documentation for amko true multitenancy

docs/amko_tenancy.md

@@ -1,25 +1,59 @@
 # Tenancy support in AMKO
 
-This feature allows AMKO to create GSLB object in a user-specified tenant in Avi.The expected isolation and administrative restrictions of a multi-tenant architecture in NSX Advanced Load Balancer GSLB extend to AMKO
+This feature allows AMKO to create GSLB objects in user-specified tenants in Avi.The expected isolation and administrative restrictions of a multi-tenant architecture in Avi Load Balancer GSLB extend to AMKO
 ## Steps to enable Tenancy in AMKO
 
-In this example we will run AMKO in `billing` tenant.
-
-### 1. Install AKO in required Tenant.
-* Follow the steps [here](https://avinetworks.com/docs/ako/1.10/ako-tenancy/) to run AKO in a specific Tenant `billing`.
-
-**Note:**  AKO in all sites should be running in same tenant as AMKO.
-### 2. Add required permissions to AMKO user.
+### 1. Add required permissions to AMKO user.
 * AMKO User need to have below permissions in order to ceate GSLB service :
 
 | **Permission** | **AccessRight** |
 | --------- | ----------- |
 | `GSLB configuration` | Read access to everything in the GSLB configuration relevant to the tenant |
 | `GSLB services` | Write access to all GSLB services in all tenants to which this user is assigned |
 | `GSLB geolocation database` | Read access to geolocation database |
-* To achieve this AMKO User can be assigned [`amko-tenant`](roles/amko-tenant.json) role in the `billing` tenant.
-### 3. AMKO installation
+* To achieve this AMKO User can be assigned [`amko-tenant`](roles/amko-tenant.json) role in all the tenants where we need to create GSLB services and [`amko-admin`](roles/amko-admin.json) role in the `admin` tenant.
+
+### 2. AMKO installation
+
+* In **AMKO**, Set the `configs.tenant` field in values.yaml to the tenant where you want to create GSLB services by default. If left empty GSLB objects will be created by default in `admin` tenant.
+
+### 3. Namespace relationship with tenant
+
+* AMKO will determine the tenant to create GSLB objects from `ako.vmware.com/tenant-name` annotation value specified in the namespace of Kubernetes/openshift objects.
+
+* If `ako.vmware.com/tenant-name` annotation is empty or missing AMKO will determine tenant from `gslbLeader.tenant` field of [GSLBConfig](crds/gslbconfig.md#gslbconfig-for-amko) CRD which is set in step 2.
 
-* In **AMKO**, Set the `configs.tenant` field in values.yaml  to the tenant `billing` created in the earlier steps.
+* The `ako.vmware.com/tenant-name` annotation must be same across corresponding namespaces of Kubernetes/openshift objects in the member clusters.
 
+* All references to AVI objects in GDP and GSLBHostRule CRD should be accessible in the tenant associated with the namespace by the AMKO User.If they are not accesible CRD would transition to error status and won't be applied to GSLB service.
 
+**Note:** In case of tenant update in namespace for already created GSLB objects, AMKO will create GSLB objects in new tenant only after tenant is updated in namespaces across all member clusters.
+
+
+## Example with GSLB services in multiple tenants in AMKO
+
+In this example AMKO will create GSLB Services in `tenant1` and `tenant2` tenant for Kubernetes/openshift objects in `n1` and `n2` namespace respectively. For namespace which are missing the annotation GSLB service will be created in the tenant where AMKO is installed.
+
+* Edit namespace in all member clusters to add the `ako.vmware.com/tenant-name` annotation
+```
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    ako.vmware.com/tenant-name: tenant1
+  name: n1
+  ---
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    ako.vmware.com/tenant-name: tenant2
+  name: n2
+  ```
+  * This will enable all the resources in a namespace to use the annotated tenant.With above configuration AMKO and AKO will create the corresponding avi-objects as per below table:
+
+  | **Namespace** | **Tenant** |
+| --------- | ----------- |
+| `n1` | `tenant1` |
+| `n2` | `tenant2` |
+| other | default AMKO tenant |

docs/crds/gslbhostrule.md

@@ -35,47 +35,45 @@ spec:
   ttl: 30
   controlPlaneHmOnly: false
 ```
-1. `namespace`: namespace of this object must be `avi-system`.
+1. `fqdn`: FQDN of the GslbService.
 
-2. `fqdn`: FQDN of the GslbService.
-
-3. `sitePersistence`: Enable Site Persistence for client requests. Set the `enabled` flag as `true` and add a `profileRef` for a pre-created Application Persistence Profile created on the Avi Controller. Please follow the steps [here](https://avinetworks.com/docs/20.1/gslb-site-cookie-persistence/#outline-of-steps-to-be-taken) to create a federated Application Persistence Profile on the Avi Controller.
+2. `sitePersistence`: Enable Site Persistence for client requests. Set the `enabled` flag as `true` and add a `profileRef` for a pre-created Application Persistence Profile created on the Avi Controller. Please follow the steps [here](https://avinetworks.com/docs/20.1/gslb-site-cookie-persistence/#outline-of-steps-to-be-taken) to create a federated Application Persistence Profile on the Avi Controller.
 
    `pkiProfileRef`: Provide an PKI Profile ref (pre-created in Avi Controller).This has to be a federated profile. It will be applied only if sitePersistence is enabled.
 
 **Note** that site persistence is **disabled** on GslbServices created for **insecure** ingresses/routes, irrespective of this field.
 If this field is not provided in `GSLBHostRule`, the site persistence property will be inherited from the GDP object.
 
-4. `thirdPartyMembers`: To add one or more third party members to a GS from a non-avi site (third party site) for the purpose of maintenance, specify a list of those members. For each member, provide the site name in `site` and IP address in `vip`. Please refer [here](https://avinetworks.com/docs/20.1/gslb-third-party-site-configuration-and-operations/#associating-third-party-services-with-third-party-sites) to see how to add third party sites to existing Gslb configuration. Optional `publicIP` in IPv4 format can be added if `vip` IP is private and not accesible by client network .Please check [here](https://avinetworks.com/docs/latest/nat-aware-public-private-configuration) for more details.   **Note** that, to add third party members, set the `enable` flag in `sitePersistence` to false for this object. If site persistence is enabled for a GSLB Service, third party members can't be added.
+3. `thirdPartyMembers`: To add one or more third party members to a GS from a non-avi site (third party site) for the purpose of maintenance, specify a list of those members. For each member, provide the site name in `site` and IP address in `vip`. Please refer [here](https://avinetworks.com/docs/20.1/gslb-third-party-site-configuration-and-operations/#associating-third-party-services-with-third-party-sites) to see how to add third party sites to existing Gslb configuration. Optional `publicIP` in IPv4 format can be added if `vip` IP is private and not accesible by client network .Please check [here](https://avinetworks.com/docs/latest/nat-aware-public-private-configuration) for more details.   **Note** that, to add third party members, set the `enable` flag in `sitePersistence` to false for this object. If site persistence is enabled for a GSLB Service, third party members can't be added.
 
 **Note** that the site must be added to the GSLB leader as a 3rd party site before adding the member here.
 
-5. `healthMonitorRefs`: If a GslbService requires some custom health monitoring, the user can create a federated custom health monitor in the Avi Controller and provide the ref(s) here. To add a custom health monitor, follow the steps [here](https://avinetworks.com/docs/20.1/avi-gslb-service-and-health-monitors/#configuring-health-monitoring). If no custom health monitor refs have been added, the `healthMonitorTemplate` from the `GDP`/`GSLBHostRule` object will be inherited or `healthMonitorRefs` from the GDP object will be inherited.
+4. `healthMonitorRefs`: If a GslbService requires some custom health monitoring, the user can create a federated custom health monitor in the Avi Controller and provide the ref(s) here. To add a custom health monitor, follow the steps [here](https://avinetworks.com/docs/20.1/avi-gslb-service-and-health-monitors/#configuring-health-monitoring). If no custom health monitor refs have been added, the `healthMonitorTemplate` from the `GDP`/`GSLBHostRule` object will be inherited or `healthMonitorRefs` from the GDP object will be inherited.
 
    ```yaml
     healthMonitorRefs:
     - my-health-monitor1
    ```
 
-6. `healthMonitorTemplate`: If a GslbService requires customization of the health monitor settings, the user can create a federated custom health monitor template in the Avi Controller and provide the name of it here. To add a health monitor template, follow the steps [here](https://avinetworks.com/docs/20.1/avi-gslb-service-and-health-monitors/#configuring-health-monitoring). Currently, the `Client Request Header` and `Response Code` of the health monitor template are inherited. If no custom health monitor template has been added, the `healthMonitorRefs` from the `GDP`/`GSLBHostRule` object will be inherited or `healthMonitorTemplate` from the GDP object will be inherited.
+5. `healthMonitorTemplate`: If a GslbService requires customization of the health monitor settings, the user can create a federated custom health monitor template in the Avi Controller and provide the name of it here. To add a health monitor template, follow the steps [here](https://avinetworks.com/docs/20.1/avi-gslb-service-and-health-monitors/#configuring-health-monitoring). Currently, the `Client Request Header` and `Response Code` of the health monitor template are inherited. If no custom health monitor template has been added, the `healthMonitorRefs` from the `GDP`/`GSLBHostRule` object will be inherited or `healthMonitorTemplate` from the GDP object will be inherited.
 
    ```yaml
     healthMonitorTemplate: my-health-monitor-template-1
    ```
 
    **Note** User can provide either `healthMonitorRefs` or `healthMonitorTemplate` in the `GSLBHostRule` objects. The health monitor template added in the controller must be of type HTTP/HTTPS.
 
-7. `trafficSplit`: Specify traffic steering to member clusters/sites. The traffic is then split proportionately between two different clusters. Weight for each cluster must be provided between 1 to 20. If not added, GDP object's traffic split applies on this GslbService.`trafficSplit` can also be used to prioritize certain clusters before others. Maximum value for priority is 100 and default is 10. Let's say two clusters are given a priority of 20 and a third cluster is added with a priority of 10. The third cluster won't be routed any traffic unless both cluster1 and cluster2 (with priority 20) are down.
+6. `trafficSplit`: Specify traffic steering to member clusters/sites. The traffic is then split proportionately between two different clusters. Weight for each cluster must be provided between 1 to 20. If not added, GDP object's traffic split applies on this GslbService.`trafficSplit` can also be used to prioritize certain clusters before others. Maximum value for priority is 100 and default is 10. Let's say two clusters are given a priority of 20 and a third cluster is added with a priority of 10. The third cluster won't be routed any traffic unless both cluster1 and cluster2 (with priority 20) are down.
 
-8. `publicIP`: An optional public IP address (IPv4) can be specified for each site. This field is used to host the public IP address for the VIP, which gets NAT’ed to the private IP by a firewall. Please check [here](https://avinetworks.com/docs/latest/nat-aware-public-private-configuration) for more details.
+7. `publicIP`: An optional public IP address (IPv4) can be specified for each site. This field is used to host the public IP address for the VIP, which gets NAT’ed to the private IP by a firewall. Please check [here](https://avinetworks.com/docs/latest/nat-aware-public-private-configuration) for more details.
 
-9. `ttl`: Override the default `ttl` value specified on the GDP object using this field.
+8. `ttl`: Override the default `ttl` value specified on the GDP object using this field.
 
-10. `poolAlgorithmSettings`: Override the default GslbService algorithm provided in the GDP object. Refer to [pool algorithm settings](#pool-algorithm-settings) for details. If this field is absent, GDP's pool algorithm's settings apply on this GslbService.
+9. `poolAlgorithmSettings`: Override the default GslbService algorithm provided in the GDP object. Refer to [pool algorithm settings](#pool-algorithm-settings) for details. If this field is absent, GDP's pool algorithm's settings apply on this GslbService.
 
-11. `downResponse`: Specifies the response to the client query when the GSLB service is DOWN. If this field is absent, GDP's down response settings would get applied on the GslbService. Refer to [down response settings](#down-response-settings) for details.
+10. `downResponse`: Specifies the response to the client query when the GSLB service is DOWN. If this field is absent, GDP's down response settings would get applied on the GslbService. Refer to [down response settings](#down-response-settings) for details.
 
-12. `controlPlaneHmOnly`: If this boolean flag is set to `true`, only control plane health monitoring will be done. AMKO will not add any `healthMonitorRefs` or create any data plane health monitors. It is `false` by default.
+11. `controlPlaneHmOnly`: If this boolean flag is set to `true`, only control plane health monitoring will be done. AMKO will not add any `healthMonitorRefs` or create any data plane health monitors. It is `false` by default.
 
 
 ## Pool Algorithm Settings

docs/roles/amko-admin.json

@@ -0,0 +1,106 @@
+{
+    "name": "amko-admin",
+    "allow_unlabelled_access": true,
+    "privileges": [
+      {
+        "resource": "PERMISSION_VIRTUALSERVICE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_POOL",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_POOLGROUP",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_GSLBSERVICE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_GSLB",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_CLOUD",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_SERVICEENGINE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_SERVICEENGINEGROUP",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_NETWORK",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_GSLBGEODBPROFILE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_APPLICATIONPERSISTENCEPROFILE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_HEALTHMONITOR",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_DNSPOLICY",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_SSLKEYANDCERTIFICATE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_SSLPROFILE",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_PKIPROFILE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_CERTIFICATEMANAGEMENTPROFILE",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_VSDATASCRIPTSET",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_ERRORPAGEPROFILE",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_ERRORPAGEBODY",
+        "type": "WRITE_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_TENANT",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_TENANT_SYSTEM_CONFIGURATION",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_SYSTEMCONFIGURATION",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_CONTROLLER",
+        "type": "READ_ACCESS"
+      },
+      {
+        "resource": "PERMISSION_CONTROLLERSITE",
+        "type": "READ_ACCESS"
+      }
+    ]
+  }