add docs

On-behalf-of: @SAP [email protected]

Author: xrstf

config/crd/bases/operator.kcp.io_frontproxies.yaml

@@ -210,7 +210,7 @@ spec:
                             DNS names determined automatically by the kcp-operator.
                             If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
                             If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
-                            trying to guess what DNSNames configued issuer might support.
+                            trying to guess what DNSNames configured issuer might support.
                           items:
                             type: string
                           type: array

config/crd/bases/operator.kcp.io_kubeconfigs.yaml

@@ -98,7 +98,7 @@ spec:
                           DNS names determined automatically by the kcp-operator.
                           If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
                           If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
-                          trying to guess what DNSNames configued issuer might support.
+                          trying to guess what DNSNames configured issuer might support.
                         items:
                           type: string
                         type: array

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -296,7 +296,7 @@ spec:
                             DNS names determined automatically by the kcp-operator.
                             If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
                             If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
-                            trying to guess what DNSNames configued issuer might support.
+                            trying to guess what DNSNames configured issuer might support.
                           items:
                             type: string
                           type: array
@@ -1766,7 +1766,7 @@ spec:
                                 DNS names determined automatically by the kcp-operator.
                                 If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
                                 If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
-                                trying to guess what DNSNames configued issuer might support.
+                                trying to guess what DNSNames configured issuer might support.
                               items:
                                 type: string
                               type: array

config/crd/bases/operator.kcp.io_shards.yaml

@@ -280,7 +280,7 @@ spec:
                             DNS names determined automatically by the kcp-operator.
                             If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
                             If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
-                            trying to guess what DNSNames configued issuer might support.
+                            trying to guess what DNSNames configured issuer might support.
                           items:
                             type: string
                           type: array

docs/content/architecture/.pages

@@ -2,4 +2,5 @@ nav:
   - index.md
   - basics.md
   - front-proxy.md
+  - kubeconfig.md
   - Certificate Management: pki.md

docs/content/architecture/index.md

@@ -7,7 +7,7 @@ This section describes how the kcp-operator is designed and meant to be used.
 - [Basics](basics.md) – A general overview over the resources provided by the kcp-operator.
 - [front-proxy](front-proxy.md) – Explains how the kcp front-proxy can be used to ingest traffic.
 - [Certificate Management](pki.md) – This page describes the various CAs and certificates used in a kcp installation.
+- [Kubeconfig](kubeconfig.md) – Shows how `Kubeconfig` objects can be used to provide credentials to kcp.
 <!--
 - [Sharding](sharding.md) – How `RootShards` and `Shards` work together to create a scalable kcp setup.
-- [Kubeconfigs](kubeconfigs.md) – Shows how `Kubeconfig` objects can be used to provide credentials to kcp.
 -->

docs/content/architecture/kubeconfig.md

@@ -0,0 +1,84 @@
+---
+description: >
+    Shows how `Kubeconfig` objects can be used to provide credentials to kcp.
+---
+
+# Kubeconfigs
+
+Besides provisioning kcp itself, the kcp-operator can also provide [kubeconfigs](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to access kcp. Each kubeconfig will internally be backed by a dedicated client certificate.
+
+## Basics
+
+A minimal `Kubeconfig` object typically looks like this:
+
+```yaml
+apiVersion: operator.kcp.io/v1alpha1
+kind: Kubeconfig
+metadata:
+  name: susan
+  namespace: my-kcp
+spec:
+  # Required: the username inside Kubernetes;
+  # this will be the client certificate's common name.
+  username: susan
+
+  # required: groups to attach to the user;
+  # this will be the organizations in the client cert.
+  groups:
+    - system:kcp:admin
+
+  # Required: in what Secret the generated kubeconfig should be stored.
+  secretRef:
+    name: susan-kubeconfig
+
+  # Required: a Kubeconfig must target either a FrontProxy, Shard or RootShard.
+  target:
+    frontProxyRef:
+      name: my-front-proxy
+
+  # Required: how long the certificate should be valid for;
+  # the operator will automatically renew the certificate, after which the
+  # Secret will be renewed and have to be re-downloaded.
+  validity: 8766h
+```
+
+`Kubeconfig` objects must exist in the same namespace as the kcp installation they are meant for.
+
+Once the `Kubeconfig` has been created, you can observe its status to wait for it to be ready. After that, retrieve the Secret mentioned in the `secretRef` to find the finished kubeconfig, ready to use.
+
+!!! warning
+    Deleting a `Kubeconfig` will also delete the underlying Secret from the hosting cluster, however this will not invalidate the existing certificate that is embedded in the kubeconfig. This means anyone with a copy of the kubeconfig can keep using it until the certificate expires.
+
+    To disarm an old kubeconfig, make sure to revoke any permissions granted through RBAC for the user and/or their groups.
+
+!!! note
+    The `Kubeconfig`'s name is embedded into the certificate in form of a group (organization) named `kubeconfig:<name>`. This is to allow a unique mapping from RBAC rules to `Kubeconfig` objects for the authorization (see further down). Take note that this means the `Kubeconfig`' name is leaked to whoever gets the kubeconfig.
+
+## Authorization
+
+Without any further configuration than shown in the basics section above, the created identity (username + groups) will not get any permissions in kcp. So while the kubeconfig is valid and allows proper authentication, pretty much no actions will be permitted yet.
+
+The administrator has to either rely on externally-managed RBAC rules to provide permissions, or use the kcp-operator to provision such RBAC in a workspace.
+
+To make the kcp-operator manage RBAC, use `spec.authorization` inside a `Kubeconfig`:
+
+```yaml
+apiVersion: operator.kcp.io/v1alpha1
+kind: Kubeconfig
+metadata:
+  name: susan
+  namespace: my-kcp
+spec:
+  #...snip...
+
+  authorization:
+    clusterRoleBindings:
+      # This can be a workspace path (root:something) or a cluster name (ID).
+      cluster: root:initech:teamgibbons
+      clusterRoles:
+        - cluster-admin
+```
+
+This configuration would bind the group `kubeconfig:susan` to the ClusterRole `cluster-admin` inside the given workspace. Note that this is specifically not bound to the user (common name), so that two `Kubeconfig` objects that both have the same `spec.name` to not have colliding RBAC.
+
+When deleting a `Kubeconfig` with authorization settings, the kcp-operator will first unprovision (delete) the `ClusterRoleBindings` before the `Kubeconfig` can be deleted.

internal/resources/utils/certificates.go

@@ -71,10 +71,10 @@ func applyCertificateSpecTemplate(cert *certmanagerv1.Certificate, tpl *operator
 		return cert
 	}
 
-	// If DNSNames is provided in the template and issuer is overrided,
+	// If DNSNames is provided in the template and issuer is overridden,
 	// it will replace any existing DNSNames.
 	// We don't merge as we don't know if issuer supports our default names.
-	// Its users responsibility to add them back if needed.
+	// It's user responsibility to add them back if needed.
 	if len(tpl.DNSNames) > 0 && tpl.IssuerRef != nil {
 		cert.Spec.DNSNames = tpl.DNSNames
 	} else if len(tpl.DNSNames) > 0 {

internal/resources/utils/logging_test.go

@@ -29,7 +29,7 @@ func TestGetLogLevelArgs(t *testing.T) {
 		expected []string
 	}{
 		{
-			name:     "no config at alll",
+			name:     "no config at all",
 			logging:  nil,
 			expected: []string{},
 		},

sdk/apis/operator/v1alpha1/common.go

@@ -146,7 +146,7 @@ type CertificateSpecTemplate struct {
 	// DNS names determined automatically by the kcp-operator.
 	// If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
 	// If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
-	// trying to guess what DNSNames configued issuer might support.
+	// trying to guess what DNSNames configured issuer might support.
 	//
 	// +optional
 	DNSNames []string `json:"dnsNames,omitempty"`