From cd057fe1b9d3cf4913abbc5e9a13f616ac2cff4e Mon Sep 17 00:00:00 2001 From: Janelle Neczypor Date: Thu, 17 Jul 2025 15:21:22 -0700 Subject: [PATCH] OSDOCS-14108 --- .../authentication-authorization-common-terms.adoc | 4 ++-- modules/config-github-idp.adoc | 7 +++++++ modules/config-gitlab-idp.adoc | 7 +++++++ modules/config-google-idp.adoc | 7 +++++++ modules/config-openid-idp.adoc | 7 +++++++ modules/ldap-syncing-nesting.adoc | 13 +++---------- modules/oauth-server-overview.adoc | 2 +- modules/oauth-token-requests.adoc | 2 ++ modules/rosa-create-cluster-admins.adoc | 2 ++ ...etting-up-an-aws-iam-role-a-service-account.adoc | 2 +- 10 files changed, 39 insertions(+), 14 deletions(-) diff --git a/modules/authentication-authorization-common-terms.adoc b/modules/authentication-authorization-common-terms.adoc index 2b5816da56..198aa02182 100644 --- a/modules/authentication-authorization-common-terms.adoc +++ b/modules/authentication-authorization-common-terms.adoc @@ -49,10 +49,10 @@ manual mode:: In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). endif::openshift-dedicated,openshift-rosa[] -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] mint mode:: Mint mode is the default and recommended best practice setting for the Cloud Credential Operator (CCO) to use on the platforms for which it is supported. In this mode, the CCO uses the provided administrator-level cloud credential to create new credentials for components in the cluster with only the specific permissions that are required. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] namespace:: A namespace isolates specific system resources that are visible to all processes. Inside a namespace, only processes that are members of that namespace can see those resources. 
diff --git a/modules/config-github-idp.adoc b/modules/config-github-idp.adoc index 1c889c8d70..2f2652a712 100644 --- a/modules/config-github-idp.adoc +++ b/modules/config-github-idp.adoc @@ -45,9 +45,16 @@ https://oauth-openshift.apps../oauth2callback/./oauth2callback/ +---- +endif::openshift-rosa-hcp[] . link:https://docs.github.com/en/developers/apps/creating-an-oauth-app[Register an application on GitHub]. diff --git a/modules/config-gitlab-idp.adoc b/modules/config-gitlab-idp.adoc index c1e91bbc1c..e43570feba 100644 --- a/modules/config-gitlab-idp.adoc +++ b/modules/config-gitlab-idp.adoc @@ -33,9 +33,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to GitLab. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + diff --git a/modules/config-google-idp.adoc b/modules/config-google-idp.adoc index d59f7e5242..e0f5d2e5cc 100644 --- a/modules/config-google-idp.adoc +++ b/modules/config-google-idp.adoc @@ -36,9 +36,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to Google. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + diff --git a/modules/config-openid-idp.adoc b/modules/config-openid-idp.adoc index 9a68973b6c..bb945e7cd2 100644 
--- a/modules/config-openid-idp.adoc +++ b/modules/config-openid-idp.adoc @@ -73,9 +73,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + diff --git a/modules/ldap-syncing-nesting.adoc b/modules/ldap-syncing-nesting.adoc index 0d71219ab3..29e70d8ff0 100644 --- a/modules/ldap-syncing-nesting.adoc +++ b/modules/ldap-syncing-nesting.adoc @@ -7,10 +7,7 @@ == LDAP nested membership sync example Groups in {product-title} do not nest. The LDAP server must flatten group -membership before the data can be consumed. Microsoft's Active Directory Server -supports this feature via the -link:https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`] -rule, which has the OID `1.2.840.113556.1.4.1941`. Furthermore, only explicitly +membership before the data can be consumed. Microsoft's Active Directory Server supports this feature via the `LDAP_MATCHING_RULE_IN_CHAIN` rule, which has the OID `1.2.840.113556.1.4.1941`. Furthermore, only explicitly whitelisted groups can be synced when using this matching rule. This section has an example for the augmented Active Directory schema, which 
@@ -86,10 +83,7 @@ with which to represent them in the internal {product-title} group records. Furthermore, certain changes are required in this configuration: - The `oc adm groups sync` command must explicitly whitelist groups. -- The user's `groupMembershipAttributes` must include -`"memberOf:1.2.840.113556.1.4.1941:"` to comply with the -https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`] -rule. +- The user's `groupMembershipAttributes` must include `"memberOf:1.2.840.113556.1.4.1941:"` to comply with the `LDAP_MATCHING_RULE_IN_CHAIN` rule. - The `groupUIDAttribute` must be set to `dn`. - The `groupsQuery`: * Must not set `filter`. @@ -130,8 +124,7 @@ values are ignored. `groupsQuery` must set a valid `derefAliases`. <3> The attribute to use as the name of the group. <4> The attribute to use as the name of the user in the {product-title} group record. `mail` or `sAMAccountName` are preferred choices in most installations. -<5> The attribute on the user that stores the membership information. Note the use -of https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`]. +<5> The attribute on the user that stores the membership information. Note the use of `LDAP_MATCHING_RULE_IN_CHAIN`. .Prerequisites diff --git a/modules/oauth-server-overview.adoc b/modules/oauth-server-overview.adoc index ea50ca16e5..d4bca9a4b9 100644 --- a/modules/oauth-server-overview.adoc +++ b/modules/oauth-server-overview.adoc @@ -7,7 +7,7 @@ [id="oauth-server-overview_{context}"] = {product-title} OAuth server -The {product-title} master includes a built-in OAuth server. Users obtain OAuth +The {product-title} Control Plane includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API. When a person requests a new OAuth token, the OAuth server uses the configured 
diff --git a/modules/oauth-token-requests.adoc b/modules/oauth-token-requests.adoc index 491f34d369..1e8c1fc799 100644 --- a/modules/oauth-token-requests.adoc +++ b/modules/oauth-token-requests.adoc @@ -41,11 +41,13 @@ cannot display interactive login pages, such as the CLI. Therefore, {product-title} supports authenticating using a `WWW-Authenticate` challenge in addition to interactive login flows. +ifndef::openshift-rosa-hcp[] If an authenticating proxy is placed in front of the `/oauth/authorize` endpoint, it sends unauthenticated, non-browser user-agents `WWW-Authenticate` challenges rather than displaying an interactive login page or redirecting to an interactive login flow. +endif::openshift-rosa-hcp[] [NOTE] ==== diff --git a/modules/rosa-create-cluster-admins.adoc b/modules/rosa-create-cluster-admins.adoc index 42d35b6679..828d9ae6d7 100644 --- a/modules/rosa-create-cluster-admins.adoc +++ b/modules/rosa-create-cluster-admins.adoc @@ -43,6 +43,7 @@ cluster-admins rh-rosa-test-user dedicated-admins rh-rosa-test-user ---- + +ifndef::openshift-rosa-hcp[] . Enter the following command to verify that your user now has `cluster-admin` access. A cluster administrator can run this command without errors, but a dedicated administrator cannot. + [source,terminal] @@ -62,3 +63,4 @@ service/api ClusterIP 172.30.23.241 443/TCP 18h NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE daemonset.apps/apiserver 3 3 3 3 3 node-role.kubernetes.io/master= 18h ---- +endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/modules/setting-up-an-aws-iam-role-a-service-account.adoc b/modules/setting-up-an-aws-iam-role-a-service-account.adoc index 4232e15b13..6857532449 100644 --- a/modules/setting-up-an-aws-iam-role-a-service-account.adoc +++ b/modules/setting-up-an-aws-iam-role-a-service-account.adoc 
@@ -45,7 +45,7 @@ In {product-title} with STS clusters, the OIDC provider is created during instal ] } ---- -<1> Replace `` with the ARN of your OIDC provider, for example `arn:aws:iam:::oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. +<1> Replace `` with the ARN of your OIDC provider, for example, `arn:aws:iam:::oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. You can retrieve the ARN by using the `rosa describe cluster` CLI command. <2> Limits the role to the specified project and service account. Replace `` with the name of your OIDC provider, for example `rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. Replace `:` with your project name and service account name, for example `my-project:test-service-account`. + [NOTE]
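Review bot: in the `authentication-authorization-common-terms.adoc` hunk, only the `mint mode` conditional is extended to `openshift-rosa-hcp`; the `manual mode` entry above it is still closed by the unchanged `endif::openshift-dedicated,openshift-rosa[]`, so unless its opening directive already covers HCP, a ROSA HCP build renders neither credentials-mode term. If that is intended, fine; otherwise extend the `manual mode` conditional as well or add an HCP-specific entry.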
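Review bot: in the `config-gitlab-idp.adoc` hunk (and identically in the `config-google-idp.adoc` and `config-openid-idp.adoc` hunks), only the callback URL template is split into `ifndef`/`ifdef::openshift-rosa-hcp[]` variants; the `For example:` listing that follows is unchanged trailing context. If that example still uses the `oauth-openshift.apps.` hostname, HCP readers get a template with one hostname and an example with another, and since the redirect URI registered with the identity provider has to match exactly, a copied example would simply fail the callback. Either give the example the same conditional treatment or confirm it is hostname-neutral.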
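Review bot: in the first `ldap-syncing-nesting.adoc` hunk, the `link:` to the `LDAP_MATCHING_RULE_IN_CHAIN` documentation is dropped rather than replaced, leaving readers with only the rule name and the OID `1.2.840.113556.1.4.1941`. If the old `msdn.microsoft.com` URL is dead, point at Microsoft's current search filter syntax documentation for the matching rule instead of removing the reference. The replacement also collapses the hard-wrapped paragraph onto a single line while the surrounding text stays wrapped; keep the file's wrapping.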
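Review bot: in the second `ldap-syncing-nesting.adoc` hunk, the same link removal applies to the bullet and to callout `<5>`; with the link gone, `Note the use of `LDAP_MATCHING_RULE_IN_CHAIN`` in `<5>` no longer tells the reader what to look for in the configuration. Name the `memberOf:1.2.840.113556.1.4.1941:` form from the `groupMembershipAttributes` bullet in that callout, since that string is what it is pointing at.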
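Review bot: in the `oauth-server-overview.adoc` hunk, `Control Plane` is capitalized; OpenShift and Kubernetes documentation treat it as a common noun, so write `The {product-title} control plane includes a built-in OAuth server`. Replacing `master` itself is the right change.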
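Review bot: in the `oauth-token-requests.adoc` hunk, the paragraph about an authenticating proxy in front of `/oauth/authorize` is excluded for HCP, but the preceding sentence still states that `WWW-Authenticate` challenges are supported, and the `[NOTE]` block that follows is unchanged context. Check that the note does not refer back to the proxy behaviour that has just been conditioned out, or it will dangle in the HCP build.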
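Review bot: in the `rosa-create-cluster-admins.adoc` hunks, `ifndef::openshift-rosa-hcp[]` is inserted after the `+` list continuation that follows the `----` listing, so in an HCP build that `+` is left with nothing to attach to; move the `+` inside the conditional. The second hunk adds `endif::openshift-rosa-hcp[]` with `\ No newline at end of file`; add the trailing newline. Dropping the step also means the HCP procedure ends without any check that `cluster-admin` was actually granted; if the `oc get` verification is removed because its output relies on control-plane resources a cluster user cannot see on HCP, replace it with a check that works there rather than ending the procedure unverified.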
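Review bot: in the `setting-up-an-aws-iam-role-a-service-account.adoc` hunk, callout `<1>` gains a comma after `for example`, but callout `<2>`, unchanged context, still reads `for example `rh-oidc...`` twice without it; apply the same punctuation there. On the added sentence, confirm that `rosa describe cluster` prints the OIDC provider ARN itself and not only the OIDC endpoint URL; if it is the latter, say how the reader turns that URL into the `arn:aws:iam::<account>:oidc-provider/...` form shown in the example.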