diff --git a/modules/authentication-authorization-common-terms.adoc b/modules/authentication-authorization-common-terms.adoc index 2b5816da56a6..198aa021824f 100644 --- a/modules/authentication-authorization-common-terms.adoc +++ b/modules/authentication-authorization-common-terms.adoc @@ -49,10 +49,10 @@ manual mode:: In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). endif::openshift-dedicated,openshift-rosa[] -ifndef::openshift-dedicated,openshift-rosa[] +ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] mint mode:: Mint mode is the default and recommended best practice setting for the Cloud Credential Operator (CCO) to use on the platforms for which it is supported. In this mode, the CCO uses the provided administrator-level cloud credential to create new credentials for components in the cluster with only the specific permissions that are required. -endif::openshift-dedicated,openshift-rosa[] +endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] namespace:: A namespace isolates specific system resources that are visible to all processes. Inside a namespace, only processes that are members of that namespace can see those resources. diff --git a/modules/config-github-idp.adoc b/modules/config-github-idp.adoc index 1c889c8d70a8..2f2652a712cc 100644 --- a/modules/config-github-idp.adoc +++ b/modules/config-github-idp.adoc @@ -45,9 +45,16 @@ https://oauth-openshift.apps../oauth2callback/./oauth2callback/ +---- +endif::openshift-rosa-hcp[] . link:https://docs.github.com/en/developers/apps/creating-an-oauth-app[Register an application on GitHub]. diff --git a/modules/config-gitlab-idp.adoc b/modules/config-gitlab-idp.adoc index c1e91bbc1c04..e43570feba7f 100644 --- a/modules/config-gitlab-idp.adoc +++ b/modules/config-gitlab-idp.adoc @@ -33,9 +33,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to GitLab. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + diff --git a/modules/config-google-idp.adoc b/modules/config-google-idp.adoc index d59f7e5242d2..e0f5d2e5cc3a 100644 --- a/modules/config-google-idp.adoc +++ b/modules/config-google-idp.adoc @@ -36,9 +36,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to Google. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + diff --git a/modules/config-openid-idp.adoc b/modules/config-openid-idp.adoc index 9a68973b6c15..bb945e7cd202 100644 --- a/modules/config-openid-idp.adoc +++ b/modules/config-openid-idp.adoc @@ -73,9 +73,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. + +ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps../oauth2callback/ ---- +endif::openshift-rosa-hcp[] +ifdef::openshift-rosa-hcp[] +---- +https://oauth../oauth2callback/ +---- +endif::openshift-rosa-hcp[] + For example: + diff --git a/modules/ldap-syncing-nesting.adoc b/modules/ldap-syncing-nesting.adoc index 0d71219ab3b1..29e70d8ff0d1 100644 --- a/modules/ldap-syncing-nesting.adoc +++ b/modules/ldap-syncing-nesting.adoc @@ -7,10 +7,7 @@ == LDAP nested membership sync example Groups in {product-title} do not nest. The LDAP server must flatten group -membership before the data can be consumed. Microsoft's Active Directory Server -supports this feature via the -link:https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`] -rule, which has the OID `1.2.840.113556.1.4.1941`. Furthermore, only explicitly +membership before the data can be consumed. Microsoft's Active Directory Server supports this feature via the `LDAP_MATCHING_RULE_IN_CHAIN` rule, which has the OID `1.2.840.113556.1.4.1941`. Furthermore, only explicitly whitelisted groups can be synced when using this matching rule. This section has an example for the augmented Active Directory schema, which @@ -86,10 +83,7 @@ with which to represent them in the internal {product-title} group records. Furthermore, certain changes are required in this configuration: - The `oc adm groups sync` command must explicitly whitelist groups. -- The user's `groupMembershipAttributes` must include -`"memberOf:1.2.840.113556.1.4.1941:"` to comply with the -https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`] -rule. +- The user's `groupMembershipAttributes` must include `"memberOf:1.2.840.113556.1.4.1941:"` to comply with the `LDAP_MATCHING_RULE_IN_CHAIN` rule. - The `groupUIDAttribute` must be set to `dn`. - The `groupsQuery`: * Must not set `filter`. @@ -130,8 +124,7 @@ values are ignored. `groupsQuery` must set a valid `derefAliases`. <3> The attribute to use as the name of the group. <4> The attribute to use as the name of the user in the {product-title} group record. `mail` or `sAMAccountName` are preferred choices in most installations. -<5> The attribute on the user that stores the membership information. Note the use -of https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`]. +<5> The attribute on the user that stores the membership information. Note the use of `LDAP_MATCHING_RULE_IN_CHAIN`. .Prerequisites diff --git a/modules/oauth-server-overview.adoc b/modules/oauth-server-overview.adoc index ea50ca16e5e8..d4bca9a4b9c5 100644 --- a/modules/oauth-server-overview.adoc +++ b/modules/oauth-server-overview.adoc @@ -7,7 +7,7 @@ [id="oauth-server-overview_{context}"] = {product-title} OAuth server -The {product-title} master includes a built-in OAuth server. Users obtain OAuth +The {product-title} Control Plane includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API. When a person requests a new OAuth token, the OAuth server uses the configured diff --git a/modules/oauth-token-requests.adoc b/modules/oauth-token-requests.adoc index 491f34d3699a..1e8c1fc7990b 100644 --- a/modules/oauth-token-requests.adoc +++ b/modules/oauth-token-requests.adoc @@ -41,11 +41,13 @@ cannot display interactive login pages, such as the CLI. Therefore, {product-title} supports authenticating using a `WWW-Authenticate` challenge in addition to interactive login flows. +ifndef::openshift-rosa-hcp[] If an authenticating proxy is placed in front of the `/oauth/authorize` endpoint, it sends unauthenticated, non-browser user-agents `WWW-Authenticate` challenges rather than displaying an interactive login page or redirecting to an interactive login flow. +endif::openshift-rosa-hcp[] [NOTE] ==== diff --git a/modules/rosa-create-cluster-admins.adoc b/modules/rosa-create-cluster-admins.adoc index 42d35b667925..828d9ae6d779 100644 --- a/modules/rosa-create-cluster-admins.adoc +++ b/modules/rosa-create-cluster-admins.adoc @@ -43,6 +43,7 @@ cluster-admins rh-rosa-test-user dedicated-admins rh-rosa-test-user ---- + +ifndef::openshift-rosa-hcp[] . Enter the following command to verify that your user now has `cluster-admin` access. A cluster administrator can run this command without errors, but a dedicated administrator cannot. + [source,terminal] @@ -62,3 +63,4 @@ service/api ClusterIP 172.30.23.241 443/TCP 18h NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE daemonset.apps/apiserver 3 3 3 3 3 node-role.kubernetes.io/master= 18h ---- +endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/modules/setting-up-an-aws-iam-role-a-service-account.adoc b/modules/setting-up-an-aws-iam-role-a-service-account.adoc index 4232e15b13c4..6857532449b8 100644 --- a/modules/setting-up-an-aws-iam-role-a-service-account.adoc +++ b/modules/setting-up-an-aws-iam-role-a-service-account.adoc @@ -45,7 +45,7 @@ In {product-title} with STS clusters, the OIDC provider is created during instal ] } ---- -<1> Replace `` with the ARN of your OIDC provider, for example `arn:aws:iam:::oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. +<1> Replace `` with the ARN of your OIDC provider, for example, `arn:aws:iam:::oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. You can retrieve the ARN by using the `rosa describe cluster` CLI command. <2> Limits the role to the specified project and service account. Replace `` with the name of your OIDC provider, for example `rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. Replace `:` with your project name and service account name, for example `my-project:test-service-account`. + [NOTE]