Bundle namespace-credential-provisioner into management setup phase#74

Merged
HiranAdikari merged 1 commit into main from feature/73-bundle-provisioner-into-management
Apr 28, 2026

Conversation

@HiranAdikari
Contributor

Summary

  • Add README.md for namespace-credential-provisioner documenting it as a required Phase 2e step, its deployment sequence, inputs/outputs, security model, and upgrade path
  • Add README.md for harvester-cloud-credential marking it deprecated — retained only for brownfield clusters; all new deployments should use the provisioner
  • Update docs/architecture.md to include Phase 2e with a clear note that it must run before tenant-space

Without this, operators following OCD docs have no guidance that the provisioner exists or that it's required before consumer teams can use the workloads/vm module. They would either hand out admin kubeconfigs or build their own credential distribution mechanism.

Test plan

  • Docs render correctly on GitHub
  • Phase 2e sequence note is clear: harvester-integration → namespace-credential-provisioner → tenant-space
  • harvester-cloud-credential deprecation notice is visible without breaking any existing TF configs (README only, no code changes)

Closes #73

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough

This pull request integrates the namespace-credential-provisioner into the management-phase setup sequence and marks modules for migration/usage guidance.

Changes Made

  • docs/architecture.md

    • Adds Phase 2e (namespace-credential-provisioner) and enforces sequencing: harvester-integration → namespace-credential-provisioner → tenant-space.
    • Notes Phase 2e must run before tenant namespaces are created so per-namespace Harvester provider kubeconfig Secrets exist for consumers.
    • Updates the architecture flow to place Phase 2e between RBAC and identity/monitoring phases.
  • modules/management/namespace-credential-provisioner/README.md

    • Adds a comprehensive README describing a long-running reconciler deployed to the Harvester cluster that watches tenant-labeled namespaces and provisions per-namespace artifacts: scoped ServiceAccount, namespace-scoped RoleBindings, a long-lived token Secret, and a namespace-scoped harvester-vm-kubeconfig Secret for the Harvester Terraform provider.
    • Documents operational behavior: startup backfill for existing namespaces, cleanup of cross-namespace RoleBindings on namespace deletion, required/optional inputs, outputs, HCL usage snippet, deployment ordering (depends on harvester-integration), security/isolation approach, and upgrade/migration guidance.
    • Clarifies the provisioner is intentionally separate from harvester-integration to preserve single-responsibility and allow operators to opt out.
  • modules/workloads/harvester-cloud-credential/README.md

    • Marks the module as deprecated for new/greenfield deployments and retains it only for brownfield migration scenarios; updates descriptions and guidance for inputs/outputs accordingly.

Impact

  • Ensures operators run the namespace-credential-provisioner before tenant-space so consumer teams automatically receive harvester-vm-kubeconfig Secrets and can provision VMs without manual kubeconfig handoffs.
  • Standardizes credential distribution for new deployments while preserving the harvester-cloud-credential module for migration use-cases.
  • Documentation-only changes: no Terraform code or exported/public entities modified.

Closes issue #73.

Walkthrough

The PR adds a management-phase module, namespace-credential-provisioner, documented as a long‑running reconciler deployed to the Harvester cluster. It backfills and continuously provisions per-tenant namespace authentication artifacts: a scoped ServiceAccount, namespace-scoped RoleBindings, and a harvester-vm-kubeconfig Secret for the Harvester Terraform provider. It removes cross-namespace harvester-public RoleBindings when namespaces are deleted. The module must be deployed after harvester-integration and before tenant-space. The legacy harvester-cloud-credential module is marked deprecated for greenfield deployments.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    participant Operator
    participant Provisioner as Namespace-Credential-Provisioner
    participant HarvesterAPI as Harvester Kubernetes API
    participant Namespace as Tenant Namespace
    participant Provider as Harvester Terraform Provider

    Operator->>Provisioner: Deploy provisioner (after harvester-integration)
    Provisioner->>HarvesterAPI: List existing namespaces (startup backfill)
    HarvesterAPI-->>Provisioner: Namespace list
    loop For each namespace missing kubeconfig
        Provisioner->>HarvesterAPI: Create ServiceAccount
        HarvesterAPI-->>Provisioner: SA created
        Provisioner->>HarvesterAPI: Create namespace-scoped RoleBindings
        HarvesterAPI-->>Provisioner: RoleBindings created
        Provisioner->>HarvesterAPI: Create `harvester-vm-kubeconfig` Secret
        HarvesterAPI-->>Provisioner: Secret created
    end
    Note over Provider,Namespace: Consumers use namespace-scoped kubeconfig to provision VMs
    Provider->>HarvesterAPI: Authenticate using namespace kubeconfig
    HarvesterAPI-->>Provider: Authorized
```
```mermaid
sequenceDiagram
    autonumber
    participant HarvesterAPI as Harvester Kubernetes API
    participant Provisioner as Namespace-Credential-Provisioner
    participant Namespace as Tenant Namespace
    participant Provider as Harvester Terraform Provider

    Namespace->>HarvesterAPI: Create namespace (event)
    HarvesterAPI->>Provisioner: Notify about namespace creation
    Provisioner->>HarvesterAPI: Create SA, RoleBindings, kubeconfig Secret
    HarvesterAPI-->>Provisioner: Resources created

    Note right of Provisioner: On namespace deletion
    Namespace->>HarvesterAPI: Delete namespace (event)
    HarvesterAPI->>Provisioner: Notify about namespace deletion
    Provisioner->>HarvesterAPI: Remove cross-namespace `harvester-public` RoleBindings
    HarvesterAPI-->>Provisioner: RoleBindings removed
```
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description provides purpose, goals, and test plan, but omits many template sections (User stories, Release note, Documentation link, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, Learning). | Expand description to address template sections relevant to documentation changes, particularly Release note, Documentation links, and Security checks to align with template expectations. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: introducing namespace-credential-provisioner into the management setup phase. |
| Linked Issues check | ✅ Passed | The PR addresses all primary coding objectives from #73: documenting namespace-credential-provisioner as Phase 2e, marking harvester-cloud-credential deprecated, updating architecture.md with deployment ordering, and supporting the namespace-scoped RBAC model. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope: three README files and one architecture documentation file directly address the #73 objectives of establishing provisioner as a required Phase 2e step and deprecating harvester-cloud-credential. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

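The reconciler behaviour the walkthrough above describes (startup backfill over tenant-labeled namespaces, a per-namespace ServiceAccount, namespace-scoped RoleBindings, a `harvester-vm-kubeconfig` Secret, and removal of cross-namespace `harvester-public` RoleBindings when a namespace goes away), modelled as an added example that is not the project's own code. It runs against an in-memory stand-in for the Kubernetes API so it works offline; only the Secret name and the `harvester-public` namespace come from the PR, while the tenant label key, the ServiceAccount and Role names, the API server URL, the CA data and the token values are assumptions constructed for the example.

```python
import base64
import json
# Names taken from the PR text; everything else in this example is an assumption.
KUBECONFIG_SECRET = "harvester-vm-kubeconfig"
SHARED_NS = "harvester-public"
TENANT_LABEL = "example.org/tenant"      # assumed label key marking tenant namespaces
SA_NAME = "harvester-vm-provisioner"     # assumed per-namespace ServiceAccount name
TENANT_ROLE = "harvester-vm-editor"      # assumed Role inside the tenant namespace
SHARED_ROLE = "harvester-public-reader"  # assumed Role inside harvester-public

class FakeAPI:
    """In-memory stand-in for the Harvester Kubernetes API (constructed for this example)."""
    def __init__(self, server, ca_data):
        self.server, self.ca_data = server, ca_data
        self.namespaces = {}  # namespace name -> labels
        self.objects = {}     # (kind, namespace, name) -> manifest

    def create_namespace(self, name, labels=None):
        self.namespaces[name] = dict(labels or {})

    def delete_namespace(self, name):
        # Like the real API: deleting a namespace garbage-collects the objects inside it,
        # but not objects in other namespaces that merely reference it by name.
        self.namespaces.pop(name)
        for key in [k for k in self.objects if k[1] == name]:
            del self.objects[key]

    def apply(self, manifest):
        meta = manifest["metadata"]
        self.objects[(manifest["kind"], meta["namespace"], meta["name"])] = manifest
        return manifest

    def get(self, kind, namespace, name):
        return self.objects.get((kind, namespace, name))

    def list(self, kind, namespace):
        return [m for (k, ns, _), m in self.objects.items() if (k, ns) == (kind, namespace)]

    def service_account_token(self, namespace, sa):
        # A real reconciler reads this from the SA's long-lived token Secret; constructed here.
        return f"constructed-token-{namespace}-{sa}"

def role_binding(name, namespace, role, subject_ns, subject_sa):
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": subject_sa, "namespace": subject_ns}]}

def build_kubeconfig(server, ca_data, namespace, token):
    # The context namespace is only a default for the Terraform provider; the real
    # boundary is whatever the RoleBindings grant to the token's ServiceAccount.
    cluster = {"server": server, "certificate-authority-data": ca_data}
    context = {"cluster": "harvester", "user": SA_NAME, "namespace": namespace}
    return {"apiVersion": "v1", "kind": "Config", "current-context": namespace,
            "clusters": [{"name": "harvester", "cluster": cluster}],
            "users": [{"name": SA_NAME, "user": {"token": token}}],
            "contexts": [{"name": namespace, "context": context}]}

def reconcile_namespace(api, ns):
    """Idempotently provision the per-namespace artifacts for one tenant namespace."""
    api.apply({"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": SA_NAME, "namespace": ns}})
    # Namespace-scoped binding: the SA may only act inside its own namespace.
    api.apply(role_binding(SA_NAME, ns, TENANT_ROLE, ns, SA_NAME))
    # Cross-namespace binding into the shared namespace, named after the tenant so cleanup can find it.
    api.apply(role_binding(f"{ns}-{SA_NAME}", SHARED_NS, SHARED_ROLE, ns, SA_NAME))
    cfg = build_kubeconfig(api.server, api.ca_data, ns, api.service_account_token(ns, SA_NAME))
    # JSON is valid YAML, so the usual kubeconfig loaders accept the Secret's payload as-is.
    data = {"kubeconfig": base64.b64encode(json.dumps(cfg).encode()).decode()}
    return api.apply({"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "data": data,
                      "metadata": {"name": KUBECONFIG_SECRET, "namespace": ns}})

def backfill(api):
    """Startup pass: reconcile tenant-labeled namespaces that do not yet hold the Secret."""
    todo = [ns for ns, labels in api.namespaces.items()
            if TENANT_LABEL in labels and api.get("Secret", ns, KUBECONFIG_SECRET) is None]
    for ns in todo:
        reconcile_namespace(api, ns)
    return sorted(todo)

def on_namespace_deleted(api, ns):
    """Remove shared-namespace RoleBindings whose subject lived in the deleted namespace.
    Subjects are matched by name, not UID, so a stale binding would silently apply to a
    same-named ServiceAccount if the namespace were ever recreated."""
    stale = [rb for rb in api.list("RoleBinding", SHARED_NS)
             if any(s["kind"] == "ServiceAccount" and s["namespace"] == ns for s in rb["subjects"])]
    for rb in stale:
        del api.objects[("RoleBinding", SHARED_NS, rb["metadata"]["name"])]
    return len(stale)

def decode_kubeconfig(secret):
    return json.loads(base64.b64decode(secret["data"]["kubeconfig"]))

if __name__ == "__main__":
    api = FakeAPI("https://harvester.example.internal:6443", "Q0EtREFUQQ==")  # constructed values
    api.create_namespace("team-a", {TENANT_LABEL: "team-a"})
    api.create_namespace("kube-system")  # unlabeled: the backfill must skip it
    print("backfilled:", backfill(api))
    api.delete_namespace("team-a")
    print("stale shared RoleBindings removed:", on_namespace_deleted(api, "team-a"))
```

Two points are worth checking in any real implementation of this pattern: the kubeconfig's context namespace is a convenience for the provider and not a security boundary (a token bound only within its namespace cannot reach other namespaces regardless of what the kubeconfig says), and the deletion path matters because Kubernetes removes the ServiceAccount with its namespace but leaves the cross-namespace RoleBinding in `harvester-public` referencing it by name, which is exactly the stale grant the walkthrough's cleanup step removes.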

gnudeep previously approved these changes Apr 23, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/architecture.md (1)

191-239: ⚠️ Potential issue | 🟠 Major

Update the dependency graph to include Phase 2e.

The module dependency graph omits the namespace-credential-provisioner (Phase 2e) entirely, even though it's documented in the text above (lines 110-122) as a required step. The graph currently shows rbac (Phase 2d) flowing directly to identity (Phase 3a), skipping the provisioner.

Operators following the graph will miss this critical deployment step.

📊 Suggested graph update

Insert the provisioner between rbac and identity:

        └────────┘
            │
            │ projects/namespaces ready
            ▼
+   ┌───────────────────────────┐
+   │ namespace-credential-     │
+   │ provisioner (Phase 2e)    │
+   └─────────┬─────────────────┘
+             │ credentials ready
+
    ┌───────────────────┐ 
    │   identity        │
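Review bot: the suggested insertion ends with a bare `+` line, so the new `credentials ready` connector has no `▼` arrowhead leading into the identity box below it, while the `projects/namespaces ready` connector above keeps its `▼`; add a `▼` line after `credentials ready` so the provisioner box is visibly wired to identity, and confirm the existing arrow out of rbac now terminates at the provisioner box rather than still pointing at identity.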
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/architecture.md` around lines 191 - 239, The ASCII dependency graph
omits the namespace-credential-provisioner (Phase 2e) between rbac (Phase 2d)
and identity (Phase 3a); update the diagram so the flow goes rbac (Phase 2d) →
namespace-credential-provisioner (Phase 2e) → identity (Phase 3a), adding a box
labeled "namespace-credential-provisioner (Phase 2e)" and adjusting the
connecting arrows so projects/namespaces ready from rbac feed into the new
provisioner, which then outputs the OIDC active input into identity.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/management/namespace-credential-provisioner/README.md`:
- Around line 32-41: The README's deployment sequence mislabels "tenant-space"
as "Phase 5" which doesn't match docs/architecture.md; either remove the phase
number in modules/management/namespace-credential-provisioner/README.md and
refer to it as "the tenant-space module" (or similar), or update
docs/architecture.md to add a corresponding numbered phase for "tenant-space" so
both files match; edit the line containing "Phase 5   tenant-space" (and any
nearby references to "Phase 5") or add a new phase entry in docs/architecture.md
to keep numbering consistent.

In `@modules/workloads/harvester-cloud-credential/README.md`:
- Around line 32-37: The Outputs section in README.md is out of sync with
outputs.tf: remove the non-existent `kubeconfig` entry, add the actual
`service_account_name` output (as defined in outputs.tf), and ensure the
`secret_name` description matches the Secret produced by the module;
specifically update the table to include `service_account_name` with a brief
description (e.g., name of the created ServiceAccount) and delete the
`kubeconfig` row so the README matches outputs.tf.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5c9abad9-65bf-4029-b609-5661938d0146

📥 Commits

Reviewing files that changed from the base of the PR and between b61386f and c3f89a6.

📒 Files selected for processing (3)
  • docs/architecture.md
  • modules/management/namespace-credential-provisioner/README.md
  • modules/workloads/harvester-cloud-credential/README.md

@HiranAdikari HiranAdikari force-pushed the feature/73-bundle-provisioner-into-management branch from c3f89a6 to fe4dc86 Compare April 27, 2026 11:28

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/architecture.md`:
- Line 224: Replace the ambiguous label "vm-access kubeconfig" in the dependency
graph with the canonical artifact name "harvester-vm-kubeconfig" so the diagram
matches the rest of the docs and avoids interpretation drift; search for the
literal "vm-access kubeconfig" and update it to "harvester-vm-kubeconfig"
wherever the dependency graph or related labels are defined (ensure any
references, captions, or alt text are updated consistently).
- Line 122: Update the documentation line that currently reads "Provider
dependencies: `hashicorp/kubernetes ~> 2.30`" to match the actual constraint
used by the module `namespace-credential-provisioner` in
`modules/management/namespace-credential-provisioner/versions.tf` by changing it
to `hashicorp/kubernetes >= 2.0`; ensure the text around the "Provider
dependencies" entry reflects this `>= 2.0` constraint for the
`namespace-credential-provisioner` module.

In `@modules/management/namespace-credential-provisioner/README.md`:
- Around line 34-38: The fenced code block in README.md triggers MD040; update
the triple-backtick fence that contains "Phase 2a  harvester-integration ..." to
include a language hint (e.g., add ```text) so the block is explicitly marked as
plaintext; modify the block surrounding the lines "Phase 2a 
harvester-integration   — registers Harvester with Rancher" and "Phase 2e 
namespace-credential-provisioner  ← deploy here" to use ```text instead of ```
to satisfy the markdown lint rule.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1378f1d9-b20d-48c7-84d8-c48199f7ee1a

📥 Commits

Reviewing files that changed from the base of the PR and between c3f89a6 and fe4dc86.

📒 Files selected for processing (3)
  • docs/architecture.md
  • modules/management/namespace-credential-provisioner/README.md
  • modules/workloads/harvester-cloud-credential/README.md

@HiranAdikari HiranAdikari force-pushed the feature/73-bundle-provisioner-into-management branch from 7ed8947 to 49c94ea Compare April 27, 2026 16:23
Adds README for namespace-credential-provisioner documenting the
module's purpose, deployment sequence relative to harvester-integration
and tenant-space, and usage example.

Updates docs/architecture.md:
- Adds namespace-credential-provisioner (Phase 2e) to the dependency
  graph between rbac (Phase 2d) and identity (Phase 3a)
- Fixes provider constraint from ~> 2.30 to >= 2.0 to match versions.tf
- Uses canonical secret name harvester-vm-kubeconfig in graph label

Fixes harvester-cloud-credential README: replaces non-existent
kubeconfig output entry with the actual service_account_name output.

Closes #73

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@HiranAdikari HiranAdikari force-pushed the feature/73-bundle-provisioner-into-management branch from 292b43f to a9aa1a1 Compare April 28, 2026 05:02

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
modules/workloads/harvester-cloud-credential/README.md (1)

21-22: Clarify deployment phase as “Phase 2e” to avoid sequencing ambiguity.

Line 22 currently says “Phase 2,” but this PR introduces and depends on the explicit Phase 2e step. Please change this to “Phase 2e” so operators don’t mis-sequence deployment.

As per coding guidelines, “Provide concise, actionable feedback focused on correctness and best practices.”

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/workloads/harvester-cloud-credential/README.md` around lines 21 - 22,
Update the README text so it explicitly references Phase 2e instead of Phase 2
to avoid sequencing ambiguity: change the line that says "deploy
`management/namespace-credential-provisioner` as part of Phase 2" to "deploy
`management/namespace-credential-provisioner` as part of Phase 2e" (keep the
surrounding sentence and backticks for
`management/namespace-credential-provisioner` intact).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 670d77d2-8d30-4844-be65-4439367a481f

📥 Commits

Reviewing files that changed from the base of the PR and between 49c94ea and a9aa1a1.

📒 Files selected for processing (3)
  • docs/architecture.md
  • modules/management/namespace-credential-provisioner/README.md
  • modules/workloads/harvester-cloud-credential/README.md
✅ Files skipped from review due to trivial changes (1)
  • modules/management/namespace-credential-provisioner/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/architecture.md

@HiranAdikari HiranAdikari merged commit 974efa8 into main Apr 28, 2026
3 checks passed
Successfully merging this pull request may close these issues.

Bundle namespace-credential-provisioner into the management setup phase

2 participants