We are in the unfortunate position where we are committed to supporting several tenants which require customisations to their OCP4 environment in order to run their workloads successfully. The purpose of this ticket is to create a mechanism for tracking/maintaining these customisations. We should ensure that these custmomisations are only stored as YAML definitions of a Kubernetes resource.
Some examples to date: - A particular operator needs to be installed and available on the cluster [3] - A particular service account requires elevated permissions [2]
The centosci/projects [1] repo contains metadata related to our tenants, namespace name, list of admins etc, this repo is likely a good candidate to also store our customisations. We could create a sub directory per tenant, and keep all the YAML definitions for their customisations there. Then update our adhoc playbook which creates the namespace/permissions, to also apply the customisations.
Proposed structure in centosci/projects [1]:
└── tenant1 ├── tenant1.yaml ├── customisations │ ├── custom_prometheusrules.yaml │ ├── installation_operatorx.yaml │ └── elevated_serviceaccount_permissions.yaml └── Makefile
@bstinson @arrfab @siddharthvipul1 @pingou at the moment we have a number of customisations in place on the ocp.ci.centos.org production cluster which are not documented (in peoples head), and not automated (unmanageable).
If we stick to only defining these customisations in YAML definitions which adhere to a Kubernetes API spec, we might have some hope of managing this going forward. Its easy to just create a few extra Kubernetes resources once they are correctly defined etc.
Metadata Update from @dkirwan: - Issue untagged with: high-gain, medium-trouble
Metadata Update from @dkirwan: - Issue untagged with: need-more-info - Issue tagged with: high-gain, medium-trouble
Metadata Update from @dkirwan: - Issue assigned to dkirwan
Metadata Update from @dkirwan: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.