dociment update - operator-user-guide.md

doc/operator-user-guide.md

@@ -318,6 +318,133 @@ Check [*APIManager SystemS3Spec*](apimanager-reference.md#SystemS3Spec) for refe
 _For AWS STS ApiManager CR contains **STS: true** field._
 Check [AWS STS Support](#aws-sts-support) for more details.
 
+##### AWS STS Support
+
+With the new support for STS authentication (Secure Token Service for  short-term, limited-privilege security credentials),
+the secret generated by the Cloud Credential tooling looks differ from IAM (Identity and Access Management) secret.
+There are two new fields AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are present instead of
+AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.  
+Below are samples for STS and IAM secrets:
+
+**STS Secret sample**
+```yaml
+kind: Secret
+apiVersion: v1
+metadata: 
+  name: s3-credentials
+  namespace: 3scale-test
+data: 
+  AWS_ROLE_ARN: XXXXX=
+  AWS_WEB_IDENTITY_TOKEN_FILE: XXXXX=
+  AWS_BUCKET: XXXXX=
+  AWS_REGION: XXX
+type: Opaque
+```
+
+**IAM Secret sample**
+```yaml
+kind: Secret
+apiVersion: v1
+metadata: 
+  name: s3-credentials
+  namespace: 3scale-test
+data: 
+  AWS_ACCESS_KEY_ID: XXXXX=
+  AWS_SECRET_ACCESS_KEY: XXXXX=
+  AWS_BUCKET: XXXXX=
+  AWS_REGION: XXX
+type: Opaque
+```
+
+**Summary for keys for each secret "type"**
+
+|Secret key                 |Required for IAM|Required for STS|
+|---------------------------|---|---|
+AWS_ACCESS_KEY_ID           |Y|N|
+AWS_SECRET_ACCESS_KEY       |Y|N|
+AWS_ROLE_ARN                |N|Y|
+AWS_WEB_IDENTITY_TOKEN_FILE |N|Y|
+AWS_BUCKET                  |Y|Y|
+AWS_REGION                  |Y|Y|
+AWS_HOSTNAME                |N|N|
+AWS_PROTOCOL                |N|N|
+AWS_PATH_STYLE              |N|N|
+
+
+
+**SystemApp Environment Variables**  
+The 3scale operator will pass the following env vars depending on the type of the s3 secret
+
+|ENV variable              |IAM|STS|
+|--------------------------|---|---|
+AWS_ACCESS_KEY_ID          |Y|N|
+AWS_SECRET_ACCESS_KEY      |Y|N|
+AWS_ROLE_ARN               |N|Y|
+AWS_WEB_IDENTITY_TOKEN_FILE|N|Y|
+AWS_BUCKET                 |Y|Y|
+AWS_REGION                 |Y|Y|
+AWS_HOSTNAME               |Y|Y|
+AWS_PROTOCOL               |Y|Y|
+AWS_PATH_STYLE             |Y|Y|
+FILE_UPLOAD_STORAGE        |Y|Y|
+
+**In case of STS - the operator will add a projected volume to request the token**  
+Following pods will have projected volume in case of STS:
+- system-app
+- system-app hook pre
+- system-sidekiq
+
+**Pod example for STS**
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: system-sidekiq-1-zncrz
+  namespace: 3scale-test
+spec:
+  containers:
+  ....
+    volumeMounts:
+    - mountPath: /var/run/secrets/openshift/serviceaccount
+      name: s3-credentials
+      readOnly: true
+  .....
+  volumes:
+  - name: s3-credentials
+    projected:
+      defaultMode: 420
+      sources:
+      - serviceAccountToken:
+          audience: openshift
+          expirationSeconds: 3600
+          path: token
+```
+
+**ApiManager**  
+ApiManager CR contains **STS** boolean field.  
+Operator will configure deployments according to this definition.  
+Below is example for ApiManager CR
+```yaml
+apiVersion: apps.3scale.net/v1alpha1
+kind: APIManager
+metadata:
+  name: apimanager-sample
+  namespace: 3scale-test
+spec:
+  system:
+    fileStorage:
+      simpleStorageService:
+        configurationSecretRef:
+          name: s3-credentials
+        sts: true
+...
+  wildcardDomain: <wildcardDomain>
+```
+
+_Reference to STS configured cluster pre-requisite:_
+- https://docs.openshift.com/container-platform/4.11/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
+- https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md
+
 
 #### Setting a custom Storage Class for System FileStorage RWX PVC-based installations
 
@@ -697,129 +824,3 @@ If you selected *Manual updates*, when a newer version of the Operator is availa
 the OLM creates an update request. As a cluster administrator, you must then manually approve
 that update request to have the Operator updated to the new version.
 
-### AWS STS Support
-
-With the new support for STS authentication (Secure Token Service for  short-term, limited-privilege security credentials),
-the secret generated by the Cloud Credential tooling looks differ from IAM (Identity and Access Management) secret.
-There are two new fields AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are present instead of
-AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.  
-Below are samples for STS and IAM secrets:
-
-**STS Secret sample**
-```yaml
-kind: Secret
-apiVersion: v1
-metadata: 
-  name: s3-credentials
-  namespace: 3scale-test
-data: 
-  AWS_ROLE_ARN: XXXXX=
-  AWS_WEB_IDENTITY_TOKEN_FILE: XXXXX=
-  AWS_BUCKET: XXXXX=
-  AWS_REGION: XXX
-type: Opaque
-```
-
-**IAM Secret sample**
-```yaml
-kind: Secret
-apiVersion: v1
-metadata: 
-  name: s3-credentials
-  namespace: 3scale-test
-data: 
-  AWS_ACCESS_KEY_ID: XXXXX=
-  AWS_SECRET_ACCESS_KEY: XXXXX=
-  AWS_BUCKET: XXXXX=
-  AWS_REGION: XXX
-type: Opaque
-```
-
-**Summary for keys for each secret "type"**
-
-|Secret key                 |Required for IAM|Required for STS|
-|---------------------------|---|---|
-AWS_ACCESS_KEY_ID           |Y|N|
-AWS_SECRET_ACCESS_KEY       |Y|N|
-AWS_ROLE_ARN                |N|Y|
-AWS_WEB_IDENTITY_TOKEN_FILE |N|Y|
-AWS_BUCKET                  |Y|Y|
-AWS_REGION                  |Y|Y|
-AWS_HOSTNAME                |N|N|
-AWS_PROTOCOL                |N|N|
-AWS_PATH_STYLE              |N|N|
-
-
-
-**SystemApp Environment Variables**  
-The 3scale operator will pass the following env vars depending on the type of the s3 secret
-
-|ENV variable              |IAM|STS|
-|--------------------------|---|---|
-AWS_ACCESS_KEY_ID          |Y|N|
-AWS_SECRET_ACCESS_KEY      |Y|N|
-AWS_ROLE_ARN               |N|Y|
-AWS_WEB_IDENTITY_TOKEN_FILE|N|Y|
-AWS_BUCKET                 |Y|Y|
-AWS_REGION                 |Y|Y|
-AWS_HOSTNAME               |Y|Y|
-AWS_PROTOCOL               |Y|Y|
-AWS_PATH_STYLE             |Y|Y|
-FILE_UPLOAD_STORAGE        |Y|Y|
-
-**In case of STS - the operator will add a projected volume to request the token**  
-Following pods will have projected volume in case of STS:
-- system-app
-- system-app hook pre
-- system-sidekiq
-
-**Pod example for STS**
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: system-sidekiq-1-zncrz
-  namespace: 3scale-test
-spec:
-  containers:
-  ....
-    volumeMounts:
-    - mountPath: /var/run/secrets/openshift/serviceaccount
-      name: s3-credentials
-      readOnly: true
-  .....
-  volumes:
-  - name: s3-credentials
-    projected:
-      defaultMode: 420
-      sources:
-      - serviceAccountToken:
-          audience: openshift
-          expirationSeconds: 3600
-          path: token
-```
-
-**ApiManager**  
-ApiManager CR contains **STS** boolean field.  
-Operator will configure deployments according to this definition.  
-Below is example for ApiManager CR
-```yaml
-apiVersion: apps.3scale.net/v1alpha1
-kind: APIManager
-metadata:
-  name: apimanager-sample
-  namespace: 3scale-test
-spec:
-  system:
-    fileStorage:
-      simpleStorageService:
-        configurationSecretRef:
-          name: s3-credentials
-        sts: true
-...
-  wildcardDomain: <wildcardDomain>
-```
-
-**Reference to STS configured cluster pre-requisite**
-- https://docs.openshift.com/container-platform/4.11/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
-- https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md