[feature-725]: Remove tenant service ingress (#552)
atye authored and rajkumar-palani committed May 23, 2023
1 parent 5c7b88d commit a54013f
Showing 6 changed files with 90 additions and 126 deletions.
73 changes: 32 additions & 41 deletions content/docs/authorization/cli.md
Expand Up @@ -242,19 +242,18 @@ karavictl generate token [flags]
##### Options

```
-h, --help help for token
-t, --tenant string Tenant name
--access-token-expiration duration Expiration time of the access token, e.g. 1m30s (default 1m0s)
--refresh-token-expiration duration Expiration time of the refresh token, e.g. 48h (default 720h0m0s)
-h, --help help for token
-t, --tenant string Tenant name
--access-token-expiration duration Expiration time of the access token, e.g. 1m30s (default 1m0s)
--refresh-token-expiration duration Expiration time of the refresh token, e.g. 48h (default 720h0m0s)
```

##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

##### Output
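Review bot: the `-f, --admin-token string` line is dropped from the inherited options here (and from every other subcommand block in this file), but the parent command's own Options section, where that flag would actually be defined, is not part of this diff; confirm it was removed there as well, otherwise the reference still defines a flag that no subcommand documents inheriting. The four `Options` lines above appear identical before and after in the rendered diff, so they are whitespace-only churn; if this file is generated from the cobra command tree, regenerate it rather than hand-aligning it so the next run does not flip it back.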
Expand Down Expand Up @@ -633,10 +632,9 @@ karavictl rolebinding create [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

##### Output
Expand Down Expand Up @@ -675,10 +673,9 @@ karavictl rolebinding delete [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

##### Output
Expand Down Expand Up @@ -1026,10 +1023,9 @@ karavictl tenant create [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

##### Output
Expand Down Expand Up @@ -1060,17 +1056,16 @@ karavictl tenant get [flags]
##### Options

```
-h, --help help for get
-h, --help help for get
-n, --name string Tenant name
```

##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
```

##### Output
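Review bot: the inherited-options order in this hunk (`--addr`, `--config`, `--insecure`) differs from the `--addr`, `--insecure`, `--config` order in the `generate token`, `rolebinding` and `tenant create`/`list`/`revoke` blocks, and the `tenant delete` and `tenant update` blocks further down use the reversed order too. All of these inherit from the same parent command, so pick one order for the whole file.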
Expand Down Expand Up @@ -1112,10 +1107,9 @@ karavictl tenant list [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

##### Output
Expand Down Expand Up @@ -1162,10 +1156,9 @@ karavictl tenant revoke [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

##### Output
Expand Down Expand Up @@ -1202,10 +1195,9 @@ karavictl tenant delete [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
```

##### Output
Expand Down Expand Up @@ -1243,10 +1235,9 @@ karavictl tenant update [flags]
##### Options inherited from parent commands

```
-f, --admin-token string Specify the admin token file
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
```

##### Output
101 changes: 39 additions & 62 deletions content/docs/authorization/configuration/proxy-server/_index.md
Expand Up @@ -15,39 +15,8 @@ The storage administrator must first configure Authorization with the following
- Role bindings

>__Note__:
> - The address of the Authorization proxy-server must be specified when executing `karavictl`. For the `RPM deployment`, the address is the DNS-hostname of the machine where the RPM
is installed. For the `Helm/Operator deployment`, the address is the Ingress host of the `proxy-server` with the port of the exposed Ingress Controller.

### Configuring Admin Token

An admin token is required for executing `karavictl` commands, with the exception of `admin token` and `cluster-info`. For example, to generate an admin token and redirect the output to a file:

```bash

$ karavictl admin token --name admin --access-token-expiration 30s --refresh-token-expiration 120m > admintoken.yaml
$ Enter JWT Signing Secret:
$ cat admintoken.yaml
{
"Access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjc20iLCJleHAiOjE2ODIzNDg0MzEsImdyb3VwIjoiYWRtaW4iLCJpc3MiOiJjb20uZGVsbC5jc20iLCJyb2xlcyI6IiIsInN1YiI6ImNzbS1hZG1pbiJ9.OxTL48c1VLKSY6oVnYw_jmQ7XHX4UEfwIRkfLQh9beA",
"Refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjc20iLCJleHAiOjE2ODQ5NDAzNzEsImdyb3VwIjoiYWRtaW4iLCJpc3MiOiJjb20uZGVsbC5jc20iLCJyb2xlcyI6IiIsInN1YiI6ImNzbS1hZG1pbiJ9._ELmuc2qprZPeuW22wISiw0pvuM6rhyabDOybakqs68"
}

```
Alternatively, the JWT signing secret can be specified with the CLI.

```bash

$ karavictl admin token --name admin --jwt-signing-secret supersecret --access-token-expiration 30s --refresh-token-expiration 120m > admintoken.yaml
$ cat admintoken.yaml
{
"Access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjc20iLCJleHAiOjE2ODIzNDg2MTEsImdyb3VwIjoiYWRtaW4iLCJpc3MiOiJjb20uZGVsbC5jc20iLCJyb2xlcyI6IiIsInN1YiI6ImNzbS1hZG1pbiJ9.C6c9DrlOE95_soFm0YEyzs08ye2TL_koYsp4qJFEglI",
"Refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjc20iLCJleHAiOjE2ODIzNTU3ODEsImdyb3VwIjoiYWRtaW4iLCJpc3MiOiJjb20uZGVsbC5jc20iLCJyb2xlcyI6IiIsInN1YiI6ImNzbS1hZG1pbiJ9.XMcOVIuJ56JhuJrfGqQ_DUqXDyHLxrOrkvQJUxAOst4"
}

```

>__Note__:
> - The `karavictl admin token` command is an exception where you do not need to specify the address of the proxy-server.
> - The `RPM deployment` will use the address of the server.
> - The `Helm deployment` will use the address and port of the Ingress hosts for the storage, tenant, and role services.
### Configuring Storage

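Review bot: deleting the whole `Configuring Admin Token` section also removes the only place this page showed how the JWT signing secret reaches `karavictl` (the `Enter JWT Signing Secret:` prompt and the `--jwt-signing-secret` flag), yet the RPM deployment page in this same commit still tells operators that rotating the signing secret means regenerating every tenant token. Keep a short pointer to where the secret is configured, or adjust that note so the two pages agree. Removing the sample output is a good thing in itself: the deleted lines embedded complete HS256 tokens plus a `--jwt-signing-secret supersecret` command line, which readers tend to copy verbatim.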
Expand Down Expand Up @@ -78,12 +47,12 @@ A `tenant` is a Kubernetes cluster that a role will be bound to. For example, to
#RPM Deployment
```bash

karavictl tenant create --name Finance --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
```bash
```yaml
# RPM Deployment
karavictl tenant create --name Finance --insecure --addr DNS-hostname
karavictl tenant create --name Finance --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
# Helm Deployment
karavictl tenant create --name Finance --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
```

>__Note__:
Expand All @@ -93,15 +62,12 @@ karavictl tenant create --name Finance --insecure --addr csm-authorization.com:<

> - For the Powerflex Pre-approved Guid feature, the `approvesdc` boolean flag is `true` by default. If the `approvesdc` flag is false for a tenant, the proxy server will deny the requests to approve SDC if the SDCs are already in not-approved state. Inorder to change this flag for an already created tenant, see `tenant update` command in CLI section.

#RPM Deployment
```bash

karavictl tenant create --name Finance --approvesdc=false --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
```bash
```yaml
# RPM Deployment
karavictl tenant create --name Finance --approvesdc=false --insecure --addr DNS-hostname
karavictl tenant create --name Finance --approvesdc=false --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
# Helm Deployment
karavictl tenant create --name Finance --approvesdc=false --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
```

### Configuring Roles
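Review bot: both new fences are tagged ```yaml but contain `karavictl` shell commands; tag them ```bash, as the deleted blocks were, so highlighting and any doc linting match the content. The Helm placeholder also changes from `<ingress-controller-port>` to `<ingress-nginx-controller-port>` here and in the rolebinding block below, while the deployment page tells the reader to read the port from `kubectl get service`; use one placeholder name and say it is the exposed port of the NGINX ingress controller. Every example passes `--insecure`, which disables certificate validation against the proxy server; show the validating form as the default and reserve `--insecure` for the self-signed-certificate note, rather than teaching it as part of the normal command line. While here, `Inorder` in the unchanged note above should read `In order`.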
Expand All @@ -127,40 +93,51 @@ karavictl role create --role=FinanceRole=powerflex=${systemID}=myStoragePool=100

A `role binding` binds a role to a tenant. For example, to bind the `FinanceRole` to the `Finance` tenant:

#RPM Deployment
```bash

karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
```bash
```yaml
# RPM Deployment
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr DNS-hostname
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
# Helm Deployment
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
```

>__Note__:
> - The `insecure` flag specifies to skip certificate validation when connecting to the Authorization proxy-server.
> - The `addr` flag is the address of the Authorization proxy-server.
> - Run `karavictl rolebinding create --help` for help.
> - The `insecure` flag specifies to skip certificate validation when connecting to CSM Authorization. Run `karavictl rolebinding create --help` for help.

### Generate a Token

Once rolebindings are created, an access/refresh token pair can be created for the tenant. The storage admin is responsible for generating and sending the token to the Kubernetes tenant admin.

#RPM Deployment
```bash
#### RPM
After creating the role bindings, the next logical step is to generate the access token. The storage admin is responsible for generating and sending the token to the Kubernetes tenant admin.

>__Note__:
> - The `--insecure` flag is required if certificates were not provided in `$HOME/.karavi/config.json`.
> - This sample copies the token directly to the Kubernetes cluster master node. The requirement here is that the token must be copied and/or stored in any location accessible to the Kubernetes tenant admin.

```
echo === Generating token ===
karavictl generate token --tenant ${tenantName} --insecure --addr DNS-hostname | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' > token.yaml
echo === Copy token to Driver Host ===
sshpass -p ${DriverHostPassword} scp token.yaml ${DriverHostVMUser}@{DriverHostVMIP}:/tmp/token.yaml
```

#### Helm

Now that the tenant is bound to a role, a JSON Web Token can be generated for the tenant. For example, to generate a token for the `Finance` tenant:

karavictl generate token --tenant Finance --insecure --addr DNS-hostname --admin-token admintoken.yaml > token.yaml
```
#Helm/Operator Deployment
```bash
karavictl generate token --tenant Finance --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
karavictl generate token --tenant Finance --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml > token.yaml
```

`token.yaml` will have a Kubernetes secret manifest that looks like this:

```yaml
```
karavictl generate token --tenant Finance --insecure --addr csm-authorization.com:<ingress-nginx-controller-port> | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g'
apiVersion: v1
data:
access: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKamMyMGlMQ0psZUhBaU9qRTJPREl3TVRBeU5UTXNJbWR5YjNWd0lqb2labTl2SWl3aWFYTnpJam9pWTI5dExtUmxiR3d1WTNOdElpd2ljbTlzWlhNaU9pSmlZWElpTENKemRXSWlPaUpqYzIwdGRHVnVZVzUwSW4wLjlSYkJISzJUS2dZbVdDX0paazBoSXV0N0daSDV4NGVjQVk2ekdaUDNvUWs=
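Review bot: the new Helm subsection shows the `generate token` command twice with a broken fence layout: one fence holds the bare command, which prints the token JSON to the terminal instead of redirecting it, and the next, untagged fence holds the same command piped through `sed` followed directly by the resulting `apiVersion: v1` secret manifest. Keep one ```bash fence for the command and a separate ```yaml fence for the manifest, which is what the deleted lines did. In the new RPM block, `${DriverHostVMUser}@{DriverHostVMIP}` is missing the `$` on the second variable, so `scp` will try to reach a host literally named `{DriverHostVMIP}`; that block also has no language tag. The `sshpass -p ${DriverHostPassword}` sample puts the password on the command line, where it is visible in the process list, and uses it to move a tenant bearer token; the note above already says the real requirement is only that the tenant admin can reach the token, so say plainly that this line is illustrative and that the token is a credential to be handed over through a channel the operator trusts.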
19 changes: 12 additions & 7 deletions content/docs/authorization/deployment/helm/_index.md
Expand Up @@ -72,7 +72,7 @@ The following third-party components are optionally installed in the specified n
| authorization.images.storageService | The image to use for the storage-service. | Yes | dellemc/csm-authorization-storage:nightly |
| authorization.images.opa | The image to use for Open Policy Agent. | Yes | openpolicyagent/opa |
| authorization.images.opaKubeMgmt | The image to use for Open Policy Agent kube-mgmt. | Yes | openpolicyagent/kube-mgmt:0.11 |
| authorization.hostname | The hostname to configure the self-signed certificate (if applicable) and the proxy Ingress. | Yes | csm-authorization.com |
| authorization.hostname | The hostname to configure the self-signed certificate (if applicable) and the proxy, role, and storage service Ingresses. | Yes | csm-authorization.com |
| authorization.logLevel | CSM Authorization log level. Allowed values: “error”, “warn”/“warning”, “info”, “debug”. | Yes | debug |
| authorization.zipkin.collectoruri | The URI of the Zipkin instance to export traces. | No | - |
| authorization.zipkin.probability | The ratio of traces to export. | No | - |
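Review bot: the updated description says `authorization.hostname` now configures the proxy, role and storage service Ingresses, but the reader only learns further down, from the `/etc/hosts` example, that the role and storage hosts are derived as `role.<hostname>` and `storage.<hostname>`; state that here. Since the same value also configures the self-signed certificate, confirm whether that certificate covers the two derived names or whether connections to them always need `--insecure`.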
Expand Down Expand Up @@ -135,7 +135,7 @@ Karavictl commands and intended use can be found [here](../../cli/).

The first part of CSM for Authorization deployment is to configure the proxy server. This is controlled by the Storage Administrator.

Configuration is achieved by using `karavictl` to connect to the proxy service. In this example, we will be referencing an installation using `csm-authorization.com` as the authorization.hostname value and the NGINX Ingress Controller accessed via the cluster's master node.
Configuration is achieved by using `karavictl` to connect to the proxy, storage, and role services. In this example, we will be referencing an installation using `csm-authorization.com` as the authorization.hostname value and the NGINX Ingress Controller accessed via the cluster's master node.

Run `kubectl -n authorization get ingress` and `kubectl -n authorization get service` to see the Ingress rules for these services and the exposed port for accessing these services via the LoadBalancer. For example:

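Review bot: `connect to the proxy, storage, and role services` implies `karavictl` is pointed at three different hosts, yet every `--addr` example in this commit uses `csm-authorization.com:<port>` only. Either say that the proxy-server host routes to the role and storage services, or list which commands need `role.csm-authorization.com` and `storage.csm-authorization.com`; as written, the reader cannot tell which host to use for `role create` versus `tenant create`.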
Expand All @@ -145,11 +145,10 @@ kubectl -n authorization get ingress
```
NAME CLASS HOSTS ADDRESS PORTS AGE
proxy-server nginx csm-authorization.com 00, 000 86s
```
```bash
kubectl -n auth get service
```
```
role-service nginx role.csm-authorization.com 00, 000 86s
storage-service nginx storage.csm-authorization.com 00, 000 86s

# kubectl -n auth get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
authorization-cert-manager ClusterIP 00.000.000.000 <none> 000/TCP 28s
authorization-cert-manager-webhook ClusterIP 00.000.000.000 <none> 000/TCP 27s
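Review bot: the added `role-service` and `storage-service` rows belong in the `get ingress` output, but the `kubectl -n auth get service` command is now a `# ` comment inside the same output block instead of its own ```bash fence, and it uses namespace `auth` while the `get ingress` command above uses `-n authorization`. Use one namespace throughout and keep the command in a separate fence so it can be copied.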
Expand All @@ -168,6 +167,12 @@ On the machine running `karavictl`, the `/etc/hosts` file needs to be updated wi
```bash
<master_node_ip> csm-authorization.com
```
<master_node_ip> csm-authorization.com
<master_node_ip> role.csm-authorization.com
<master_node_ip> storage.csm-authorization.com
```
The port that exposes these services is `30016`.
Please continue following the steps outlined in the [proxy server](../../configuration/proxy-server) configuration.
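Review bot: `The port that exposes these services is 30016.` hardcodes a NodePort, while the paragraph above tells the reader to obtain the exposed port from `kubectl -n authorization get service`; the port depends on how the NGINX ingress controller was installed, so either drop the sentence or present `30016` as the value in this example only. The three host entries also sit under a ```bash fence although they are `/etc/hosts` lines; an untagged or `text` fence is more accurate.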
5 changes: 1 addition & 4 deletions content/docs/authorization/deployment/rpm/_index.md
Expand Up @@ -173,10 +173,7 @@ Replace the data in `config.yaml` under the `data` field with your new, encoded

>__Note__: If you are updating the signing secret, the tenants need to be updated with new tokens via the `karavictl generate token` command like so. The `--insecure` flag is required if certificates were not provided in `$HOME/.karavi/config.json`
```bash

karavictl generate token --tenant $TenantName --insecure --addr DNS-hostname | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' | kubectl -n $namespace apply -f -
```
`karavictl generate token --tenant $TenantName --insecure --addr DNS-hostname | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' | kubectl -n $namespace apply -f -`

## CSM for Authorization Proxy Server Dynamic Configuration Settings

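Review bot: replacing the fenced block with an inline backtick command drops the `bash` tag and puts a long `karavictl ... | sed ... | kubectl apply -f -` pipeline on one wrapped line, where the `\n` escapes inside the `sed` expression are easy to misread or mangle on copy; keep the fenced block. The note sentence above also ends with `like so` and no period before the command.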
4 changes: 1 addition & 3 deletions content/docs/authorization/troubleshooting.md
Expand Up @@ -54,10 +54,8 @@ For OPA related logs, run:

### Running "karavictl tenant" commands result in an HTTP 504 error
This situation may occur if there are Iptables or other firewall rules preventing communication with the provided `DNS-hostname`:
```bash
karavictl tenant list --addr <DNS-hostname>
```
```
$ karavictl tenant list --addr <DNS-hostname>
{
"ErrorMsg": "rpc error: code = Unavailable desc = Gateway Timeout: HTTP status code 504;
transport: received the unexpected content-type \"text/plain; charset=utf-8\""
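Review bot: the replacement merges the command and its error output into one untagged fence with a `$ ` prompt, so the command can no longer be copied as-is and the language hint is lost; the deleted lines kept the command in its own ```bash block followed by the output. Keep that split.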