Update docs according to the new credential system

K0rdent · Oct 8, 2024 · 7947229 · 7947229
1 parent 2659c84
commit 7947229
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 55 deletions.
diff --git a/docs/aws/cluster-parameters.md b/docs/aws/cluster-parameters.md
@@ -3,8 +3,61 @@
 ## Software prerequisites
 
 1. `clusterawsadm` CLI installed locally.
-2. `AWS_B64ENCODED_CREDENTIALS` environment variable to be exported.
-See [AWS credentials](credentials.md#aws-credentials-configuration) (p. 1-3)
+
+## Cluster Identity
+
+To provide credentials for CAPI AWS provider (CAPA) `ClusterIdentity` object
+must be created.
+
+AWS provider supports 3 types of `ClusterIdentity`, which one to use depends on
+your specific use case. More information regarding CAPA `ClusterIdentity`
+resources could be found in [CRD Reference](https://cluster-api-aws.sigs.k8s.io/crd/)
+
+In this example we're using [`AWSClusterStaticIdentity`](https://cluster-api-aws.sigs.k8s.io/crd/#infrastructure.cluster.x-k8s.io/v1beta1.AWSClusterStaticIdentity).
+
+To create `ClusterIdentity` IAM user must be created and assigned with the
+following roles:
+
+- `control-plane.cluster-api-provider-aws.sigs.k8s.io`
+- `controllers.cluster-api-provider-aws.sigs.k8s.io`
+- `nodes.cluster-api-provider-aws.sigs.k8s.io`
+
+Follow the [IAM setup guide](cloudformation.md#aws-iam-setup) (if not already)
+to create these roles.
+
+Next the following secret should be created with the user's credentials:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aws-cred-secret
+  namespace: hmc-system
+type: Opaque
+stringData:
+  AccessKeyID: "AAAEXAMPLE"
+  SecretAccessKey: "++AQDEXAMPLE"
+```
+
+> [!NOTE]
+> The secret must be created in the same `Namespace` where CAPA provider is
+> running. In case of Project 2A it's currently `hmc-system`. Placing secret in
+> any other `Namespace` will result controller not able to read it.
+
+After the `Secret` was created the `AWSClusterStaticIdentity` must be create
+like so:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+kind: AWSClusterStaticIdentity
+metadata:
+  name: aws-cluster-identity
+spec:
+  secretRef: aws-cred-secret
+```
+
+To use these newly created credentials the `Credential` object must be
+created. It is described in detail in the [credential section](../credential/main.md).
 
 ## AWS AMI
 
@@ -13,7 +66,7 @@ will be used).
 
 You can override lookup parameters to search your desired image automatically or
 use AMI ID directly.
-If both AMI ID and lookup paramters are defined AMI ID will have higher precedence.
+If both AMI ID and lookup parameters are defined AMI ID will have higher precedence.
 
 ### Image lookup
 
@@ -72,6 +125,7 @@ metadata:
   name: cluster-1
 spec:
   template: aws-standalone-cp
+  credential: aws-cred
   config:
     sshKeyName: foobar
     bastion:

diff --git a/docs/aws/credentials.md b/docs/aws/credentials.md
diff --git a/docs/aws/main.md b/docs/aws/main.md
@@ -9,10 +9,6 @@
 
 Follow the AWS IAM [setup quide](cloudformation.md#aws-iam-setup).
 
-## Configure AWS credentials
-
-Follow the AWS Credentials [configuration quide](credentials.md#aws-credentials-configuration).
-
 ## AWS cluster parameters
 
 Follow the [AWS Cluster Parameters guide](cluster-parameters.md#aws-cluster-parameters)
diff --git a/docs/azure/cluster-parameters.md b/docs/azure/cluster-parameters.md
@@ -74,9 +74,9 @@ spec:
   type: ServicePrincipal
 ```
 
-These objects then should be referenced in the `ManagedCluster` object in the
-`.spec.config.clusterIdentity` field.
-
 Subscription ID which was used to create service principal should be the
 same that will be used in the `.spec.config.subscriptionID` field of the
 `ManagedCluster` object.
+
+To use `AzureClusterIdentity` it should be referenced in the `Credential`
+object. For more details check the [credential section](../credential/main.md).
diff --git a/docs/credential/main.md b/docs/credential/main.md
@@ -0,0 +1,49 @@
+# Credential system
+
+In order for infrastructure provider to work properly a correct credentials
+should be passed to it. The following describes how it is implemented in 2A.
+
+## The process
+
+The following is the process of passing credentials to the system:
+
+1. Provider specific `ClusterIdentity` and `Secret` is created
+2. `Credential` object is created referencing `ClusterIdentity` from step 1.
+3. The `Credential` object is then referenced in the `ManagedCluster`.
+
+By design steps 1 and 2 should be executed by the platform lead engender who has
+access to the credentials. Thus credentials could be used by platform engineers
+without a need to have access to actual credentials or underlying resources,
+like `ClusterIndentity`.
+
+## Credential object
+
+The `Credential` object acts like a reference to the underlying credentials. It is
+namespace-scoped, which means that it must be in the same `Namespace` with the
+`ManagedCluster` it is referenced in.
+Actual credentials can be located in any namespace.
+
+### Example
+
+```yaml
+---
+apiVersion: hmc.mirantis.com/v1alpha1
+kind: Credential
+metadata:
+  name: azure-credential
+  namespace: dev
+spec:
+  description: "Main Azure credentials"
+  identityRef:
+    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+    kind: AzureClusterIdentity
+    name: azure-cluster-identity
+    namespace: hmc-system
+```
+
+In the example above `Credential` object is referencing `AzureClusterIdentity`
+which was created in the `hmc-system` namespace.
+
+The `.spec.description` field can be used to provide arbitrary description of the
+object, so user could make a decision which credentials to use if several are
+present.
diff --git a/docs/vsphere/cluster-parameters.md b/docs/vsphere/cluster-parameters.md
@@ -35,17 +35,18 @@ apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: VSphereClusterIdentity
 metadata:
   name: vsphere-cluster-identity
-  namespace: hmc-system
 spec:
   secretName: vsphere-cluster-identity-secret
   allowedNamespaces:
     selector:
       matchLabels: {}
 ```
 
-These objects then should be referenced in the `ManagedCluster` object in the
-`.spec.config.clusterIdentity` field.
+To be used for the cluster creation.`VsphereClusterIdentity` then should be
+referenced in the `Credential` object.
 
+For more details regarding the credential system check the [credential section](../credential/main.md)
+of the docs.
 
 ## ManagedCluster parameters
 
@@ -65,8 +66,6 @@ for successful cluster creation.
 | `.spec.config.vsphere.datastore`    | `/DC/datastore/DS`                    | Datastore path                     |
 | `.spec.config.vsphere.resourcePool` | `/DC/host/vCluster/Resources/ResPool` | Resource pool path                 |
 | `.spec.config.vsphere.folder`       | `/DC/vm/example`                      | vSphere folder path                |
-| `.spec.config.vsphere.username`     | `user`                                | Username for your vSphere instance |
-| `.spec.config.vsphere.password`     | `password`                            | Password for your vSphere instance |
 
 _You can check [machine parameters](machine-parameters.md) for machine specific
 parameters._
@@ -77,9 +76,6 @@ To obtain vSphere certificate thumbprint you can use the following command:
 curl -sw %{certs} https://vcenter.example.com | openssl x509 -sha256 -fingerprint -noout | awk -F '=' '{print $2}'
 ```
 
-Username and password currently must be passed once more in the `ManagedCluster`
-object to provide proper authentication for CCM and CSI driver.
-
 ## Example of ManagedCluster CR
 
 With all above parameters provided your `ManagedCluster` can look like this:
@@ -91,6 +87,7 @@ metadata:
   name: cluster-1
 spec:
   template: vsphere-standalone-cp
+  credential: vsphere-credential
   config:
     clusterIdentity:
       name: vsphere-cluster-identity
@@ -101,8 +98,6 @@ spec:
       datastore: "/DC/datastore/DC"
       resourcePool: "/DC/host/vCluster/Resources/ResPool"
       folder: "/DC/vm/example"
-      username: "user"
-      password: "Passw0rd"
     controlPlaneEndpointIP: "172.16.0.10"
 
     controlPlane: