docs - add Microsoft Entra Workload ID cluster installation procedure

Author: huangmingxia

docs/aws-sts-provisioning.md

@@ -1,6 +1,6 @@
 # Provisioning AWS STS Clusters
 
-It is possible to use Hive to provision clusters configured to use Amazon's Security Token Service, where cluster components use short lived credentials that are rotated frequently, and the cluster does not have an admin level AWS credential. This feature was added to the in-cluster OpenShift components in 4.7, see documentation [here](https://docs.openshift.com/container-platform/4.7/authentication/managing_cloud_provider_credentials/cco-mode-sts.html).
+It is possible to use Hive to provision clusters configured to use Amazon's Security Token Service, where cluster components use short lived credentials that are rotated frequently, and the cluster does not have an admin level AWS credential. This feature was added to the in-cluster OpenShift components in 4.20, see documentation [here](https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/authentication_and_authorization/managing-cloud-provider-credentials#cco-short-term-creds).
 
 At present Hive does not automate the STS setup, rather we assume the user configures STS components manually and provides information to Hive. The following instructions refer to the `ccoctl` tool. This tool can be extracted from the OpenShift release image. See steps below.
 
@@ -31,7 +31,7 @@ chmod u+x ccoctl
 
 ## Setup STS Infrastructure
 
-Create AWS resources using the [ccoctl](ccoctl.md#steps-create) tool (you will need aws credentials with sufficient permissions). The command below will generate public/private ServiceAccount signing keys, create the S3 bucket (with public read-only access), upload the OIDC config into the bucket, set up an IAM Identity Provider that trusts that bucket configuration, and create IAM Roles for each AWS CredentialsRequest extracted above. It will also dump the files needed by the installer in the `_output` directory. Installation secret manifests will be found within `_output/manifests`.
+Create AWS resources using the ccoctl tool (you will need aws credentials with sufficient permissions). The command below will generate public/private ServiceAccount signing keys, create the S3 bucket (with public read-only access), upload the OIDC config into the bucket, set up an IAM Identity Provider that trusts that bucket configuration, and create IAM Roles for each AWS CredentialsRequest extracted above. It will also dump the files needed by the installer in the `_output` directory. Installation secret manifests will be found within `_output/manifests`.
 ```
 ./ccoctl aws create-all --name <aws_infra_name> --region <aws_region> --credentials-requests-dir ./credrequests --output-dir _output/
 ```
@@ -54,3 +54,10 @@ Create a ClusterDeployment normally with the following changes:
   1. In your ClusterDeployment set `spec.boundServiceAccountSigningKeySecretRef.name` to point to the Secret created above (`bound-service-account-signing-key`).
   1. In your ClusterDeployment set `spec.provisioning.manifestsSecretRef` to point to the Secret created above (`cluster-manifests`).
   1. Create your ClusterDeployment + InstallConfig to provision your STS cluster.
+
+## Note: Cleanup AWS resources after uninstalling the cluster
+Make sure you clean up the following resources after you uninstall your cluster. To delete resources created by ccoctl, run
+```bash
+$ ./ccoctl aws delete --name=<name> --region=<aws-region>
+```
+where name is the name used to tag and account any cloud resources that were created, and region is the aws region in which cloud resources were created.

docs/hiveutil.md

@@ -15,6 +15,38 @@ To view what `create-cluster` generates, *without* submitting it to the API serv
 
 `--release-image` can be specified to control which OpenShift release image to use.
 
+#### Pull Secret
+
+OpenShift installation requires a pull secret obtained from https://console.redhat.com/openshift/install/pull-secret. 
+
+Save it to `~/.pull-secret` and `hiveutil` will automatically use it:
+
+```bash
+# Save your pull secret to the default location
+cat > ~/.pull-secret << 'EOF'
+{"auths":{"xxx":{"auth":"...","email":"..."}}}
+EOF
+
+# Now hiveutil will automatically find and use it
+bin/hiveutil create-cluster mycluster --cloud=aws
+```
+
+Other options:
+
+```bash
+# Option 1: Specify the file location
+bin/hiveutil create-cluster mycluster --pull-secret-file=/path/to/pull-secret
+
+# Option 2: Set as environment variable
+export PULL_SECRET='{"auths":{...}}'
+bin/hiveutil create-cluster mycluster --cloud=cloud
+
+# Option 3: Pass directly as parameter
+bin/hiveutil create-cluster mycluster --pull-secret '{"auths":{...}}'
+
+# Option 4: You can configure a global pull secret in HiveConfig instead of providing one for each cluster. See the Pull Secret section in using-hive.md for details.
+```
+
 #### Create Cluster on AWS
 
 Credentials will be read from your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. If the environment variables are missing or empty, then `create-cluster` will look for creds at `~/.aws/credentials`. Alternatively you can specify an AWS credentials file with `--creds-file`.

docs/install.md

@@ -44,12 +44,12 @@ Sample output:
 
 ```bash
 $ oc get pods -n hive
-NAME                                READY   STATUS    RESTARTS   AGE
-hive-clustersync-0                  1/1     Running   0          16m
-hive-controllers-6fcbf74864-hdn27   1/1     Running   0          17m
-hive-operator-7b877b996b-ndlpj      1/1     Running   0          17m
-hiveadmission-7969fd9dd-l24jb       1/1     Running   0          17m
-hiveadmission-7969fd9dd-pl2ml       1/1     Running   0          17m
+hive-clustersync-0                  1/1     Running   0          34s
+hive-controllers-5d67988cc8-97r5p   1/1     Running   0          35s
+hive-machinepool-0                  1/1     Running   0          34s
+hive-operator-5c7fdd6df8-jrxvt      1/1     Running   0          3m30s
+hiveadmission-5bf565bd7-nqq9h       1/1     Running   0          32s
+hiveadmission-5bf565bd7-tkf4c       1/1     Running   0          32s
 ```
 
 # Next Step