Infrastructure/infra-docs-fpo
1
0
Fork 0
Code Issues 100 Pull requests 6 Projects Releases Packages Wiki Activity Actions
infra-docs-fpo/modules/sysadmin_guide/pages/sop_communishift_onboard_tenant.adoc
David Kirwan 5141624ed5
Communishift: project deletion and notifcations SOP 
Openshift: WIP best practices

Signed-off-by: David Kirwan <davidkirwanirl@gmail.com>
2024-12-11 13:20:33 +00:00

65 lines
3.1 KiB
Text
Raw Permalink Blame History

= Onboard a tenant to the Communishift Cluster
== Resources
- [1] Playbook: https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/manual/communishift.yml
- [2] Role: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/communishift
- [3] Cluster: https://console-openshift-console.apps.fedora.cj14.p1.openshiftapps.com
- [4] CAO: https://pagure.io/cpe/communishift/blob/main/f/CommunishiftAuthorization
== Onboarding
To onboard a tenant, perform the following steps:
=== Add project name to Playbook
Members of `sysadmin-openshift` can run this playbook at [1]. It contains the list of communishift projects. When on boarding, add the new name of the project to the `communishift_projects` dictionary in `inventory/group_vars/all`.
If needed, resource quotas can be overriden from defaults in the same dictionary.
Note: Projects *must* start with `communishift-` eg `communishift-dev-test`.
See the following example of the `communishift-eventbot` project and the `communishift-fedora-review-service` project being added:
----
communishift_projects:
communishift-eventbot:
name: communishift-eventbot
communishift-fedora-review-service:
name: communishift-fedora-review-service
do_not_delete: true # Marked do not delete 2024-10-21
...
----
NOTE: To mark a project as one which should _NOT_ be cleaned up as part of the Communishift clean up script, mark it with the boolean like so and it is helpful to include the date so we can see at a glance when projects were granted this special status: `do_not_delete: true # Marked do not delete YYYY-MM-DD`
=== Add new project group to IPA
A group must be created in IPA which matches the name of the group added to the playbook in the previous step. Please ensure that the community member requesting access to the cluster is also added to this group in IPA, and made a sponsor. This way they can administer members in their group in a self service fashion later.
=== Run the playbook
Run the playbook on the batcave.
----
sudo rbac-playbook manual/communishift.yml
----
This will create the project, creates the EFS storage in AWS, then creates a Secret in the project which contains the credentials in order to create a `SharedVolume` object.
eg:
----
apiVersion: aws-efs.managed.openshift.io/v1alpha1
kind: SharedVolume
metadata:
name: communishift-dev-test-sharedvolume
namespace: communishift-dev-test
spec:
accessPointID: fsap-xxxxx
fileSystemID: fs-xxxx
----
This also applies a ResourceQuota to the project. This sets an upper limit on the amount of resources that may be consumed within. It is low on purpose, and can be changed later in an individual basis based on the tenant needs.
=== Authorizing the project members to access the cluster
The CommunishiftAuthorization operator [4] handles dishing out permissions to access the cluster. This is based on the group name being present in IPA. Every 20minutes, the CAO will retrieve a list of groups from IPA via fasjson, which match `communishift-*` pattern, then ensure this group exists in Openshift, and synchronises the users between the IPA group and Openshift. This process is automatic and performed every 20 minutes.
Reference in a new issue View git blame Copy permalink