From 796bb1a716e1604f239c207ae363fd5f363d8bed Mon Sep 17 00:00:00 2001 From: MCamp859 Date: Tue, 10 Mar 2020 11:32:30 -0400 Subject: [PATCH] Add Windows Active Dir Auth Support for K8s Completed review feedback. Additional feedback done. Added cengn path. Story: 2006711 Task: 38485 Change-Id: I8a3f6f8583accf3ab2eb5694a41b1750a7938252 Signed-off-by: MCamp859 --- .../configuration/figures/k8s_auth_login.png | Bin 0 -> 8175 bytes doc/source/configuration/index.rst | 1 + .../configuration/k8s_auth_winactivedir.rst | 317 ++++++++++++++++++ .../r4_release/ansible_bootstrap_configs.rst | 4 - 4 files changed, 318 insertions(+), 4 deletions(-) create mode 100644 doc/source/configuration/figures/k8s_auth_login.png create mode 100644 doc/source/configuration/k8s_auth_winactivedir.rst 
diff --git a/doc/source/configuration/figures/k8s_auth_login.png b/doc/source/configuration/figures/k8s_auth_login.png new file mode 100644 index 0000000000000000000000000000000000000000..0795a209ea6b0bb009736fd7574a3f7f644ab9a9 GIT binary patch literal 8175 zcmcI}cT`i`x^L7ipeU%Qh*U*Dnka|?rD#B+v?$W0C|wZZrV~h_(zc+WAYFnHsgZ<^ z7(!GO3^kO1)Tn?2NC+jNBnDm-_jz}`ao#!SjyvujYh=!~zWHT-^J~Ageh;o#f_Lvc zyb}Nb?7n=-*a`sHvdX`X32o)yF|VzT;{R+3vI2tu*iNZw{^Squ3lVM4Tx>QWJ0O$RgK3gf5rzN z!zMWHn0``hEscE*B7EIBt=kj9iLO205l4aA?TM<$b+~em5FJZ=QT0pPrfv zzTTR?dm&(UX>I+Gq8-F^#gm_V7c^9^qXXxR&W=S! z^MTn>d>C_X6wf4Xth-k0mk9&xw-%BLyY~5#YK*Vr z!2rP2rLh9GsI0+A`23f9&VqnDe@%?;VgTo;MCia4fYi~54ZivUwqzJ{tY(&P_mhU4 zekh&67z_ab;xCO^%mU{|>fJX*Gy19cFzEO)V>nbA@b*Z`N;jp=p!Ff0pyA7aYyx54xM{<`LkAT#u-pxA!0&GbfasAETdz%3| zmZfh_oCVm-M($j5M-Gs27I4?-7_%;56vk!L0kb;_H$`~t0axT~S=|{IINJs<0{F6r z#O>@%Vsa&c0VCzV4Z6j7WRib#(*`7?X26WLYUi|?gy1~*WzJK>BG$?P= z7+}XXUQcJrU!58HI0aiL=) z-?md@d&D?tMl?I~YBbSc;1H}E=V?8&RF?H}#n1Op?(uePqA@OIXyoB!s{+sPQIJ9S ztHU5-pb#&?;TUTiW!G7h`ey{N`5P%1Yt2MG7_Fv0_TRT)Z+?cfzm##lnOHfMXcX)< zV}iSsjvq&0UW65)PF*Vw(HKfh`tdBh!k?%T-(R|4v&7h(q4uQppx^qJo&vnR8$vdyZN!+LAL@*9)8vDvI<=tG#Enf+S=|SN5 zbX18|$2=W1sLN5z;t559vPHHUx zDWXGjRWQu+e~hNv^^12$b*ztS{}{Wdv^yQZ4~>kNv0#OC?6X}ZMFdBavbMNrXKhXz z(AO<=?yS#&_T$_LkRi4GjYb@acti)ty5`C_ zfyz54u+-G@)<$Ea`>Wi_qb|j zLmSYZb`ftyyB4HTgMw$TwH;-t#`C?JXhgMPULsMV;)9djw-XRUR?yz6LHg{9-sPCQ84X4>h*Y#vQ$R9>1v1Cc~;@22uDU2?w^uM#pDzJz89tpt$^(hgigr72%x0Mtns^ybBSqB&MKM_}!?PB$)90 zy2dcmL6(|DeMq<+ebJ?Q`gy@dCqkql#NbQh@v%iIw~yP93lmjrIyF|Bc=1hITg)L_B#86lpd zRaN&471Sp-;cE#@#hqTwC;@=~^Vay^>ZAWc*j0e%3%mAVXQT7pzAD&7?5P?*z?X=< z9MAK#Em04Ic$%+|v3e2tPc0POd@b})=ALF{ZvzIf2Q^8rqZAH8yb{=RpI8P^6@_J~S*xy9(^U^bCjCOWx9}+zN@Bi-zTj!6dhL^Tha%-jZiIBmNB70& zPBoIB7Ccfa?A4x}=!^VX;4@Mt-f^|mUD+BQ`4I5JgqHE{BU-fKS*f?CE7le>X>}y0 zlOj;r{o2{Iv}|9NTY*(;X?05v1qEx^O@LX~UQwG+MI7REbcDaTazec4Pxh4cMX15@ zV##gv%auGs_JK$_UvQSwnG)sj z%1;XV+@feaK)0aLZL5sTrCMzBlz-JQAO408sT5BoA8_o=FLAwsPwn7v?4#g2Qko12 
zVSp!cthO6ht|JpXHj6o=yGlKCC`+EmpNjtS@YU|6%02fK- zjrQ1LW!AHj^1~|0@Z1S|&FfD!Z2IVMl_!*ZhH9LP_;rvgw5A~eMJKw^k_(-+z&M19 zT)czwfuL#QAp`NdKKvLwHIIok5BIY;nx-mE1!*yCmlhAeA?;p#9F*QLZ<}#mCOFE_ z@@N`qSi@PJRhg6UMi)GKB30ccks~NzCrr?(pEZ#-(@a(EA6h;K*rN;*1tiI{0AFz z=Qz~A&Pp+uXX*%L>RrRjD@vR;FgQOtNyE=`)N<-AR!?efI;65>Ft9JxvkKH79QQR^ zG+vqj9>mt;p&O)kO>$Ay4g~5fy;v!8)FkV(_o-P?hT|*UUwb2n@8T3vi*@q_i zHx6Z%%ZP;45xl0(+loZ4FWUw|;=`+zkbQp9a*vB;Mc`dak(GOPt(>#y8s32u6RS}@ z#ifzfle|&K56v;cucLyaie*Y=2CI|xcAZ^p_rkz+g(6SAACmudXp!Ay!Q8C#lBq7e zesi%H>*p321r~~k)NHmz8!A@}b<^#3^D?*9^wV4BY@n~~646pwxa8a4qvIT{#P^ws z#{N2I=0zjq>6xsr?6C_vkfUEm&vp#kVsT1OO2Vovba#gvM~1DCNk>xE6=aU`dR3=|~J;AG^2y^%mF>E2%Frmm~X3KoH+D zJE2)#QwEeSk*yZ#n7rA&m!LPaemv~-;ZUsR3%fjl3AwPdGnwsLV({btP?g{deQ6zL zbS5m6?VtJ%^@en{Y&c+Uxv%|EArw~)w49^u$c;79KuXQ6g%*u1hgNA>Cp#Qxy&rSA zl|-9Jw|E8Ii~&rHjJ?gjh-TQ0g1x^2doS$OwtpYeV?^Fm%eYdEOcHmsw`;>&{>P+V zgA+ehHrAJE8x4lF!gup0j%8dMJ@MsdT5_2rL(eN4c`NHjkmVRa{HM*tfA;n25tiA7 zF@WahC!)23RKxFv>p^rw-HJ(8;UYf;|4mK#PwLKpB9rXb)7o+d2z1|0J+aOHU<^Wn zg}HTWqQYJ;t20BASHfHLm1DiFJj!a5+XX+G+csI5^-`r!?SP{@{+-J2CvW2n9!~UW z9P0~oQePo}6x04{3BD*+a=W6xW=*z^UvM?C#66IgJ!_7TGSu?SNBY8y$Jy(*+Q8AF zml>KaEJ{mEfUdIe1FP%)bK>JI!r)#6CIvDJZktLlN6(1%`I5pfFixUy{fX23SJq3m zB95MH^GeU!k>b6u8<+W2{mxm|xQljvw(n0BqU|rDm8&tKWrd6-Z)=MuYebhf6n)Uro}Pa& z9eg-kH|?6%vw+zr;hJ`AM@E35kP^%Pb(JS>GAuHBoRn7)al7!0P{ZxpT3IP=#!81Z$U%S@n6NVggX`vFE#LE7{vEZ40<4lRqxbz zr8JyzZ*HoZnO3Q+zc)xN9Xbt;h^>|hmV99DkW7fSRhDv5U9he|7rDNFIiN2wT%>}E z(M?~Oxw-BstVO8GDlz+fV0g~@qQUmhB{^9SbF?d*nw}zCrS!{R@nMRNeu$Q8aU1RW zZnCQ8ZDuV7Mv8OENfIPrT{URkH4n)U+ZDV&?&S)m$S0|VQ(_GgU@%HrVR~8C89Q?q zv-T3Q`wYX3Wi@89qB@djjLs%OG1!f@J$zqXrBO~g#Wr^P_U%-*xh}~GP)Kb(XzHmg z?%HR>4R6#=|Kim|vC%4#73Na4@Lpr<~t&3r4VF^acs@J^tKfjUiLDcatB2>NvC7SAVSz@l-V!Rj+|+YuT* zfL@W-QM4N*swVxfI{iN~j<_FX0Ox#p7adSHEbvTTsrK1eV9Ic>w1zY~8P%}mY;Na` zldBV{kaZCquq8cSRJQf9OlVIJ^r7R!YL1$Qq$Pj9XD|RNLHEO_mzwcN7xOPH~yag6C7|* zgy->jA!is>S2Gzgd=AgeH{!r|ikFCXh~{pxe*kNocApQ)o`L;d&kr8ua%D&W%^J{lRe`Q68*Zi 
zYni^x_cn^rLEg3yp(0Teeb9TNc)+K=-QPF+kG?m*tFr0*9aGI`E*0xTU>G;`tLd@+ zuFaptxS6DThkY@RxiH`}6x*?N-eF z{|Ej4BQprGMxw7y{(HRee^K>p@L5QnK@A@tp!6bo_(}T6<;0TT32g2QL{5dVJ-D`3|$mLXqa zvw}z{dwb8AG3i1k1f?hO$Rt_TP(~zPc1zbqOBvnR3FDMr(taw+!`>ohY;WOW9)dH? zWfEQ04ib3`=!WQ*?Vps7DfRFvlF64Z*q9{pInY=_D(U6GEQz~>apldZ;uG1AR$5ydc{AHw)%g34i$d+LSEv$ATzgJ{lJ_sk)rIv*Dy}?!?QKYi5=w1=yHG zGXDJ7J^q=(SLeUhHL}&Y0^6|~7?V?whNM~B^udWBe=AVmv`9_kz)A}qG52Kr{@ zwGN4iVB&r)&Vw%x3d%;^pk}|V`K1;_d?Q2UZ+L_e-P0wxE?*t}2^rgn0F6h==N!h?9#-d25Q^o=p`>lFf@f?7?%# z#dpJB9JfmjRsJDYZt}NDc89w$@ec_jX<*i$ASgtK&w%hffb{zIFcw40|=*8mE_kF=iWTdUb-7%0~tWW+b(WY565PYJ*G7_!;<{5xUNo)`xRW z3vH#Y5Z5}OL%`$n?woo0L5;@lWUGm%0o$S`610Xx;hO>jK~_ zcq(sbpwWw3@;2znHQG7qTGBJiKr2#-g3=+ht1~~B7b_f_oyHf!PaYZ}A~(8_>p}R@ zv5!@RMDNs8u;mfmClkRbsiv0d-~DY5qr+kz)|$_H&a>-?JPQLqL&T5OjsIF9tWjTo zn98%}PL^dPe_rg2;^(9HTj9soE?FMa%`I-&CPeU?(7%-++8`HnVo*#N^N_sl?zoUX zKqu*cHt395?=QP9IXwI~Gnxa0?&EWY{g-KykK%q)l{Et{kxLywJ~8?FHyH`7aa3X9 z8abt#5^!(tmKEM3uc}+Wxk^5}NrlapJ>qK{`pL&;=6z`7Ee}hU*|z;8Pd}KGiQGB7 zq-J^DCez7nB;xV-BZS{m;!@{1MrfoFY@=BcI?@oa)ci;i`D0vmV?N&Sw!c5`JCL|W z!69rg6vX;c-Uh44kVk?b7Wo3JU_(x~C~~!FLx+Lf253Bersl|l@|X7a)g01w%w8z; zrT9IleR+NB35kqMvmOPymkyH8>h7K#jw^L0yUCu0Bp):30556/dex + username_claim: email + groups_claim: groups + +The ``username_claim`` and ``groups_claim`` parameter values can vary for +different user and group configurations within your Windows Active Directory +server. 
+ +~~~~~~~~~~~~~~~~~~~~~~ +Configure post-install +~~~~~~~~~~~~~~~~~~~~~~ + +Execute the following commands to add the OIDC parameters to the kube-apiserver: + +:: + + system service-parameter-add kubernetes kube_apiserver oidc_client_id=value + system service-parameter-add kubernetes kube_apiserver oidc_groups_claim=value + system service-parameter-add kubernetes kube_apiserver oidc_issuer_url=value + system service-parameter-add kubernetes kube_apiserver oidc_username_claim=value + system service-parameter-apply kubernetes + + +------------------------------------ +Configure oidc-auth-apps application +------------------------------------ + +The oidc-auth-apps application is a system managed application that is +packaged in the ISO and uploaded by default. To use the oidc-auth-apps +application for authentication, you must first configure and deploy the +oidc-auth-apps application as described below. + +These commands assume the cert and key pem files for creating these secrets +are in ``/home/sysadmin/ssl/``. + +#. Create a secret with the certificate and key (``local-dex.tls``) to be used + by the oidc-auth-apps as well as a secret with the CA that signed this + certificate (``dex-client-secret``) for the client. The certificate should + be signed by a CA trusted by the system. If the certificate is signed by a + CA that is not trusted by default, you can make the system trust the CA + by specifying it during bootstrap by specifying ssl_ca_cert in + ``localhost.yml``, or through ``system certificate-install -m ssl_ca ...`` + after bootstrap. 
+ + :: + + kubectl create secret tls local-dex.tls --cert=ssl/dex-cert.pem --key=ssl/dex-key.pem -n kube-system + kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/ssl/dex-ca.pem -n kube-system + + Create a Kubernetes secret wadcert with the CA's certificate that signed the + Active Directory's certificate using the following command: + + :: + + kubectl create secret generic wadcert --from-file=ssl/AD_CA.cer -n kube-system + +#. Specify user overrides for oidc-auth-apps. + + :: + + system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/dex-overrides.yaml + + The only mandatory section is the "connectors" section, which will vary for + different Windows Active Directory deployments. Refer to the upstream dex + documentation for more details: + https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md + + Here is an example ``dex-overrides.yaml`` file: + + :: + + config: + expiry: + idTokens: "10h" + connectors: + - type: ldap + name: OpenLDAP + id: ldap + config: + host: pv-windows-acti.cumulus.wrs.com:636 + rootCA: /etc/ssl/certs/adcert/AD_CA.cer + insecureNoSSL: false + insecureSkipVerify: false + bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com + bindPW: Li69nux* + usernamePrompt: Username + userSearch: + baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com + filter: "(objectClass=user)" + username: sAMAccountName + idAttr: sAMAccountName + emailAttr: sAMAccountName + nameAttr: displayName + groupSearch: + baseDN: ou=Users,ou=Titanium,dc=corp,dc=cumulus,dc=wrs,dc=com + filter: "(objectClass=group)" + userAttr: DN + groupAttr: member + nameAttr: cn + extraVolumes: + - name: certdir + secret: + secretName: wadcert + extraVolumeMounts: + - name: certdir + mountPath: /etc/ssl/certs/adcert + +#. 
Apply oidc-auth-apps: + + :: + + system application-apply oidc-auth-apps + + +--------------------------------------- +Set up users, groups, and authorization +--------------------------------------- + +These steps assume there is a user called "testuser" who is a member of both a +billingDeptGroup and a managerGroup set up in the Windows Active Directory +deployments. + +On StarlingX, bind Kubernetes RBAC role(s) to this user and/or group(s). For +example, give this user admin privileges by creating the following deployment +file and deploy it with the ``kubectl apply -f filename`` command. + +:: + + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: testuser-rolebinding + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser + +Alternatively, you can also bind Kubernetes RBAC role(s) for the group(s) of +testuser. For example, give all members of the billingDeptGroup admin +privileges by creating the following deployment file and deploy it with the +:command:`kubectl apply -f filename` command. + +:: + + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: testuser-rolebinding + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: billingDeptGroup + +Set up kubectl with a Kubernetes user to authenticate through dex. This can be +done locally on controller-0 or remotely on a workstation. + +:: + + # setup cluster if you haven’t already + kubectl config set-cluster mystxcluster –server=https://:6443 + kubectl config set-context testuser@mystxcluster --cluster=mystxcluster --user=testuser + +--------------------------- +Obtain authentication token +--------------------------- + +You can get the authentication token using the ``oidc-auth`` CLI or using a +browser. 
+ +~~~~~~~~~~~~~~~~~~~~~ +Use ``oidc-auth`` CLI +~~~~~~~~~~~~~~~~~~~~~ + +The ``oidc-auth`` CLI retrieves the ID token from Windows Active Directory using +the OIDC client, and dex, and updates the Kubernetes credentials for the user in +the kubectl config file. + +On controller-0, ``oidc-auth`` is installed as part of the base installation, +and is ready to use. + +On a remote host with kubectl and helm client installed on the host, perform the +following required setup: + +#. Install the Python ``mechanize`` module: + + :: + + sudo pip2 install mechanize + +#. Get the ``oidc-auth`` script from the public + `CENGN StarlingX mirror `_. + For example, + ``http://mirror.starlingx.cengn.ca/mirror/starlingx/master/centos/latest_docker_image_build/outputs/remote-cli/`` + +After setup is complete, run the ``oidc-auth`` script to authenticate and update +user credentials in the kubectl config file with the retrieved token. + +:: + + oidc-auth -c -u testuser + Password: + Login succeeded. + Updating kubectl config ... + User testuser set. + +Switch to the context for this user: + +:: + + kubectl config use-context testuser@mystxcluster + +Run a kubectl command to ensure the token works: + +:: + + kubectl get pods --all-namespaces + +~~~~~~~~~~~ +Use browser +~~~~~~~~~~~ + +#. From a browser, enter the following: + + :: + + https://oam-floating-ip-address:30555 + +#. In the dialog box, enter your username, password and click Login. + + .. 
figure:: figures/k8s_auth_login.png + :scale: 100% + :alt: Login dialog box + + An ID token is displayed as shown below: + + :: + + ID Token: + + eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwYTcyYmIwZTRjNTJhZDhiNGYxMmYxNzc3NTVmNDdmODc5M2ZkYTAifQ.eyJpc3MiOiJodHRwczovLzEwLjEwLjEwLjM6MzA1NTYvZGV4Iiwic3ViIjoiQ2dkbmQyRnBibVZ6RWdSc1pHRnciLCJhdWQiOiJzdHgtb2lkYy1jbGllbnQtYXBwIiwiZXhwIjoxNTgwODQ4NTkzLCJpYXQiOjE1ODA3NjIxOTMsImF0X2hhc2giOiJNU0YtNDBpOWVuM1QyVjdUMWdSZW5RIiwiZW1haWwiOiJnd2FpbmVzIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJHcmVnb3J5IEEuIFdhaW5lcyJ9.oNIabUhd5wx3tFCIuewtzsbYfx1OsrGXtEUEPL0l5Y944WE2c1HP6YUHWxvYTMw1_Ldl-jx-koiYbiE8Eztgy9anfJqclUFa6xlxP666Z7AYxndsULylqzfT0dvySaddIEEYDffx7aH6g7q2PKZjMHFierRyqmCu8WTPRSNy3NymLmQaGGjUmFHqbvpEBgg_ytpsDgbRIpk1EbyP63l79hBNlRvcffTRLi3LYYRaJLgSbx2tha43OX5rKxylF_GrzZHaqxxT6MjIHKHagUrcqa054RwPWUHKyV26ErkMg6gN5uyMm462UtnW7jJucYrWBpbaWaj0U0OTWv_1NnKlJw + + Access Token: + + jwcj46v3vmumpixr54wbyrstf + + Claims: + + { + "iss": "https://10.10.10.3:30556/dex", + "sub": "Cgdnd2FpbmVzEgRsZGFw", + "aud": "stx-oidc-client-app", + "exp": 1580848593, + "iat": 1580762193, + "at_hash": "MSF-40i9en3T2V7T1gRenQ", + "email": "testuser", + "email_verified": true, + "groups": [ + "billingDeptGroup", + "managerGroup" + ], + "name": "testuser" + } + + +#. Set Kubernetes credentials with the above ID token: + + :: + + ~(keystone_admin)]$ TOKEN= + ~(keystone_admin)]$ kubectl config setcredentials testuser --token $TOKEN + +#. Switch to the context for this user: + + :: + + ~(keystone_admin)]$ kubectl config use-context testuser@mystxcluster + +#. Run the command ``kubectl get pods --all-namespaces``. + +This command should be successful because authentication is complete. + diff --git a/doc/source/deploy_install_guides/r4_release/ansible_bootstrap_configs.rst b/doc/source/deploy_install_guides/r4_release/ansible_bootstrap_configs.rst index 6d1cbe5cc..f5a8e3dd0 100644 --- a/doc/source/deploy_install_guides/r4_release/ansible_bootstrap_configs.rst 
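Review bot: The dex-overrides.yaml example in this hunk authenticates to Active Directory as `cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com` with a literal `bindPW: Li69nux*`, which readers will copy verbatim; change it to a placeholder such as `bindPW: <ad-bind-password>`, use a read-only service account for the bind DN, and add a sentence that the overrides file stores this password in clear text and must be access-restricted. Both ClusterRoleBinding examples grant `cluster-admin` (first to `testuser`, then to every member of `billingDeptGroup`) and both use `name: testuser-rolebinding`, so applying the second overwrites the first; a caveat that these are illustrative and that production bindings should use least-privilege roles, plus a distinct name for the group binding, would help. The `oidc-auth` script, which prompts for the user's AD password, is fetched from a plain `http://` CENGN mirror URL; the doc should point to an https URL or instruct the reader to verify the download before running it. The sample ID token appears to decode to a different user than the `testuser` shown in the Claims block, suggesting it was pasted from a real session; a truncated placeholder avoids publishing a real signed token. The start of this hunk is lost in the binary image data above, so the file's opening lines (including the bootstrap `apiserver_oidc` section) were not reviewed.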
+++ b/doc/source/deploy_install_guides/r4_release/ansible_bootstrap_configs.rst @@ -118,10 +118,6 @@ Install-time-only parameters * ``apiserver_oidc`` - * ``client_id`` - * ``issuer_id`` - * ``username_claim`` - ---- IPv6 ----