add docs for rosa external auth feature

Author: muraee

docs/book/src/SUMMARY_PREFIX.md

@@ -26,6 +26,7 @@
     - [Creating a cluster](./topics/rosa/creating-a-cluster.md)
     - [Creating MachinePools](./topics/rosa/creating-rosa-machinepools.md)
     - [Upgrades](./topics/rosa/upgrades.md)
+    - [External Auth Providers](./topics/rosa/external-auth.md)
   - [Bring Your Own AWS Infrastructure](./topics/bring-your-own-aws-infrastructure.md)
   - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md)
   - [Using external cloud provider with EBS CSI driver](./topics/external-cloud-provider-with-ebs-csi-driver.md)

docs/book/src/topics/rosa/external-auth.md

@@ -0,0 +1,113 @@
+# External Auth Providers (BYOI)
+
+ROSA allows you to Bring Your Own Identity (BYOI) to manage and authenticate cluster users.
+
+## Enabling
+
+To enable this feature, `enableExternalAuthProviders` field should be set to `true` on cluster creation. Changing this field afterwards will have no effect:
+```yaml
+---
+apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+kind: ROSAControlPlane
+metadata:
+  name: "capi-rosa-quickstart-control-plane"
+spec:
+  enableExternalAuthProviders: true
+  ....
+```
+
+Note: This feauture requires OpenShift version `4.15.5` or newer.
+
+## Usage
+
+After creating and configuring your OIDC provider of choice, the next step is to configure ROSAControlPlane `externalAuthProviders` as follows:
+```yaml
+---
+apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+kind: ROSAControlPlane
+metadata:
+  name: "capi-rosa-quickstart-control-plane"
+spec:
+  enableExternalAuthProviders: true
+  externalAuthProviders:
+  - name: my-oidc-provider
+    issuer:
+      issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Micorsoft Entra ID
+      audiences:  # audiences that will be trusted by the kube-apiserver
+      - "audience1" # usaully the client ID
+    claimMappings:
+      username:
+        claim: email
+        prefixPolicy: ""
+      groups:
+        claim: groups
+  ....
+```
+
+Note: `oidcProviders` only accepts one entry at the moment.
+
+## Accessing the cluster
+
+### Setting up RBAC
+
+When `enableExternalAuthProviders` is set to `true`, ROSA provider will generate a temporarily admin kubeconfig secert in the same namespace named `<cluster-name>-bootstrap-kubeconfig`. This kubeonconfig can be used to access the cluster to setup RBAC for oidc users/groups.
+
+For example, bind the `cluster-admin` to an oidc group, to give admin permissions to all users part of that group:
+```shell
+kubectl get secret <cluster-name>-bootstrap-kubeconfig -o jsonpath='{.data.value}' | base64 -d > /tmp/capi-admin-kubeconfig
+export KUBECONFIG=/tmp/capi-admin-kubeconfig
+
+kubectl create clusterrolebinding oidc-cluster-admins --clusterrole cluster-admin --group <group-id>
+```
+
+Note: The generated bootstrap kubeconfig is only valid for 24h, and will not be usable afterwards. However, users can opt to manually delete the secret object to trigger the generation of a new one which will be valid for another 24h.
+
+### Login using the cli
+
+The [kubelogin kubectl plugin](https://github.com/int128/kubelogin/tree/master) can be used to login with OIDC credentials using the cli. 
+
+### Configuring OpenShift Console
+
+The OpenShift Console needs to be configured before it can be used to authenticate and login to the cluster. 
+1. Setup a new client in your OIDC provider with the following Redirect URL `<console-url>/auth/callback`. You can find the console URL in the status field of the `ROSAControlPlane` once the cluster is ready:
+    ```shell
+    kubectl get rosacontrolplane <control-plane-name> -o jsonpath='{.status.consoleURL}'
+    ```
+
+2. Create a new client secret in your OIDC provider and store the value in a kubernetes secret in the same namespace as your cluster:
+    ```shell
+    kubectl create secret generic console-client-secret --from-literal=clientSecret='<client-secret-value>' 
+    ```
+
+3. Configure `ROSAControlPlane` external auth provider with the created client:
+    ```yaml
+    ---
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+    kind: ROSAControlPlane
+    metadata:
+      name: "capi-rosa-quickstart-control-plane"
+    spec:
+      enableExternalAuthProviders: true
+      externalAuthProviders:
+      - name: my-oidc-provider
+        issuer:
+          issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Micorsoft Entra ID
+          audiences:  # audiences that will be trusted by the kube-apiserver
+          - "audience1"
+          - <console-client-id> # <----New
+        claimMappings:
+          username:
+            claim: email
+            prefixPolicy: ""
+          groups:
+            claim: groups
+        oidcClients:  # <----New
+          - componentName: console
+            componentNamespace: openshift-console
+            clientID: <console-client-id>
+            clientSecret:
+              name: console-client-secret # secret name created in step 2
+      ....
+    ```
+
+see [ROSAControlPlane CRD Reference](https://cluster-api-aws.sigs.k8s.io/crd/#controlplane.cluster.x-k8s.io/v1beta2.ExternalAuthProvider) for all possible configurations.

docs/book/src/topics/rosa/index.md

@@ -21,4 +21,5 @@ A new template is available in the templates folder for creating a managed ROSA
 * [Enabling ROSA Support](enabling.md)
 * [Creating a cluster](creating-a-cluster.md)
 * [Creating MachinePools](creating-rosa-machinepools.md)
-* [Upgrades](upgrades.md)
+* [Upgrades](upgrades.md)
+* [External Auth Providers](external-auth.md)