
docs: clarify usage in system-assigned mode #405

Merged
merged 1 commit into from
Feb 18, 2021

Conversation

aramase
Member

@aramase aramase commented Feb 17, 2021

Signed-off-by: Anish Ramasekar anish.ramasekar@gmail.com

Reason for Change:

  • Update system-assigned managed identity mode doc
    • The system-assigned managed identity created by AKS is not part of the node VM/VMSS. This means users can create their own system-assigned managed identity and use it to access Key Vault. Also, pinged @miwithro to update the AKS docs to say the same when creating a cluster with managed identity. Even though the cluster identity profile shows type: SystemAssignedIdentity, there is no system-assigned managed identity in the VM/VMSS.

Requirements

  • squashed commits
  • included documentation
  • added unit tests and e2e tests (if applicable).

Issue Fixed:

fixes #388
fixes #389

Does this change contain code from or inspired by another project?

  • Yes
  • No

If "Yes," did you notify that project's maintainers and provide attribution?

Special Notes for Reviewers:

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
AKS uses system-assigned managed identity as [cluster managed identity](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity). This managed identity shouldn't be used to access Keyvault. You should consider using a [User-assigned managed identity](./user-assigned-msi-mode) instead.

Before this step, you need to turn on system-assigned managed identity on your cluster VM/VMSS.
Before this step, you need to [enable system-assigned managed identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm#enable-system-assigned-managed-identity-on-an-existing-azure-vm) in your cluster VM/VMSS.
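Review bot: the replacement line drops every mention of the AKS cluster managed identity, yet the PR description says that is exactly the confusion users hit (the cluster identity profile reports type SystemAssignedIdentity while no system-assigned identity exists on the VM/VMSS); consider keeping one sentence in the doc stating that the cluster identity is not the identity being enabled in this step. Also, the link text says "in your cluster VM/VMSS" but the target anchor is the Windows VM CLI quickstart (`qs-configure-cli-windows-vm`), so a reader running a VMSS-backed node pool gets VM-only steps; either link the scale-set procedure as well or note that the VMSS steps differ.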
Member

@ritazh ritazh Feb 18, 2021


This managed identity shouldn't be used to access Keyvault. You should consider using a User-assigned managed identity instead.

Is this guidance no longer valid?

Member Author


I confirmed this was never the case. There is no system-assigned managed identity created in the cluster. I've added some context in the PR description.

Member


Yeah, I saw the PR description. I guess the key for this PR is to guide users to create a system MSI on the node and remove any reference to the cluster managed identity, right?

Member Author


Yeah, that's right. The cluster managed identity is a user-assigned managed identity, so we're stubbing that out of the doc. I've added a doc ref on how to enable system-assigned managed identity. The rest of the doc shows how to verify that the system-assigned managed identity exists and its role assignments.
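Added example, not code from this PR or the project: a check for the two things the updated doc walks through, that a system-assigned identity is actually enabled on the node VMSS and what its Key Vault role assignments look like. It parses constructed samples in the shape of `az vmss identity show` and `az role assignment list --assignee <principalId> --all` output; the IDs, names and scopes are placeholders.

```python
"""Verify a node VMSS has a system-assigned identity and audit its role scopes."""
import json

# Constructed sample of `az vmss identity show -g <rg> -n <vmss>` output (placeholder IDs).
VMSS_IDENTITY_JSON = """{
  "principalId": "11111111-1111-1111-1111-111111111111",
  "tenantId": "22222222-2222-2222-2222-222222222222",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}"""

# Constructed sample of `az role assignment list --assignee <principalId> --all` output.
# The second entry is deliberately over-broad (subscription scope) to show the audit result.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/sub0/resourceGroups/rg0/providers/Microsoft.KeyVault/vaults/kv0"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub0"}
]"""


def system_assigned_principal(identity_json):
    """Return the principalId if a system-assigned identity is enabled, else None.

    `type` is "SystemAssigned" when only that identity is on, and
    "SystemAssigned, UserAssigned" when both are, so split on the comma.
    """
    ident = json.loads(identity_json)
    types = {t.strip() for t in (ident.get("type") or "").split(",")}
    if "SystemAssigned" in types and ident.get("principalId"):
        return ident["principalId"]
    return None


def audit_assignments(principal_id, assignments_json):
    """Split this principal's assignments into vault-scoped and wider-than-vault ones."""
    vault_scoped, too_broad = [], []
    for a in json.loads(assignments_json):
        if a.get("principalId") != principal_id:
            continue  # ignore assignments belonging to other principals
        entry = (a["roleDefinitionName"], a["scope"])
        if "/providers/microsoft.keyvault/vaults/" in a["scope"].lower():
            vault_scoped.append(entry)
        else:
            too_broad.append(entry)  # anything not scoped to a single vault
    return vault_scoped, too_broad


if __name__ == "__main__":
    pid = system_assigned_principal(VMSS_IDENTITY_JSON)
    print("system-assigned principal:", pid)
    print(audit_assignments(pid, ROLE_ASSIGNMENTS_JSON))
```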

@aramase aramase merged commit 543a9c6 into Azure:master Feb 18, 2021
@aramase aramase deleted the system-assigned branch February 18, 2021 01:26
Successfully merging this pull request may close these issues.

Standard Walkthrough System-assigned Managed Identity