fixup! fixup! New troubleshooting section for the namespace offloadin…

…g logic.
liqotech · Jul 29, 2021 · a0f65be · a0f65be
1 parent 147110b
commit a0f65be
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 46 deletions.
diff --git a/docs/pages/User/Install/_index.md b/docs/pages/User/Install/_index.md
@@ -45,6 +45,8 @@ Create an AWS IAM user for Liqo, it will use it to grant access on the required
 ```bash
 LIQO_USER_NAME=liqo
 LIQO_POLICY_NAME=liqo
+LIQO_CLUSTER_NAME=liqo-cluster
+LIQO_CLUSTER_REGION=eu-west-1
 ```
 
 ```bash
@@ -94,7 +96,7 @@ aws iam attach-user-policy --policy-arn "$POLICY_ARN" --user-name "$LIQO_USER_NA
 
 Retrieve information about your clusters, typing:
 ```bash
-POD_CIDR=$(aws eks describe-cluster --name liqo-cluster --region eu-central-1 | jq -r '.cluster.resourcesVpcConfig.vpcId' | xargs aws ec2 describe-vpcs --vpc-ids --region eu-central-1 | jq '.Vpcs[0].CidrBlock')
+POD_CIDR=$(aws eks describe-cluster --name ${LIQO_CLUSTER_NAME} --region ${LIQO_CLUSTER_REGION} | jq -r '.cluster.resourcesVpcConfig.vpcId' | xargs aws ec2 describe-vpcs --vpc-ids --region ${LIQO_CLUSTER_REGION} | jq -r '.Vpcs[0].CidrBlock')
 ```
 {{% /expand%}}
 
@@ -123,8 +125,8 @@ SERVICE_CIDR=$(az aks list --query="[?name=='__YOUR_CLUSTER_NAME__']" | jq -r ".
 {{%expand " Google Kubernetes Engine (GKE)" %}}
 
 ```bash
-SERVICE_CIDR=$(gcloud container clusters describe __YOUR_CLUSTER_NAME__ --zone -__YOUR_ZONE__ --project __YOUR_PROJECT_ID__ --format="json" | jq -r `.servicesIpv4Cidr`)
-POD_CIDR=$(gcloud container clusters describe __YOUR_CLUSTER_NAME__ --zone -__YOUR_ZONE__ --project __YOUR_PROJECT_ID__ --format="json" | jq -r `.clusterIpv4Cidr`)
+SERVICE_CIDR=$(gcloud container clusters describe ${LIQO_CLUSTER_NAME} --zone -__YOUR_ZONE__ --project __YOUR_PROJECT_ID__ --format="json" | jq -r `.servicesIpv4Cidr`)
+POD_CIDR=$(gcloud container clusters describe ${LIQO_CLUSTER_NAME} --zone -__YOUR_ZONE__ --project __YOUR_PROJECT_ID__ --format="json" | jq -r `.clusterIpv4Cidr`)
 ```
 
 {{% /expand%}}

diff --git a/docs/pages/User/Troubleshooting/Namespaces/_index.md b/docs/pages/User/Troubleshooting/Namespaces/_index.md
@@ -3,30 +3,3 @@ title: Liqo Namespace Model
 weight: 4
 ---
 
-### Remote namespace conditions
-
-If you want more detailed information about the offloading status, you can check the **remoteNamespaceConditions**
-inside the NamespaceOffloading resource:
-
-```bash
-   kubectl get namespaceoffloading offloading -n test-namespace -o yaml
-```
-
-The **remoteNamespaceConditions** field is a map which has as its key the ***remote cluster-id*** and as its value
-a ***vector of conditions for the namespace*** created inside that remote cluster. There are two types of conditions:
-
-#### `Ready` field
-
-   | Value   | Description |
-   | ------- | ----------- |
-   | **True**  |  The remote namespace is successfully created. |
-   | **False** |  There was a problems during the remote namespace creation. |
-
-#### `OffloadingRequired` field
-
-   | Value   | Description |
-   | ------- | ----------- |
-   | **True**  |  The creation of a remote namespace inside this cluster is required (the condition ***OffloadingRequired = true*** is removed when the remote namespace acquires a ***Ready*** condition). |
-   | **False** |  The creation of a remote namespace inside this cluster is not required. |
-
-> __NOTE__: The **RemoteNamespaceCondition** syntax is the same of the standard [NamespaceCondition](https://pkg.go.dev/k8s.io/api/core/v1@v0.21.0#NamespaceCondition).
diff --git a/docs/pages/User/Use/authentication.md b/docs/pages/User/Use/authentication.md
@@ -1,6 +1,6 @@
 ---
-title: Authentication
-weight: 3
+title: Set up the authentication
+weight: 2
 ---
 
 ## Introduction
@@ -10,21 +10,43 @@ if your cluster exposes its services to the Internet, hence avoiding that unknow
 your cluster. The Authentication is similar to the bootstrap TLS: a unique secret is used to get an identity to be 
 authenticated with.
 
-<<<<<<< Updated upstream
-##  Disable the authentication
-=======
-## Disable the authentication
->>>>>>> Stashed changes
+### Peer with a new cluster
 
-The authentication in Liqo is enabled by default; in some environments, such as playgrounds or development contexts, you
-may want to disable it. To do so, use the following command:
+To peer with a new cluster, you have to create a ForeignCluster CR.
 
-```bash
-kubectl patch clusterconfig liqo-configuration --patch '{"spec":{"authConfig":{"allowEmptyToken": true}}}' --type 'merge'
+#### Add a new ForeignCluster
+
+A `ForeignCluster` resource needs the authentication service URL and the port to be set: it is the backend of the
+authentication server (mandatory to peer with another cluster).
+
+The address is or the __hostname__ or the __IP address__ where it is reachable.
+If you specified a name during the installation, it is reachable through an Ingress (you can get it with `kubectl get
+ingress -n liqo`), if an ingress is not configured, the other cluster is exposed with a NodePort Service, you can get 
+one if the IPs of your cluster's nodes (`kubectl get nodes -o wide`).
+
+The __port__ where the remote cluster's auth service is reachable, if you are
+using an Ingress, it should be `443` by default. Otherwise, if you are using a NodePort Service you 
+can get the port executing `kubectl get service -n liqo liqo-auth`, an output example could be:
+
+```txt
+NAME           TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
+liqo-auth   NodePort   10.81.20.99   <none>        443:30740/TCP   2m7s
+```
+
+An example of `ForeignCluster` resource can be:
+
+```yaml
+apiVersion: discovery.liqo.io/v1alpha1
+kind: ForeignCluster
+metadata:
+  name: my-cluster
+spec:
+  outgoingPeeringEnabled: "Yes"
+  foreignAuthUrl: "https://<ADDRESS>:<PORT>"
 ```
 
-> __NOTE__: Disabling authentication will automatically accept peering with any other Liqo instances in the network your 
-cluster is exposed to.
+When you create the ForeignCluster, the Liqo control plane will contact the `foreignAuthUrl` (i.e. the public URL of a cluster 
+authentication server) to retrieve all the required cluster information.
 
 ## Authentication mechanism
 
@@ -43,7 +65,7 @@ on its resources. It will be used for any future request to the API Server once
 
 Below, the 2 steps are detailed:
 
-### 1. Get the foreign cluster token
+### 1. Get the home secure token
 
 > __NOTE__: Since a secret token is required for peering, you can authenticate with another cluster if and only if you
 > have access to that cluster. Keep the secret confidential! Everyone with that token can peer with your cluster and use
@@ -62,15 +84,15 @@ The output should be similar to:
 Token: 502da93c20bb07ff289e4db7f0a9e12e2254a071f37ef6d580070715d38271c2429a4cbe2610202c79062f260eb0de96a881bb3b88eb3cd5222f8238f3e9928e
 ```
 
-### 2. Create a secret in the home cluster
+### 2. Add the secure token for a foreign cluster
 
 In the home cluster you have to provide the token to Liqo.
 
 To perform this operation:
 1. fetch the cluster-id from the ForeignCluster resource
 2. Create the secret resource in the home cluster and label it.
 
-#### 1.1 Fetch the foreign cluster-id
+#### 2.1 Fetch the foreign cluster-id
 
 Each Liqo cluster is uniquely identified by a cluster-id. Once a new Liqo cluster has been discovered, a new 
 ForeignCluster resource is created in your cluster. The cluster-id of the foreign cluster is part of the specific