From 792b2964dea93f98bfe1aa3f78f80aef9829986c Mon Sep 17 00:00:00 2001 From: siddharthvipul Date: Jun 28 2021 07:18:50 +0000 Subject: add tenant onboarding doc Signed-off-by: siddharthvipul --- diff --git a/docs/operations/ci/adding-jumphost.md b/docs/operations/ci/adding-jumphost.md deleted file mode 100644 index 8222b0c..0000000 --- a/docs/operations/ci/adding-jumphost.md +++ /dev/null @@ -1,17 +0,0 @@ -# Add user to jumphost - -Jumphost users live in inventory file `inventory/ci-ssh-jumphosts` - -* make an entry of user in inventory in the following format -``` -login_name: billgates -full_name: "Bill Gates | Microsoft loves linux" -ssh_pub_keys: - - "- - - - " -``` -* Ensure all the lastest commits in playbook directory and inventory are pulled locally. -`git pull inventory/ && git pull playbooks` -* Use playbook baseline-playbook to envoke role role-baseline. we will limit - the run to just the ci ssh jumphost. -`ansible-playbook playbooks/role-baseline.yml --limit ci-ssh-jumphosts` -* Update remote with latest changes diff --git a/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md b/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md index 7bf716e..276f217 100644 --- a/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md +++ b/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md @@ -68,7 +68,7 @@ MariaDB [duffy]> describe userkeys; +------------+---------------+------+-----+---------+----------------+ 3 rows in set (0.00 sec) -MariaDB [duffy]> +MariaDB [duffy]> ``` @@ -91,7 +91,7 @@ MariaDB [duffy]> 1. How do we connect to instances -The Duffy database runs on the admin.ci node: `ssh admin.ci.centos.org`. +The Duffy database runs on the admin.ci node: `ssh admin.ci.centos.org`. 2. We have a script which does this work.. how do we use it 
@@ -100,7 +100,11 @@ The Duffy database runs on the admin.ci node: `ssh admin.ci.centos.org`. 4. Retrieve the api key from the users table ` select * from users where projectname="projectname";` +Copy the API key somewhere handy (we will need it) 5. Using that api-key/UUID as project_id, enter ssh key of a user from the project so that they can ssh into the machines. This process must be repeated for every user we wish to add access to via SSH. `insert into userkeys (`project_id`,`key`) values('', '');` This ssh key is pushed to duffy nodes - authorized keys when a tenant requests the node through api key. + +NOTE: we need to copy private key (pair of key just added in db), and paste it +in openshift jenkins template (so copy it to save the trouble later) diff --git a/docs/operations/ci/adding_cico_tenant/adding-jumphost.md b/docs/operations/ci/adding_cico_tenant/adding-jumphost.md new file mode 100644 index 0000000..8222b0c --- /dev/null +++ b/docs/operations/ci/adding_cico_tenant/adding-jumphost.md @@ -0,0 +1,17 @@ +# Add user to jumphost + +Jumphost users live in inventory file `inventory/ci-ssh-jumphosts` + +* make an entry of user in inventory in the following format +``` +login_name: billgates +full_name: "Bill Gates | Microsoft loves linux" +ssh_pub_keys: + - "- - - - " +``` +* Ensure all the lastest commits in playbook directory and inventory are pulled locally. +`git pull inventory/ && git pull playbooks` +* Use playbook baseline-playbook to envoke role role-baseline. we will limit + the run to just the ci ssh jumphost. +`ansible-playbook playbooks/role-baseline.yml --limit ci-ssh-jumphosts` +* Update remote with latest changes diff --git a/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md b/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md new file mode 100644 index 0000000..11b3fdb --- /dev/null +++ b/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md 
@@ -0,0 +1,61 @@
+# CentOS CI - On-boarding
+
+Note to users:
+
+Please note that Infra space is for Fedora and CentOS related projects to
+consume. Decision may take some time (often up to 2 weeks) as these are decided
+by the whole team.
+Once decided as go, we will create you a namespace in a openshift cluster where
+you can configure your CI. We do provide a Jenkins template in case you want to be
+able to consume vms/baremetal nodes to perform your CI.
+
+Please answer the following questions so that we understand your requirement.
+
+* How does your project relates to Fedora/CentOS?
+* Describe your work flow and if you need any special permissions (other than
+ admin access to namespace), please tell us and provide a reason for them.
+* Do you need bare-metal/vms checkout capability? (we prefer your workflow
+ containerized)
+* Resources required
+ * PVs:
+
+```
+Project_name:
+Project_members:
+ - user1@ACO_registered_email_address
+ - user2@ACO_registered_email_address
+```
+
+## Steps
+1. Create an OpenShift namespace
+2. Create an entry in duffy db (with ssh key) - follow adding-duffy-api-key.md
+3. Instantiate a template to provision Jenkins
+
+
+### Create an OpenShift namespace
+
+Using the data provided by tenant (i.e. Project name and its admins), create an yaml file to be passed to ansible-playbook (example above).
+
+Store it in project directory to and push it to git
+
+Use playbook (adhoc-openshift-resources.yaml)[https://github.com/CentOS/ansible-infra-playbooks/blob/staging/adhoc-openshift-resources.yaml] with variables `host=openshift-ci-management` and `the file containing project name and admins`
+
+Example: "ansible-playbook playbooks/adhoc-openshift-resources.yaml -e "host=ocp-ci-management" -e "@important_project.yaml""
+
+
+## Create an entry in duffy db (with ssh key) - [follow adding-duffy-api-key.md](https://docs.infra.centos.org/operations/ci/adding_cico_tenant/adding-duffy-api-key/)
+
+## Instantiate a template to provision Jenkins
+* Login to openshift
+* Go to project cico-templates to select the cico-workspace Jenkins template
+ from workloads -> From Catalog -> {search cico-workspace}
+ you would see a template called "cico-workspace: provided by The CentOS
+ Project"
+* Click the template to start instantiation process.
+ * Select the namespace we want to run Jenkins in (In Namespace variable)
+ * Enter appropriate Memory limit and volume capacity (for Jenkins, we prefer 3Gi and 10Gi respectively)
+ * Enter duffy API key for the project and SSH private key whose public pair is in duffy db.
+
+Click create to instantiate the project.
+
+Admin's hack: Increase timeout in deployment config to counter our slow storage timeout issue.
diff --git a/docs/operations/ci/onboarding_sysadmin.md b/docs/operations/ci/onboarding_sysadmin.md
index ace4d5b..3c737bb 100644
--- a/docs/operations/ci/onboarding_sysadmin.md
+++ b/docs/operations/ci/onboarding_sysadmin.md
@@ -65,7 +65,7 @@ aarch64 20 ### Resources - Working with CentOS Infra https://docs.fedoraproject.org/en-US/cpe/day_to_day_centos/ -- Ticket Tracker: pagure.io/centos-infra [Use template ci-migration for migration or +- Ticket Tracker: pagure.io/centos-infra [Use template ci-migration for migration or - Fedora Nest 2020 talk: https://docs.google.com/presentation/d/1Efwz73t4NdxuzmyV8kvi3SewCIzDpidpePXGLfuweso/edit?ts=5f2ea19e#slide=id.g8fead7ec8b_0_44 diff --git a/mkdocs.yml b/mkdocs.yml index 8570bd3..3015b81 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -26,8 +26,9 @@ nav: - operations/ci/localstorage/binding_pvc.md - operations/ci/localstorage/installation.md - Onboard Tenants: + - operations/ci/adding_cico_tenant/adding_cico_tenants.md - operations/ci/adding_cico_tenant/adding-duffy-api-key.md - - operations/ci/adding-jumphost.md + - operations/ci/adding_cico_tenant/adding-jumphost.md - Add an OpenID identity provider to the cluster: operations/ci/adding_oidc_authentication.md - Adding Admin Users: operations/ci/adding_admin_users.md - Adding Nodes: operations/ci/adding_nodes.md