add doc for workload identity

[sonasingh46]

What type of PR is this?
This PR documents workload identity .

What this PR does / why we need it:
This is a workload identity documentation PR.

• cherry-pick candidate

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

None

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: +0.34% 🎉

Comparison is base (e812eae) 55.57% compared to head (7432707) 55.91%.
Report is 69 commits behind head on main.

❗ Current head 7432707 differs from pull request most recent head 16e3c90. Consider uploading reports for the commit 16e3c90 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3770      +/-   ##
==========================================
+ Coverage   55.57%   55.91%   +0.34%     
==========================================
  Files         190      190              
  Lines       19523    19499      -24     
==========================================
+ Hits        10850    10903      +53     
+ Misses       8064     7981      -83     
- Partials      609      615       +6     

see 36 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[CecileRobertMichon]

Thanks for adding this @sonasingh46! Do you think we should add a section for workload identity in the existing doc https://capz.sigs.k8s.io/topics/multitenancy.html#identity-types and maybe link to this doc for setup or just move everything to that page?

[sonasingh46]

Do you think we should add a section for workload identity in the existing doc https://capz.sigs.k8s.io/topics/multitenancy.html#identity-types and maybe link to this doc for setup or just move everything to that page?

@CecileRobertMichon -- Yes, this is a good idea. @willie-yao is helping me with the docs verification to just get another eye and once the doc is verified and ready, I will move it as you said.

[sonasingh46]

@willie-yao -- I have made changes to the doc to add some missing part and that it becomes more easy to follow.
/assign @willie-yao

[willie-yao]

Thanks so much for the update @sonasingh46! Just a few suggestions from my end while following each step.

[mboersma]

This is great! I just made some small grammar comments when first reading it. Next I'll try out the instructions.

[willie-yao]

Left a few more comments on issues I ran across while going through the doc. Otherwise it is fully working for me!

[mboersma]

I wanted to go through the docs like a user would, looking at CAPZ Book web pages. But I ran the local server and couldn't find the doc:

% brew install mdbook
% make -C docs/book serve
% # open localhost:3000 in a browser

I know it's linked from the "multitenancy" topic, but his doc probably needs a ToC entry in the SUMMARY.md file, near here:

cluster-api-provider-azure/docs/book/src/SUMMARY.md

Line 34 in a050247

- [Windows](./topics/windows.md)

[sonasingh46]

/assign @CecileRobertMichon

[willie-yao]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 4155453da89472b6aff42786ddd55ba368587d8f

[CecileRobertMichon]

Suggested change

	### Workload Identity
	### Workload Identity (Recommended)

[CecileRobertMichon]

Suggested change

	### Service Principal With Client Password
	### AAD Pod Identity using Service Principal With Client Password (Deprecated)

[CecileRobertMichon]

I can't add comments on the lines below but should be the same for other sections

### AAD Pod Identity using Service Principal With Certificate (Deprecated)
### AAD Pod Identity using User-Assigned Managed Identity (Deprecated)

[sonasingh46]

Sure, but for the following:

AAD Pod Identity using User-Assigned Managed Identity (Deprecated)

I don't think User assigned managed identity as anything to do with AAD pod identity.

[CecileRobertMichon]

it does, it uses AAD pod identity too https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/azure/scope/identity.go#L169

https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/#azureidentityspec

[sonasingh46]

Thanks.

[CecileRobertMichon]

/cc @mboersma

[CecileRobertMichon]

Suggested change

	### AAD Pod Identity using Service Principal With Certificate
	### AAD Pod Identity using Service Principal With Certificate (Deprecated)

[CecileRobertMichon]

/lgtm
/approve
/hold

please squash!

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: b8a3ea27991efd9f1e4728c239ea9f2aa58e7883

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[willie-yao]

/lgtm

Thanks for all your hard work on this feature!! 🚀

[sonasingh46]

@CecileRobertMichon @willie-yao -- Have squashed the commit. Sorry about the back and forth.

[CecileRobertMichon]

/hold cancel

thank you for your patience with all my comments @sonasingh46