From 11797db86666342d4c122d5884fc4059c56a65c3 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 6 Oct 2021 11:08:17 -0700 Subject: [PATCH 1/2] Change description of impersonation proxy strategy in supported clusters. This was wrong, since you don't need a LoadBalancer to run the impersonation proxy if you specify spec.service.type = "None" or "ClusterIP" on the CredentialIssuer. --- site/content/docs/reference/supported-clusters.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/site/content/docs/reference/supported-clusters.md b/site/content/docs/reference/supported-clusters.md index 28ba554b..f21c5534 100644 --- a/site/content/docs/reference/supported-clusters.md +++ b/site/content/docs/reference/supported-clusters.md 
@@ -27,8 +27,10 @@ The Pinniped Concierge has two strategies available to support clusters, under t This type of cluster is typically called "self-hosted" because the cluster's control plane is running on nodes that are part of the cluster itself. Most managed Kubernetes services do not support this. -2. Impersonation Proxy: Can be run on any Kubernetes cluster where a `LoadBalancer` service can be created. Most cloud-hosted Kubernetes environments have this -capability. The Impersonation Proxy automatically provisions a `LoadBalancer` for ingress to the impersonation endpoint. +2. Impersonation Proxy: Can be run on any Kubernetes cluster. Default configuration requires that a `LoadBalancer` service can be created. Most cloud-hosted Kubernetes environments have this +capability. The Impersonation Proxy automatically provisions a `LoadBalancer` for ingress to the impersonation endpoint. Users who wish to use the impersonation proxy without an automatically +configured `LoadBalancer` can do so with an automatically provisioned `ClusterIP` or with a Service that they provision themselves. These options +can be configured in the spec of the [`CredentialIssuer`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#credentialissuer). If a cluster is capable of supporting both strategies, the Pinniped CLI will use the token credential request API strategy by default. From 4aa66b96675947d678bafc104253836cba0cda50 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 6 Oct 2021 11:23:29 -0700 Subject: [PATCH 2/2] Update site/content/docs/reference/supported-clusters.md Co-authored-by: Mo Khan --- site/content/docs/reference/supported-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/docs/reference/supported-clusters.md b/site/content/docs/reference/supported-clusters.md index f21c5534..bb1162af 100644 --- a/site/content/docs/reference/supported-clusters.md 
+++ b/site/content/docs/reference/supported-clusters.md @@ -28,7 +28,7 @@ This type of cluster is typically called "self-hosted" because the cluster's con Most managed Kubernetes services do not support this. 2. Impersonation Proxy: Can be run on any Kubernetes cluster. Default configuration requires that a `LoadBalancer` service can be created. Most cloud-hosted Kubernetes environments have this -capability. The Impersonation Proxy automatically provisions a `LoadBalancer` for ingress to the impersonation endpoint. Users who wish to use the impersonation proxy without an automatically +capability. The Impersonation Proxy automatically provisions (when `spec.impersonationProxy.mode` is set to `auto`) a `LoadBalancer` for ingress to the impersonation endpoint. Users who wish to use the impersonation proxy without an automatically configured `LoadBalancer` can do so with an automatically provisioned `ClusterIP` or with a Service that they provision themselves. These options can be configured in the spec of the [`CredentialIssuer`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#credentialissuer).
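Review bot: In [PATCH 1/2], the added sentence ending "These options can be configured in the spec of the `CredentialIssuer`" never names the field or the values to set, although the commit message does (`spec.service.type` = "None" or "ClusterIP"). Suggest naming the setting and its accepted values in the doc text itself, so a reader does not have to search the linked API reference. Please also confirm the full field path: the commit message writes `spec.service.type`, while [PATCH 2/2] refers to `spec.impersonationProxy.mode`, so the two are written with different prefixes. Separately, the link targets `generated/1.20/README.adoc`, which is pinned to one generated API version and may drift from what the rest of the page describes.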
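Review bot: In [PATCH 2/2], the parenthetical "(when `spec.impersonationProxy.mode` is set to `auto`)" sits between the verb "provisions" and its object "a `LoadBalancer`", which makes the sentence hard to parse. Suggest moving the condition to the front: "When `spec.impersonationProxy.mode` is set to `auto`, the Impersonation Proxy automatically provisions a `LoadBalancer` for ingress to the impersonation endpoint." The preceding sentence says "Default configuration requires that a `LoadBalancer` service can be created" but nothing here states which mode is the default; if `auto` is the default, say so in this sentence so the two statements connect.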