1. Proposed title of this feature request
Configure OAuth Behind a Proxy Server (e.g., WAF) in HCP cluster

2. What is the nature and description of the request?

In high-security enterprise environments, all web traffic must be inspected and authenticated by a Web Application Firewall (WAF) or Reverse Proxy before reaching the cluster.

In standard OpenShift, this is achieved by patching console.operator.openshift.io and ingress.config.openshift.io to set a custom consoleURL and componentRoutes. However, in HCP (HyperShift), users do not have direct access to modify the Console Operator or the Control Plane Ingress configuration in the same manner, as these are managed by the HyperShift Operator in the management cluster. This prevents customers from placing an HCP console behind a WAF with a custom hostname.

Similar to as possible in normal OpenShift cluster steps mentioned in the below kcs:

• https://access.redhat.com/solutions/7135543

3. Why does the customer need this? (List the business requirements here)

In high-security enterprise environments, all web traffic must be inspected and authenticated by a Web Application Firewall (WAF) or Reverse Proxy before reaching the cluster.

4. List any affected packages or components.