From 898887d4e8c0e83c9b81f64cf00eca2bdf335ea0 Mon Sep 17 00:00:00 2001
From: Kathryn Alexander
Date: Fri, 30 Nov 2018 11:33:14 -0500
Subject: [PATCH] bug 1633137 request header changes
---
 install/configuring_inventory_file.adoc | 2 +-
 .../configuring_authentication.adoc | 59 +++++++++++++++----
 2 files changed, 47 insertions(+), 14 deletions(-)
diff --git a/install/configuring_inventory_file.adoc b/install/configuring_inventory_file.adoc
index 9690a1772a2a..a2cd791ee28a 100644
--- a/install/configuring_inventory_file.adoc
+++ b/install/configuring_inventory_file.adoc
@@ -163,7 +163,7 @@ xref:../install_config/configuring_authentication.adoc#install-config-configurin
 The default value is xref:../install_config/configuring_authentication.adoc#DenyAllPasswordIdentityProvider[Deny All]. If you use a supported identity provider, configure {product-title} to
-use it.
+use it. You can configure multiple identity providers.
 |`openshift_master_named_certificates` .2+.^|These variables are used to configure xref:../install_config/certificate_customization.adoc#install-config-certificate-customization[custom certificates] which are deployed as part of the installation. See xref:advanced-install-custom-certificates[Configuring Custom Certificates] for more information.
diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc
index af5ba90bb9d5..fc8d549f4b00 100644
--- a/install_config/configuring_authentication.adoc
+++ b/install_config/configuring_authentication.adoc
@@ -156,22 +156,58 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
 # LDAP auth
-#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
 # Configuring the ldap ca certificate <1>
 #openshift_master_ldap_ca=
 # or
-#openshift_master_ldap_ca_file=
+#openshift_master_ldap_ca_file= <2>
-# Available variables for configuring certificates for other identity providers:
+# Available variables for configuring certificates for other identity providers: <3>
 #openshift_master_openid_ca
-#openshift_master_openid_ca_file
+#openshift_master_openid_ca_file <2>
 #openshift_master_request_header_ca
-#openshift_master_request_header_ca_file
-----
-<1> If you specify your CA certificate location in the
-`openshift_master_identity_providers` parameter, do not specify a certificate
-value in the `openshift_master_ldap_ca` parameter or path in the
-`openshift_master_ldap_ca_file` parameter.
+#openshift_master_request_header_ca_file <2>
+----
+<1> If you specified `'insecure': 'false'`
+in the `openshift_master_identity_providers` parameter for only an LDAP identity
+provider, you can omit the CA certificate.
+<2> If you specify a file on the host you run the playbook on, its contents are
+copied to the
+*_/etc/origin/master/__ca.crt_*
+file. The
+identity provider name is the value of the `openshift_master_identity_providers`
+parameter, `ldap`, `openid`, or `request_header`. If you do not
+specify the CA text or the path to the local CA file, you must place the CA
+certificate in this location. If you specify multiple identity providers, you
+must manually place the CA certificate for each provider in this location. You cannot change this location.
+
+You can specify multiple identity providers. If you do, you must place the
+CA certificate for each identity provider in the *_/etc/origin/master/_* directory.
+For example, you include the following providers in your
+`openshift_master_identity_providers` value:
+
+----
+openshift_master_identity_providers:
+- name: foo
+ provider:
+ kind: OpenIDIdentityProvider
+ ...
+- name: bar
+ provider:
+ kind: OpenIDIdentityProvider
+ ...
+- name: baz
+ provider:
+ kind: RequestHeaderIdentityProvider
+ ...
+----
+
+You must place the CA certificates for these identity providers in the following
+files:
+
+* *_/etc/origin/master/foo_openid_ca.crt_*
+* *_/etc/origin/master/bar_openid_ca.crt_*
+* *_/etc/origin/master/baz_requestheader_ca.crt_*
 [[identity_providers_master_config]]
@@ -199,9 +235,6 @@ oauthConfig:
 When set to the default `claim` value, OAuth will fail if the identity is mapped to a previously-existing user name.
-[[identity_providers_methods]]
-=== Configuring an identity provider or method
-
 [[LookupMappingMethod]]
 ==== Manually provisioning a user when using the lookup mapping method