oauth-server-overview.adoc b/modules/oauth-server-overview.adoc index ea50ca16e5e8..d4bca9a4b9c5 100644 --- a/modules/oauth-server-overview.adoc +++ b/modules/oauth-server-overview.adoc @@ -7,7 +7,7 @@ [id="oauth-server-overview_{context}"] = {product-title} OAuth server -The {product-title} master includes a built-in OAuth server. Users obtain OAuth +The {product-title} Control Plane includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API. When a person requests a new OAuth token, the OAuth server uses the configured 
diff --git a/modules/oauth-token-requests.adoc b/modules/oauth-token-requests.adoc index 491f34d3699a..1e8c1fc7990b 100644 --- a/modules/oauth-token-requests.adoc +++ b/modules/oauth-token-requests.adoc @@ -41,11 +41,13 @@ cannot display interactive login pages, such as the CLI. Therefore, {product-title} supports authenticating using a `WWW-Authenticate` challenge in addition to interactive login flows. +ifndef::openshift-rosa-hcp[] If an authenticating proxy is placed in front of the `/oauth/authorize` endpoint, it sends unauthenticated, non-browser user-agents `WWW-Authenticate` challenges rather than displaying an interactive login page or redirecting to an interactive login flow. +endif::openshift-rosa-hcp[] [NOTE] ==== diff --git a/modules/rosa-create-cluster-admins.adoc b/modules/rosa-create-cluster-admins.adoc index 42d35b667925..3fb2fa81bef8 100644 --- a/modules/rosa-create-cluster-admins.adoc +++ b/modules/rosa-create-cluster-admins.adoc @@ -42,6 +42,7 @@ GROUP NAME cluster-admins rh-rosa-test-user dedicated-admins rh-rosa-test-user ---- +ifndef::openshift-rosa-hcp[] + . Enter the following command to verify that your user now has `cluster-admin` access. A cluster administrator can run this command without errors, but a dedicated administrator cannot. + @@ -62,3 +63,4 @@ service/api ClusterIP 172.30.23.241 443/TCP 18h NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE daemonset.apps/apiserver 3 3 3 3 3 node-role.kubernetes.io/master= 18h ---- +endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/modules/setting-up-an-aws-iam-role-a-service-account.adoc b/modules/setting-up-an-aws-iam-role-a-service-account.adoc index 4232e15b13c4..32c920f2bec8 100644 --- a/modules/setting-up-an-aws-iam-role-a-service-account.adoc +++ b/modules/setting-up-an-aws-iam-role-a-service-account.adoc 
@@ -46,6 +46,9 @@ In {product-title} with STS clusters, the OIDC provider is created during instal } ---- <1> Replace `` with the ARN of your OIDC provider, for example `arn:aws:iam:::oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. +ifndef::openshift-rosa-hcp[] +You can retrieve this using the `rosa describe cluster $Your_cluster_name` command. +endif::openshift-rosa-hcp[] <2> Limits the role to the specified project and service account. Replace `` with the name of your OIDC provider, for example `rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. Replace `:` with your project name and service account name, for example `my-project:test-service-account`. + [NOTE]
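Review bot: In the first `authentication-authorization-common-terms.adoc` hunk (`@@ -18,10`), the comment `// In OSD and ROSA, the CCO is managed by Red Hat SRE.` no longer matches the condition it explains, because the `ifndef` below it now also lists `openshift-rosa-hcp` while the comment names only OSD and ROSA. Update it to cover ROSA with HCP, and add the same comment to the `manual mode`, `mint mode` and `passthrough mode` blocks later in the file, which gain the HCP attribute with no explanation at all.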
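Review bot: The `config-github-idp.adoc` hunk at `@@ -39,9` conditionalises only the callback URL template, so the `For example:` block that follows stays unconditional and HCP readers see an example that still uses the `oauth-openshift.apps.` host form, contradicting the `https://oauth../oauth2callback/` template they were just given. Mirror the GitLab and Google hunks: move the existing example inside `ifndef::openshift-rosa-hcp[]` and add an `ifdef::openshift-rosa-hcp[]` example such as `https://oauth.mycluster.openshift-cluster.example.com/oauth2callback/github`.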
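Review bot: The four retitled modules (`config-github-idp.adoc`, `config-gitlab-idp.adoc`, `config-google-idp.adoc`, `config-ldap-idp.adoc`) introduce "via the OCM Console" as a bare, unexpanded abbreviation, and "via" is a word the rest of these docs avoid in favour of "by using". Prefer a title of the form `= Configuring a GitHub identity provider by using OpenShift Cluster Manager` (or the repository's attribute for that product name, if one exists). While the LDAP title line is being touched, also fix the pre-existing article: "a LDAP identity provider" should be "an LDAP identity provider".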
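Review bot: In `oauth-server-overview.adoc` the replacement line capitalises "Control Plane", but the same sentence already appears in this patch's context for `authentication-authorization-common-terms.adoc` (`@@ -69,10`) as "The {product-title} control plane includes a built-in OAuth server" in lowercase. Use "control plane" here so the two modules agree.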
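Review bot: In `oauth-token-requests.adoc` the new `ifndef::openshift-rosa-hcp[]` hides the authenticating-proxy paragraph without recording why, while the preceding sentence ("{product-title} supports authenticating using a `WWW-Authenticate` challenge in addition to interactive login flows.") and the `[NOTE]` block after the `endif` stay unconditional. Add an AsciiDoc comment beside the condition stating the reason (for example that an authenticating proxy cannot be placed in front of the hosted `/oauth/authorize` endpoint) so a later editor can judge whether the surrounding text still applies to HCP.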
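Review bot: In `rosa-create-cluster-admins.adoc` the `cluster-admin` verification step is removed for HCP with nothing put in its place, so that variant can only confirm the new access from the group listing, and the file now ends without a trailing newline (`\ No newline at end of file`). The excluded check depends on `daemonset.apps/apiserver` running on `node-role.kubernetes.io/master=` nodes, which a hosted control plane does not expose to the cluster, so give HCP readers a check that works there, for example `oc auth can-i '*' '*'`, which returns `yes` for a cluster administrator and `no` for a dedicated administrator, and terminate the final `endif::openshift-rosa-hcp[]` with a newline.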
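Review bot: In `setting-up-an-aws-iam-role-a-service-account.adoc` the added sentence `You can retrieve this using the `rosa describe cluster $Your_cluster_name` command.` uses a shell-variable style placeholder while the surrounding callouts use replaceable inline text ("Replace `` with ..."); use the same convention, and the documented flag form, for example `rosa describe cluster --cluster <cluster_name>`. The sentence is also excluded for HCP with no stated reason even though the hunk's own context says the OIDC provider exists on STS clusters generally; either document why HCP clusters cannot use this command to find the OIDC provider ARN, or drop the condition.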