Feat/spiffe Machine Identity - user documentation #2282

Draft
prbinu-nvidia wants to merge 2 commits into NVIDIA:main from prbinu-nvidia:feat/spiffe-chores

Conversation

@prbinu-nvidia
Contributor

Description

Machine Identity Operator Documentation — Branch Summary

Issue: #1981 SPIFFE machine identity user documentation
Document the user settings and configurations for enabling machine identity features in Nico.

Scope: ~970 lines added across 8 doc files (+ minor cross-links and nav)


New documentation

| Document | Purpose |
|---|---|
| docs/getting-started/installation-options/day0-machine-identity.md | Day 0: KEK secrets, site [machine_identity], DPU agent [machine-identity] (incl. sign-proxy settings), site-level verification |
| docs/configuration/machine_identity.md | Day 1: per-org config, token delegation, SSRF proxy/allowlist recommendation, links to runbooks |
| docs/manuals/machine_identity_verification.md | REST + IMDS verification checklist; optional gRPC reference for custom sign-proxy backends |
| docs/manuals/machine_identity_signing_key_rotation.md | Per-org JWT signing key rotation with JWKS overlap |
| docs/manuals/machine_identity_kek_rotation.md | Site KEK re-wrap (gRPC today; REST planned) |

Navigation and cross-links

  • docs/index.yml — Day 0 page, Day 1 config page, three Operations runbooks
  • book/src/configuration/configurability.md — links to Day 0/Day 1 docs
  • docs/configuration/tenant_management.md — pointer to machine identity setup (“tenant instances”, not “tenant workloads”)

Design choices reflected in docs

  • Day 0 verification via REST global gate only (no DPU smoke tests)
  • No Profile A/B/C taxonomy; sidecar/IP tokenEndpoint documented as a simple note
  • Verification runbook is operator-facing (REST + IMDS); SignMachineIdentity / grpcurl kept as optional reference for custom sign-proxy-url implementations
  • KEK rotation documented as gRPC-only for now, with REST API noted as coming

Related design reference

Type of Change

  • Add - New feature or capability
  • Change - Changes in existing functionality
  • Fix - Bug fixes
  • Remove - Removed features or deprecated functionality
  • Internal - Internal changes (refactoring, tests, docs, etc.)

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • No testing required (docs, internal refactor, etc.)

Additional Notes

#1981
#261

@copy-pr-bot

copy-pr-bot Bot commented Jun 6, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@coderabbitai
Contributor

coderabbitai Bot commented Jun 6, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aac7b75b-08c3-4b3b-afc2-e5132b9920e9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.
