OSDOCS-9614: Created documentation to create a ROSA with HCP cluster that uses external auth for OIDC

Author: EricPonvelle

_topic_maps/_topic_map_rosa.yml

@@ -216,6 +216,8 @@ Topics:
   File: rosa-hcp-creating-cluster-with-aws-kms-key
 - Name: Creating a private cluster on ROSA with HCP
   File: rosa-hcp-aws-private-creating-cluster
+- Name: Creating ROSA with HCP clusters with external authentication
+  File: rosa-hcp-sts-creating-a-cluster-ext-auth
 - Name: Using the Node Tuning Operator on ROSA with HCP
   File: rosa-tuning-config
 ---

modules/rosa-hcp-sts-creating-a-cluster-ext-auth-cli.adoc

@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-sts-creating-a-cluster-external-auth-cli_{context}"]
+= Creating a {hcp-title} cluster using the CLI
+
+Use the ROSA CLI's `--external-auth-providers-enabled` flag to create your cluster that uses an external authentication service.
+
+.Procedure
+
+. You can create your {hcp-title} cluster with the following command:
++
+[NOTE]
+====
+When creating a {hcp-title} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr <address_block>` to the following commands. To learn more about the default CIDR ranges for {product-title}, see xref:../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions].
+====
++
+[source,terminal]
+----
+$ rosa create cluster --cluster-name=<cluster_name> \
+    --sts --mode=auto --hosted-cp --operator-roles-prefix <operator-role-prefix> \
+    --oidc-config-id <ID-of-OIDC-configuration> --external-auth-providers-enabled \
+    --subnet-ids=<public-subnet-id>,<private-subnet-id>
+----
+
+** If you used the `OIDC_ID`, `SUBNET_IDS`, and `OPERATOR_ROLES_PREFIX` variables to prepare your environment, you can continue to use those variables when creating your cluster. For example, run the following command:
++
+[source,terminal]
+----
+$ rosa create cluster --hosted-cp --subnet-ids=$SUBNET_IDS --oidc-config-id=$OIDC_ID --cluster-name=<cluster_name> --operator-roles-prefix=$OPERATOR_ROLES_PREFIX --external-auth-providers-enabled
+----
+
+. Check the status of your cluster by running the following command:
++
+[source,terminal]
+----
+$ rosa describe cluster --cluster=<cluster_name>
+----
++
+The following `State` field changes are listed in the output as the cluster installation progresses:
++
+* `pending (Preparing account)`
+* `installing (DNS setup in progress)`
+* `installing`
+* `ready`
++
+[NOTE]
+====
+If the installation fails or the `State` field does not change to `ready` after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+====
+
+. Track the progress of the cluster creation by watching the {product-title} installation program logs. To check the logs, run the following command:
++
+[source,terminal]
+----
+$ rosa logs install --cluster=<cluster_name> --watch <1>
+----
+<1> Optional: To watch for new log messages as the installation progresses, use the `--watch` argument.

rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc

@@ -0,0 +1,62 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-hcp-sts-creating-a-cluster-ext-auth"]
+= Creating ROSA with HCP clusters with external authentication
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-hcp-sts-creating-a-cluster-ext-auth
+
+toc::[]
+
+You can create {hcp-title-first} clusters that use an external authentication to issue your access tokens.
+
+[IMPORTANT]
+====
+Since it is not possible to upgrade or convert existing ROSA clusters to a {hcp} architecture, you must create a new cluster to use {hcp-title} functionality.
+====
+
+[NOTE]
+====
+{hcp-title} clusters only support AWS Security Token Service (STS) authentication.
+====
+
+.Further reading
+* For a comparison between {hcp-title} and ROSA Classic, see the xref:../rosa_architecture/rosa_architecture_sub/rosa-architecture-models.adoc#rosa-hcp-classic-comparison_rosa-architecture-models[Comparing architecture models] documentation.
+* See the AWS documentation for information about link:https://docs.aws.amazon.com/rosa/latest/userguide/getting-started-hcp.html[Getting started with ROSA with HCP using the ROSA CLI in auto mode].
+
+.Additional resources
+
+For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red Hat OpenShift Service on AWS".
+
+[id="next-steps-hcp-ext-auth_{context}"]
+.Next steps
+
+* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites].
+
+[id="rosa-hcp-external-auth-prereqs"]
+== {hcp-title} Prerequisites
+
+To create a {hcp-title} cluster, you must have the following items:
+
+* A xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[configured virtual private cloud (VPC)]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles]
+* An xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-byo-oidc_rosa-hcp-sts-creating-a-cluster-quickly[OIDC configuration]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-operator-config_rosa-hcp-sts-creating-a-cluster-quickly[Operator roles]
+
+include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-cli.adoc[leveloffset=+1]
+
+[id="next-steps-2_{context}"]
+== Next steps
+
+* xref:../rosa_install_access_delete_clusters/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Accessing a ROSA cluster]
+
+[role="_additional-resources"]
+[id="additional-resources_rosa-sts-creating-a-cluster-ext-auth"]
+== Additional resources
+
+* For steps to deploy a ROSA cluster using manual mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations].
+* For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS].
+* For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes].
+* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS].
+* For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
+* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
+* For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations].
+* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].