Authorization tech preview (#1101)

* Update Authorization deployment for CSM Operator (#1094)

* update auth deployment for operator

* update defaults

* Restructure authorization documentation

* Add stateless authorization content

* Add use cases for authorization

* Improve authorization tech preview documentation

* Address PR comments

* Add note during authorization installation

* Address PR comments

---------

Co-authored-by: shaynafinocchiaro <shayna_finocchiaro@dell.com>

content/docs/authorization/_index.md

@@ -6,63 +6,12 @@ Description: >
   Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization
 ---
 
-[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the  open-source suite of Kubernetes storage enablers for Dell products. 
+[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products. 
 
 CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. It does this by deploying a proxy between the CSI driver and the storage system to enforce role-based access and usage rules.
 
 Storage administrators of compatible storage platforms will be able to apply quota and RBAC rules that instantly and automatically restrict cluster tenants usage of storage resources. Users of storage through CSM for Authorization do not need to have storage admin root credentials to access the storage system.
 
 Kubernetes administrators will have an interface to create, delete, and manage roles/groups that storage rules may be applied. Administrators and/or users may then generate authentication tokens that may be used by tenants to use storage with proper access policies being automatically enforced.
 
-The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.
-
-![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization")
-
-## CSM for Authorization Capabilities
-{{<table "table table-striped table-bordered table-sm">}}
-| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore |
-| - | - | - | - | - | - |
-| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No |
-| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No |
-| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No |
-{{</table>}}
-
-**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs).
-
-## Authorization Components Support Matrix
-CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM.
-
-**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod.
-To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic.
-
-## Roles and Responsibilities
-
-The CSM for Authorization CLI can be executed in the context of the following roles:
-- Storage Administrators
-- Kubernetes Tenant Administrators
-
-### Storage Administrators
-
-Storage Administrators can perform the following operations within CSM for Authorization
-
-- Tenant Management (create, get, list, delete, bind roles, unbind roles)
-- Token Management (generate, revoke)
-- Storage System Management (create, get, list, update, delete)
-- Storage Access Roles Management (assign to a storage system with an optional quota)
-
-### Tenant Administrators
-
-Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.
-
-### Workflow
-
-1) Tenant Admin requests storage from a Storage Admin.
-2) Storage Admin uses CSM Authorization CLI to:<br>
-    a) Create a tenant resource.<br>
-    b) Create a role permitting desired storage access.<br>
-    c) Assign the role to the tenant and generate a token.<br>
-3) Storage Admin returns a token to the Tenant Admin.
-4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret.
-5) Tenant Admin updates CSI driver with CSM Authorization sidecar module.
-
-![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow")
+Currently, we have two versions of Authorization, **v1.x GA** and **v2.0 Tech Preview**.

content/docs/authorization/v1.x GA/_index.md

@@ -0,0 +1,62 @@
+---
+title: Authorization - v1.x GA
+linktitle: v1.x GA
+weight: 4
+Description: >
+  Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization v1.x GA.
+tags: 
+ - csm-authorization
+---
+
+The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.
+
+![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization")
+
+## CSM for Authorization Capabilities
+{{<table "table table-striped table-bordered table-sm">}}
+| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore |
+| - | - | - | - | - | - |
+| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No |
+| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No |
+| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No |
+{{</table>}}
+
+**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs).
+
+## Authorization Components Support Matrix
+CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM.
+
+**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod.
+To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic.
+
+## Roles and Responsibilities
+
+The CSM for Authorization CLI can be executed in the context of the following roles:
+- Storage Administrators
+- Kubernetes Tenant Administrators
+
+### Storage Administrators
+
+Storage Administrators can perform the following operations within CSM for Authorization
+
+- Tenant Management (create, get, list, delete, bind roles, unbind roles)
+- Token Management (generate, revoke)
+- Storage System Management (create, get, list, update, delete)
+- Storage Access Roles Management (assign to a storage system with an optional quota)
+
+### Tenant Administrators
+
+Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.
+
+### Workflow
+
+1) Tenant Admin requests storage from a Storage Admin.
+2) Storage Admin uses CSM Authorization CLI to:<br>
+    a) Create a tenant resource.<br>
+    b) Create a role permitting desired storage access.<br>
+    c) Assign the role to the tenant and generate a token.<br>
+3) Storage Admin returns a token to the Tenant Admin.
+4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret.
+5) Tenant Admin updates CSI driver with CSM Authorization sidecar module.
+
+![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow")

content/docs/authorization/configuration/powerflex/_index.md → content/docs/authorization/v1.x GA/configuration/powerflex/_index.md

@@ -55,7 +55,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
 
     **Helm**
 
-    Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
+    Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
 
     - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
 
@@ -78,7 +78,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
 
     **Operator**
 
-    Refer to the [Create Secret](../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
+    Refer to the [Create Secret](../../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
 
     - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
 
@@ -102,7 +102,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
 
     **Helm**
 
-    Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization.
+    Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization.
 
     - Update `authorization.enabled` to `true`.
 
@@ -136,7 +136,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
 
     **Operator**
 
-    Refer to the [Install Driver](../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization.
+    Refer to the [Install Driver](../../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization.
 
     Under `modules`, enable the module named `authorization`:
 
@@ -172,4 +172,4 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
 
 6. Install the Dell CSI PowerFlex driver following the appropriate documenation for your installation method.
 
-7. (Optional) Install [dellctl](../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../support/cli) for the installation steps and command list.
+7. (Optional) Install [dellctl](../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../support/cli) for the installation steps and command list.

content/docs/authorization/v2.0 Tech Preview/_index.md

@@ -0,0 +1,53 @@
+---
+title: Authorization - v2.0 Tech Preview
+linktitle: v2.0 Tech Preview
+weight: 4
+Description: >
+  Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization v2.0 Tech Preview.
+tags: 
+ - csm-authorization
+---
+
+>> NOTE: This tech-preview release is not intended for use in production environment.
+
+>> NOTE: Only supported on PowerFlex.
+
+The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.
+
+![HA CSM Authorization](authorization-ha-example.png)
+
+This is the introduction to a Stateless Architecture for Authorization. The creation of storage, roles, and tenants is done through Custom Resources (CRs) which are tracked and contained within CSM Authorization. The underlying communication is consistent with the previous architecture which makes the creation of volumes and snapshots seamless.
+
+## CSM for Authorization Capabilities
+{{<table "table table-striped table-bordered table-sm">}}
+| Feature                                                                                                                        | PowerFlex | PowerMax | PowerScale |
+| -----------------------------------------------------------------------------------------------------------------------------  | --------- | -------- | ---------- |
+| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage                                        | Yes       | Yes      | No         |
+| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes       | Yes      | No         |
+| Ability to shield storage credentials from Kubernetes administrators by storing them in vault                                  | Yes       | No       | No         |
+| Ability to create snapshots from owned volumes that consume the storage quota                                                  | Yes       | No       | No         |
+| Ability to periodically query storage array to keep quota consumption in sync                                                  | Yes       | No       | No         |
+{{</table>}}
+
+## Roles and Responsibilities
+
+The Stateless CSM Authorization contains the following roles:
+- Storage Administrators
+- Kubernetes Tenant Administrators
+
+### Storage Administrators
+
+Storage Administrators perform the following:
+
+- Storage System Management (create, get, delete)
+- Role Management (create, get, delete)
+- Tenant Management (create, get, delete)
+- Token Management (create, revoke)
+
+For more information on the configuration of the above, see the configuration of the [Proxy Server](../v2.0-tech-preview/configuration/proxy-server/#configuring-storage).
+
+### Tenant Administrators
+
+Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.
+
+For more information on how to use the token and configuration, see configuration for the [PowerFlex driver](../v2.0-tech-preview/configuration/powerflex).

content/docs/authorization/v2.0 Tech Preview/configuration/_index.md

@@ -0,0 +1,8 @@
+---
+title: Configuration
+linktitle: Configuration
+weight: 2
+description: Configure CSM Authorization
+---
+
+This section provides the details and instructions on how to configure CSM Authorization.