docs: org and cloud scoped access

Signed-off-by: Ricky Moorhouse <[email protected]>

Author: rickymoorhouse

deployment/deployment.yaml

@@ -21,7 +21,9 @@ spec:
       containers:
         - env:
           - name: MGMT_CREDS
-            value: /app/management
+            value: /app/mgmt-cloud
+          - name: ORG_CREDS
+            value: /app/mgmt-org
           - name: DP_CREDS
             value: /app/datapower
           - name: ANALYTICS_CERTS
@@ -51,8 +53,10 @@ spec:
           volumeMounts:
             - mountPath: /config
               name: trawler-config
-            - mountPath: /app/management
-              name: mgmt-creds
+            - mountPath: /app/mgmt-cloud
+              name: mgmt-cloud-creds
+            - mountPath: /app/mgmt-org
+              name: mgmt-org-creds
             - mountPath: /app/datapower
               name: datapower-creds              
 # Update the following for your analytics deployment (replace analytics with your subsystem name)
@@ -71,10 +75,14 @@ spec:
             name: trawler-config
             optional: true
           name: trawler-config
-        - name: mgmt-creds
+        - name: mgmt-cloud-creds
           secret:
             optional: true
-            secretName: trawler-mgmt-creds
+            secretName: trawler-mgmt-cloud-creds
+        - name: mgmt-org-creds
+          secret:
+            optional: true
+            secretName: trawler-mgmt-org-creds
         - name: trawler-certificate
           secret:
             defaultMode: 420

deployment/secret-mgmt-org.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+stringData:
+  client_id: 
+  client_secret:
+# Uncomment and insert the values for the below as needed
+#  username: 
+#  password: 
+#  realm:
+kind: Secret
+metadata:
+  name: trawler-mgmt-org-creds
+type: Opaque

deployment/secret-mgmt.yaml

@@ -8,5 +8,5 @@ stringData:
 #  realm:
 kind: Secret
 metadata:
-  name: trawler-mgmt-creds
+  name: trawler-mgmt-cloud-creds
 type: Opaque

docs/install.md

@@ -7,6 +7,8 @@ To install trawler, you can make use of the sample yaml files within the [deploy
   - Select which nets you want to enable.
 - Adjustments to `secret-mgmt.yaml`
   - Set the credentials to use for connecting to cloud manager.
+- Adjustments to `secret-mgmt-org.yaml`
+  - Set the credentials to use for org level metrics - this should be a user added to the provider orgs.
 - Adjustments to `secret-dp.yaml`
   - Set the credentials to use for connecting to datapower.
 - Adjustments to `kustomization.yaml`:
@@ -39,11 +41,16 @@ namespace: apic-trawler
 
 ## API Manager credentials
 
-For the manager_net you will need to provide trawler credentials to make the API Calls - these can either be client_credentials grants or traditional username/password. For this you will need the following permissions:
+For the manager_net you will need to provide trawler credentials to make the API Calls - these can either be client_credentials grants, api key or traditional username/password. For this you will need the following permissions:
 
- - cloud:view
- - org:view
- - provider-org:view
+- cloud:view
+- org:view
+- provider-org:view
+
+The credentials secrets must contain client_id and client_secret for a client credentials grant or the CLI credentials and if you are not using a client credentials grant you will also need one of the following sets of keys:
+
+- api_key (a [platform REST API Key](https://www.ibm.com/docs/en/api-connect/10.0.8_lts?topic=applications-managing-platform-rest-api-keys))
+- username, password, realm (a user defined with appropriate access and the realm they are created in)
 
 ## Prometheus discovery