prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/README b/cluster/README
index e798e96..ae09fc7 100644
--- a/cluster/README
+++ b/cluster/README
@@ -6,33 +6,17 @@
 Accessing via kubectl
 ---------------------
 
-There isn't yet a service for getting short-term user certificates. Instead, you'll have to get admin certificates:
-
-    bazel run //cluster/clustercfg:clustercfg admincreds $(whoami)-admin
+    prodaccess # get a short-lived certificate for your use via SSO
     kubectl get nodes
 
-Provisioning nodes
+Persistent Storage
 ------------------
 
- - bring up a new node with nixos, running the configuration.nix from bootstrap (to be documented)
- - `bazel run //cluster/clustercfg:clustercfg nodestrap bc01nXX.hswaw.net`
-
-That's it!
-
-Ceph
-====
-
-We run Ceph via Rook. The Rook operator is running in the `ceph-rook-system` namespace. To debug Ceph issues, start by looking at its logs.
-
-The following Ceph clusters are available:
-
-ceph-waw1
----------
-
 HDDs on bc01n0{1-3}. 3TB total capacity.
 
 The following storage classes use this cluster:
 
+ - `waw-hdd-paranoid-1` - 3 replicas
  - `waw-hdd-redundant-1` - erasure coded 2.1
  - `waw-hdd-yolo-1` - unreplicated (you _will_ lose your data)
  - `waw-hdd-redundant-1-object` - erasure coded 2.1 object store
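Review bot: the new `prodaccess` line at the top of this hunk is missing the documentation the removed `bazel run //cluster/clustercfg:clustercfg admincreds ...` line used to provide: it does not say how to obtain or build `prodaccess` (a `bazel run` target, a binary on PATH?), what SSO it authenticates against, or where the resulting short-lived credentials are written so that `kubectl get nodes` picks them up. Suggest adding a one-line pointer such as "Build/run it via `bazel run //...` (target as in this change)" and noting the certificate lifetime. Also, removing the `ceph-waw1` subheading leaves "HDDs on bc01n0{1-3}. 3TB total capacity." directly under "Persistent Storage" with no cluster name, so a reader can no longer tell which Ceph cluster those storage classes belong to; consider keeping a `ceph-waw1` heading (or naming the cluster in that sentence).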
@@ -49,3 +33,22 @@
 
 `tools/rook-s3cmd-config` can be used to generate test configuration file for s3cmd.
 Remember to append `:default-placement` to your region name (ie. `waw-hdd-redundant-1-object:default-placement`)
+
+Administration
+==============
+
+Provisioning nodes
+------------------
+
+ - bring up a new node with nixos, running the configuration.nix from bootstrap (to be documented)
+ - `bazel run //cluster/clustercfg:clustercfg nodestrap bc01nXX.hswaw.net`
+
+That's it!
+
+Ceph
+====
+
+We run Ceph via Rook. The Rook operator is running in the `ceph-rook-system` namespace. To debug Ceph issues, start by looking at its logs.
+
+The following Ceph clusters are available:
+
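Review bot: the moved "The following Ceph clusters are available:" line now ends the file with nothing after it, because the `ceph-waw1` section (heading, "HDDs on bc01n0{1-3}..." and its storage-class list) was deleted in the first hunk but not re-added here. Either re-add the `ceph-waw1` subsection under "Ceph" so the sentence introduces an actual list, or drop the dangling sentence. Minor: "Provisioning nodes" and "Ceph" are now under an "Administration" top-level heading, but "Ceph" keeps the `====` top-level underline, so it reads as a sibling of "Administration" rather than a subsection; use `------` if it is meant to be nested.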