add graphics to document GRM projected service account tokens (garden…

…er#5160)

docs/concepts/apiserver.md

@@ -70,4 +70,4 @@ Please see [this](../usage/openidconnect-presets.md) separate documentation file
 
 ## Overview Data Model
 
-![Gardener Overview Data Model](gardener-data-model-overview.png)
+![Gardener Overview Data Model](images/gardener-data-model-overview.png)

docs/concepts/architecture.md

@@ -22,10 +22,10 @@ We provide a central operator UI, which we call the "Gardener Dashboard". It tal
 
 #### Overview Architecture Diagram
 
-![Gardener Overview Architecture Diagram](gardener-architecture-overview.png)
+![Gardener Overview Architecture Diagram](images/gardener-architecture-overview.png)
 
 #### Detailed Architecture Diagram
 
-![Gardener Detailed Architecture Diagram](gardener-architecture-detailed.png)
+![Gardener Detailed Architecture Diagram](images/gardener-architecture-detailed.png)
 
 Note: The `kubelet` as well as the pods inside the "shoot" cluster talk through the front-door (load balancer IP; public Internet) to its "shoot" cluster API server running in the "seed" cluster. The reverse communication from the API server to the pod, service, and node networks happens through a VPN connection that we deploy into "seed" and "shoot" clusters.

docs/concepts/gardenlet.md

@@ -30,13 +30,13 @@ is scalable. Gardener achieves the same for cluster management by using a **gard
 as primary "agent" on every seed cluster, and is only responsible for shoot clusters
 located in its particular seed cluster:
 
-![Counterparts in the Gardener Architecture and the Kubernetes Architecture](gardenlet-architecture-similarities.png)
+![Counterparts in the Gardener Architecture and the Kubernetes Architecture](images/gardenlet-architecture-similarities.png)
 
 The `gardener-controller-manager` has control loops to manage resources of the Gardener API. However, instead of letting the `gardener-controller-manager` talk directly to seed clusters or shoot clusters, the responsibility isn’t only delegated to the gardenlet, but also managed using a reversed control flow: It's up to the gardenlet to contact the Gardener API server, for example, to share a status for its managed seed clusters.
 
 Reversing the control flow allows placing seed clusters or shoot clusters behind firewalls without the necessity of direct access via VPN tunnels anymore.
 
-![Reversed Control Flow Using a Gardenlet](gardenlet-architecture-detailed.png)
+![Reversed Control Flow Using a Gardenlet](images/gardenlet-architecture-detailed.png)
 
 ## TLS Bootstrapping
 

docs/concepts/resource-manager.md

@@ -378,6 +378,9 @@ Any attempt to regenerate the token or creating a new such secret will again mak
 
 In order to enable the _TokenInvalidator_ you have to set `--token-invalidator-max-concurrent-workers` to a value larger than `0`.
 
+Below graphic shows an overview of the Token Invalidator for Service account secrets in the Shoot cluster.
+![image](images/resource-manager-token-invalidator.jpg)
+
 ### TokenRequestor
 
 This controller provides the service to create and auto-renew tokens via the [`TokenRequest` API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/).
@@ -449,6 +452,12 @@ token-requestor.resources.gardener.cloud/target-secret-name: "foo"
 token-requestor.resources.gardener.cloud/target-secret-namespace: "bar"
 ```
 
+Overall, the TokenRequestor controller provides credentials with limited lifetime (JWT tokens) used by Shoot control plane components running in the Seed
+to talk to the Shoot API Server. 
+Please see the graphic below:
+
+![image](images/resource-manager-projected-token-controlplane-to-shoot-apiserver.jpg)
+
 ## Webhooks
 
 ### Auto-Mounting Projected `ServiceAccount` Tokens
@@ -489,3 +498,9 @@ spec:
 
 The volume will be mounted into all containers specified in the `Pod` to the path `/var/run/secrets/kubernetes.io/serviceaccount`.
 This is the default location where client libraries expect to find the tokens and mimics the [upstream `ServiceAccount` admission plugin](https://github.com/kubernetes/kubernetes/tree/v1.22.2/plugin/pkg/admission/serviceaccount), see [this document](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller) for more information.
+
+Overall, this webhook is used to inject projected service account tokens into pods running in the Shoot and the Seed cluster.
+Hence, it is served from the Seed GRM and each Shoot GRM.
+Please find an overview below for pods deployed in the Shoot cluster:
+
+![image](images/resource-manager-projected-token-shoot-to-shoot-apiserver.jpg)