Merge branch 'main' into sync/cf232

Author: nads102896

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "github-enterprise.uri": "https://git.cwp.pnp-hcl.com"
+}

docs/deploy_dx/install/kubernetes_deployment/image_list.md

@@ -13,6 +13,45 @@ In future continuous delivery updates, entitled customers can obtain the HCL DX
 
 Video: [How to upload HCL DX 9.5 container images to a private repository](https://youtu.be/XJONRdpgCuo)
 
+## HCL DX 9.5 Compose CF232
+
+If you are deploying the HCL DX 9.5 Compose CF232 release, the following software packages are available in your MHS portal HCL DX Compose v9.5 entitlements:
+
+- HCL DX Compose v9.5
+- HCL DXClient
+- HCL Leap 9.3.x for use with DX Compose
+- HCL Volt Foundry 9.5.x for use with DX Compose
+
+## hcl-compose-kubernetes-CF232.zip
+
+```shell
+HCL DX Compose notices CF232.txt
+hcl-dx-content-composer-image-v1.45.0_20251204-1947.tar.gz
+hcl-dx-dam-plugin-google-vision-image-v1.0.0_20251204-1947.tar.gz
+hcl-dx-dam-plugin-kaltura-image-v1.0.0_20251204-1946.tar.gz
+hcl-dx-deployment-v2.43.0_20251211-1531.tgz
+hcl-dx-digital-asset-manager-image-v1.44.0_20251204-2000.tar.gz
+hcl-dx-file-processor-image-v2.0.0_20251204-1927.tar.gz
+hcl-dx-haproxy-image-v1.28.0_20251204-1927.tar.gz
+hcl-dx-image-processor-image-v1.45.0_20251204-1930.tar.gz
+hcl-dx-license-manager-image-v95_CF232_20251204-1943.tar.gz
+hcl-dx-logging-sidecar-image-v1.0.0_20251204-1942.tar.gz
+hcl-dx-openldap-image-v2.6.8_20251204-1957.tar.gz
+hcl-dx-opensearch-image-v2.0.0_20251204-1942.tar.gz
+hcl-dx-people-service-image-v1.0.0_20251204-1940.tar.gz
+hcl-dx-persistence-connection-pool-image-v1.42.0_20251204-1931.tar.gz
+hcl-dx-persistence-metrics-exporter-image-v1.40.0_20251204-1931.tar.gz
+hcl-dx-persistence-node-image-v1.32_20251204-1931.tar.gz
+hcl-dx-prereqs-checker-image-v1.0.0_20251204-1938.tar.gz
+hcl-dx-ringapi-image-v1.45.0_20251204-1932.tar.gz
+hcl-dx-runtime-controller-image-v95_CF232_20251204-1936.tar.gz
+hcl-dx-search-middleware-image-v2.0.0_20251204-1944.tar.gz
+hcl-dx-search-v2.30.0_20251211-1530.tgz
+hcl-dx-webengine-image-CF232_20251205-0057.tar.gz
+out.txt
+```
+
+<!--
 ## HCL DX 9.5 Compose CF231
 
 If you are deploying the HCL DX 9.5 Compose CF231 release, the following software packages are available in your MHS portal HCL DX Compose v9.5 entitlements:
@@ -50,7 +89,6 @@ hcl-dx-search-v2.29.0_20251027-1916.tgz
 hcl-dx-webengine-image-CF231_20251025-2351.tar.gz
 ```
 
-<!--
 ## HCL DX 9.5 Compose CF230
 
 If you are deploying the HCL DX 9.5 Compose CF230 release, the following software packages are available in your MHS portal HCL DX Compose v9.5 entitlements:

docs/deploy_dx/install/kubernetes_deployment/kubernetes_runtime.md

@@ -37,9 +37,9 @@ Review your chosen Kubernetes platform and ensure that it supports the following
 
 |CF Level|Kubernetes versions|
 |--------------|-----------------|
+|CF232| Kubernetes 1.34<br/>Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
 |CF231| Kubernetes 1.34<br/>Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
 |CF230| Kubernetes 1.34<br/>Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
-|CF229| Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
 
 !!!important
     To prevent a possible Kubernetes deployment failure in Kubernetes versions 1.28 and 1.29, it may be required to run the command `modprobe br_netfilter` before running `kubeadm init`. This is a potential solution to avoid a networking bridge/iptables issue.

docs/deploy_dx/install/kubernetes_deployment/preparation/get_the_code/configure_harbor_helm_repo.md

@@ -1,6 +1,6 @@
 # Configure Harbor Helm Repository
 
-The HCL Digital Experience (DX) Compose 9.5 container images and Helm charts can be accessed from the [HCL Harbor container repository](https://hclcr.io/){target="_blank"}. Customers with credentials to access entitled software on the HCL Software Licensing Portal can apply those credentials to access these HCL DX Compose 9.5 components.
+The HCL Digital Experience (DX) Compose 9.5 container images and Helm charts can be accessed from the [HCL Harbor container repository](https://hclcr.io/){target="_blank"}. Customers with credentials to access entitled software on the [My HCLSoftware (MHS) portal](https://my.hcltechsw.com/){target="blank"} can apply those credentials to access these HCL DX Compose 9.5 components.
 
 The Harbor repository is updated with a registry based on Open Container Initiative (OCI) standards. The Helm chart command is updated to be OCI-compliant.
 

docs/deploy_dx/install/kubernetes_deployment/preparation/mandatory_tasks/prepare_configure_networking.md

@@ -1,6 +1,6 @@
 # Configure Networking
 
-This section explains what must be configured from a networking perspective to get HCL Digital Experience Compose 9.5 running in your Kubernetes or OpenShift cluster, and to provide accessibility to your deployment from outside the Cluster.
+This section explains what must be configured from a networking perspective to get HCL Digital Experience (DX) Compose 9.5 running in your Kubernetes or OpenShift cluster, and to provide accessibility to your deployment from outside the Cluster.
 
 ## Full Kubernetes or OpenShift deployment
 
@@ -27,7 +27,7 @@ If you do not know the hostname beforehand, you can leave it blank and run an ad
 
 ## Configure Cross Origin Resource Sharing (CORS)
 
-The HCL Digital Experience Compose 9.5 Helm Chart allows you to configure CORS configuration for all the `addon` to WebEngine applications such as Digital Asset Management or Ring API. This allows you to access the APIs provided by those applications in other applications with ease.
+The HCL DX Compose 9.5 Helm chart allows you to configure CORS configuration for all the `addon` to WebEngine applications such as Digital Asset Management or Ring API. This allows you to access the APIs provided by those applications in other applications with ease.
 
 You can define a list of allowed hosts for a specific application using the following syntax in your `custom-values.yaml`:
 
@@ -51,7 +51,7 @@ For HAProxy to allow forward requests to your applications, you must provide it
 
 ## Configure HAProxy networking
 
-HAProxy is deployed with a `LoadBalancer` type service to handle the incoming traffic as well as the SSL offloading for HCL Digital Experience. In addition, the Helm deployment offers adjustability for HAProxy and its services to allow for more flexible deployment and use of custom `Ingress Controllers`.
+HAProxy is deployed with a `LoadBalancer` type service to handle the incoming traffic as well as the SSL offloading for HCL DX. In addition, the Helm deployment offers adjustability for HAProxy and its services to allow for more flexible deployment and use of custom `Ingress Controllers`.
 
 |Parameter|Description| Type | Default value|
 |---------|-----------|-------------|------|
@@ -127,7 +127,7 @@ To have your deployment and HAProxy to use the certificate, you must store it in
 The secret can be created using the following commands:
 
 !!!note
-    The secret name can be chosen by you and must be referenced in the next configuration step (the following example uses `dx-tls-cert`). The namespace is the Kubernetes namespace where you want to deploy HCL Digital Experience Compose 9.5 to (the example uses `digital-experience-compose`).
+    The secret name can be chosen by you and must be referenced in the next configuration step (the following example uses `dx-tls-cert`). The namespace is the Kubernetes namespace where you want to deploy HCL DX Compose 9.5 to (the example uses `digital-experience-compose`).
 
 ```sh
 # Create secret with the name "dx-tls-cert"
@@ -189,7 +189,7 @@ spec:
 
 ## Configuring Content-Security-Policy Frame Options
 
-The HCL Digital Experience Compose 9.5 Helm Chart allows you to configure **[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors){target="blank"}: frame-ancestors** for DX WebEngine and all other components, such as Digital Asset Management, Ring API, etc.
+The HCL DX Compose 9.5 Helm chart allows you to configure **[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors){target="blank"}: frame-ancestors** for DX WebEngine and all other components, such as Digital Asset Management, Ring API, etc.
 
 Setting `cspFrameAncestorsEnabled` to true adds `content-security-policy: frame-ancestor 'self'` headers to the responses, enabling you to frame DX and other add-on applications.
 
@@ -220,7 +220,7 @@ Refer to the HCL DX Compose 9.5 `values.yaml` detail for all possible applicatio
 
 ## Configuring SameSite Cookie Attribute
 
-The HCL Digital Experience Compose 9.5 Helm Chart allows you to configure **[SameSite Cookie Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite){target="blank"}** for DX WebEngine. This configuration sets the `WASReqURL` Cookie Attributes `Secure` and `SameSite`.
+The HCL DX Compose 9.5 Helm chart allows you to configure **[SameSite Cookie Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite){target="blank"}** for DX WebEngine. This configuration sets the `WASReqURL` Cookie Attributes `Secure` and `SameSite`.
 
 !!!note
     This should only be set in an HTTPS environment to prevent unwanted behaviors.
@@ -238,3 +238,41 @@ networking:
 ```
 
 Refer to the HCL DX Compose 9.5 `values.yaml` detail for all possible applications that can be configured.
+
+## HAProxy custom headers
+
+The HCL DX 9.5 Helm chart allows you to configure custom HTTP headers in the HAProxy configuration. You can both add new headers and remove existing headers from responses generated by HAProxy.
+
+### Adding custom headers
+
+You can add custom HTTP headers to all responses from HAProxy using the `customHeader` property. This is useful for implementing security best practices or adding specific information to responses.
+
+Each header entry supports the following properties:
+
+- `name`: The name of the HTTP header to be added
+- `value`: The value that should be set for the header
+
+Example configuration in your `custom-values.yaml` file:
+
+```yaml
+networking:
+  haproxy:
+    customHeader:
+      - name: X-Content-Type-Options
+        value: nosniff
+      - name: Referrer-Policy
+        value: no-referrer
+```
+
+### Removing headers
+
+You can specify header names that should be removed from HAProxy responses using the `deleteHeader` property. This is useful for removing headers that might reveal internal information or that you do not wish to forward.
+
+Example configuration in your `custom-values.yaml` file:
+
+```yaml
+networking:
+  haproxy:
+    deleteHeader:
+      - X-Powered-By
+```

docs/deploy_dx/manage/cfg_dx_compose/configure_sso/integrating_leap_sso/index.md

@@ -4,13 +4,13 @@ This page provides information on how to configure the Single Sign-On (SSO) laye
 
 ## Enabling SSO between HCL Leap and HCL DX Compose in Kubernetes
 
-This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the modern and natively supported OpenID Connect (OIDC) protocol since both applications run on Open Liberty. The protocol connects directly to the preferred Identity Provider (IdP), such as Azure AD, Keycloak or Okta. By configuring DX and Leap to trust your central IdP, users get a seamless, single log-in experience.
+This guide shows how you can enable SSO between HCL DX Compose and HCL Leap. You can use the modern and natively supported OpenID Connect (OIDC) protocol since both applications run on Open Liberty. The protocol connects directly to your preferred Identity Provider (IdP), such as Azure AD, Keycloak, Okta, or any OIDC-compliant provider. By configuring HCL DX Compose and Leap to trust your central IdP, users get a seamless, single log-in experience.
 
 ### Implementing OIDC SSO
 
-1. Install and configure your IdP.
+1. Choose and configure your IdP.
 
-    Create a client for each product. IdPs will serve as the single point of truth for credential inputs.
+    Create a client registration for each product (HCL DX Compose and HCL Leap). Your IdP serves as the single source of truth for credential input.
 
 2. Enable OIDC in HCL DX.
 
@@ -22,7 +22,7 @@ This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the
 
     1. Configure the OIDC IdP, which will serve as the OIDC provider.
 
-        As part of the configuration process for your identify provider, you will have created or obtained a digital certificate for configuring HTTPS. This certificate will also need to be deployed to Leap so that the two servers can communicate with each other.
+        As part of the configuration process for your identity provider, create or obtain a digital certificate for HTTPS. Deploy this certificate to Leap so the two servers can communicate securely.
 
         !!!note
             The SSL certificate (`.crt`) and public key (`.key`) should be in PKCS12 format.
@@ -39,7 +39,7 @@ This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the
         configuration:
             leap:
                 customCertificateSecrets:
-                    keycloakCert: <tls-secret>
+                    idpCert: <tls-secret>
         ```
 
     3. Add the OIDC definition as a server customization in the `values.yaml` file.
@@ -51,14 +51,13 @@ This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the
         Example of an OIDC definition:
 
         ```yaml
-        # Enter appropriate values for <your-oidc-id>, <your-client-id>, <your-client-secret>, <your-oidc-server>, <your-realm-name>. 
-        # You may have to refer to your identity provider's configuration.
+        # Replace placeholder values with your actual OIDC configuration
         configuration:
             leap:
                 configOverrideFiles:
                     openIdConnect: |
                         <server description="leapServer">
-                        <openidConnectClient id="<your-oidc-id>"
+                        <openidConnectClient id="<unique-oidc-id>"
                             clientId="<your-client-id>"
                             clientSecret="<your-client-secret>"
                             signatureAlgorithm="RS256"
@@ -67,7 +66,7 @@ This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the
                             httpsRequired="true"
                             scope="openid"
                             userIdentityToCreateSubject="preferred_username"
-                            discoveryEndpointUrl="https://<your-oidc-server>/realms/<your-realm-name>/.well-known/openid-configuration">
+                            discoveryEndpointUrl="<your-discovery-endpoint-url>">
                         </openidConnectClient>
                         <authFilter id="interceptedAuthFilter">
                             <requestUrl id="authRequestUrl" matchType="contains" urlPattern="/apps/secure|/apps/secured"/>
@@ -92,23 +91,21 @@ This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the
 
         - `userLookups`: Set this to `false` to disable user lookups, which is not available when configured with OIDC.
         - `userGroups`: Set this to `false` to disable group lookups, which is not available when configured with OIDC.
-        - `postLogoutRedirectURL`: Set this to the URL to which Leap will redirect the browser after a user logs out. This is necessary to complete the loop with the OIDC IdP.
+        - `postLogoutRedirectURL`: Set this to the URL where Leap redirects the browser after a user logs out. This setting completes the sign-out flow with the OIDC IdP. The URL format varies by IdP. For more information, refer to your IdP documentation.
 
         ```yaml
         configuration:
             leap:
                 leapProperties: |
                     ibm.nitro.NitroConfig.userLookup=false
                     ibm.nitro.NitroConfig.userGroups=false
-                    ibm.nitro.LogoutServlet.postLogoutRedirectURL=https://myOIDCServer.com/realms/Leap/protocol/openid-connect/logout?client_id=hcl-leap-oidc-client&post_logout_redirect_uri=https://myLeapServer.com/apps/secure/org/ide/manager.html
+                    `ibm.nitro.LogoutServlet.postLogoutRedirectURL=<your-idp-logout-url>?client_id=<your-client-id>&post_logout_redirect_uri=<your-leap-url>`
         ```
 
-        For more details on setting Leap properties, refer to [Leap properties](https://opensource.hcltechsw.com/leap-doc/latest/helm_leap_properties.html).
+        For more information about setting Leap properties, see [Leap properties](https://opensource.hcltechsw.com/leap-doc/latest/helm_leap_properties.html).
 
     5. Perform a Helm upgrade to apply your changes.
 
-    6. Restart the Leap pod. After restarting the Leap pod, accessing Leap should redirect you to authenticate using your OIDC IdP.
+    6. Restart the Leap pod.
 
-        For example, the following screenshot shows an authentication page accessed using Keycloak:
-
-        ![](../../../../../assets/Keycloak-Login.png)
+        After restarting the Leap pod, accessing Leap should redirect you to authenticate using your OIDC IdP.