Hello, we'd like to request access for our Fedora CI SIG.
Most of the details should be in the taiga epic: https://teams.fedoraproject.org/project/ci/epic/64
I have no idea if there is an official process for this and what exact information you need from me. We also have a document outlining our infra plans & resources needs (it's internal atm, we can open it).
CC @bookwar @mvadkert
Metadata Update from @mizdebsk: - Issue tagged with: aws
ok, so this is to install an OpenShift 4.x cluster in AWS?
I am not sure it's going to be possible to do this in the shared Fedora account. The OpenShift installer uses tons of permissions and creates a bunch of things, including managing its own roles and tags, which would not interact well with all the other groups using this.
Perhaps we should look at a separate account for this?
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review)
I believe we'd be able to manage the cluster ourselves (unless you really want to do it on your own).
Sadly, I have no idea what the existing AWS setup is, so I can't comment there - a separate account makes sense to me.
@kevin is the whole process documented somewhere? I think there is more lack of clarity about what we can actually expect. E.g. who creates the account and sets it up, how billing is managed, etc... Thanks!
So, let me explain what we have and how it's setup and then ask you all a few questions. :)
We have an AWS account (1) that Amazon has set up for Fedora as a community account. This means that Amazon picks up the billing for it, and expects us to use it for Fedora related items that help us, but also help them (having up to date/close mirrors for Fedora AWS users, etc). Access to this account uses our ipsilon SAML2 idp and FAS groups or specific users and tokens (for automation). We create an aws-foo group in FAS (so users can be added/removed there) and users log in and get an AWS 'role'. Each role (and user) has a policy set up that allows them access to the specific services they need (like ec2 and/or s3). For ec2, everyone can create and manage untagged instances, but once they tag them with their Fedora group/role only that group/role can manage those instances. For s3, permissions are per bucket name. So, a group gets a bucket and only they can manage that bucket.
The OpenShift installer expects to have * permissions. It sets up its own Roles and Users and... well, everything. I would be very afraid that it would step on our local perms and policies and mess up all the other groups using this account. You can see the perms it needs at: https://docs.openshift.com/container-platform/4.1/installing/installing_aws/installing-aws-account.html So, I am not very much in favor of slapping an OpenShift cluster on top of our existing groups.
Some questions:
Do you need your own cluster? Or could you share with others?
Do you need to manage your own cluster, or if someone else managed it, it would be ok?
Do you need 3.x or 4.x or doesn't matter?
Who pointed you at us for AWS resources? (I'm not mad at anyone, just want to make sure we explain what we have and how it's set up for those suggesting its use)
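As an added illustration of the tag-based isolation described above (this is not the Fedora Infrastructure policy itself; the tag key FedoraGroup, the group value aws-fedora-ci and the bucket name are assumed placeholders), an IAM policy attached to one group's role could look like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsReadOnlyAndOpenToAll",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "ManageInstancesThatCarryNoGroupTagAssumedKeyFedoraGroup",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"Null": {"aws:ResourceTag/FedoraGroup": "true"}}
    },
    {
      "Sid": "ManageInstancesTaggedWithOwnGroupOnly",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"aws:ResourceTag/FedoraGroup": "aws-fedora-ci"}}
    },
    {
      "Sid": "ClaimAnUntaggedInstanceAndOnlyForOwnGroup",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {"aws:ResourceTag/FedoraGroup": "true"},
        "StringEquals": {"aws:RequestTag/FedoraGroup": "aws-fedora-ci"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["FedoraGroup"]}
      }
    },
    {
      "Sid": "OwnBucketOnlyAssumedBucketName",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::fedora-ci-EXAMPLE-bucket", "arn:aws:s3:::fedora-ci-EXAMPLE-bucket/*"]
    }
  ]
}
```

The CreateTags statement is what stops one group from re-tagging another group's instance to take it over: it only allows tagging when the instance carries no FedoraGroup tag yet, the tag being set is the caller's own group, and no other key is set in the same request. Adding further tags (Name etc.) to an instance the group already owns needs a separate CreateTags statement conditioned on aws:ResourceTag/FedoraGroup equal to the group.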
Sending over the details after today's call for Testing Farm:
FAS accounts:
Plus we need one automation user for us, feel free to use a name like fedora-ci-testing-farm.
fedora-ci-testing-farm
As discussed we will start with one group aws-fedora-ci
@bookwar @ttomecek please add your FAS accounts and "automation user" requirements.
I also need to know what services you want to use... ec2 and eks? or any others?
@kevin testing-farm needs ec2, eks and s3 (for image import)
Sorry for the long delay here.
I'll leave this open for now to make sure you have access you need and that we get you the token for the user.
@mvadkert do you have everything you need? If so, can we close that ticket?
Meh, it's already been 18 days since I planned to test this, sorry for the delay also. Will test this today and report back ASAP
@kevin @cverna unfortunately it does not work. I am getting:
Your request included an invalid SAML response. To logout, click here
when redirected to AWS after a successful login.
I recorded a video about it:
Attachment: login-issue.mp4 (/fedora-infrastructure/issue/raw/files/fef96ed04a061cd391d30199a5d3540178766acc17881642b4712f33ae9b8ded-login-issue.mp4)
Oops. I missed a step here. ;(
Can you try again now?
@kevin seems I am still seeing the same thing :(
/me retrying few times
I tried an incognito browser, I see the same problem as recorded in the video ...
I am now able to login, I was able to provision EC2 instances and I can edit aws-fedora-ci group.
Spot instances not working is tracked here: https://pagure.io/fedora-infrastructure/issue/8407
Dedicated instances work well!
I think this ticket is done
Great. Enjoy!
Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)