From a6768bd55db7a7e943ee56223377b218a5208c15 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jun 23 2022 13:49:43 +0000 Subject: Adding steps to migrate/update tenant in new Duffy DB Signed-off-by: Fabian Arrotin --- diff --git a/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md b/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md index 8841779..31c31e3 100644 --- a/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md +++ b/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md @@ -1,33 +1,97 @@ -# SOP to create Duffy tenant +# SOP to create/migrate Duffy tenant This SOP covers the process of how to create a duffy tenant -## Steps -1. Connect to duffy.ci.centos.org +## Create new tenant +### Connect to duffy.ci.centos.org ```shell ssh duffy.ci.centos.org ``` -2. Change to duffy user +### Change to duffy user ```shell sudo su - duffy ``` - -3. Create tenant with the command below and save api key somewhere safe, it outputs the key as `: ` +### Create tenant with the command below and save api key somewhere safe, it outputs the key as `: ` ```shell duffy admin create-tenant ``` -4. Connect to the host that will have duffy client + +## Migrate/Update tenant + +Migrating an existing Duffy tenant from older DB is like previous step but we just need to enforce a specific (and known) API key. So we can apply previous `duffy admin create-tenant` step but then calling `duffy admin update-tenant` to enforce existing API key to be "valid" in new DB : + +``` +duffy admin update-tenant --help +Usage: duffy admin update-tenant [OPTIONS] NAME + + Update a tenant. + +Options: + --ssh-key TEXT New SSH key for the tenant. + --api-key TEXT Either a new API key (UUID) for the tenant + or 'reset' to set automatically. + --node-quota INT_OR_NONE How many nodes the tenant can use at a time + (optional, will use default if unset). + --session-lifetime INTERVAL_OR_NONE + The initial session lifetime for this + tenant. + --session-lifetime-max INTERVAL_OR_NONE + The maximum session lifetime for this + tenant. + +``` + +We just need first to retrieve existing duffy api key and ssh public keys from old Duffy DB +Let's assume for the example that projectname is "test-infra" : + +``` +MariaDB [duffy]> select * from users where projectname like '%test-infra%'; ++--------------------------------------+-------------+-------------+------------+------------+ +| apikey | projectname | jobname | createdat | limitnodes | ++--------------------------------------+-------------+-------------+------------+------------+ +| d6e0483b-c9e1-40c7-a2a0-0f29f4961cde | test-infra | test-infr a | 2015-06-10 | 10 | ++--------------------------------------+-------------+-------------+------------+------------+ +1 row in set (0.00 sec) +MariaDB [duffy]> select `key` from userkeys where project_id='d6e0483b-c9e1-40c7-a2a0-0f29f4961cde'; ++W2EMNDARNa50KaFXQ3hM6TWLPwGhnG0Sj5l1obae0sNiEgzUejp1gNnTPWv/BLKdOH5yl14Z +> ssh-rsa SBLcm+f3Xy8WJEqtFF461XSoM97rSapDM9KH/h1tMqUyXnVTzbofQlGGAJw40+l9D4+F98Nbm95jWVmjQ+1N/uCiz0/Io5MDxZPq645mR4ChUAhrwE16JPr7c1DsYES7rTPbmC0lX9VCjhzxBSlbOzvxBuEipYt0FMKRlwvMzwPHONijvmx1AkB7t test-infra@jenkins-agent.ci.centos.org +> ssh-rsa PyqI7/BvcozCQQaM33LfbcpKb4ks0vw4+RH1AjnjC9r8SNivUiUQ9zg0RHXwUGRCK0iD70JGeO43Q7cSixtYfHu/MXm2feFNz01hsAIEGrlJVUlMzUyLYcqOu0BTKxIlKyK3tG1RLNvG/IDcaZMMBNS83k9phJyATvzXpeocyo6NgUVDeZstpunVv4xKQNX39nD4S/09jslXk6lZ8Pj7fyKf0rGOHuu7NpJOIb2rcSd8sC1MmsOGlY+EUuZ test-infra@CI" test-infra + +``` + +It's really *important* that the whole --ssh-key "block" is seen as a string with newline inside so that it's correct injected for duffy job as different lines in remote .ssh/authorized_keys when duffy will contextualize the node + +It's also important to add this / keypair in the `duffy_metaclient_usermap` list in ansible inventory, in the host_vars, so that if tenant is actually just using only old/legacy endpoint with his apikey, it will still be recognized by duffy (until we remote the legacy endpoint) +When committed to git and pushed, one can play the duffy role with the config tags and it will update 20_metaclient.yaml file used by metaclient service. + +Once tenant is imported (apikey and ssh public key(s)) and ansible duffy role applied, the tenant can either use `icico` client (in compatibility mode) or already use the new duffy client (see below) + + +## Duffy client configuration (external) + +### Connect to the host that will have duffy client ```shell ssh @ ``` -5. Install duffy client using `pip` +### Install duffy client using `pip` ```shell pip3.8 install --user duffy[client] ``` -6. In the home path of the user, create `.config` directory if it doesn’t exist and create `.config/duffy` with the following content +### In the home path of the user, create `.config` directory if it doesn’t exist and create `.config/duffy` with the following content ``` client: url: https://duffy.ci.centos.org/api/v1 @@ -36,12 +100,11 @@ client: key: ``` -7. To create a session, the name of the pool is required. Check the pool available executing the command **_(Optional)_** +### To create a session, the name of the pool is required. Check the pool available executing the command **_(Optional)_** ```shell duffy client list-pools ``` - -8. Request a session +### Request a session ```shell duffy client request-session pool=,quantity= ``` @@ -61,7 +124,7 @@ By default this command outputs a _json_, but it's possible to change the format } ``` -9. When needed to retire the session, connect to your duffy client host and execute the command +### When needed to retire the session, connect to your duffy client host and execute the command ```shell duffy client retire-session ```