Communishift
============

Purpose
-------

Investigate what is needed in order to run a community focused Openshift instance.
Identify possible bottlenecks, issues and whatever the CPE team needs to develop new
components/services for this new Openshift instance.

Resources
---------

- https://docs.openshift.com/dedicated/storage/persistent_storage/osd-persistent-storage-aws.html
- https://docs.openshift.com/container-platform/4.6/applications/quotas/quotas-setting-per-project.html

Investigation
-------------

The team discussed the following topics:

.. toctree::
   :maxdepth: 1

   authentication
   resource-quota
   storage

Conclusions
-----------

- The cluster can leverage EFS to provision volumes (using the AWS EFS operator from the
  Operator Marketplace) and an extra ansible playbook to automate part of the process;
- Quotas can be enforced by creating an Openshift operator that watches all user
  namespaces;
- Authentication groups can be automatically synched between FasJSON and Openshift with
  a new Operator.

Proposed Roadmap
----------------

AWS EFS Ansible Playbook
~~~~~~~~~~~~~~~~~~~~~~~~

One needs to provide some AWS info when creating a volume using the EFS operator; sample
resource below:

.. code-block::

   apiVersion: aws-efs.managed.openshift.io/v1alpha1
   kind: SharedVolume
   metadata:
     name: sv1
     namespace: default
   spec:
     accessPointID: fsap-0123456789abcdef
     fileSystemID: fs-0123cdef

Both "accessPointID" and "fileSystemID" are generated by AWS, with "accessPointID" being
generated for every PVC that gets provisioned in the cluster.

An Ansible playbook comes into play to automate the process of creating an "accessPoint"
for a namespace, which should be requested in an infra ticket when requesting the creation
of a new namespace in the cluster.

Fedora Cloud Quota Operator
~~~~~~~~~~~~~~~~~~~~~~~~~~~

An operator can be created to ensure a namespace's resource quota.
The operator would watch for namespaces with specific tags/annotations (TBD) and apply
the required quotas in those namespaces.

The quotas themselves are applied by creating a `ResourceQuota` object in the namespace
it is supposed to manage:
https://docs.openshift.com/container-platform/4.6/applications/quotas/quotas-setting-per-project.html.

Fedora FasJSON Sync Operator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An operator can be used to ensure FasJSON groups are synched with the cluster groups
used by Openshift roles.

This operator would retrieve group information every N seconds from FasJSON and
apply the changes in the cluster, ensuring synchronization between the two systems.

Food for thought: it would be interesting if FasJSON notifies group changes to
fedora-messaging.
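
The planning step of the sync loop described above, as an added example that is not part of the original page or of any Fedora project code. It assumes group membership has already been fetched into plain dicts; the group and user names, ``plan_sync``, ``MANAGED_GROUPS`` and ``MAX_REMOVAL_RATIO`` are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical settings: the groups this operator owns, and a cap on how much
# of a group one pass may remove before the removals are held for review.
MANAGED_GROUPS = frozenset({"communishift-users", "communishift-admins"})
MAX_REMOVAL_RATIO = 0.5

# Constructed sample data, not real accounts. None marks a failed lookup.
FASJSON = {"communishift-users": {"alice", "bob", "dave"}, "communishift-admins": None}
CLUSTER = {
    "communishift-users": {"alice", "carol", "dave"},
    "communishift-admins": {"erin"},
    "cluster-admins": {"frank"},  # created by hand, outside the operator's scope
}


@dataclass
class GroupPlan:
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)
    skipped: str = ""  # why the group (or its removals) was left alone


def plan_sync(source, cluster, managed=MANAGED_GROUPS, max_ratio=MAX_REMOVAL_RATIO):
    """Plan the changes that make managed cluster groups match the source.

    source and cluster map group name -> set of usernames. A group that is
    missing from source, or mapped to None, counts as "lookup failed".
    """
    plans = {}
    for group in sorted(managed):
        current = cluster.get(group, set())
        wanted = source.get(group)
        plan = GroupPlan()
        if wanted is None:
            # A failed lookup is not an empty group: change nothing.
            plan.skipped = "source unavailable"
        else:
            plan.add = wanted - current
            plan.remove = current - wanted
            if current and len(plan.remove) / len(current) > max_ratio:
                # Looks like an upstream fault; hold removals, keep additions.
                plan.remove = set()
                plan.skipped = "removal ratio exceeded"
        plans[group] = plan
    return plans


if __name__ == "__main__":
    for name, plan in plan_sync(FASJSON, CLUSTER).items():
        print(name, plan)
```

Groups outside ``MANAGED_GROUPS`` never appear in the plan, so a sync pass cannot alter membership that was granted by hand.
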

Team and Skills
---------------

A team of three individuals should be able to deliver the proposed roadmap in ~6 weeks
(2-week sprints, a sprint per component) assuming the following technical skills:

- Kubernetes basic concepts/usage;

  * API or previous operator knowledge is a plus;

- Ansible basic usage;

  * AWS API knowledge is a plus.

It might be a good opportunity to learn about Kubernetes and Operator/Controller
development.