| |
@@ -5,11 +5,9 @@
|
| |
or C3IaaS.
|
| |
|
| |
## Onboarding to C3IaaS
|
| |
+ The access to C3IaaS is limited to `c3iaas-user` role. The definition of `c3iaas-user` role can be found in the [rbac](rbac) directory.
|
| |
|
| |
- For security reasons, the C3I team restricts the access to C3IaaS jobs only to on-boarded clients.
|
| |
-
|
| |
- A C3I client needs to provide a list of OpenShift users (service accounts) or groups to the C3I team, then the C3I team assigns the `c3iaas-user` role using the following command:
|
| |
-
|
| |
+ The role can be assigned to users and groups using following command:
|
| |
```
|
| |
# assign to users
|
| |
oc policy add-role-to-user --role-namespace=c3i c3iaas-user mikeb yuxzhu
|
| |
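Review bot: The replacement sentence in the Onboarding section ("The role can be assigned to users and groups using following command:") no longer says who performs the assignment, while the removed lines stated that the C3I team assigns `c3iaas-user` after a client supplies its list of users or groups, and that access is restricted to on-boarded clients for security reasons. If that process still holds, keep one sentence naming the C3I team as the party that grants the role, so readers do not take the `oc policy add-role-to-user` command as something any user can run for themselves. Also "using following command" should read "using the following command".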
@@ -18,11 +16,10 @@
|
| |
oc policy add-role-to-group --role-namespace=c3i c3iaas-user system:serviceaccounts:c3i system:serviceaccounts:c3i-stage
|
| |
```
|
| |
|
| |
- The definition of `c3iaas-user` role can be found from the `rbac` directory.
|
| |
+ ## c3iaas-tasks
|
| |
+ #### c3iaas-request-project
|
| |
+ This job can be triggered by a C3I user to request a temporary OpenShift project in OpenShift. The projects will be tracked by C3IaaS and they are automatically deleted when expires. There is `c3iaas-cleanup-projects` which ensures that projects don't take resources after the end of life.
|
| |
|
| |
- ## c3iaas-request-project
|
| |
-
|
| |
- This job can be triggered by a C3I user to request a temporary OpenShift project in OpenShift. That project will be tracked by C3IaaS and is automatically deleted when expires.
|
| |
|
| |
To trigger this job, a C3I user can run
|
| |
|
| |
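Review bot: The new `## c3iaas-tasks` heading is followed directly by `#### c3iaas-request-project`, which skips a heading level; use `###` for the job headings so the outline nests cleanly. In the added description, "they are automatically deleted when expires" should read "when they expire", and "There is `c3iaas-cleanup-projects` which ensures..." would be clearer as "The `c3iaas-cleanup-projects` job ensures...", since at this point the reader has not yet been told it is a job.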
@@ -32,20 +29,23 @@
|
| |
|
| |
Following build parameters are supported:
|
| |
|
| |
- - PROJECT_NAME
|
| |
- Required, the name of requested OpenShift project, must be prefixed with `c3i-`
|
| |
+ - PROJECT_NAME - *Required*, the __name of requested OpenShift project__, must be prefixed with `c3i-`
|
| |
+
|
| |
+ - DELETE_PROJECT_IF_EXISTS - if `true`, delete the project before recreating. *(default: true)*
|
| |
+
|
| |
+ - ADMIN_USERS - Comma separated __list of OpenShift users__ that will be assigned with the `admin` role.
|
| |
+
|
| |
+ - ADMIN_GROUPS - Comma separated __list of OpenShift groups__ that will be assigned with the `admin` role.
|
| |
+
|
| |
+ - VIEW_USERS - Comma separated __list of OpenShift users__ that will be assigned with the `view` role.
|
| |
|
| |
- - DELETE_PROJECT_IF_EXISTS="true"
|
| |
- if `true`, delete the project before recreating.
|
| |
+ - VIEW_GROUPS - Comma separated __list of OpenShift groups__ that will be assigned with the `view` role.
|
| |
|
| |
- - ADMIN_USERS
|
| |
- Comma separated list of OpenShift users that will be assigned with the `admin` role.
|
| |
+ - EDIT_USERS - Comma separated __list of OpenShift users__ that will be assigned with the `edit` role.
|
| |
|
| |
- - ADMIN_GROUPS
|
| |
- Comma separated list of OpenShift groups that will be assigned with the `admin` role.
|
| |
+ - EDIT_GROUPS - Comma separated __list of OpenShift groups__ that will be assigned with the `edit` role. *(default: "system:authenticated")*
|
| |
|
| |
- - VIEW_USERS
|
| |
- Comma separated list of OpenShift users that will be assigned with the `view` role.
|
| |
+ - LIFETIME_IN_MINUTES - __Number of minutes__ which will specify the life time of the project. The project is deleted after this time. *(default: 30, max: 1440 minutes = 1 day)*
|
| |
|
| |
- - VIEW_GROUPS="system:authenticated"
|
| |
- Comma separated list of OpenShift groups that will be assigned with the `view` role.
|
| |
+ #### c3iaas-cleanup-projects
|
| |
+ This job ensures that non of the expired projects take resources. The job is triggered evey 6 minutes.
|
| |
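Review bot: The documented default `system:authenticated` moves from VIEW_GROUPS (removed line `VIEW_GROUPS="system:authenticated"`) to EDIT_GROUPS (added `*(default: "system:authenticated")*`), so the README now says every authenticated user gets the `edit` role on each requested project unless the caller overrides it, and VIEW_GROUPS no longer lists a default. Please confirm this matches the job definition; if the wider default is intended, say so explicitly in the EDIT_GROUPS entry, and if not, restore the default on VIEW_GROUPS. Smaller points in the `c3iaas-cleanup-projects` paragraph: "non of" should be "none of" and "evey" should be "every", and the LIFETIME_IN_MINUTES entry could note that with cleanup running every 6 minutes a project may outlive its stated lifetime by up to that interval.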