Onboard a tenant to the Communishift Cluster

Onboarding

To onboard a tenant, perform the following steps:

Add project name to Playbook

Members of sysadmin-openshift can run this playbook at [1]. It contains the list of communishift projects. When on boarding, add the new name of the project to the communishift_projects dictionary in inventory/group_vars/all. If needed, resource quotas can be overriden from defaults in the same dictionary.

Note: Projects must start with communishift- eg communishift-dev-test.

See the following example of the communishift-eventbot project and the communishift-fedora-review-service project being added:

communishift_projects:
  communishift-eventbot:
    name: communishift-eventbot
  communishift-fedora-review-service:
    name: communishift-fedora-review-service
    do_not_delete: true                           # Marked do not delete 2024-10-21
...
To mark a project as one which should NOT be cleaned up as part of the Communishift clean up script, mark it with the boolean like so and it is helpful to include the date so we can see at a glance when projects were granted this special status: do_not_delete: true # Marked do not delete YYYY-MM-DD

Add new project group to IPA

A group must be created in IPA which matches the name of the group added to the playbook in the previous step. Please ensure that the community member requesting access to the cluster is also added to this group in IPA, and made a sponsor. This way they can administer members in their group in a self service fashion later.

Run the playbook

Run the playbook on the batcave.

sudo rbac-playbook manual/communishift.yml

This will create the project, creates the EFS storage in AWS, then creates a Secret in the project which contains the credentials in order to create a SharedVolume object.

eg:

apiVersion: aws-efs.managed.openshift.io/v1alpha1
kind: SharedVolume
metadata:
  name: communishift-dev-test-sharedvolume
  namespace: communishift-dev-test
spec:
  accessPointID: fsap-xxxxx
  fileSystemID: fs-xxxx

This also applies a ResourceQuota to the project. This sets an upper limit on the amount of resources that may be consumed within. It is low on purpose, and can be changed later in an individual basis based on the tenant needs.

Authorizing the project members to access the cluster

The CommunishiftAuthorization operator [4] handles dishing out permissions to access the cluster. This is based on the group name being present in IPA. Every 20minutes, the CAO will retrieve a list of groups from IPA via fasjson, which match communishift-* pattern, then ensure this group exists in Openshift, and synchronises the users between the IPA group and Openshift. This process is automatic and performed every 20 minutes.