From 4caf6966b1e00f5f19ca2dd70cee204704cfbe7a Mon Sep 17 00:00:00 2001 From: Ekaterina Kazakova Date: Fri, 6 Dec 2024 16:42:04 +0400 Subject: [PATCH] Document Credential distribution system Closes: https://github.com/Mirantis/hmc/issues/719 --- docs/credential/distribution.md | 43 +++++++++++++++++++++++++++++++++ docs/template/main.md | 6 ++--- docs/usage/cluster-update.md | 2 +- mkdocs.yml | 1 + 4 files changed, 48 insertions(+), 4 deletions(-) create mode 100644 docs/credential/distribution.md diff --git a/docs/credential/distribution.md b/docs/credential/distribution.md new file mode 100644 index 0000000..b4cbb52 --- /dev/null +++ b/docs/credential/distribution.md 
@@ -0,0 +1,43 @@ +# Credential Distribution System + +The 2A system provides a mechanism to distribute `Credential` objects across namespaces using the +`AccessManagement` object. This object defines a set of `accessRules` that determine how credentials are distributed. + +Each access rule specifies: + +1. The target namespaces where credentials should be delivered. +2. A list of `Credential` names to distribute to those namespaces. + +The HMC controller will copy the specified `Credential` objects from the **system** namespace to the target +namespaces based on the `accessRules` in the `AccessManagement` spec. + +> INFO: +> Access rules can also include `Cluster` and `Service` TemplateChains (`clusterTemplateChains` and +> `serviceTemplateChains`) to distribute templates to target namespaces. +> For more details, read: [Template Life Cycle Management](../template/main.md#template-life-cycle-management). + +## How to Configure Credential Distribution + +To configure the distribution of `Credential` objects: + +1. Edit the `AccessManagement` object. +2. Populate the `.spec.accessRules` field with the list of `Credential` names and the target namespaces. + +Here’s an example configuration: + +```yaml +spec: + accessRules: + - targetNamespaces: + list: + - dev + - test + credentials: + - aws-demo + - azure-demo +``` + +In this example, the `aws-demo` and `azure-demo` `Credential` objects will be distributed to the `dev` and `test` +namespaces. + + diff --git a/docs/template/main.md b/docs/template/main.md index 252d3cd..df86345 100644 --- a/docs/template/main.md +++ b/docs/template/main.md 
@@ -14,8 +14,8 @@ templates shipped with 2A. ## Template Life Cycle Management -Cluster and Service Templates can be delivered to target namespaces using the `TemplateManagement`, -`ClusterTemplateChain` and `ServiceTemplateChain` objects. `TemplateManagement` object contains the list of +Cluster and Service Templates can be delivered to target namespaces using the `AccessManagement`, +`ClusterTemplateChain` and `ServiceTemplateChain` objects. `AccessManagement` object contains the list of access rules to apply. Each access rule contains the namespaces' definition to deliver templates into and the template chains. Each `ClusterTemplateChain` and `ServiceTemplateChain` contains the supported templates and the upgrade sequences for them. @@ -39,7 +39,7 @@ spec: - name: aws-standalone-cp-0-0-2 ``` -2. Edit `TemplateManagement` object and configure the `.spec.accessRules`. +2. Edit `AccessManagement` object and configure the `.spec.accessRules`. For example, to apply all templates and upgrade sequences defined in the `aws` `ClusterTemplateChain` to the `default` namespace, the following `accessRule` should be added: diff --git a/docs/usage/cluster-update.md b/docs/usage/cluster-update.md index 6443a1f..149d3f4 100644 --- a/docs/usage/cluster-update.md +++ b/docs/usage/cluster-update.md @@ -24,7 +24,7 @@ check the `.status.conditions`. > NOTE: > The `ManagedCluster` is allowed to be updated to specific templates only. > The templates available for the update are defined in the -> `ClusterTemplateChain` objects. Also, the `TemplateManagement` object should +> `ClusterTemplateChain` objects. Also, the `AccessManagement` object should > contain properly configured `spec.accessRules` with the list of > `ClusterTemplateChain` object names and the namespaces where the supported > templates from the chain spec will be delivered. For details, see: diff --git a/mkdocs.yml b/mkdocs.yml index 0a64904..6ff6507 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -95,6 +95,7 @@ nav: - Hosted Control Plane: clustertemplates/vsphere/hosted-control-plane.md - Credentials: - Overview: credential/main.md + - Distribution: credential/distribution.md - RBAC: - Overview: rbac/roles.md - Architecture: architecture.md
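Review bot: the new `docs/credential/distribution.md` describes the copy mechanism but not its access consequence: once the controller copies a `Credential` from the system namespace into a namespace listed under `accessRules`, that object is visible to any principal with read access to `Credential` objects in the target namespace, so the page should tell operators to list only the namespaces that actually need each credential. The lifecycle is also undocumented; state whether removing a credential name or a namespace from `.spec.accessRules` deletes the copies already delivered or leaves them in place. Two smaller points: the file ends with two blank `+` lines, trim to a single trailing newline; and the callout uses `> INFO:` while `docs/usage/cluster-update.md` uses `> NOTE:`, pick one convention for the docs.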
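Review bot: the rename from `TemplateManagement` to `AccessManagement` in `docs/template/main.md` and `docs/usage/cluster-update.md` should be checked against the rest of the docs and any sample manifests, since the diffstat touches only four files and a leftover `TemplateManagement` reference would point readers at an object name the docs no longer define. While touching the first hunk of `docs/template/main.md`, the changed line "`AccessManagement` object contains the list of" reads better as "The `AccessManagement` object contains the list of".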