[enterprise-4.16] OSDOCS#10947: Support for CCO in HCP

hosted_control_planes/hcp-authentication-authorization.adoc

@@ -9,9 +9,28 @@ toc::[]
 The {product-title} control plane includes a built-in OAuth server. You can obtain OAuth access tokens to authenticate to the {product-title} API. After you create your hosted cluster, you can configure OAuth by specifying an identity provider.
 
 include::modules/hcp-configuring-oauth.adoc[leveloffset=+1]
+
 include::modules/hcp-configuring-oauth-console.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
 * To know more about supported identity providers, see xref:../authentication/understanding-identity-provider.adoc#understanding-identity-provider["Understanding identity provider configuration"] in _Authentication and authorization_.
+
+[id="hcp-cco-aws-sts_{context}"]
+== Assigning components IAM roles by using the CCO in a hosted cluster on {aws-short}
+
+You can assign components IAM roles that provide short-term, limited-privilege security credentials by using the Cloud Credential Operator (CCO) in hosted clusters on {aws-first}. By default, the CCO runs in a hosted control plane.
+
+[NOTE]
+====
+The CCO supports a manual mode only for hosted clusters on {aws-short}. By default, hosted clusters are configured in a manual mode. The management cluster might use modes other than manual.
+====
+
+include::modules/hcp-cco-verify-aws-sts.adoc[leveloffset=+1]
+include::modules/osdk-cco-aws-sts-enabling.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cluster Operators reference page for the Cloud Credential Operator]

modules/hcp-cco-verify-aws-sts.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+//
+// Hosted control plane assemblies
+// * hosted_control_planes/hcp-authentication-authorization.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="hcp-cco-verify-aws-sts_{context}"]
+= Verifying the CCO installation in a hosted cluster on {aws-short}
+
+You can verify that the Cloud Credential Operator (CCO) is running correctly in your hosted control plane.
+
+.Prerequisites
+
+* You configured the hosted cluster on {aws-first}.
+
+.Procedure
+
+. Verify that the CCO is configured in a manual mode in your hosted cluster by running the following command:
++
+[source,terminal]
+----
+$ oc get cloudcredentials <hosted_cluster_name> -n <hosted_cluster_namespace> -o=jsonpath={.spec.credentialsMode}
+----
++
+.Expected output
+[source,terminal]
+----
+Manual
+----
+
+. Verify that the value for the `serviceAccountIssuer` resource is not empty by running the following command:
++
+[source,terminal]
+----
+$ oc get authentication cluster --kubeconfig <hosted_cluster_name>.kubeconfig -o jsonpath --template '{.spec.serviceAccountIssuer }'
+----
++
+.Example output
+[source,terminal]
+----
+https://aos-hypershift-ci-oidc-29999.s3.us-east-2.amazonaws.com/hypershift-ci-29999
+----

modules/osdk-cco-aws-sts-enabling.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operators/operator_sdk/osdk-token-auth.adoc
+// * hosted_control_planes/hcp-authentication-authorization.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="osdk-cco-aws-sts-enabling_{context}"]
@@ -318,4 +319,4 @@ options := session.Options{
    SharedConfigFiles: []string{sharedCredentialsFile},
 }
 ----
-====
+====