communishift: SOPs for modifying tenant ResourceQuota

communishift: SOPs for creating SharedVolume Signed-off-by: David Kirwan dkirwan@redhat.com Signed-off-by: Lenka Segura lsegura@redhat.com Signed-off-by: Patrik Polakovic ppolakov@redhat.com
2022-09-22 11:28:33 +01:00 · 2022-09-22 11:28:33 +01:00 · 3666299252
commit 3666299252
parent 41a59464b5
4 changed files with 109 additions and 2 deletions
--- a/modules/ocp4/pages/sop_communishift.adoc
+++ b/modules/ocp4/pages/sop_communishift.adoc
@ -7,3 +7,6 @@ The following SOPs are related to the administration of the Communishift Cluster
 - [3] Testing the CommunishiftAuthorization operator xref:sop_communishift_authorization_operator_testing.adoc
 - [4] Building/releasing the CommunishiftAuthorization operator xref:sop_communishift_authorization_operator_build.adoc
 - [5] Onboarding a Communishift tenant xref:sop_communishift_onboard_tenant.adoc
+- [6] Configuring the Resourcequota for a tenant xref:sop_communishift_tenant_quota.adoc
+- [7] Create the SharedVolume object which manages tenant storage xref:sop_communishift_create_sharedvolume.adoc
+
--- a/modules/ocp4/pages/sop_communishift_create_sharedvolume.adoc
+++ b/modules/ocp4/pages/sop_communishift_create_sharedvolume.adoc
@ -0,0 +1,78 @@
+= Create SharedVolume
+
+== Resources
+- [1] AWS EFS Operator: https://github.com/openshift/aws-efs-operator
+- [2] AWS EFS Operator Installation/Configuration: https://access.redhat.com/articles/5025181
+
+=== Creating the SharedVolume
+The `communishift` ansible role will create the AWS EFS filesystem and accesspoint, and then creates a Secret called `communishift-project-name-efs-credentials"` in the tenants project. The structure of the secret is as follows:
+
+----
+data:
+  efs_filesystem_id: "fsap-xxxxxxxx"
+  efs_accesspoint_id: "fs-xxxxxxxxxx"
+----
+
+The values are base64 encoded, to retrieve the values do the following:
+
+----
+oc get secret communishift-project-name-efs-credentials -o jsonpath="{.data['efs_accesspoint_id']}" | base64 -d
+oc get secret communishift-project-name-efs-credentials -o jsonpath="{.data['efs_filesystem_id']}" | base64 -d
+----
+
+Next create a yaml file and populate the values for the `accessPointID` and the `fileSystemID`.
+
+----
+apiVersion: aws-efs.managed.openshift.io/v1alpha1
+kind: SharedVolume
+metadata:
+  name: PROJECTNAME-sharedvolume
+  namespace: PROJECTNAME
+spec:
+  accessPointID: fsap-xxxxx
+  fileSystemID: fs-xxxxx
+----
+
+Then create the `SharedVolume` object:
+
+----
+oc apply -f project-name-sharedvolume.yml
+----
+
+Once created, the AWS EFS Operator should automatically create a PersistentVolume, then a PersistentVolumeClaim in the project namespace. Tenants can then mount this volume as normal.
+
+The following Pod defintion maybe used to verify the storage is working correctly.
+
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: volume-test
+  namespace: communishift-dev-test
+spec:
+  securityContext:
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+    fsGroupChangePolicy: "OnRootMismatch"
+  serviceAccount: volume-test
+  volumes:
+    - name: test-volume
+      persistentVolumeClaim:
+        claimName: pvc-communishift-dev-test-sharedvolume
+  containers:
+    - image: quay.io/operator-framework/ansible-operator:v1.23.0
+      command:
+        - /bin/sh
+        - "-c"
+        - "sleep 60m"
+      imagePullPolicy: IfNotPresent
+      name: alpine
+      volumeMounts:
+        - name: test-volume
+          mountPath: /tmp/volume_test
+      restartPolicy: Always
+      resources:
+        requests:
+          memory: "2Gi"
+----
--- a/modules/ocp4/pages/sop_communishift_onboard_tenant.adoc
+++ b/modules/ocp4/pages/sop_communishift_onboard_tenant.adoc
@ -11,7 +11,7 @@ To onboard a tenant, perform the following steps:


 === Add project name to Playbook
-Members of `sysadmin-openshift` can run this playbook at [1]. It contains the list of communishift projects. When onboarding, add the new name of the project to the `communishift_projects` list at the bottom.
+Members of `sysadmin-openshift` can run this playbook at [1]. It contains the list of communishift projects. When on boarding, add the new name of the project to the `communishift_projects` list at the bottom.

 Note: Projects *must* start with `communishift-` eg `communishift-dev-test`.

@ -42,7 +42,7 @@ spec:
  fileSystemID: fs-xxxx
 ----

-This also applys a ResourceQuota to the project. This sets an upper limit on the amount of resources that may be consumed within. It is low on purpose, and can be changed later in an indivudal basis based on the tenant needs.
+This also applies a ResourceQuota to the project. This sets an upper limit on the amount of resources that may be consumed within. It is low on purpose, and can be changed later in an individual basis based on the tenant needs.


 === Authorizing the project members to access the cluster
--- a/modules/ocp4/pages/sop_communishift_tenant_quota.adoc
+++ b/modules/ocp4/pages/sop_communishift_tenant_quota.adoc
@ -0,0 +1,26 @@
+= Configure the tenant ResourceQuota
+
+== Resources
+- [1] ResourceQuota Openshift Docs: https://docs.openshift.com/container-platform/4.11/applications/quotas/quotas-setting-per-project.html
+
+
+=== Config
+The ResourceQuota is contained within the tenants namespace and is named like `communishift-project-name-quota`.
+
+By default the following quota is assigned:
+
+----
+spec:
+  hard:
+    cpu: "1" # requests.cpu
+    memory: "1Gi" # requests.memory
+    limits.cpu: "1"
+    limits.memory: "2Gi"
+    requests.storage: "5Gi"
+    persistentvolumeclaims: "1"
+    pods: "2"
+    replicationcontrollers: 1
+----
+
+This object can be modified in order to increase or restrict resources available to tenants after the fact. Refer to the official docs for instructions [1].
+