Merge pull request #13 from HCL-TECH-SOFTWARE/sync/cf230

Sync/cf230

Author: nads102896

docs/assets/Keycloak-Login.png

@@ -12,6 +12,44 @@ The following software files are packaged and licensed for use with HCL DX Compo
 In future continuous delivery updates, entitled customers can obtain the HCL DX 9.5 Compose container updates from the download package entries in the [MHS portal](https://my.hcltechsw.com/downloads){target="blank"}.
 
 Video: [How to upload HCL DX 9.5 container images to a private repository](https://youtu.be/XJONRdpgCuo)
+
+## HCL DX 9.5 Compose CF230
+
+If you are deploying the HCL DX 9.5 Compose CF230 release, the following software packages are available in your MHS portal HCL DX Compose v9.5 entitlements:
+
+- HCL DX Compose v9.5
+- HCL DXClient
+- HCL Leap 9.3.x for use with DX Compose
+- HCL Volt Foundry 9.5.x for use with DX Compose
+
+## hcl-compose-kubernetes-CF230.zip
+
+```shell
+HCL DX Compose notices CF230.txt
+hcl-dx-content-composer-image-v1.43.0_20250922-1241.tar.gz
+hcl-dx-dam-plugin-google-vision-image-v1.0.0_20250922-1235.tar.gz
+hcl-dx-dam-plugin-kaltura-image-v1.0.0_20250922-1235.tar.gz
+hcl-dx-deployment-v2.41.0_20250924-1733.tgz
+hcl-dx-digital-asset-manager-image-v1.42.0_20250922-1244.tar.gz
+hcl-dx-file-processor-image-v2.0.0_20250922-1241.tar.gz
+hcl-dx-haproxy-image-v1.26.0_20250922-1242.tar.gz
+hcl-dx-image-processor-image-v1.43.0_20250922-1244.tar.gz
+hcl-dx-license-manager-image-v95_CF230_20250922-1237.tar.gz
+hcl-dx-logging-sidecar-image-v1.0.0_20250922-1237.tar.gz
+hcl-dx-openldap-image-v2.6.8_20250922-1237.tar.gz
+hcl-dx-opensearch-image-v2.0.0_20250922-1233.tar.gz
+hcl-dx-people-service-image-v1.0.0_20250922-1234.tar.gz
+hcl-dx-persistence-connection-pool-image-v1.40.0_20250922-1247.tar.gz
+hcl-dx-persistence-metrics-exporter-image-v1.38.0_20250922-1248.tar.gz
+hcl-dx-persistence-node-image-v1.30_20250922-1248.tar.gz
+hcl-dx-prereqs-checker-image-v1.0.0_20250922-1238.tar.gz
+hcl-dx-ringapi-image-v1.43.0_20250922-1249.tar.gz
+hcl-dx-runtime-controller-image-v95_CF230_20250922-1239.tar.gz
+hcl-dx-search-middleware-image-v2.0.0_20250922-1232.tar.gz
+hcl-dx-search-v2.28.0_20250923-1517.tgz
+hcl-dx-webengine-image-CF230_20250924-1550.tar.gz
+```
+<!--
 ## HCL DX 9.5 Compose CF229
 
 If you are deploying the HCL DX 9.5 Compose CF229 release, the following software packages are available in your MHS portal HCL DX Compose v9.5 entitlements:

docs/deploy_dx/install/kubernetes_deployment/image_list.md

@@ -37,10 +37,9 @@ Review your chosen Kubernetes platform and ensure that it supports the following
 
 |CF Level|Kubernetes versions|
 |--------------|-----------------|
+|CF229| Kubernetes 1.34<br/>Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
 |CF229| Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
 |CF228| Kubernetes 1.33<br/>Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
-|CF227| Kubernetes 1.32<br/>Kubernetes 1.31<br/>Kubernetes 1.30<br/>Kubernetes 1.29<br/>Kubernetes 1.28<br/>Kubernetes 1.27<br/>Kubernetes 1.26<br/>|
-
 
 !!!important
     To prevent a possible Kubernetes deployment failure in Kubernetes versions 1.28 and 1.29, it may be required to run the command `modprobe br_netfilter` before running `kubeadm init`. This is a potential solution to avoid a networking bridge/iptables issue.

docs/deploy_dx/install/kubernetes_deployment/kubernetes_runtime.md

@@ -8,3 +8,4 @@ nav:
   - enable_search.md
   - integrate_ddc
   - setup_cntnt_serv_pgs.md
+  - configure_sso

docs/deploy_dx/manage/cfg_dx_compose/.pages

@@ -0,0 +1,4 @@
+title: Integrating SSO in DX Compose
+nav:
+    - index.md
+    - integrating_leap_sso

docs/deploy_dx/manage/cfg_dx_compose/configure_sso/.pages

@@ -0,0 +1,6 @@
+# Configuring SSO in DX Compose
+
+This guide explains how to set up Single Sign-On (SSO) between HCL DX Compose and HCL Leap. Both applications can be connected to a central Identity Provider (IdP) using the OpenID Connect (OIDC) protocol. This setup allows users and administrators to log in once and then switch between creating pages in DX Compose and designing forms in Leap without logging in again. This improves workflow efficiency and security.
+
+- **[Configuring HCL DX Compose and HCL Leap SSO with OIDC](integrating_leap_sso/index.md)**  
+Learn how to use OIDC protocol to authenticate with the preferred Identity Provider.

docs/deploy_dx/manage/cfg_dx_compose/configure_sso/index.md

@@ -0,0 +1,4 @@
+title: Integrating SSO for HCL Leap using OIDC
+nav:
+    - index.md
+    

docs/deploy_dx/manage/cfg_dx_compose/configure_sso/integrating_leap_sso/.pages

@@ -0,0 +1,114 @@
+# Configuring HCL DX Compose and HCL Leap SSO with OIDC
+
+This page provides information on how to configure the Single Sign-On (SSO) layer between HCL DX Compose and HCL Leap.
+
+## Enabling SSO between HCL Leap and HCL DX Compose in Kubernetes
+
+This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the modern and natively supported OpenID Connect (OIDC) protocol since both applications run on Open Liberty. The protocol connects directly to the preferred Identity Provider (IdP), such as Azure AD, Keycloak or Okta. By configuring DX and Leap to trust your central IdP, users get a seamless, single log-in experience.
+
+### Implementing OIDC SSO
+
+1. Install and configure your IdP.
+
+    Create a client for each product. IdPs will serve as the single point of truth for credential inputs.
+
+2. Enable OIDC in HCL DX.
+
+    Refer to [Configuring DX Compose to use an OIDC identity provider](./../../../cfg_webengine/configure_compose_to_use_oidc.md) to enable and configure OIDC for DX Compose.
+
+3. Enable OIDC in HCL Leap.
+
+    Leap can be configured to leverage OIDC as the primary authentication mechanism, turning it into a Relying Party (RP) to the specific IdP. RP is an application that relies on a third-party (such as an IdP) for authentication. When OIDC is used, the user and group lookup feature of Leap is not available and must be disabled as part of the configuration.
+
+    1. Configure the OIDC IdP, which will serve as the OIDC provider.
+
+        As part of the configuration process for your identify provider, you will have created or obtained a digital certificate for configuring HTTPS. This certificate will also need to be deployed to Leap so that the two servers can communicate with each other.
+
+        !!!note
+            The SSL certificate (`.crt`) and public key (`.key`) should be in PKCS12 format.
+
+    2. After copying the `.key` and `.crt` to the Kubernetes image, create a secret using the following command:
+
+        ```bash
+        kubectl -n <namespace> create secret tls <tls-secret> --key="/tmp/oidc.key" --cert="/tmp/oidc.crt"
+        ```
+
+        This secret can be referenced in the `values.yaml` file using the following configuration:
+
+        ```yaml
+        configuration:
+            leap:
+                customCertificateSecrets:
+                    keycloakCert: <tls-secret>
+        ```
+
+    3. Add the OIDC definition as a server customization in the `values.yaml` file.
+
+        The properties that you need to specify may differ based on your identity provider. For additional information, refer to [Open Liberty documentation on OIDC](https://openliberty.io/docs/latest/reference/config/openidConnectClient.html)
+
+        Before moving on, verify that the `discoveryEndpointURL` property is valid by opening the URL in a browser prior to entering it in the `values.yaml` file and updating the `clientSecret` with the proper value obtained from your IdP.
+
+        Example of an OIDC definition:
+
+        ```yaml
+        # Enter appropriate values for <your-oidc-id>, <your-client-id>, <your-client-secret>, <your-oidc-server>, <your-realm-name>. 
+        # You may have to refer to your identity provider's configuration.
+        configuration:
+            leap:
+                configOverrideFiles:
+                    openIdConnect: |
+                        <server description="leapServer">
+                        <openidConnectClient id="<your-oidc-id>"
+                            clientId="<your-client-id>"
+                            clientSecret="<your-client-secret>"
+                            signatureAlgorithm="RS256"
+                            authFilterRef="interceptedAuthFilter"
+                            mapIdentityToRegistryUser="false"
+                            httpsRequired="true"
+                            scope="openid"
+                            userIdentityToCreateSubject="preferred_username"
+                            discoveryEndpointUrl="https://<your-oidc-server>/realms/<your-realm-name>/.well-known/openid-configuration">
+                        </openidConnectClient>
+                        <authFilter id="interceptedAuthFilter">
+                            <requestUrl id="authRequestUrl" matchType="contains" urlPattern="/apps/secure|/apps/secured"/>
+                        </authFilter>
+                        <httpEndpoint id="defaultHttpEndpoint"
+                            host="*"
+                            httpPort="9080"
+                            httpsPort="9443">
+                            <samesite none="*" />
+                        </httpEndpoint>
+                        </server>
+        ```
+
+        For more details on defining a server customization, refer to [Open Liberty server customizations](https://opensource.hcltechsw.com/leap-doc/latest/helm_open_liberty_custom.html){target="_blank"}.
+
+        !!!important
+            The openIdConnectClient redirects to `https://<your-domain>/oidcclient/redirect/<your-oidc-id>` after authentication. Make sure that your valid redirect URIs includes an entry that matches this, and that you're using a different id than what you're using for DX. You may also have to modify your Ingress/Gateway API configuration so that `/oidcclient/redirect/<your-oidc-id>` redirects to the Leap service.
+
+    4. Add the following config properties related to OIDC in the `values.yaml` file.
+
+        The following properties must be set to complete the OIDC configuration:
+
+        - `userLookups`: Set this to `false` to disable user lookups, which is not available when configured with OIDC.
+        - `userGroups`: Set this to `false` to disable group lookups, which is not available when configured with OIDC.
+        - `postLogoutRedirectURL`: Set this to the URL to which Leap will redirect the browser after a user logs out. This is necessary to complete the loop with the OIDC IdP.
+
+        ```yaml
+        configuration:
+            leap:
+                leapProperties: |
+                    ibm.nitro.NitroConfig.userLookup=false
+                    ibm.nitro.NitroConfig.userGroups=false
+                    ibm.nitro.LogoutServlet.postLogoutRedirectURL=https://myOIDCServer.com/realms/Leap/protocol/openid-connect/logout?client_id=hcl-leap-oidc-client&post_logout_redirect_uri=https://myLeapServer.com/apps/secure/org/ide/manager.html
+        ```
+
+        For more details on setting Leap properties, refer to [Leap properties](https://opensource.hcltechsw.com/leap-doc/latest/helm_leap_properties.html).
+
+    5. Perform a Helm upgrade to apply your changes.
+
+    6. Restart the Leap pod. After restarting the Leap pod, accessing Leap should redirect you to authenticate using your OIDC IdP.
+
+        For example, the following screenshot shows an authentication page accessed using Keycloak:
+
+        ![](../../../../../assets/Keycloak-Login.png)