OSDOCS-14108 auth book comment incorporation #95969

Open. Wants to merge 1 commit into base: main.
16 changes: 8 additions & 8 deletions modules/authentication-authorization-common-terms.adoc
@@ -18,10 +18,10 @@ bearer token::
Bearer token is used to authenticate to API with the header `Authorization: Bearer <token>`.

// In OSD and ROSA, the CCO is managed by Red Hat SRE.
ifndef::openshift-dedicated,openshift-rosa[]
ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
Cloud Credential Operator::
The Cloud Credential Operator (CCO) manages cloud provider credentials as custom resource definitions (CRDs).
endif::openshift-dedicated,openshift-rosa[]
endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]

config map::
A config map provides a way to inject configuration data into the pods. You can reference the data stored in a config map in a volume of type `ConfigMap`. Applications running in a pod can use this data.
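Review bot: the comment above the conditional still reads `// In OSD and ROSA, the CCO is managed by Red Hat SRE.`, but `ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]` now also drops the Cloud Credential Operator entry from the ROSA with HCP build; extend the comment to name ROSA with HCP so the next editor knows why that attribute is in the list.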
@@ -44,15 +44,15 @@ Keystone is an {rh-openstack-first} project that provides identity, token, catal
Lightweight directory access protocol (LDAP)::
LDAP is a protocol that queries user information.

ifndef::openshift-dedicated,openshift-rosa[]
ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
manual mode::
In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO).
endif::openshift-dedicated,openshift-rosa[]
endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]

ifndef::openshift-dedicated,openshift-rosa[]
ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
mint mode::
Mint mode is the default and recommended best practice setting for the Cloud Credential Operator (CCO) to use on the platforms for which it is supported. In this mode, the CCO uses the provided administrator-level cloud credential to create new credentials for components in the cluster with only the specific permissions that are required.
endif::openshift-dedicated,openshift-rosa[]
endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]

namespace::
A namespace isolates specific system resources that are visible to all processes. Inside a namespace, only processes that are members of that namespace can see those resources.
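Review bot: the `manual mode` and `mint mode` entries sit in two adjacent conditional blocks with the identical condition `ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]`, separated only by a blank line; one `ifndef`/`endif` pair around both entries is easier to keep in sync the next time a distro attribute has to be added to the list.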
@@ -69,10 +69,10 @@ The {product-title} control plane includes a built-in OAuth server that determin
OpenID Connect::
The OpenID Connect is a protocol to authenticate the users to use single sign-on (SSO) to access sites that use OpenID Providers.

ifndef::openshift-dedicated,openshift-rosa[]
ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
passthrough mode::
In passthrough mode, the Cloud Credential Operator (CCO) passes the provided cloud credential to the components that request cloud credentials.
endif::openshift-dedicated,openshift-rosa[]
endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]

pod::
A pod is the smallest logical unit in Kubernetes. A pod is comprised of one or more containers to run in a worker node.
9 changes: 8 additions & 1 deletion modules/config-github-idp.adoc
@@ -6,7 +6,7 @@

:_mod-docs-content-type: PROCEDURE
[id="config-github-idp_{context}"]
= Configuring a GitHub identity provider
= Configuring a GitHub identity provider via the OCM Console


Configure a GitHub identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server and access your {product-title} cluster. OAuth facilitates a token exchange flow between {product-title} and GitHub or GitHub Enterprise.
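Review bot: `via` and the unexpanded abbreviation `OCM` in the new heading `= Configuring a GitHub identity provider via the OCM Console` are a style issue: spell out the product name and use `by using`, for example `= Configuring a GitHub identity provider by using the OpenShift Cluster Manager console` (or the repository's attribute for that product name, if one is defined). The same applies to the matching heading changes in the GitLab, Google, and LDAP modules in this PR. The anchor `[id="config-github-idp_{context}"]` is unchanged, so existing xrefs keep working.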
@@ -39,9 +39,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis
. Enter a unique name for the identity provider. This name cannot be changed later.
** An *OAuth callback URL* is automatically generated in the provided field. You will use this to register the GitHub application.
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
+
For example:
+
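Review bot: only the URL pattern is conditionalized here; the `For example:` line and the example URL that follows it stay outside the `ifndef::openshift-rosa-hcp[]`/`ifdef::openshift-rosa-hcp[]` pair, so the ROSA with HCP build shows the HCP pattern `https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>` followed by an example in the other host format. The GitLab and Google modules in this PR wrap the example in the conditional as well; do the same here.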
15 changes: 14 additions & 1 deletion modules/config-gitlab-idp.adoc
@@ -6,7 +6,7 @@

:_mod-docs-content-type: PROCEDURE
[id="config-gitlab-idp_{context}"]
= Configuring a GitLab identity provider
= Configuring a GitLab identity provider via the OCM Console


Configure a GitLab identity provider to use link:https://gitlab.com/[GitLab.com] or any other GitLab instance as an identity provider.
@@ -33,6 +33,7 @@ You can also click the *Add Oauth configuration* link in the warning message dis
. Enter a unique name for the identity provider. This name cannot be changed later.
** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to GitLab.
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
@@ -42,6 +43,18 @@ For example:
----
https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/gitlab
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
+
For example:
+
----
https://oauth.mycluster.openshift-cluster.example.com/oauth2callback/gitlab
----
endif::openshift-rosa-hcp[]

. link:https://docs.gitlab.com/ee/integration/oauth_provider.html[Add a new application in GitLab].
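Review bot: the HCP example `https://oauth.mycluster.openshift-cluster.example.com/oauth2callback/gitlab` does not map onto the pattern it illustrates, `https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>`, the way the non-HCP example does: there `openshift-cluster` is the cluster name and `example.com` the cluster domain, while the HCP example adds a third label `mycluster`. Either use `https://oauth.openshift-cluster.example.com/oauth2callback/gitlab` so the two examples are parallel, or, if the HCP host really carries an extra label, show that in the pattern line too. The Google module in this PR has the same example and needs the same fix.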

15 changes: 14 additions & 1 deletion modules/config-google-idp.adoc
@@ -6,7 +6,7 @@

:_mod-docs-content-type: PROCEDURE
[id="config-google-idp_{context}"]
= Configuring a Google identity provider
= Configuring a Google identity provider via the OCM Console


Configure a Google identity provider to allow users to authenticate with their Google credentials.
@@ -36,6 +36,7 @@ You can also click the *Add Oauth configuration* link in the warning message dis
. Enter a unique name for the identity provider. This name cannot be changed later.
** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to Google.
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
@@ -45,6 +46,18 @@ For example:
----
https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/google
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
+
For example:
+
----
https://oauth.mycluster.openshift-cluster.example.com/oauth2callback/google
----
endif::openshift-rosa-hcp[]

. Configure a Google identity provider using link:https://developers.google.com/identity/protocols/OpenIDConnect[Google's OpenID Connect integration].

2 changes: 1 addition & 1 deletion modules/config-ldap-idp.adoc
@@ -6,7 +6,7 @@

:_mod-docs-content-type: PROCEDURE
[id="config-ldap-idp_{context}"]
= Configuring a LDAP identity provider
= Configuring a LDAP identity provider via the OCM Console


Configure the LDAP identity provider to validate user names and passwords against an LDAPv3 server, using simple bind authentication.
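Review bot: since the heading line is being rewritten anyway, fix the article while you are there: `= Configuring an LDAP identity provider ...` (the abbreviation is read as "el-dap", so it takes `an`). The `via the OCM Console` wording has the same style issue as the GitHub, GitLab, and Google headings in this PR.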
2 changes: 1 addition & 1 deletion modules/oauth-server-overview.adoc
@@ -7,7 +7,7 @@
[id="oauth-server-overview_{context}"]
= {product-title} OAuth server

The {product-title} master includes a built-in OAuth server. Users obtain OAuth
The {product-title} Control Plane includes a built-in OAuth server. Users obtain OAuth
access tokens to authenticate themselves to the API.

When a person requests a new OAuth token, the OAuth server uses the configured
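Review bot: `Control Plane` is capitalized here, but the same term is lowercase in the glossary context line touched elsewhere in this PR (`The {product-title} control plane includes a built-in OAuth server`); use lowercase `control plane` so the two modules agree. Replacing `master` is the right change.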
2 changes: 2 additions & 0 deletions modules/oauth-token-requests.adoc
@@ -41,11 +41,13 @@ cannot display interactive login pages, such as the CLI. Therefore,
{product-title} supports authenticating using a `WWW-Authenticate`
challenge in addition to interactive login flows.

ifndef::openshift-rosa-hcp[]
If an authenticating proxy is placed in front of the
`<namespace_route>/oauth/authorize` endpoint, it sends unauthenticated,
non-browser user-agents `WWW-Authenticate` challenges rather than
displaying an interactive login page or redirecting to an interactive
login flow.
endif::openshift-rosa-hcp[]

[NOTE]
====
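Review bot: the paragraph about an authenticating proxy in front of `<namespace_route>/oauth/authorize` is silently dropped for ROSA with HCP, with nothing in the source saying why; add a `//` comment above `ifndef::openshift-rosa-hcp[]` (the common-terms module in this PR does this for the CCO entries) stating whether the proxy setup is unsupported on HCP or the endpoint simply differs. Also check that the `[NOTE]` that follows does not refer to the proxy; if it does, it needs the same condition.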
2 changes: 2 additions & 0 deletions modules/rosa-create-cluster-admins.adoc
@@ -42,6 +42,7 @@ GROUP NAME
cluster-admins rh-rosa-test-user
dedicated-admins rh-rosa-test-user
----
ifndef::openshift-rosa-hcp[]
+
. Enter the following command to verify that your user now has `cluster-admin` access. A cluster administrator can run this command without errors, but a dedicated administrator cannot.
+
@@ -62,3 +63,4 @@ service/api ClusterIP 172.30.23.241 <none> 443/TCP 18h
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/apiserver 3 3 3 3 3 node-role.kubernetes.io/master= 18h
----
endif::openshift-rosa-hcp[]
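Review bot: hiding the entire verification step for ROSA with HCP leaves HCP readers with no way to confirm that `cluster-admin` access took effect. The reason the step is dropped is visible in the sample output (`daemonset.apps/apiserver ... node-role.kubernetes.io/master=` is a control-plane resource that a hosted control plane does not expose to the cluster), so state it in a `//` comment above `ifndef::openshift-rosa-hcp[]` and, in an `ifdef::openshift-rosa-hcp[]` branch, give an equivalent check that a `dedicated-admins` member cannot pass.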
3 changes: 3 additions & 0 deletions modules/setting-up-an-aws-iam-role-a-service-account.adoc
@@ -46,6 +46,9 @@ In {product-title} with STS clusters, the OIDC provider is created during instal
}
----
<1> Replace `<oidc_provider_arn>` with the ARN of your OIDC provider, for example `arn:aws:iam::<aws_account_id>:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`.
ifndef::openshift-rosa-hcp[]
You can retrieve this using the `rosa describe cluster $Your_cluster_name` command.
endif::openshift-rosa-hcp[]
<2> Limits the role to the specified project and service account. Replace `<oidc_provider_name>` with the name of your OIDC provider, for example `rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. Replace `<project_name>:<service_account_name>` with your project name and service account name, for example `my-project:test-service-account`.
+
[NOTE]
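Review bot: `rosa describe cluster $Your_cluster_name` uses a shell-variable placeholder where the rest of this module uses angle-bracket placeholders (`<oidc_provider_arn>`, `<project_name>:<service_account_name>`), and `rosa describe cluster` takes the cluster name with the `--cluster`/`-c` option, so write `rosa describe cluster -c <cluster_name>`. The `ifndef::openshift-rosa-hcp[]` also leaves HCP readers with no way to find the OIDC provider ARN at all; if `rosa describe cluster` is not the right source on HCP, point them to the correct one instead of hiding the sentence.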