diff --git a/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md b/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md index dc4cc02..da865ef 100644 --- a/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md +++ b/docs/operations/ci/adding_cico_tenant/adding-duffy-tenant.md @@ -2,81 +2,41 @@ This SOP covers the process of how to create a duffy tenant ## Create new tenant -### Connect to duffy.ci.centos.org -```shell -ssh duffy.ci.centos.org -``` - -### Change to duffy user -```shell -sudo su - duffy -``` -### Create tenant with the command below and save api key somewhere safe, it outputs the key as `: ` -```shell -duffy admin create-tenant -``` +### Creating dedicated ssh keypair -## Migrate/Update tenant +!!! note + we'll start using the `pkistore` git-crypted git repo for this, so be sure to have that under git control -Migrating an existing Duffy tenant from older DB is like previous step but we just need to enforce a specific (and known) API key. So we can apply previous `duffy admin create-tenant` step but then calling `duffy admin update-tenant` to enforce existing API key to be "valid" in new DB : +We'll just create the new ssh keypair directly into the CI pkistore repository : ``` -duffy admin update-tenant --help -Usage: duffy admin update-tenant [OPTIONS] NAME - - Update a tenant. - -Options: - --ssh-key TEXT New SSH key for the tenant. - --api-key TEXT Either a new API key (UUID) for the tenant - or 'reset' to set automatically. - --node-quota INT_OR_NONE How many nodes the tenant can use at a time - (optional, will use default if unset). - --session-lifetime INTERVAL_OR_NONE - The initial session lifetime for this - tenant. - --session-lifetime-max INTERVAL_OR_NONE - The maximum session lifetime for this - tenant. +project="samba" +ssh-keygen -f ocp/ssh/${project} -C ${project}@CI ``` -We just need first to retrieve existing duffy api key and ssh public keys from old Duffy DB -Let's assume for the example that projectname is "test-infra" : +!!! important + Don't forget to add and git commit && git push new keys in pkistore/ocp/ssh repo -``` -MariaDB [duffy]> select * from users where projectname like '%test-infra%'; -+--------------------------------------+-------------+-------------+------------+------------+ -| apikey | projectname | jobname | createdat | limitnodes | -+--------------------------------------+-------------+-------------+------------+------------+ -| d6e0483b-c9e1-40c7-a2a0-0f29f4961cde | test-infra | test-infr a | 2015-06-10 | 10 | -+--------------------------------------+-------------+-------------+------------+------------+ -1 row in set (0.00 sec) -MariaDB [duffy]> select `key` from userkeys where project_id='d6e0483b-c9e1-40c7-a2a0-0f29f4961cde'; -+W2EMNDARNa50KaFXQ3hM6TWLPwGhnG0Sj5l1obae0sNiEgzUejp1gNnTPWv/BLKdOH5yl14Z -> ssh-rsa SBLcm+f3Xy8WJEqtFF461XSoM97rSapDM9KH/h1tMqUyXnVTzbofQlGGAJw40+l9D4+F98Nbm95jWVmjQ+1N/uCiz0/Io5MDxZPq645mR4ChUAhrwE16JPr7c1DsYES7rTPbmC0lX9VCjhzxBSlbOzvxBuEipYt0FMKRlwvMzwPHONijvmx1AkB7t test-infra@jenkins-agent.ci.centos.org -> ssh-rsa PyqI7/BvcozCQQaM33LfbcpKb4ks0vw4+RH1AjnjC9r8SNivUiUQ9zg0RHXwUGRCK0iD70JGeO43Q7cSixtYfHu/MXm2feFNz01hsAIEGrlJVUlMzUyLYcqOu0BTKxIlKyK3tG1RLNvG/IDcaZMMBNS83k9phJyATvzXpeocyo6NgUVDeZstpunVv4xKQNX39nD4S/09jslXk6lZ8Pj7fyKf0rGOHuu7NpJOIb2rcSd8sC1MmsOGlY+EUuZ test-infra@CI" test-infra +### Change to duffy user +```shell +sudo su - duffy ``` - -It's really *important* that the whole --ssh-key "block" is seen as a string with newline inside so that it's correct injected for duffy job as different lines in remote .ssh/authorized_keys when duffy will contextualize the node - -It's also important to add this / keypair in the `duffy_metaclient_usermap` list in ansible inventory, in the host_vars, so that if tenant is actually just using only old/legacy endpoint with his apikey, it will still be recognized by duffy (until we remote the legacy endpoint) -When committed to git and pushed, one can play the duffy role with the config tags and it will update 20_metaclient.yaml file used by metaclient service. - -Once tenant is imported (apikey and ssh public key(s)) and ansible duffy role applied, the tenant can either use `icico` client (in compatibility mode) or already use the new duffy client (see below) +### Create tenant with the command below and save api key somewhere safe, it outputs the key as `: ` +```shell +duffy admin create-tenant "ssh-rsa " +``` ## Artifacts storage box diff --git a/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md b/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md index 862e841..5d707bc 100644 --- a/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md +++ b/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md @@ -1,31 +1,5 @@ # CentOS CI - On-boarding -Note to users: - -Please note that Infra space is for Fedora and CentOS related projects to -consume. Decision may take some time (often up to 2 weeks) as these are decided -by the whole team. -Once decided as go, we will create you a namespace in a openshift cluster where -you can configure your CI. We do provide a Jenkins template in case you want to be -able to consume vms/baremetal nodes to perform your CI. - -Please answer the following questions so that we understand your requirement. - -* How does your project relates to Fedora/CentOS? -* Describe your work flow and if you need any special permissions (other than - admin access to namespace), please tell us and provide a reason for them. -* Do you need bare-metal/vms checkout capability? (we prefer your workflow - containerized) -* Resources required - * PVs: - -``` -Project_name: -Project_members: - - user1@ACO_registered_email_address - - user2@ACO_registered_email_address -``` - ## Steps 1. Create an entry in duffy db (with ssh key) - [follow adding-duffy-tenant.md](/operations/ci/adding_cico_tenant/adding-duffy-tenant/) @@ -38,83 +12,8 @@ Project_members: ### Create an OpenShift namespace !!! important - we don't use the previous specific git repo for projects, as it's now all using the `ocp-admin` ansible role, see below - -To create the openshift namespace/project, just add edit the inventory/host_vars/ and add the new project to the existin `ocp_projects_list` ansible list. - -Example: - -``` -# Declaring projects that will be created in ocp.ci -ocp_projects_list: - - name: ci-infra-test - members: - - ci-user1@centos.org - - ci-user2@centos.org + It's all created automatically now, including groups/users membership, and tied to ACO/FAS. The only needed operation is to create in IPA a group with suffix `ocp-cico-` and then name of the group/project. So for example create `ocp-cico-kmods` group, itself nesting `sig-kmods` and so existing users. Maximum 2 minutes later, the project/group should be created automatically in openshift cluster -``` - -Once done, don't forget to commit/push and you can then apply remotely from central CI ansible node the role directly with a specific tag. - -``` -   ~  ansible  CentOS_CI  ./filestore/remote_ansible_call    -[+] 20220325-15:10 ansible-ara-run -> == Ansible Ara manual trigger == -Which ansible role you want to play ? (like haproxy, without -role) => ocp-admin-node -List of possible tags for role ocp-admin-node : - => TASK TAGS: [backup, certs, config, localstorage, projects, tls] -Do you want to call specific tag[s] and which one[s] ? (can be empty) => projects -Host/Group limits ? (default to whole group) => -[+] 20220325-15:11 ansible-ara-run -> Updating first inventory/pkistore/filestore -[+] 20220325-15:11 ansible-ara-run -> Checking role [ocp-admin-node] is present and up2date ... -[+] 20220325-15:11 ansible-ara-run -> Calling now ansible with ara reporting ... -[+] 20220325-15:11 ansible-ara-run -> ansible-playbook playbooks/role-ocp-admin-node.yml --tags projects -e ara_playbook_name=role-ocp-admin-node - -PLAY [hostgroup-role-ocp-admin-node] ***************************************************************************** - -TASK [ocp-admin-node : Rendering template for projects] ********************************************************** -Friday 25 March 2022 15:11:08 +0000 (0:00:00.445) 0:00:00.445 ********** -ok: [ocp-admin.ci.centos.org] => (item=ci-infra-test) -ok: [ocp-admin.ci.centos.org] => (item=samba) -ok: [ocp-admin.ci.centos.org] => (item=hyperscale) -ok: [ocp-admin.ci.centos.org] => (item=networkmanager) -ok: [ocp-admin.ci.centos.org] => (item=gluster) -ok: [ocp-admin.ci.centos.org] => (item=pagure) -ok: [ocp-admin.ci.centos.org] => (item=sp-augur) - -TASK [ocp-admin-node : Creating/modifying project if needed] ***************************************************** -Friday 25 March 2022 15:11:11 +0000 (0:00:02.892) 0:00:03.337 ********** -skipping: [ocp-admin.ci.centos.org] => (item=ci-infra-test) -skipping: [ocp-admin.ci.centos.org] => (item=samba) -skipping: [ocp-admin.ci.centos.org] => (item=hyperscale) -skipping: [ocp-admin.ci.centos.org] => (item=networkmanager) -skipping: [ocp-admin.ci.centos.org] => (item=gluster) -skipping: [ocp-admin.ci.centos.org] => (item=pagure) -skipping: [ocp-admin.ci.centos.org] => (item=sp-augur) - -TASK [ocp-admin-node : Deleting project[s] if needed] ************************************************************ -Friday 25 March 2022 15:11:12 +0000 (0:00:00.597) 0:00:03.935 ********** -ok: [ocp-admin.ci.centos.org] => (item=fedora-coreos) -ok: [ocp-admin.ci.centos.org] => (item=coreos-ci) - -PLAY RECAP ******************************************************************************************************* -n4-136.cloud.ci.centos.org : ok=0 changed=0 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0 -ocp-admin.ci.centos.org : ok=2 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 - -Friday 25 March 2022 15:11:13 +0000 (0:00:01.320) 0:00:05.255 ********** -=============================================================================== -ocp-admin-node : Rendering template for projects --------------------------------------------------------- 2.89s -ocp-admin-node : Deleting project[s] if needed ------------------------------------------------------------ 1.32s -ocp-admin-node : Creating/modifying project if needed ----------------------------------------------------- 0.60s -Playbook run took 0 days, 0 hours, 0 minutes, 5 seconds - -``` - -!!! note - If you need to also modify members and/or email addresses, you can just follow the same process and replay the same playbook : that will reflect changes in openshift. If you need access to that private git repository (to be fixed and moved elsewhere in the official `centos` namespace, reach out to another infra team member - - -!!! important - If you have to instead delete/remove a project, you can just add the project name in the `ocp_projects_to_delete_list` ansible list and it will be deleted/removed on next ansible run ## Deploy a PV (Persistent Volume) and Jenkins instance