Merge "Centralized OIDC usecase lacks some clarity in StarlingX documentation"

doc/source/security/kubernetes/configure-kubernetes-client-access.rst

@@ -21,6 +21,11 @@ Configure Kubernetes Local Client Access
 Use the procedure below to configure Kubernetes access for a user logged in to
 the active controller either through SSH or by using the system console.
 
+.. note::
+
+    If the user ssh/console access is to be authenticated using an External
+    |WAD| or |LDAP| server, refer also to :ref:`sssd-support-5fb6c4b0320b`.
+
 .. rubric:: |proc|
 
 #.  Execute the commands below to create the Kubernetes configuration file for

doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst

@@ -52,10 +52,6 @@ Validation after Bootstrapping the System
         the **issuer_url** is, ``https://\[<oam-floating-ip>\]:30556/dex``
         (that is, in lower case, and wrapped in square brackets).
 
-
-.. rubric:: |result|
-
 For more information on |OIDC| Authentication for subclouds, see
 :ref:`Centralized vs Distributed OIDC Authentication Setup
-<centralized-vs-distributed-oidc-auth-setup>`.
-
+<centralized-vs-distributed-oidc-auth-setup>`.

doc/source/security/kubernetes/configure-oidc-auth-applications.rst

@@ -56,11 +56,11 @@ Configure OIDC Auth Applications
           bootstrap phase of system installation, by specifying ``ssl_ca_cert:
           <certificate_file>`` in the ansible bootstrap overrides
           ``localhost.yml`` file, or by using the
-          :command:`system ca-certificate-install <certificate_file>` command.
+          :command:`system ca-certificate-install` command.
 
       Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
       for installing a root |CA|, which includes instruction to `lock/unlock`
-      controller nodes when using :command:`system certificate-install`
+      controller nodes when using :command:`system ca-certificate-install`
       command.
 
       .. important::
@@ -235,12 +235,12 @@ Configure OIDC Auth Applications
           |CA|, you must ensure the system trusts the |CA| by specifying it
           either during the bootstrap phase of system installation, by
           specifying ``ssl_ca_cert: dex-ca.pem`` in the ansible bootstrap
-          overrides ``localhost.yml`` file, or by using the :command:`system
-          certificate-install -m ssl_ca dex-ca.pem` command.
+          overrides ``localhost.yml`` file, or by using the
+          :command:`system ca-certificate-install dex-ca.pem` command.
 
           Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
           for installing a root |CA|, which includes instruction to `lock/unlock`
-          controller nodes when using :command:`system certificate-install`
+          controller nodes when using :command:`system ca-certificate-install`
           command.
 
       -   Create the secret, ``local-dex.tls``, with the certificate and key,
@@ -310,7 +310,7 @@ Configure OIDC Auth Applications
 
     For the complete list of dex helm chart values supported, see `Dex Helm
     Chart Values
-    <https://github.com/dexidp/helm-charts/blob/dex-0.15.3/charts/dex/values.yaml>`__.
+    <https://github.com/dexidp/helm-charts/blob/dex-0.18.0/charts/dex/values.yaml>`__.
     For the complete list of parameters of the dex |LDAP| connector
     configuration, see `Authentication Through LDAP
     <https://dexidp.io/docs/connectors/ldap/>`__.

doc/source/security/kubernetes/configure-users-groups-and-authorization.rst

@@ -13,9 +13,12 @@ option, **testuser** user is directly bound to a role; in the second option,
 permissions.
 
 .. note::
-   For bigger environments, like a |DC| with many subclouds, or to minimize
-   Kubernetes custom cluster configurations, use the second option, where
-   permissions are granted through Kubernetes groups.
+
+    For larger environments, like a |DC| with many subclouds, or to minimize
+    Kubernetes custom cluster configurations, use the second option, where
+    permissions are granted through Kubernetes groups. Apply the kubernetes
+    |RBAC| policy to the central cloud and to each subcloud where kubernetes
+    permissions are required.
 
 .. _configure-users-groups-and-authorization-option-1-b2f-ck4-dlb: