📖 Single controller multitenancy proposal v3

Makefile

@@ -81,7 +81,7 @@ GOLANG_VERSION := 1.13.8
 
 # 'functional tests' as the ginkgo filter will run ALL tests ~ 2 hours @ 3 node concurrency.
 E2E_FOCUS := "functional tests"
-# Instead, you can run a quick smoke test, it should run fast (9 minutes)... 
+# Instead, you can run a quick smoke test, it should run fast (9 minutes)...
 # E2E_FOCUS := "Create cluster with name having"
 
 ## --------------------------------------
@@ -425,3 +425,7 @@ verify-gen: generate
 		git diff; \
 		echo "generated files are out of date, run make generate"; exit 1; \
 	fi
+
+.PHONY: docs
+docs: ## Build all documents and diagrams
+	$(MAKE) -C docs docs

docs/Dockerfile

@@ -0,0 +1,37 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Recommended usage:
+#
+# - Run an ephemeral container
+# - Mount the current working directory into the container.
+# - Run the entrypoint as the user invoking docker run. Otherwise the output
+#   files will be owned by root, the default user.
+#
+# - Example:
+# docker run \
+# 	--rm \
+# 	--volume ${PWD}:/figures \
+# 	--user $(shell id --user):$(shell id --group) \
+# 	${IMAGE_TAG} \
+# 	-v /figures/*.plantuml
+
+FROM maven:3-jdk-8
+
+RUN apt-get update && apt-get install -y --no-install-recommends graphviz fonts-symbola fonts-wqy-zenhei && rm -rf /var/lib/apt/lists/*
+RUN wget -O /plantuml.jar http://sourceforge.net/projects/plantuml/files/plantuml.1.2019.6.jar/download
+
+# By default, java writes a 'hsperfdata_<username>' directory in the work dir.
+# This directory is not needed; to ensure it is not written, we set `-XX:-UsePerfData`
+ENTRYPOINT [ "java", "-XX:-UsePerfData", "-jar", "/plantuml.jar" ]

docs/Makefile

@@ -0,0 +1,39 @@
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# If you update this file, please follow
+# https://suva.sh/posts/well-documented-makefiles
+
+
+# Hosts running SELinux need :z added to volume mounts
+SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0)
+
+ifeq ($(SELINUX_ENABLED),1)
+  DOCKER_VOL_OPTS?=:z
+endif
+
+.PHONY: docs
+docs: diagrams
+
+
+.PHONY: plantuml-image
+plantuml-image:
+	docker build . -t "plantuml-builder"
+
+.PHONY: diagrams
+diagrams: plantuml-image
+	-docker run -u $(UID):$(GID) -v $(abspath .):/docs$(DOCKER_VOL_OPTS) plantuml-builder -tsvg /docs/**/*.md
+	-docker run -u $(UID):$(GID) -v $(abspath .):/docs$(DOCKER_VOL_OPTS) plantuml-builder -tsvg /docs/**/*.plantuml
+
+

docs/README.md

@@ -14,7 +14,7 @@
 
 ## Project Documentation
 
-- [Initial feature model](proposal/features.md)
-- [MVP Architecture](proposal/mvp-architecture.md)
-- [Machine configuration proposal](proposal/machine-config.md)
+- [Initial feature model](proposal/20180827-feature-model.md)
+- [MVP Architecture](proposal/20180827-mvp-architecture.md)
+- [Machine configuration proposal](proposal/20180821-machine-config.md)
 - [Historical lessons learned](history/lessons-learned.md)

docs/proposal/mvp-architecture.md → docs/proposal/20180827-mvp-architecture.md

@@ -59,7 +59,7 @@ In order to limit scope of the project and to be able to deliver an MVP implemen
 
 Private Networking, Single AZ
 
-![Private Networking, Single AZ](mvp-Private.png)
+![Private Networking, Single AZ](20180827-mvp-architecture-private.png)
 
 #### Features Implemented for Private Networking, Single AZ
 
@@ -87,7 +87,7 @@ Private Networking, Single AZ
 
 ### Public Networking, Single AZ
 
-![Public Networking, Single AZ](mvp-Public.png)
+![Public Networking, Single AZ](20180827-mvp-architecture-public.png)
 
 #### Features Implemented for Public Networking, Single AZ
 

docs/proposal/20200506-single-controller-multitenancy-flow.plantuml

@@ -0,0 +1,36 @@
+@startuml 20200506-single-controller-multitenancy-flow
+!includeurl https://raw.githubusercontent.com/RicardoNiepel/C4-PlantUML/release/1-0/C4_Container.puml
+
+start
+:AWS controller;
+:enqueue AWSCluster/Machine for reconciliation;
+:fetch AWSCluster;
+if (AWSCluster has spec.IdentityRef?) then (yes)
+  if (Referenced object is cluster scoped CRD) then (yes)
+    :fetch cluster scoped resource;
+  else (no)
+    :fetch referenced resource in same namespace;
+  endif
+  :set or append referenced resource as OwnerReference to AWSCluster object;
+  if (error?) then (yes)
+    stop
+  else (no)
+    :construct new credential provider;
+    if (cache contains value for provider.Hash()) then (no)
+      :store credential provider in cache;
+    endif
+    :fetch cached credential provider;
+  endif
+else (no)
+  :current mechanism for checking session cache;
+endif
+:call STS::GetCallerIdentity():
+if (awscluster.AccountID != nil && awscluster.AccountID != GetCallerIdentity?) then (error)
+  stop
+endif
+:update awscluster.accountID;
+:create new service clients;
+:reconcile AWSCluster or AWSMachine;
+stop
+
+@enduml