From 3937832343b2cf26a26b5b55430bdcc9868e362c Mon Sep 17 00:00:00 2001
From: JasleenKaurSethi <53913719+JasleenKaurSethi@users.noreply.github.com>
Date: Mon, 14 Jul 2025 12:07:28 +0100
Subject: [PATCH 1/3] Update magnum-capi.rst

---
 doc/source/configuration/magnum-capi.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/source/configuration/magnum-capi.rst b/doc/source/configuration/magnum-capi.rst
index 7ca1ef594b..b2ca4ba700 100644
--- a/doc/source/configuration/magnum-capi.rst
+++ b/doc/source/configuration/magnum-capi.rst
@@ -90,7 +90,8 @@ The general running order of the provisioning playbook is the following:
 
 - Install the required components on the HA cluster to manage Magnum user clusters
 
-Once the seed VM has been provisioned, it can be accessed via SSH by running ``./bin/seed-ssh`` from the root of the azimuth-config repository. Within the seed VM, the k3s cluster and the HA cluster can both be accessed using the pre-installed ``kubectl`` and ``helm`` command line tools. Both of these tools will target the k3s cluster by default; however, the ``kubeconfig`` file for the HA cluster can be found in the seed's home directory (named e.g. ``kubeconfig-capi-mgmt-<site-specific-name>.yaml``).
+Once the seed VM has been provisioned, it can be accessed via SSH by running ``./bin/seed-ssh`` from the root of the azimuth-config repository. Within the seed VM, the k3s cluster and the HA cluster can both be accessed using the pre-installed ``kubectl`` and ``helm`` command line tools. Both of these tools will target the k3s cluster by default; however, the ``kubeconfig`` file for the HA cluster can be found in the seed's home directory (named e.g. ``kubeconfig-capi-mgmt-<site-specific-name>.yaml``). This file can contain two types of authentication configurations:
+Client Certificate-Based Authentication configuration which is valid for a limited period (typically one year). Once expired, the certificate must be manually refreshed, which can lead to operational overhead. As an alternative, a token-based kubeconfig can be created by generating a ServiceAccount with appropriate ClusterRole permissions and embedding its token in a kubeconfig. This method provides a long-lived, non-expiring authentication without any manual intervention required.
 
 .. note::
 

From 77d31965ba66c3f05fedb463b9caf2729c1bfbd1 Mon Sep 17 00:00:00 2001
From: JasleenKaurSethi <53913719+JasleenKaurSethi@users.noreply.github.com>
Date: Mon, 14 Jul 2025 12:24:53 +0100
Subject: [PATCH 2/3] Apply suggestions from code review

Co-authored-by: Scott Davidson <49713135+sd109@users.noreply.github.com>
---
 doc/source/configuration/magnum-capi.rst | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/source/configuration/magnum-capi.rst b/doc/source/configuration/magnum-capi.rst
index b2ca4ba700..7bf65a629b 100644
--- a/doc/source/configuration/magnum-capi.rst
+++ b/doc/source/configuration/magnum-capi.rst
@@ -90,8 +90,13 @@ The general running order of the provisioning playbook is the following:
 
 - Install the required components on the HA cluster to manage Magnum user clusters
 
-Once the seed VM has been provisioned, it can be accessed via SSH by running ``./bin/seed-ssh`` from the root of the azimuth-config repository. Within the seed VM, the k3s cluster and the HA cluster can both be accessed using the pre-installed ``kubectl`` and ``helm`` command line tools. Both of these tools will target the k3s cluster by default; however, the ``kubeconfig`` file for the HA cluster can be found in the seed's home directory (named e.g. ``kubeconfig-capi-mgmt-<site-specific-name>.yaml``). This file can contain two types of authentication configurations:
-Client Certificate-Based Authentication configuration which is valid for a limited period (typically one year). Once expired, the certificate must be manually refreshed, which can lead to operational overhead. As an alternative, a token-based kubeconfig can be created by generating a ServiceAccount with appropriate ClusterRole permissions and embedding its token in a kubeconfig. This method provides a long-lived, non-expiring authentication without any manual intervention required.
+Once the seed VM has been provisioned, it can be accessed via SSH by running ``./bin/seed-ssh`` from the root of the azimuth-config repository. Within the seed VM, the k3s cluster and the HA cluster can both be accessed using the pre-installed ``kubectl`` and ``helm`` command line tools. Both of these tools will target the k3s cluster by default; however, the ``kubeconfig`` file for the HA cluster can be found in the seed's home directory (named e.g. ``kubeconfig-capi-mgmt-<site-specific-name>.yaml``). 
+
+This file can contain two types of authentication configuration:
+
+- Certificate-based authentication which is valid for a limited period (typically one year). The certificate must be manually refreshed before it expires, which can lead to undesirable operational overhead.
+
+- A service account and corresponding token-based kubeconfig with appropriate Kubernetes RBAC permissions. This method provides a long-lived, non-expiring authentication and should be preferred where possible. This option can be enabled by setting `capi_cluster_service_account_enabled: true` in the azimuth-config repository (this is the default behaviour when using the capi-mgmt mixin environment).
 
 .. note::
 

From 03afbbb25db1ae931df7465bd73a1015f4c4d3df Mon Sep 17 00:00:00 2001
From: Jasleen <jasleen@stackhpc.com>
Date: Wed, 19 Nov 2025 11:46:19 +0000
Subject: [PATCH 3/3] Fix trailing whitespaces

---
 doc/source/configuration/magnum-capi.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/source/configuration/magnum-capi.rst b/doc/source/configuration/magnum-capi.rst
index 7bf65a629b..48e952f257 100644
--- a/doc/source/configuration/magnum-capi.rst
+++ b/doc/source/configuration/magnum-capi.rst
@@ -90,7 +90,7 @@ The general running order of the provisioning playbook is the following:
 
 - Install the required components on the HA cluster to manage Magnum user clusters
 
-Once the seed VM has been provisioned, it can be accessed via SSH by running ``./bin/seed-ssh`` from the root of the azimuth-config repository. Within the seed VM, the k3s cluster and the HA cluster can both be accessed using the pre-installed ``kubectl`` and ``helm`` command line tools. Both of these tools will target the k3s cluster by default; however, the ``kubeconfig`` file for the HA cluster can be found in the seed's home directory (named e.g. ``kubeconfig-capi-mgmt-<site-specific-name>.yaml``). 
+Once the seed VM has been provisioned, it can be accessed via SSH by running ``./bin/seed-ssh`` from the root of the azimuth-config repository. Within the seed VM, the k3s cluster and the HA cluster can both be accessed using the pre-installed ``kubectl`` and ``helm`` command line tools. Both of these tools will target the k3s cluster by default; however, the ``kubeconfig`` file for the HA cluster can be found in the seed's home directory (named e.g. ``kubeconfig-capi-mgmt-<site-specific-name>.yaml``).
 
 This file can contain two types of authentication configuration: