# CentOS Infrastructure Team

## Overview

CentOS Infra is mainly managed by the [Community Platform Engineering](https://docs.fedoraproject.org/en-US/cpe/) Team, but it also accepts infra contributions from Community Contributors, who can be delegated rights on parts of the infra for the service(s) they'd like to contribute to, or even be responsible for.

All that is possible at various levels:

 * Application level: granted the needed credentials (usually authenticated through [ACO](authentication.md))
 * Ansible role level: through Pull Requests against our [Ansible](../ansible/index.md) roles and/or inventories
 * Machine/Infra level: granted shell and/or sudo rights, which are themselves deployed through Ansible

## Onboarding infra members

This is an overview of the steps needed to onboard a new sysadmin who will end up with access everywhere:

!!! info

    Worth knowing that all the explained steps *don't* have to be applied.

    Example: someone can be granted `koji` build rights for the infra tags because the delegation they need is only for koji/cbs.centos.org, without needing shell access anywhere else, so don't apply this process *blindly*!

### IPA Group membership

While being part of the `sig-infra` group doesn't grant any shell/sudo permission *anywhere*, it at least reflects that the new person joining the team will be a PoC for infra, and it also automatically grants:

 * rights to build/promote pkgs on the [infra koji tags](https://cbs.centos.org/koji/search?match=glob&type=tag&terms=infra*)
 * a `@centosproject.org` email address (see also the [postfix](mailservers.md) section)

### Ansible inventory access (for "full" sysadmin)

Based on the [Environment](../index.md#available-environments) that the new infra team member needs access to (delegation: some are in charge of CentOS CI but not -yet- other parts, etc), they need to be added to a specific ansible list/variable in the inventory, the [admins_list](https://github.com/CentOS/ansible-role-baseline/blob/master/defaults/main.yml#L5), which contains the list of shell accounts to create, with their ssh pub key and whether they are granted sudo rights.

From that point, the next time Ansible is run across the server fleet (either automatically through the central mgmt station *or* manually for the machines in the `manual-run` specific group), it will add the new sysadmin (or modify/remove them) on the nodes.

To retrieve a sysadmin's ssh public key, gpg key or other needed information, you can directly query IPA through fasjson (it needs a working kerberos ticket first, so don't forget to `kinit`):

```
fas_user="arrfab"
curl --silent --fail --negotiate -u : "https://fasjson.fedoraproject.org/v1/users/${fas_user}/" | jq
```

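As an added example (not code from these docs or from the ansible-role-baseline project), the script below takes the JSON that the `curl ... | jq` query above returns and turns it into the data an `admins_list` entry needs, validating each SSH key and computing its SHA256 fingerprint so it can be confirmed with the new sysadmin out of band before Ansible deploys it. It assumes the fasjson `result` object carries `username`, `human_name`, `emails`, `sshpubkeys` and `gpgkeyids` (check the live API), uses illustrative `admins_list` field names (check the role's `defaults/main.yml` for the real ones), and the user `jdoe` plus the key material are constructed for the example.

```python
"""Added example, not code from the CentOS infra docs or ansible-role-baseline:
turn a fasjson user record into the data an admins_list entry needs, and print
each SSH key's SHA256 fingerprint for out-of-band confirmation.

Assumptions: fasjson `result` fields (username, human_name, emails, sshpubkeys,
gpgkeyids); illustrative admins_list field names; constructed user "jdoe".
"""
import base64
import hashlib
import json

# Key types we are willing to deploy to servers; ssh-dss is deliberately absent.
ACCEPTED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def ssh_fingerprint(pubkey_line):
    """Return (key_type, 'SHA256:...') for an OpenSSH public key line, the same
    value `ssh-keygen -lf` prints. Raises ValueError for anything malformed."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    if key_type not in ACCEPTED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    # The wire-format blob starts with a length-prefixed copy of the key type,
    # which must match the declared one (otherwise sshd rejects the key).
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def admins_list_entry(fasjson_response, sudo):
    """Build one admins_list item (illustrative field names) from a fasjson
    user record, refusing users without a usable SSH key."""
    user = fasjson_response["result"]
    keys = []
    for line in user.get("sshpubkeys") or []:
        key_type, fingerprint = ssh_fingerprint(line)
        keys.append({"key": line.strip(), "type": key_type, "fingerprint": fingerprint})
    if not keys:
        raise ValueError(f"{user['username']} has no usable ssh key in IPA")
    return {
        "login_name": user["username"],            # assumed field name
        "full_name": user.get("human_name", ""),   # assumed field name
        "email": (user.get("emails") or [None])[0],
        "gpg_key_ids": list(user.get("gpgkeyids") or []),
        "ssh_pub_keys": keys,
        "sudo_right": bool(sudo),                  # assumed field name
    }


def _constructed_ed25519_line(comment):
    """Constructed key line in the real ssh-ed25519 wire format, but with
    deterministic filler bytes instead of a real public key."""
    raw = bytes(range(32))
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(raw).to_bytes(4, "big") + raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEY_LINE = _constructed_ed25519_line("jdoe@laptop")
# Constructed sample of a fasjson /v1/users/jdoe/ response (not a real user).
SAMPLE_RESPONSE_JSON = json.dumps({"result": {
    "username": "jdoe",
    "human_name": "Jane Doe",
    "emails": ["jdoe@example.org"],
    "sshpubkeys": [SAMPLE_KEY_LINE],
    "gpgkeyids": ["0123456789ABCDEF0123456789ABCDEF01234567"],
}})

if __name__ == "__main__":
    entry = admins_list_entry(json.loads(SAMPLE_RESPONSE_JSON), sudo=True)
    print(json.dumps(entry, indent=2))
    for key in entry["ssh_pub_keys"]:
        print(f"confirm with {entry['login_name']} out of band: {key['fingerprint']}")
```

The fingerprint check matters because fasjson is only as trustworthy as the account it reads from: confirming the `SHA256:` value with the person (over a channel that isn't their IPA account) before the key lands in `admins_list` is what ties the shell account to the human.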
!!! danger ""

    It's *required* that CentOS Infra members, when they'll be in charge of multiple services and granted elevated rights:

      * use GnuPG for encryption (for mails and/or to be able to access ansible inventory git repositories), and so have their public gpg key available through the fasjson/IPA/noggin portal
      * have their ssh private key passphrase protected, with the public key available on fasjson/IPA/noggin
      * have OTP enabled on their account for the authentication services

Once you have verified the GPG public key, you can add the new collaborator to the `git-crypt`ed git repositories for ansible like this (do this on *each* [git repo](../ansible/topology.md) that the new sysadmin is granted access to).
So after you've added the gpg key to your own keyring, you can add it to git-crypt:

```
git-crypt add-gpg-user --trusted <gpg_key_id_or_fingerprint>
[master e28a784] Add 1 git-crypt collaborator
 1 file changed, 1 insertion(+)
 create mode 100644 .git-crypt/keys/default/0/<usually_user_gpg_pub_key>.gpg
git push
```

`--trusted` tells git-crypt to accept the key even if GnuPG doesn't consider it trusted, which is why the fingerprint has to be verified with the new sysadmin out of band *before* running it. Also keep in mind that git-crypt has no command to remove a collaborator: the repository key they received stays valid, so revoking access later means re-keying the repository.

### Zabbix access (for "full" sysadmin)

An existing administrator can create (through the WebUI - Administration/Users - or through the Zabbix API) a new user with the following settings:

 * User section
   * Alias (username) => matching the existing `nick` from authentication
   * Groups => can be `Zabbix administrators` for full admins
   * Password => randomly generated, *and* the initial one is sent to the new sysadmin by gpg encrypted email, to be changed by the user afterwards (note that when we switch zabbix to the new auth system, that step will be skipped completely)
 * Media section
   * At least add the `email` media type, sending to their registered email in IPA
   * Filter out `Not classified` and `Information` severity levels, but users can change/fine tune this afterwards
 * Permissions section
   * User Type => `Zabbix Super Admin`: Read-Write *everywhere* in Zabbix

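As an added example (not code from these docs or from Zabbix), the script below builds the JSON-RPC `user.create` request that encodes the settings listed above, which is the API route instead of clicking through Administration/Users. It only builds the request: sending it (a POST to `/api_jsonrpc.php`) and the gpg encrypted mail carrying the initial password are left to the caller. It assumes the Zabbix 5.2+ API field names (`username`, `passwd`, `roleid`, `usrgrps`, `user_medias`, and `auth` for the session token); the ids for the `Zabbix administrators` group, the Super admin role and the `email` media type are placeholders to be looked up with `usergroup.get`, `role.get` and `mediatype.get`.

```python
"""Added example, not code from the CentOS infra docs or from Zabbix: build a
Zabbix `user.create` JSON-RPC request matching the onboarding settings
(IPA nick as username, random initial password, email media without the two
lowest severities, Super admin role). Nothing is sent on the wire.

Assumptions: Zabbix 5.2+ field names; group/role/mediatype ids are placeholders.
"""
import secrets

# Zabbix stores a media's severity filter as a bitmask, one bit per level
# (all six bits set, 63, is the default).
SEVERITY_BITS = {
    "Not classified": 1,
    "Information": 2,
    "Warning": 4,
    "Average": 8,
    "High": 16,
    "Disaster": 32,
}


def severity_mask(excluded):
    """Bitmask of every severity except those in `excluded`."""
    unknown = set(excluded) - set(SEVERITY_BITS)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    return sum(bit for name, bit in SEVERITY_BITS.items() if name not in excluded)


def initial_password(nbytes=24):
    """Random initial password; mail it GPG-encrypted and have the user change it."""
    return secrets.token_urlsafe(nbytes)


def user_create_request(nick, email, usrgrpid, roleid, email_mediatypeid,
                        auth_token, request_id=1, passwd=None):
    """Return (request_dict, initial_password) for a Zabbix user.create call."""
    passwd = passwd or initial_password()
    params = {
        "username": nick,                      # matches the IPA/ACO nick
        "passwd": passwd,
        "roleid": roleid,                      # Super admin role: read-write everywhere
        "usrgrps": [{"usrgrpid": usrgrpid}],   # e.g. "Zabbix administrators"
        "user_medias": [{
            "mediatypeid": email_mediatypeid,  # the `email` media type
            "sendto": [email],                 # registered IPA address
            "active": 0,                       # 0 = media enabled
            "severity": severity_mask({"Not classified", "Information"}),
            "period": "1-7,00:00-24:00",       # always on; the user can tune this later
        }],
    }
    request = {"jsonrpc": "2.0", "method": "user.create", "params": params,
               "auth": auth_token, "id": request_id}
    return request, passwd


if __name__ == "__main__":
    import json
    # Placeholder ids and a dummy session token, all constructed for this example.
    req, pw = user_create_request("jdoe", "jdoe@example.org", usrgrpid="7",
                                  roleid="3", email_mediatypeid="1",
                                  auth_token="0123456789abcdef")
    print(json.dumps(req, indent=2))
    print("initial password (send GPG-encrypted, never in clear text):", pw)
```

Filtering out `Not classified` and `Information` yields a severity mask of 60 (4+8+16+32) instead of the default 63; keeping that derivation in code rather than in a clicked checkbox makes the onboarding reproducible and reviewable.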
### Various notes

#### IPA groups giving access

##### git/pagure

The `centos-git-admins` IPA group gives all needed rights in pagure/git.centos.org, so add the user to that group if they need to be able to administer this git forge.

##### Openshift

#### Git notifications

For the current setup of the inventories (not the ones hosted on gitlab, that is), we can quickly enable commit notifications like this (adapt to the needs/users/projects):

```
# Some variables
git_basedir="/repositories/git/centos"
git_repos="ansible-filestore-ci ansible-pkistore-ci ansible-inventory-ci"
git_mailto="rcpt_1@domain.com, rcpt2@otherdomain.com"
git_mailfrom="git@centosproject.org"

pushd "${git_basedir}"
for repo in ${git_repos}; do
  # bare repositories, hence the .git suffix; skip a repo that doesn't exist
  pushd "${repo}.git" || continue
  git config multimailhook.mailingList "${git_mailto}"
  git config multimailhook.from "${git_mailfrom}"
  # hook git_multimail into the post-receive dispatcher (no-op if already linked)
  pushd hooks/post-receive.d; test -e git_multimail.py || ln -s /usr/bin/git_multimail.py ; popd
  popd
done
popd
```
