support multi subaccount documentation #369
UA changes
UA edits
UA changes
README.md
Outdated
The association between a namespace and a subaccount is based on a different set of credentials configured for different namespaces. | ||
## Working with Multiple Subaccounts | ||
|
||
By default, a Kubernetes cluster is related to one subaccount (see step 4 of the [Setup](#setup) section. |
close parentheses
done
README.md
Outdated
## Working with Multiple Subaccounts | ||
|
||
By default, a Kubernetes cluster is related to one subaccount (see step 4 of the [Setup](#setup) section. | ||
The SAP BTP service operator can also be configured to manage multiple subaccounts within a single Kubernetes cluster. In this more complex use case, each resource is linked to a specific subaccount using a unique set of credentials. To connect a resource to a subaccount: |
The operator does not 'manage' subaccounts, but 'work with', as described in the header of this section.
done
README.md
Outdated
## Working with Multiple Subaccounts | ||
|
||
By default, a Kubernetes cluster is related to one subaccount (see step 4 of the [Setup](#setup) section. | ||
The SAP BTP service operator can also be configured to manage multiple subaccounts within a single Kubernetes cluster. In this more complex use case, each resource is linked to a specific subaccount using a unique set of credentials. To connect a resource to a subaccount: |
here we ignore the second level - associating an entire namespace to a subaccount.
e.g.,
"however, it is also possible to configure the SAP BTP service operator to work with more than one subaccount, either to connect different namespaces to work with different subaccounts, and in more complex use cases, to create within the same namespace service instances in different subaccounts."
The configuration of working with multiple subaccounts is based on using a unique set of credentials, to connect with each subaccount:"
README.md
Outdated
|
||
* Store these credentials securely in a secret. | ||
|
||
You have several options at your disposal to manage multiple subaccounts in a cluster by configuring secrets on several levels: |
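Review bot: the bullet "Store these credentials securely in a secret." does not say what "securely" means for this setup. Consider stating in which namespace the secret has to be created and that read access to it should be limited, since it holds the credentials used to connect to the subaccount.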
work with instead of manage.
BTW, this sentence is in a way redundant with the previous one. Let's consider if it can be rearranged.
README.md
Outdated
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: sap-btp-service-operator-tls |
@I065450 @kerenlahav shall the secret name contain '-tls' suffix??
the name must be sap-btp-service-operator-tls
README.md
Outdated
|
||
**Note:** | ||
The system's centrally-managed namespace is set by the value in `.Values.manager.management_namespace`. You can provide this value during installation (refer to step 4 in the [Setup](#setup) section). | ||
If you don't specify this value, the system will use the installation namespace as the default. |
add the name of the installation namespace
it is given in the installation:
```
helm upgrade --install sap-btp-operator sap-btp-operator/sap-btp-operator \
    --create-namespace \
    --namespace=sap-btp-operator \
```
README.md
Outdated
kind: Secret | ||
metadata: | ||
name: <namespace>-sap-btp-service-operator | ||
namespace: centrally managed namespace |
should be in brackets
done
sm_url: "<sm_url>" | ||
tokenurl: "<auth_url>" | ||
tokenurlsuffix: "/oauth/token" | ||
``` |
add a note that this is a sample with client secret credentials, but it can also be tls-based.
other option is to 'generalize' the sample
```
apiVersion: v1
kind: Secret
metadata:
  name: -sap-btp-service-operator
  namespace:
type: Opaque
data:
  ...
  < credentials details here >
  ...
```
README.md
Outdated
|
||
There are two options to maintain namespace-specific credentials, and they differ between default and TLS-based access credentials types: | ||
You can associate a subaccount with a random or a centrally-managed namespace: |
To associate a namespace to a specific subaccount you have to maintain the access credentials to the subaccount in a secret which is dedicated to the specific namespace. Such a secret can be located either in the namespace itself or in a centrally-managed namespace:
done
README.md
Outdated
``` | ||
### 2. Explicit Secret Configuration | ||
|
||
You can specify on the `ServiceInstance` level to which subaccount it should be associated: |
"...in which subaccount it shall be created"
done
UA changes
Added some changes - still not final.
No description provided.