PCP-5305 - Additional requirements for EKS Pod Identity (#8725)

* docs: Additional requirements for EKS Pod Identity

* docs: cross-account guidance for EKS Pod Identity

* docs: architecture for EKS pod identity

* docs: Apply suggestions from Vale

* Optimised images with calibre/image-actions

* docs: Apply suggestions from code review

Co-authored-by: Linus Bourque <[email protected]>

* docs: architecture source note

* ci: auto-formatting prettier issues

* chore: Trigger CI

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Linus Bourque <[email protected]>

Author: 3 people

Makefile

@@ -326,6 +326,14 @@ format-images: ## Format images
 	@echo "formatting images in /static/assets/docs/images/ folder"
 	./scripts/compress-convert-images.sh
 
+###@ Ensure webpconvert is installed
+
+install-webpconvert:
+	@command -v webpconvert >/dev/null 2>&1 || ( \
+		echo "webpconvert not found — installing globally..."; \
+		npm install -g webpconvert >/dev/null 2>&1 || (echo "Failed to install webpconvert" && exit 127) \
+	)
+
 ###@ Find unused images assets
 
 find-unused-images:

_partials/eks-pod-identity/_eks-pod-identity-enablement.mdx

@@ -21,11 +21,15 @@ partial_name: eks-pod-identity-enablement
 
 6. In Palette, paste the role ARN into the **ARN** field.
 
-7. (Optional) To set a
+7. Click the **Validate** button to validate the credentials.
+
+   The **Add IAM Policies** option appears after successful validation. You can leave this blank for the purposes of EKS Pod Identity
+   enablement, as the required IAM policies should have already been assigned to the IAM role created for Palette (for
+   example, `SpectroCloudRole`).
+
+9. (Optional) To set a
    [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html), click the
    **Add Permission Boundary** toggle and provide the ARN of a IAM policy or role in the **Permission Boundary ARN**
    field.
 
-8. Click the **Validate** button to validate the credentials.
-
-9. Click **Confirm** to create your AWS account.
+10. Click **Confirm** to create your AWS account.

_partials/eks-pod-identity/_eks-pod-identity-intro.mdx

@@ -3,15 +3,5 @@ partial_category: eks-pod-identity
 partial_name: eks-pod-identity-intro
 ---
 
-[EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) is a secure authentication
-mechanism that allows Kubernetes pods to assume IAM roles with temporary, automatically refreshed credentials. This
-eliminates the need for long-lived AWS credentials, addressing security concerns in highly regulated environments where
-organizations cannot use long-lived credentials.
-
-:::info
-
-This authentication method is only available for
-[self-hosted Palette](/enterprise-version/) or [Palette VerteX](/vertex/)
-instances deployed on Amazon EKS clusters.
-
-:::
+Palette supports [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), which allows
+pods to securely access AWS services using short-lived credentials. This is achieved by associating an IAM role with a Kubernetes service account, enabling pods that use that service account to assume the IAM role and access AWS resources without needing to manage long-lived AWS credentials.

_partials/eks-pod-identity/_eks-pod-identity-limitations.mdx

@@ -0,0 +1,8 @@
+---
+partial_category: eks-pod-identity
+partial_name: eks-pod-identity-limitations
+---
+
+- This authentication option is only available for [self-hosted Palette](/enterprise-version/) or [Palette VerteX](/vertex/) instances deployed on Amazon EKS clusters.
+
+- Only Amazon EKS clusters can be deployed as workload clusters when using EKS Pod Identity for authentication.