From 34c93b57dd79b29b7bebbf7cd9441e0975b1ad2c Mon Sep 17 00:00:00 2001 From: Yee Hing Tong Date: Sat, 31 Oct 2020 00:28:57 +0000 Subject: [PATCH] Admin secrets notes (#577) --- .../administrator/install/configure/admin.rst | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/rsts/administrator/install/configure/admin.rst b/rsts/administrator/install/configure/admin.rst index 6e8cf6e93d..b439ee31bd 100644 --- a/rsts/administrator/install/configure/admin.rst +++ b/rsts/administrator/install/configure/admin.rst 
@@ -119,3 +119,24 @@ Example config ============== .. literalinclude:: ../../../../kustomize/overlays/sandbox/admindeployment/flyteadmin_config.yaml + + +FlyteAdmin Remote Cluster Access +================================ + +Some deployments of Flyte may choose to run the control plane separate from the data plane. Flyte Admin is designed to create kubernetes resources in one or more Flyte data plane clusters. For Admin to access remote clusters, it needs credentials to each cluster. In kubernetes, scoped service credentials are created by configuring a “Role” resource in a Kubernetes cluster. When you attach that role to a “ServiceAccount”, Kubernetes generates a bearer token that permits access. We create a flyteadmin `ServiceAccount `_ in each data plane cluster to generate these tokens. + +When you first create the Flyte Admin ServiceAccount in a new cluster, a bearer token is generated, and will continue to allow access unless the ServiceAccount is deleted. Once we create the Flyte Admin ServiceAccount on a cluster, we should never delete it. In order to feed the credentials to Flyte Admin, you must retrieve them from your new data plane cluster, and upload them to Admin somehow (within Lyft, we use Confidant for example). + +The credentials have two parts (ca cert, bearer token). Find the generated secret via :: + + kubectl get secrets -n flyte | grep flyteadmin-token + +Once you have the name of the secret, you can copy the ca cert to your clipboard with :: + + kubectl get secret -n flyte {secret-name} -o jsonpath='{.data.ca\.crt}' | base64 -D | pbcopy + +You can copy the bearer token to your clipboard with :: + + kubectl get secret -n flyte {secret-name} -o jsonpath='{.data.token}’ | base64 -D | pbcopy +
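Review bot: The last command in this hunk does not run as written: `kubectl get secret -n flyte {secret-name} -o jsonpath='{.data.token}’ | base64 -D | pbcopy` closes the single-quoted jsonpath with a typographic `’` instead of `'`, so the shell sees an unterminated quote; replace it with a plain apostrophe. In both `kubectl get secret` commands, `base64 -D` and `pbcopy` are macOS-only (GNU coreutils `base64` rejects `-D` and takes `-d`); `base64 --decode` works on both, and `| pbcopy` should be dropped or marked optional, e.g. `kubectl get secret -n flyte {secret-name} -o jsonpath='{.data.token}' | base64 --decode`. Since the text names the ServiceAccount, the secret can also be located without `grep flyteadmin-token`: `kubectl get serviceaccount flyteadmin -n flyte -o jsonpath='{.secrets[0].name}'`. The RBAC paragraph is imprecise: the token Secret is generated when the ServiceAccount is created, independently of any Role, and permissions come from binding a Role or ClusterRole to it with a RoleBinding/ClusterRoleBinding; as written, it reads as if attaching the Role produces the token. Finally, "upload them to Admin somehow" leaves the security-relevant step undocumented: this is a long-lived bearer token granting whatever the bound Role allows in the data plane cluster, so the section should state that it must be stored in a secrets manager or a Kubernetes Secret mounted into flyteadmin and never in the checked-in config, and that deleting the ServiceAccount (or its token Secret) is precisely how the token is revoked, which makes the blanket "we should never delete it" misleading unless rotation (create a new token, update Admin, then delete the old one) is described alongside it.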