communishift: SOPs for administering the Communishift cluster

Signed-off-by: David Kirwan dkirwan@redhat.com
Signed-off-by: Lenka Segura lsegura@redhat.com
Signed-off-by: Patrik Polakovic ppolakov@redhat.com
Signed-off-by: David Kirwan <dkirwan@redhat.com>

modules/ocp4/pages/sop_communishift.adoc

@@ -0,0 +1,8 @@
+= Communishift
+The following SOPs are related to the administration of the Communishift Cluster.
+
+== Resources
+- [1] Cluster: https://console-openshift-console.apps.fedora.cj14.p1.openshiftapps.com
+- [2] Install the CommunishiftAuthorization operator xref:sop_communishift_authorization_operator.adoc
+- [3] Testing the CommunishiftAuthorization operator xref:sop_communishift_authorization_operator_testing.adoc
+- [4] Onboarding a Communishift tenant xref:sop_communishift_onboard_tenant.adoc

modules/ocp4/pages/sop_communishift_authorization_operator.adoc

@@ -0,0 +1,26 @@
+= Configure the CommunishiftAuthorization Operator
+
+== Resources
+- [1] Code:  https://pagure.io/cpe/communishift/blob/main/f/CommunishiftAuthorization
+
+== Installation
+There is a Makefile bundled with the code [1] of this operator.
+
+To install the operator:
+
+- From a terminal, be logged into the Communishift cluster with cluster-admin privileges.
+- Create a project `communishift-authorization-operator`
+- Run `make deploy`
+
+To activate the operator we need to create a `CommunishiftAuthorization` custom resource. An example of one exists in `CommunishiftAuthorization/config/samples/_v1alpha1_communishiftauthorization.yaml`
+
+Create it with the following:
+
+----
+oc apply -f CommunishiftAuthorization/config/samples/_v1alpha1_communishiftauthorization.yaml
+----
+
+
+== Configuration
+
+- No other configuration is required for this operator.

modules/ocp4/pages/sop_communishift_authorization_operator_testing.adoc

@@ -0,0 +1,14 @@
+= Test the CommunishiftAuthorization Operator
+
+== Resources
+- [1] Code:  https://pagure.io/cpe/communishift/blob/main/f/CommunishiftAuthorization
+- [2] Molecule: https://molecule.readthedocs.io/en/latest/
+
+== Installation
+There is a molecule directory bundled with the code [1] of this operator. They currently are designed to only run against the Communishift cluster itself, as it needs access to secrets for the keytab to auth against fasjson.
+
+To run the operator molecule tests:
+
+- Ensure that the molecule utility is installed `dnf install python3-molecule`
+- From a terminal, be logged into the Communishift cluster with cluster-admin privileges.
+- Run `molecule test`

modules/ocp4/pages/sop_communishift_onboard_tenant.adoc

@@ -0,0 +1,50 @@
+= Onboard a tenant to the Communishift Cluster
+
+== Resources
+- [1] Playbook: https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/manual/communishift.yml
+- [2] Role: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/communishift
+- [3] Cluster: https://console-openshift-console.apps.fedora.cj14.p1.openshiftapps.com
+- [4] CAO: https://pagure.io/cpe/communishift/blob/main/f/CommunishiftAuthorization
+
+== Onboarding
+To onboard a tenant, perform the following steps:
+
+
+=== Add project name to Playbook
+Members of `sysadmin-openshift` can run this playbook at [1]. It contains the list of communishift projects. When onboarding, add the new name of the project to the `communishift_projects` list at the bottom.
+
+Note: Projects *must* start with `communishift-` eg `communishift-dev-test`.
+
+
+=== Add new project group to IPA
+A group must be created in IPA which matches the name of the group added to the playbook in the previous step. Please ensure that the community member requesting access to the cluster is also added to this group in IPA, and made a sponsor. This way they can administer members in their group in a self service fashion later.
+
+
+=== Run the playbook
+Run the playbook on the batcave.
+
+----
+sudo rbac-playbook manual/communishift.yml
+----
+
+This will create the project, creates the EFS storage in AWS, then creates a Secret in the project which contains the credentials in order to create a `SharedVolume` object.
+
+eg:
+
+----
+apiVersion: aws-efs.managed.openshift.io/v1alpha1
+kind: SharedVolume
+metadata:
+  name: communishift-dev-test-sharedvolume
+  namespace: communishift-dev-test
+spec:
+  accessPointID: fsap-xxxxx
+  fileSystemID: fs-xxxx
+----
+
+This also applys a ResourceQuota to the project. This sets an upper limit on the amount of resources that may be consumed within. It is low on purpose, and can be changed later in an indivudal basis based on the tenant needs.
+
+
+=== Authorizing the project members to access the cluster
+The CommunishiftAuthorization operator [4] handles dishing out permissions to access the cluster. This is based on the group name being present in IPA. Every 20minutes, the CAO will retrieve a list of groups from IPA via fasjson, which match `communishift-*` pattern, then ensure this group exists in Openshift, and synchronises the users between the IPA group and Openshift. This process is automatic and performed every 20 minutes.
+

modules/ocp4/pages/sops.adoc

@@ -20,4 +20,4 @@
 - xref:sop_add_odf_storage.adoc[SOP Add new capacity to the OCP4 ODF Storage Cluster]
 - xref:sop_velero.adoc[SOP Velero]
 - xref:sop_aws_efs_operator.adoc[SOP AWS EFS Operator]
-
+- xref:sop_communishift.adoc[SOP Communishift Cluster Administration]

modules/sysadmin_guide/nav.adoc

@@ -85,10 +85,9 @@
 ** xref:new-hosts.adoc[DNS Host Addition - SOP]
 ** xref:nonhumanaccounts.adoc[Non-human Accounts Infrastructure - SOP]
 ** xref:nuancier.adoc[Nuancier - SOP]
-** xref:ocp4:sops.adoc[Openshift 4 SOPs]
+** xref:ocp4:sops.adoc[Openshift SOPs]
 ** xref:odcs.adoc[On Demand Compose Service - SOP]
 ** xref:openqa.adoc[OpenQA Infrastructure - SOP]
-** xref:openshift.adoc[OpenShift - SOP]
 ** xref:openvpn.adoc[OpenVPN - SOP]
 ** xref:outage.adoc[Outage Infrastructure - SOP]
 ** xref:packagereview.adoc[Package Review - SOP]