doc: document ARO-HCP Clusters creation in CS with Managed Identities

[miguelsorianod]

What this PR does

We document how to create the N needed Managed Identities when creating ARO-HCP Clusters directly against CS.

As an important remark, this assumes 4.17.x clusters creation. The set of required managed identities can differ between OCP versions. For now assuming 4.17.x is good enough but in the future we might want to improve on this.

As an important note, similar documentation / scripts should be created for the frontend side.

Special notes for your reviewer

[miguelsorianod]

Although for now we document this, I think the whole step 2, which is creation of prerequisites, could be automated or partially automated by having a script that executes the commands.

We can work on that in the near future if we want.

[JameelB]

+1 that would be great.

[miguelsorianod]

An example of a name of a managed identity is:

msoriano-cp-cloud-controller-manager-8ffe3f

[miguelsorianod]

Notice how the control plane side managed identities contain a "cp" part. The same happens for the data plane ones with "dp". This is intentional and the reason is that the same operator can be installed in both the control plane and the data plane but we still need different managed identities for it so we add cp/dp to allow having different names for them

[miguelsorianod]

cc @bennerv , @machi1990, @geoberle as relevant people too

[miguelsorianod]

I think we could already require people to do this even if not fully used by CS, to start preparing and getting them used to this.

Before though we would need all the pieces in the frontend side too so the information can be passed from user -> frontend -> cs

[geoberle]

I wonder if we should use the future clusters name as the suffix instead of a random string. Easier for traceability. Wdyt?

[miguelsorianod]

The reason I added randomness is because:

• Two different people could create a cluster with the same name
• The same person could create two clusters with the same name, in different RGs
• In the Azure portal UI you see the name of the managed identity

We could add the name of the cluster on top of that at some point too

[machi1990]

+1 on adding some element that could enable us to associate the MIs to the cluster being created.

[miguelsorianod]

I updated the MIs creation to also include the desired CS Cluster name.

I am not super convinced about it because:

• Different people or even the same person can have the same cluster name for different clusters, which doesn't really help to differentiate then
• Name length limit concerns. If we do this here people will tend to try do to the same or similar when writing automated tests. In those cases reaching the length limit is quite more probable because names formed there usually concatenate several parts adding quickly. MIs have a max length of 128 characters. But right now in this name we already have: username (unbounded), operator name (unbounded), cluster name (54 characters), other extra characters like hyphens, ...

[machi1990]

Thank you Miguel. I really expect authors of the automated tests to take name limits onto account and not copy and paste the command as it or its equivalent.

[miguelsorianod]

@geoberle I also added a cleaning up a cluster section for CS

[miguelsorianod]

Hi @machi1990 , @geoberle, @JameelB, @bennerv please take a look. Also including the threads with my replies.

Thanks.