introduce arch section in the docs, write some infos about the new internal proxy

On-behalf-of: @SAP [email protected]

Author: xrstf

docs/content/.pages

@@ -1,5 +1,6 @@
 nav:
   - Home: README.md
   - Setup: setup
+  - Architecture: architecture
   - Reference: reference
   - Contributing: contributing

docs/content/architecture/.pages

@@ -0,0 +1,5 @@
+nav:
+  - index.md
+  - basics.md
+  - front-proxy.md
+  - Certificate Management: pki.md

docs/content/architecture/basics.md

@@ -0,0 +1,49 @@
+---
+description: >
+    A general overview over the resources provided by the kcp-operator.
+---
+
+# Basics
+
+kcp-operator ships with a number of resources that, together, can be used to create a kcp installation.
+
+## Resource Relationships
+
+```mermaid
+flowchart TD
+    FrontProxy -- ObjRef (n:1)--> RootShard
+    Shard --ObjRef (n:1)--> RootShard
+    RootShard --ObjRef (1:1, optional)--> CacheServer
+    Shard --ObjRef (n:1, optional)--> CacheServer
+    Kubeconfig --ObjRef (n:1)-->Shard
+    Kubeconfig --ObjRef (n:1)-->RootShard
+    Kubeconfig --ObjRef (n:1)-->FrontProxy
+```
+
+### `RootShard` & `Shard`
+
+Each kcp installation consists at the minimum of one root shard and one [front-proxy](front-proxy.md), but you can add additional "regular" shards to scale kcp horizontally.
+
+Creating a new `RootShard` object means creating a new kcp installation, as you cannot have more than one root shard in one kcp installation, however multiple installations can run in the same Kubernetes namespace (though this is not necessarily recommended). The `RootShard` object's name is not really important inside kcp itself.
+
+Each additional shard is created by creating a `Shard` object, which will reference the root shard it belongs to. Shard names are relevant in kcp, as each shard will register itself on its root shard, using the name of the `Shard` object.
+
+### `FrontProxy`
+
+The kcp front-proxy can be used to provide access to either a whole or a subset of a kcp installation. Its main purpose is to act as a gateway, since it builds up a runtime map of all existing workspaces across all shards that it targets, so it knows where to route a request to `/clusters/root:my-team` to the shard where the logicalcluster for that workspace resides.
+
+A kcp installation can contain multiple front-proxies with different settings; one might perform additional authentication while another might pass unauthenticated requests to the shards (which will then perform their own authentication).
+
+For developing controllers against kcp, it is often necessary to access the shards directly, so front-proxies are not the only way to access kcp.
+
+### `Kubeconfig`
+
+Kubeconfigs allow the easy creation of credentials to access kcp. As a sharded system, kcp relies on client certificate authentication and the kcp-operator will ensure the correct certificates are generated and then neatly wrapped up in ready-to-use kubeconfig Secrets.
+
+Kubeconfigs can be configured to point to a specific shard or to a front-proxy instance, which affects which client CA is used to generate the certificates.
+
+## Cross-Namespace/Cluster References
+
+Due to the potential "global" nature of a kcp setup it might be necessary to run kcp-operator on multiple clusters while attempting to form one single kcp setup with multiple shards and front proxies.
+
+To make this possible, resources with object references (see above) could have a secondary way of reading necessary configuration (instead of a `corev1.LocalObjectReference`). This could be a reference to a `ConfigMap` or a `Secret` (to be determined) which are automatically generated for various resource types. A sync process (outside of the kcp-operator) could then sync the `ConfigMap` (or the `Secret`, or a custom resource type) across namespaces or even clusters, where e.g. a `Shard` object references a `Secret` which was generated for a `RootShard` on another cluster.

docs/content/architecture/front-proxy.md

@@ -0,0 +1,29 @@
+---
+description: >
+    Explains how the kcp front-proxy can be used to ingest traffic.
+---
+
+# kcp front-proxy
+
+The kcp front-proxy can be used to provide access to either a whole or a subset of a kcp installation. Its main purpose is to act as a gateway, since it builds up a runtime map of all existing workspaces across all shards that it targets, so it knows where to route a request to `/clusters/root:my-team` to the shard where the logicalcluster for that workspace resides.
+
+!!! warning
+    Currently it is required to have at least one front-proxy in a kcp installation, which must be reachable at the hostname also configured as the external name for the root shard. Without a front-proxy, new workspaces will not be able to be scheduled.
+
+    The front-proxy must exist even if there is only one shard (the RootShard). This is a requirement of kcp, not the operator itself.
+
+## Usage
+
+As mentioned above, your first front-proxy should have the same external hostname as is configured on the root shard. Every additional front-proxy can be served at arbitrary hostnames. Since the CA used to generate the serving certs for front-proxies is embedded in kubeconfigs generated by the kcp-operator, there is no need to use well-known CAs or ACME providers like Let's Encrypt, unless you intend to also access kcp from systems that do not use kubeconfig files and have no way to configure additional CAs.
+
+## Mode of Operation
+
+The kcp front-proxy will build up a runtime map of all shards, workspaces and logicalclusters in a kcp installation. For this it connects dynamically to each shard individually and begins to watch the necessary resources. This runtime index is then used to route incoming requests to their target shards.
+
+The proxy can optionally perform authentication, for example using OIDC, and pass authentication information (like username and groups) on to the shard (via HTTP headers). This can be configured for each front-proxy individually. If no authentication is performed, the requests will be passed unauthenticated to their target shards, where then authentication happens.
+
+## RootShard Proxy
+
+The kcp-operator will deploy an internal front-proxy for every `RootShard` (i.e. one for each kcp installation). This internal proxy is solely used by the operator itself to allow it to resolve workspace paths to logicalclusters and provision resources inside those workspaces.
+
+The reason a standalone proxy is deployed is that the admin-configured front-proxies (based on `FrontProxy` objects) can be configured to drop sensitive groups, like `system:masters`, from incoming requests. This is a security measure, ensuring no super admin access is possible to kcp from the outside.

docs/content/architecture/index.md

@@ -0,0 +1,13 @@
+# Architecture
+
+This section describes how the kcp-operator is designed and meant to be used.
+
+## Overview
+
+- [Basics](basics.md) – A general overview over the resources provided by the kcp-operator.
+- [front-proxy](front-proxy.md) – Explains how the kcp front-proxy can be used to ingest traffic.
+- [Certificate Management](pki.md) – This page describes the various CAs and certificates used in a kcp installation.
+<!--
+- [Sharding](sharding.md) – How `RootShards` and `Shards` work together to create a scalable kcp setup.
+- [Kubeconfigs](kubeconfigs.md) – Shows how `Kubeconfig` objects can be used to provide credentials to kcp.
+-->

docs/content/architecture/pki.md

@@ -0,0 +1,45 @@
+---
+description: >
+    Explains the various certificate authorities and certificates used by the kcp-operator.
+---
+
+## kcp PKI
+
+The placeholders `$rootshard` and `$frontproxy` in the chart are used to denote the name of the corresponding operator resource.
+
+```mermaid
+graph TB
+    A([kcp-pki-bootstrap]):::issuer --> B(kcp-pki-ca):::ca
+    B --> C([$rootshard-ca]):::issuer
+
+    C --> D(kcp-etcd-client-ca):::ca
+    C --> E(kcp-etcd-peer-ca):::ca
+    C --> F($rootshard-front-proxy-client-ca):::ca
+    C --> G($rootshard-server-ca):::ca
+    C --> H($rootshard-requestheaer-client-ca):::ca
+    C --> I($rootshard-client-ca):::ca
+    C --> J(kcp-service-account-ca):::ca
+
+    D --> K([kcp-etcd-client-issuer]):::issuer
+    E --> L([kcp-etcd-peer-issuer]):::issuer
+    F --> M([$rootshard-front-proxy-client-ca]):::issuer
+    G --> N([$rootshard-server-ca]):::issuer
+    H --> O([$rootshard-requestheader-client-ca]):::issuer
+    I --> P([$rootshard-client-ca]):::issuer
+    J --> Q([kcp-service-account-issuer]):::issuer
+
+    K --- K1(kcp-etcd):::cert --> K2(kcp-etcd-client):::cert
+    L --> L1(kcp-etcd-peer):::cert
+    M --> M1($rootshard-$frontproxy-admin-kubeconfig):::cert
+    N --- N1(kcp):::cert --- N2($rootshard-$frontproxy-server):::cert --> N3(kcp-virtual-workspaces):::cert
+    O --- O1($rootshard-$frontproxy-requestheader):::cert --> O2("(kcp-front-proxy-vw-client)"):::cert
+    P --- P1($rootshard-$frontproxy-kubeconfig):::cert --> P2(kcp-internal-admin-kubeconfig):::cert
+    Q --> Q1(kcp-service-account):::cert
+
+    B --> R([$rootshard2-ca]):::issuer
+    R --> S(...):::ca
+
+    classDef issuer color:#77F
+    classDef ca color:#F77
+    classDef cert color:orange
+```

docs/content/contributing/.pages

@@ -1,6 +1,5 @@
 nav:
     - index.md
     - local-setup.md
-    - architecture.md
     - releasing.md
     - continuous-integration