OSDOCS-9614: Created documentation to create a ROSA with HCP cluster that uses external auth for OIDC

Author: EricPonvelle

_topic_maps/_topic_map_rosa.yml

@@ -227,6 +227,8 @@ Topics:
   File: rosa-hcp-creating-cluster-with-aws-kms-key
 - Name: Creating a private cluster on ROSA with HCP
   File: rosa-hcp-aws-private-creating-cluster
+- Name: Creating ROSA with HCP clusters with external authentication
+  File: rosa-hcp-sts-creating-a-cluster-ext-auth
 - Name: Using the Node Tuning Operator on ROSA with HCP
   File: rosa-tuning-config
 ---
@@ -615,6 +617,8 @@ Topics:
 #   File: understanding-identity-provider
 - Name: Configuring identity providers
   File: sd-configuring-identity-providers
+- Name: Configuring identity providers for ROSA with HCP clusters
+  File: sd-hcp-configuring-identity-providers
 # - Name: Configuring identity providers
 #   Dir: identity_providers
 #   Topics:

authentication/sd-hcp-configuring-identity-providers.adoc

@@ -0,0 +1,15 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="sd-hcp-configuring-identity-providers"]
+= Configuring identity providers for {hcp-title} clusters
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: sd-hcp-configuring-identity-providers
+
+toc::[]
+
+After your {product-title} cluster is created, you must configure identity providers to determine how users log in to access the cluster.
+
+To use these external authentication providers, you must create a cluster with this feature enabled. For more information, see xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc#rosa-hcp-sts-creating-a-cluster-ext-auth[Creating ROSA with HCP clusters with external authentication].
+
+include::modules/understanding-idp.adoc[leveloffset=+1]
+include::modules/identity-provider-parameters.adoc[leveloffset=+2]
+include::modules/config-github-idp.adoc[leveloffset=+1]

modules/rosa-hcp-sts-creating-a-cluster-ext-auth-cluster-cli.adoc

@@ -0,0 +1,109 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli_{context}"]
+= Creating a {hcp-title} cluster that uses external authentication providers
+:source-highlighter: pygments
+:pygments-style: emacs
+:icons: font
+ 
+Use the ROSA CLI's `--external-auth-providers-enabled` flag to create your cluster that uses an external authentication service.
+
+.Procedure
+
+. Use one of the following commands to create your ROSA with HCP cluster:
++
+* If you did not set environmental variables, run the following command:
++
+[NOTE]
+====
+When creating a {hcp-title} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr <address_block>` to the following commands. To learn more about the default CIDR ranges for {product-title}, see xref:../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions].
+====
++
+[source,terminal]
+----
+$ rosa create cluster --cluster-name=<cluster_name> \
+    --sts --mode=auto --hosted-cp --operator-roles-prefix <operator-role-prefix> \
+    --oidc-config-id <ID-of-OIDC-configuration> --external-auth-providers-enabled \
+    --subnet-ids=<public-subnet-id>,<private-subnet-id>
+----
++
+* If you used the `OIDC_ID`, `SUBNET_IDS`, and `OPERATOR_ROLES_PREFIX` variables to prepare your environment, you can continue to use those variables when creating your cluster. For example, run the following command:
++
+[source,terminal]
+----
+$ rosa create cluster --hosted-cp --subnet-ids=$SUBNET_IDS --oidc-config-id=$OIDC_ID --cluster-name=<cluster_name> --operator-roles-prefix=$OPERATOR_ROLES_PREFIX --external-auth-providers-enabled
+----
+
+.Verification
+. Verify that your external authentication is enabled in the cluster details by running the following command:
++
+[source,terminal]
+----
+$ rosa describe cluster --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal,highlight='50']
+----
+Name:                       rosa-ext-test
+Display Name:               rosa-ext-test
+ID:                         <cluster_id>
+External ID:                <cluster_ext_id>
+Control Plane:              ROSA Service Hosted
+OpenShift Version:          4.15.3
+Channel Group:              stable
+DNS:                        <dns>
+AWS Account:                <AWS_id>
+AWS Billing Account:        <AWS_id>
+API URL:                    <ocm_api>
+Console URL:
+Region:                     us-east-1
+Availability:
+ - Control Plane:           MultiAZ
+ - Data Plane:              SingleAZ
+
+Nodes:
+ - Compute (desired):       2
+ - Compute (current):       0
+Network:
+ - Type:                    OVNKubernetes
+ - Service CIDR:            <service_cidr>
+ - Machine CIDR:            <machine_cidr>
+ - Pod CIDR:                <pod_cidr>
+ - Host Prefix:             /23
+ - Subnets:                 <subnet_ids>
+EC2 Metadata Http Tokens:   optional
+Role (STS) ARN:             arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
+Support Role ARN:           arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
+Instance IAM Roles:
+ - Worker:                  arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
+Operator IAM Roles:
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-clo
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-kms-provider
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-kube-controller-manager
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
+ - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-crede
+Managed Policies:           Yes
+State:                      ready
+Private:                    No
+Created:                    Mar 29 2024 14:25:52 UTC
+User Workload Monitoring:   Enabled
+Details Page:               https://<url>
+OIDC Endpoint URL:          https://<endpoint> (Managed)
+Audit Log Forwarding:       Disabled
+External Authentication:    Enabled
+----
+
+. Track the progress of the cluster creation by watching the {product-title} installation program logs. To check the logs, run the following command:
++
+[source,terminal]
+----
+$ rosa logs install --cluster=<cluster_name> --watch <1>
+----
+<1> Optional: To watch for new log messages as the installation progresses, use the `--watch` argument.

modules/rosa-hcp-sts-creating-a-cluster-ext-auth-provider-cli.adoc

@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli_{context}"]
+= Creating an external authentication provider
+:source-highlighter: pygments
+:pygments-style: emacs
+:icons: font
+ 
+After you have created a {hcp-title} cluster with the enabled option for external authentication providers, you must create a provider using the ROSA CLI.
+
+.Procedure
+
+. Run the following command to create your external authentication provider:
++
+[source,terminal]
+----
+$ rosa create external-aut-provider -c <cluster_name>
+----
++
+This command starts an interactive CLI process:
++
+--
+[source,terminal]
+----
+I: Enabling interactive mode
+? Name: <.>
+? Issuer audiences: <.>
+? The serving url of the token issuer: <.>
+? CA file path (optional): <.>
+? Claim mapping username: <.>
+? Claim mapping groups: <.>
+? Claim validation rule (optional): <.>
+? Console client id (optional): <.>
+----
+<.> The name of your external authentication provider. This name should be a lower-case with numbers and dashes.
+<.> The issuer audiences field requires you to provide the audience IDs that this authentication provider issues tokens for.
+<.> This field uses the issuer's URL that serves the token.
+<.> Optional: This field takes the path of a certificate file to use when making requests.
+<.> The name of the claim that is used to construct the user names for cluster identity, such as using `email`.
+<.> This field specifies how to transform the ID token into a cluster identity, such as using `groups`.
+<.> Optional: These are rules that help validate token claims which authenticate your users. This field should be formatted as `<claim:<required_value>`.
+<.> Optional: This field is the application or client ID that your app registration uses for the console.
+--
+
+.Verification 
+
+. View the external authentication configuration on your cluster by running the following commands:
+
+* List the external authentication configuration on a specified cluster with the following command:
++ 
+[source,terminal]
+----
+$ rosa list external-auth-provider -c <cluster_name> 
+----  
++
+.Example output
++
+[source,terminal]
+----
+NAME        ISSUER URL
+m-entra-id  https://login.microsoftonline.com/<group_id>/v2.0
+----
+
+* Display the external authentication configuration on a specified cluster by using the following command:
++ 
+[source,terminal]
+----
+$ rosa describe external-auth-provider -c <cluster_name> --name <name_of_external_authentication>
+----  
++
+.Example output
++
+[source,terminal]
+----
+ID:                          ms-entra-id
+Cluster ID:                  <cluster_id>
+Issuer audiences:
+                             - <audience_id>
+Issuer Url:                  https://login.microsoftonline.com/<group_id>/v2.0
+Claim mappings group:        groups
+Claim mappings username:     email
+----

modules/rosa-hcp-sts-creating-a-cluster-ext-auth-provider-delete-cli.adoc

@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli_{context}"]
+= Deleting an external authentication provider
+:source-highlighter: pygments
+:pygments-style: emacs
+:icons: font
+ 
+Delete external authentication providers by using the ROSA CLI.
+
+.Procedure
+
+. Run the following command to display your external authentication provider on your cluster:
++
+[source,terminal]
+----
+$ rosa list external-auth-provider -c <cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+NAME        ISSUER URL
+entra-test  https://login.microsoftonline.com/<group_id>/v2.0
+----
+
+. Run the following command to delete the external authentication provider:
++
+[source,terminal]
+----
+$ rosa delete external-auth-provider <name_of_provider> -c <cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+? Are you sure you want to delete external authentication provider entra-test on cluster rosa-ext-test? Yes
+I: Successfully deleted external authentication provider 'entra-test' from cluster 'rosa-ext-test'
+----
+
+.Verification
+. Run the following command to query for any external authentication providers on your cluster:
++
+[source,terminal]
+----
+$ rosa list external-auth-provider -c <cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+E: there are no external authentication providers for this cluster
+----

rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc

@@ -0,0 +1,67 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-hcp-sts-creating-a-cluster-ext-auth"]
+= Creating ROSA with HCP clusters with external authentication
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-hcp-sts-creating-a-cluster-ext-auth
+
+toc::[]
+
+You can create {hcp-title-first} clusters that use an external authentication to issue your access tokens.
+
+[IMPORTANT]
+====
+Since it is not possible to upgrade or convert existing ROSA clusters to a {hcp} architecture, you must create a new cluster to use {hcp-title} functionality.
+====
+
+[NOTE]
+====
+{hcp-title} clusters only support AWS Security Token Service (STS) authentication.
+====
+
+.Further reading
+* For a comparison between {hcp-title} and ROSA Classic, see the xref:../rosa_architecture/rosa_architecture_sub/rosa-architecture-models.adoc#rosa-hcp-classic-comparison_rosa-architecture-models[Comparing architecture models] documentation.
+* See the AWS documentation for information about link:https://docs.aws.amazon.com/rosa/latest/userguide/getting-started-hcp.html[Getting started with ROSA with HCP using the ROSA CLI in auto mode].
+
+.Additional resources
+
+For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red Hat OpenShift Service on AWS".
+
+[id="next-steps-hcp-ext-auth_{context}"]
+.Next steps
+
+* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites].
+
+[id="rosa-hcp-external-auth-prereqs"]
+== {hcp-title} Prerequisites
+
+To create a {hcp-title} cluster, you must have the following items:
+
+* A xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[configured virtual private cloud (VPC)]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles]
+* An xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-byo-oidc_rosa-hcp-sts-creating-a-cluster-quickly[OIDC configuration]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-operator-config_rosa-hcp-sts-creating-a-cluster-quickly[Operator roles]
+
+// Step 1 Prepare HCP cluster with  --external-auth-providers-enabled 	
+include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-cluster-cli.adoc[leveloffset=+1]
+//Step 2 Create/list/delete external_provider  to HCP cluster that external_auth_config is not enable
+include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-provider-cli.adoc[leveloffset=+1]
+//Step 3 delete external_provider  to HCP cluster that external_auth_config is not enable
+include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-provider-delete-cli.adoc[leveloffset=+1]
+
+[id="next-steps-2_{context}"]
+== Next steps
+
+* xref:../rosa_install_access_delete_clusters/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Accessing a ROSA cluster]
+
+[role="_additional-resources"]
+[id="additional-resources_rosa-sts-creating-a-cluster-ext-auth"]
+== Additional resources
+
+* For steps to deploy a ROSA cluster using manual mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations].
+* For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS].
+* For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes].
+* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS].
+* For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
+* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
+* For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations].
+* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].