Version: 0.20.0

CAPI Provider Identities Enterprise

Multi-tenancy

Some Cluster API providers allow you to choose the account or identity that the new cluster will be created with. This is often referred to as Multi-tenancy in the CAPI world. Weave GitOps currently supports:

Identities and templates

Our templates describe the properties of the cluster (how many nodes, which version of Kubernetes, and so on), while the identity determines which account will be used to create the cluster. So suppose that in our cluster we have the template:

apiVersion: templates.weave.works/v1alpha2
kind: GitOpsTemplate
metadata:
  name: capa-cluster-template
spec:
  resourcetemplates:
    - contents:
        - apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
          kind: AWSCluster
          metadata:
            name: "${CLUSTER_NAME}"
          spec:
            region: "${AWS_REGION}"

and the identity

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
kind: AWSClusterStaticIdentity
metadata:
  name: "test-account"
spec:
  secretRef:
    name: test-account-creds
    namespace: capa-system
  allowedNamespaces:
    selector:
      matchLabels:
        cluster.x-k8s.io/ns: "testlabel"

We can ask Weave GitOps to use the test-account identity when creating the cluster by selecting it in the Infrastructure provider credentials dropdown on the Create new cluster with template page:

Screenshot: Identity Selection

The resulting definition will have the identity injected into the appropriate place in the template, for this example:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: AWSCluster
metadata:
  name: example-cluster
spec:
  region: eu-north-1
  identityRef:
    kind: AWSClusterStaticIdentity
    name: test-account

identityRefs

The supported providers implement multi-tenancy by setting an identityRef on the provider cluster object, e.g. AWSCluster, AzureCluster or VSphereCluster.

Weave GitOps will search all namespaces in the cluster for identities that can be used to create a cluster. The following identity kinds are currently supported, each listed with the cluster kind its identityRef is set on:

  • AWSClusterStaticIdentity: AWSCluster
  • AWSClusterRoleIdentity: AWSCluster
  • AzureClusterIdentity: AzureCluster
  • VSphereClusterIdentity: VSphereCluster
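As an added illustration (not Weave GitOps code) of the two mechanisms described on this page, the example below models the identityRef injection shown in the rendered AWSCluster above together with the identity-kind to cluster-kind mapping in the list. It also checks the identity's allowedNamespaces selector before attaching it, so a template rendered into a namespace the identity does not allow is refused rather than silently producing a cluster the controller will reject. The YAML from the page is embedded as already-parsed Python dicts (a constructed sample, so no YAML library is needed); the allowedNamespaces semantics (missing field allows nothing, empty field allows everything, otherwise match `list` or the selector's matchLabels) are an assumption modelled on the CAPA field, and the function names are the example's own.

```python
"""Toy model of CAPI identity selection for a rendered cluster template.

Added illustration, not Weave GitOps code: it shows how an identityRef is
injected into the provider cluster object and how the identity's
allowedNamespaces selector gates which target namespaces may use it.
Resources are plain dicts (the YAML on the page, already parsed).
"""
import copy

# Identity kind -> provider cluster kind that carries the identityRef.
SUPPORTED_IDENTITIES = {
    "AWSClusterStaticIdentity": "AWSCluster",
    "AWSClusterRoleIdentity": "AWSCluster",
    "AzureClusterIdentity": "AzureCluster",
    "VSphereClusterIdentity": "VSphereCluster",
}

# Constructed sample: the identity from the page, as a parsed dict.
TEST_ACCOUNT = {
    "apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha3",
    "kind": "AWSClusterStaticIdentity",
    "metadata": {"name": "test-account"},
    "spec": {
        "secretRef": {"name": "test-account-creds", "namespace": "capa-system"},
        "allowedNamespaces": {
            "selector": {"matchLabels": {"cluster.x-k8s.io/ns": "testlabel"}}
        },
    },
}

# Constructed sample: the rendered template contents, with ${CLUSTER_NAME}
# and ${AWS_REGION} already substituted.
RENDERED_CONTENTS = [
    {
        "apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha4",
        "kind": "AWSCluster",
        "metadata": {"name": "example-cluster"},
        "spec": {"region": "eu-north-1"},
    },
    {  # A resource of another kind must be left untouched.
        "apiVersion": "cluster.x-k8s.io/v1beta1",
        "kind": "Cluster",
        "metadata": {"name": "example-cluster"},
        "spec": {},
    },
]


def identity_allows_namespace(identity, namespace, namespace_labels):
    """Return True if the identity may be used by a cluster in `namespace`.

    Assumed semantics (modelled on the CAPA allowedNamespaces field): a missing
    allowedNamespaces permits no namespace; an empty one permits every
    namespace; otherwise the namespace must appear in `list` or its labels
    must match the selector's matchLabels.
    """
    allowed = identity.get("spec", {}).get("allowedNamespaces")
    if allowed is None:
        return False
    if not allowed:
        return True
    if namespace in allowed.get("list", []):
        return True
    match_labels = allowed.get("selector", {}).get("matchLabels")
    if not match_labels:
        return False
    return all(namespace_labels.get(k) == v for k, v in match_labels.items())


def inject_identity(contents, identity, namespace, namespace_labels):
    """Return a copy of `contents` with identityRef set on every provider
    cluster object matching the identity's kind. Refuses unsupported identity
    kinds and namespaces the identity does not allow."""
    kind = identity["kind"]
    if kind not in SUPPORTED_IDENTITIES:
        raise ValueError(f"unsupported identity kind: {kind}")
    if not identity_allows_namespace(identity, namespace, namespace_labels):
        raise PermissionError(
            f"identity {identity['metadata']['name']} is not allowed in {namespace}"
        )
    target_kind = SUPPORTED_IDENTITIES[kind]
    result = copy.deepcopy(contents)  # never mutate the caller's template
    injected = 0
    for resource in result:
        if resource.get("kind") == target_kind:
            resource.setdefault("spec", {})["identityRef"] = {
                "kind": kind,
                "name": identity["metadata"]["name"],
            }
            injected += 1
    if injected == 0:
        raise ValueError(f"template has no {target_kind} to attach the identity to")
    return result


if __name__ == "__main__":
    out = inject_identity(RENDERED_CONTENTS, TEST_ACCOUNT, "team-a",
                          {"cluster.x-k8s.io/ns": "testlabel"})
    print(out[0]["spec"]["identityRef"])
```

Running it with a namespace carrying the label `cluster.x-k8s.io/ns: testlabel` yields the same identityRef block as the rendered AWSCluster on this page; a namespace without that label is refused up front, which is the behaviour to expect from the allowedNamespaces selector in the identity definition above.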