clean up docs and dependencie

docs/service-principal.md

@@ -1,57 +1,64 @@
-# Service Principal Auth Support
+# Service Principal Authentication Support
 
-The app routing operator supports service-principal authentication for AKS clusters.
+App routing operator supports service-principal authentication for AKS clusters.
+
+
+> ⚠️ Warning ⚠️
+>
+> Service Principals are not recommended in any environment that supports Managed Identities, as they are less secure and more difficult to manage.
+
+When using a Service Principal AKS Cluster, the automatically created addon identity that uses MSI is no longer available.
+In this case, authentication with a provided service principal can be used instead, which requires users to provide a service principal credentials via manually creating kubernetes secrets to be read by app routing components.
 
-When using service principal auth, the automatically created addon identity that uses MSI is no longer available. Authentication with a provided service principal is used instead which requires users to provide a service principal appId and secret as a kubernetes secret.
 
 ## Manual Secrets
 The following Kubernetes secrets must be manually created when using a Service Principal configuration:
 
 ### Keyvault CSI Driver Secret
-A secret is needed for the placeholder pods to access keyvault, which allows mirroring of Key Vault secrets into Kubernetes secrets
+A secret is needed for the placeholder pods to access keyvault, which allows mirroring of Key Vault Secrets into Kubernetes Secrets
 
-Service Principal secrets and permissions must be configured as specified by the [keyvault csi driver documentation](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault)
+Service Principal secrets and permissions must be configured as specified by the [Key Vault CSI driver documentation](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/identity-access-modes/service-principal-mode/#configure-service-principal-to-access-keyvault)
 
-The name of the created secret must be `keyvault-service-principal`, and it should be created in the same namespaces as the ingress.
+The name of the created secret must be `keyvault-service-principal`, and it must be created in the same namespaces as the ingress.
 
 The service principal used for this secret must have the following permissions:
 - `get` and `list` permissions on the keyvault for the secret
 
-The final secret should look like this:
+The Key Vault CSI driver secret has the following shape:
 ```yaml
-# keyvault-secret.yaml
+# keyvault-csi-driver-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
   name: keyvault-service-principal
   namespace: <namespace of the ingress>
 type: Opaque
 data:
-  clientid: <base64 encoded client id>
-  clientsecret: <base64 encoded client secret>
+  clientid: <base64 encoded service principal client id>
+  clientsecret: <base64 encoded service principal client secret>
 ```
 
 One secret must be created for each namespace that has an ingress.
 
 ### ExternalDNS Secret
-A secret is needed for the external dns pods to access Azure resources, which allows external dns to create dns records in Azure DNS Zones
-Only a single secret is needed per externaldns deployment, and it should be created in the same namespace as the externaldns deployments (usually `app-routing-system`)
+A secret is needed for the externaldns pods to access Azure resources, which allows external dns to create dns records in Azure DNS Zones.
+Only a single secret is needed per externaldns deployment, and it should be created in the same namespace as the externaldns deployments (normally `app-routing-system`)
 
 There are at most two secrets needed, one for public dns zones and one for private dns zones.
 
 The secrets are named `sp-creds-external-dns` and `sp-creds-external-dns-private`
 
 Both secrets should be set up following the [externaldns documentation](https://github.com/kubernetes-sigs/external-dns/blob/0725104c9e594ef6f91c380f8bdc0e21129eae70/docs/tutorials/azure.md#service-principal)
 
-The should each contain a single entry in their `data` field with the key `azure.json` which contains the basew64 encoded version of the following JSON schema
+The should each contain a single entry in their `data` field with the key `azure.json`, containing the base64 encoded version of the following JSON object 
 ```json
 // azure.json
 {
   "tenantId": "<tenant id>",
   "subscriptionId": "<subscription id>",
-  "resourceGroup": "<resource group of the related dns zones>",
-  "aadClientId": "<EXTERNALDNS_SP_APP_ID>",
-  "aadClientSecret": "<EXTERNALDNS_SP_PASSWORD>"
+  "resourceGroup": "<resource group of the relevant dns zones>",
+  "aadClientId": "<service principal application object client id>",
+  "aadClientSecret": "<service principal credential secret>"
 }
 ```
 

testing/e2e/suites/basic.go

@@ -95,7 +95,7 @@ var clientServerTest = func(ctx context.Context, config *rest.Config, operator m
 			zones = append(zones, zone{name: z.GetName(), nameserver: z.GetNameservers()[0]})
 		}
 	}
-	if prov.AuthType == infra.AuthTypeServicePrincipal && operator.Zones.Public != manifests.DnsZoneCountNone {
+	if prov.AuthType == clients.AKSAuthTypeServicePrincipal && operator.Zones.Public != manifests.DnsZoneCountNone {
 		lgr.Info("hydrating external dns secret")
 		externalDnsSecret := &corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
@@ -125,7 +125,7 @@ var clientServerTest = func(ctx context.Context, config *rest.Config, operator m
 			zones = append(zones, zone{name: z.GetName(), nameserver: prov.Cluster.GetDnsServiceIp()})
 		}
 	}
-	if prov.AuthType == infra.AuthTypeServicePrincipal && operator.Zones.Private != manifests.DnsZoneCountNone {
+	if prov.AuthType == clients.AKSAuthTypeServicePrincipal && operator.Zones.Private != manifests.DnsZoneCountNone {
 		lgr.Info("hydrating external dns private secret")
 		externalDnsSecret := &corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
@@ -171,7 +171,7 @@ var clientServerTest = func(ctx context.Context, config *rest.Config, operator m
 			}
 
 			// Populate Service Principal credentials if needed
-			if prov.AuthType == infra.AuthTypeServicePrincipal {
+			if prov.AuthType == clients.AKSAuthTypeServicePrincipal {
 				lgr.Info("creating service principal secrets")
 				sp := prov.ServicePrincipal
 				if err != nil {

testing/e2e/suites/operatorConfig.go

@@ -12,7 +12,7 @@ type cfgBuilder struct {
 	msi      string
 	tenantId string
 	location string
-	authType infra.AuthType
+	authType clients.AKSAuthType
 }
 
 func builderFromInfra(infra infra.Provisioned) cfgBuilder {
@@ -67,7 +67,7 @@ func (c cfgBuilderWithOsm) withVersions(in infra.Provisioned, versions ...manife
 		versions = []manifests.OperatorVersion{manifests.OperatorVersionLatest}
 	}
 
-	if in.AuthType == infra.AuthTypeServicePrincipal {
+	if in.AuthType == clients.AKSAuthTypeServicePrincipal {
 		// Filter for operator versions that support service principal auth
 		spVersions := []manifests.OperatorVersion{}
 		for _, v := range versions {
@@ -128,7 +128,7 @@ func (c cfgBuilderWithZones) build() operatorCfgs {
 					Msi:                        c.msi,
 					Zones:                      zones,
 					DisableOsm:                 !osmEnabled,
-					EnableServicePrincipalAuth: c.authType == infra.AuthTypeServicePrincipal,
+					EnableServicePrincipalAuth: c.authType == clients.AKSAuthTypeServicePrincipal,
 				})
 			}
 		}