From b564cef9e14bbd29c5131f54ba94f746bd7ab6d6 Mon Sep 17 00:00:00 2001
From: Kishor Joshi
Date: Fri, 18 Mar 2022 15:49:45 -0700
Subject: [PATCH] documentation updates for v2.4.1 (#2562)
---
 docs/deploy/configurations.md | 3 +-
 docs/examples/secrets_access.md | 58 +++++++++++++++++++++
 helm/aws-load-balancer-controller/README.md | 3 +-
 mkdocs.yml | 1 +
 4 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 docs/examples/secrets_access.md
diff --git a/docs/deploy/configurations.md b/docs/deploy/configurations.md
index 0f308db14..12d3de685 100644
--- a/docs/deploy/configurations.md
+++ b/docs/deploy/configurations.md
@@ -143,4 +143,5 @@ They are a set of kye=value pairs that describe AWS load balance controller feat
 |---------------------------------------|---------------------------------|-----------------|-------------|
 | ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
 | WeightedTargetGroups | string | true | Enable or disable weighted target groups |
-| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer`|
\ No newline at end of file
+| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer`|
+| EndpointsFailOpen | string | false | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
diff --git a/docs/examples/secrets_access.md b/docs/examples/secrets_access.md
new file mode 100644
index 000000000..ebc9d56e8
--- /dev/null
+++ b/docs/examples/secrets_access.md
@@ -0,0 +1,58 @@
+# RBAC configuration for secrets resources
+
+In this walkthrough, you will
+
+- configure RBAC permissions for the controller to access specific secrets resource in a particular namespace.
+
+# Create Role
+1. Prepare the role manifest with the appropriate name, namespace, and secretName, for example:
+
+ ```
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: example-role
+ namespace: example-namespace
+ rules:
+ - apiGroups:
+ - ""
+ resourceNames:
+ - example-secret
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ ```
+
+2. Apply the role manifest
+
+ ```
+ kubectl apply -f role.yaml
+ ```
+
+# Create RoleBinding
+1. Prepare the rolebinding manifest with the appropriate name, namespace and role reference. For example:
+
+ ```
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: example-rolebinding
+ namespace: example-namespace
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: example-role
+ subjects:
+ - kind: ServiceAccount
+ name: aws-load-balancer-controller
+ namespace: kube-system
+ ```
+
+2. Apply the rolebinding manifest
+
+ ```
+ kubectl apply -f rolebinding.yaml
+ ```
\ No newline at end of file
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index 5b3df1d94..c51165d9c 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -86,6 +86,7 @@ If you are setting `serviceMonitor.enabled: true` you need to have installed the
 ## Installing the Chart
 **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed.
+**Note**: Starting chart version 1.4.1, you need to explicitly set clusterSecretsPermissions.allowAllSecrets to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)].
 Add the EKS repository to Helm:
 ```shell script
@@ -234,4 +235,4 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` |
 | `serviceMonitor.additionalLabels` | Labels to add to the service account | `{}` |
 | `serviceMonitor.interval` | Prometheus scrape interval | `1m` |
-| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
\ No newline at end of file
+| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
diff --git a/mkdocs.yml b/mkdocs.yml
index abdc39307..50b3e1003 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -33,6 +33,7 @@ nav:
 - Examples:
 - EchoServer: examples/echo_server.md
 - gRPCServer: examples/grpc_server.md
+ - RBAC to access OIDC Secret: examples/secrets_access.md