Merge pull request #66488 from jeana-redhat/OSDOCS-6135-installing-azure-short-term-creds-revisions

jeana-redhat · web-flow · commit 85ec15acbcef · 2023-10-19T14:48:31.000-04:00
[OSDOCS-6135]: Additional feedback
diff --git a/authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc b/authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc
@@ -86,8 +86,8 @@ In manual mode with Azure AD Workload Identity, the individual {product-title} c
 .Additional resources
 * xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials]
 
-//Azure AD Workload Identity authentication process (placeholder)
-//include::modules/cco-short-term-creds-auth-flow-azure.adoc[leveloffset=+2]
+//Azure AD Workload Identity authentication process
+include::modules/cco-short-term-creds-auth-flow-azure.adoc[leveloffset=+2]
 
 //Azure component secret formats
 include::modules/cco-short-term-creds-format-azure.adoc[leveloffset=+2]
diff --git a/images/347_OpenShift_credentials_with_STS_updates_1023_Azure.png b/images/347_OpenShift_credentials_with_STS_updates_1023_Azure.png
diff --git a/installing/installing_azure/installing-azure-user-infra.adoc b/installing/installing_azure/installing-azure-user-infra.adoc
@@ -22,8 +22,8 @@ The steps for performing a user-provisioned infrastructure installation are prov
 * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
 * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster.
 * You downloaded the Azure CLI and installed it on your computer. See link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest[Install the Azure CLI] in the Azure documentation. The documentation below was last tested using version `2.38.0` of the Azure CLI. Azure CLI commands might perform differently based on the version you use.
+* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, see xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-manual-modes_installing-azure-customizations[Alternatives to storing administrator-level secrets in the kube-system project].
 * If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to.
-* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[manually create and maintain long-term credentials].
 +
 [NOTE]
 ====
diff --git a/modules/cco-ccoctl-creating-at-once.adoc b/modules/cco-ccoctl-creating-at-once.adoc
@@ -153,6 +153,9 @@ ifdef::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
 * Created a RAM user with sufficient permission to create the {product-title} cluster.
 * Added the AccessKeyID (`access_key_id`) and AccessKeySecret (`access_key_secret`) of that RAM user into the link:https://www.alibabacloud.com/help/en/doc-detail/311667.htm#h2-sls-mfm-3p3[`~/.alibabacloud/credentials` file] on your local computer.
 endif::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
+ifdef::azure-workload-id[]
+* Access to your Microsoft Azure account by using the Azure CLI.
+endif::azure-workload-id[]
 
 .Procedure
 
@@ -183,6 +186,15 @@ $ oc adm release extract \
 This command might take a few moments to run.
 ====
 
+ifdef::azure-workload-id[]
+. To enable the `ccoctl` utility to detect your Azure credentials automatically, log in to the Azure CLI by running the following command:
++
+[source,terminal]
+----
+$ az login
+----
+endif::azure-workload-id[]
+
 ifdef::aws-sts,google-cloud-platform,azure-workload-id[]
 . Use the `ccoctl` tool to process all `CredentialsRequest` objects by running the following command:
 +
@@ -250,6 +262,8 @@ $ ccoctl azure create-all \
 [NOTE]
 ====
 If your cluster uses Technology Preview features that are enabled by the `TechPreviewNoUpgrade` feature set, you must include the `--enable-tech-preview` parameter.
+
+To see additional optional parameters and explanations of how to use them, run the `azure create-all --help` command.
 ====
 endif::azure-workload-id[]
 
@@ -351,8 +365,21 @@ openshift-machine-api-aws-cloud-credentials-credentials.yaml
 You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles.
 endif::aws-sts[]
 ifdef::google-cloud-platform[]
++
+.Example output
+[source,text]
+----
+cluster-authentication-02-config.yaml
+openshift-cloud-controller-manager-gcp-ccm-cloud-credentials-credentials.yaml
+openshift-cloud-credential-operator-cloud-credential-operator-gcp-ro-creds-credentials.yaml
+openshift-cloud-network-config-controller-cloud-credentials-credentials.yaml
+openshift-cluster-csi-drivers-gcp-pd-cloud-credentials-credentials.yaml
+openshift-image-registry-installer-cloud-credentials-credentials.yaml
+openshift-ingress-operator-cloud-credentials-credentials.yaml
+openshift-machine-api-gcp-cloud-credentials-credentials.yaml
+----
++
 You can verify that the IAM service accounts are created by querying GCP. For more information, refer to GCP documentation on listing IAM service accounts.
-//to-do: include sample output for GCP when available.
 endif::google-cloud-platform[]
 ifdef::azure-workload-id[]
 +
diff --git a/modules/cco-short-term-creds-auth-flow-azure.adoc b/modules/cco-short-term-creds-auth-flow-azure.adoc
@@ -8,6 +8,5 @@
 
 The following diagram details the authentication flow between Azure and the {product-title} cluster when using Azure AD Workload Identity.
 
-//todo: work with dev and diagrams team to get a diagram for Azure
 .Azure AD Workload Identity authentication flow
-//image::azure_ad_workload_identity_flow.png[Detailed authentication flow between Azure and the cluster when using Azure AD Workload Identity]
+image::347_OpenShift_credentials_with_STS_updates_1023_Azure.png[Detailed authentication flow between Azure and the cluster when using Azure AD Workload Identity]
