+ = fas2discourse Operator

+ The following SOPs are related to the administration of the fas2discourse operator.

+ 

+ == Resources

+ - https://pagure.io/cpe/fas2discourse/[Code]

+ - https://quay.io/repository/fedora/fas2discourse-operator[Image]

+ - https://pagure.io/fedora-infrastructure/issue/10952[Initial ticket]

+ - xref:sop_fas2discourse_operator_installation.adoc[Install the fas2discourse operator]

+ - xref:sop_fas2idscourse_operator_testing.adoc[Testing the fas2discourse operator]

+ - xref:sop_fas2discourse_operator_build.adoc[Building/releasing the fas2discourse operator]

+ - xref:sop_fas2discourse_operator_interacting.adoc[Interacting with the the fas2discourse operator]

+ - xref:sop_fas2discourse_operator_debugging.adoc[Debugging issues with the the fas2discourse operator]

+ 

+ = Build/release the fas2discourse Operator

+ 

+ == Resources

+ - [1] Code: https://pagure.io/cpe/fas2discourse

+ - [2] Quay: https://quay.io/repository/fedora/fas2discourse-operator

+ 

+ == Installation

+ To build the operator and tag it with version `0.0.63` as an example:

+ 

+ - First ensure that you are logged into quay.io and have access to the repository at [2].

+ - Check out the code at [1].

+ - Make the change to the version of the operator being built by editing the `Makefile` and change the variable at the top `VERSION ?= 0.0.63`

+ 

+ ----

+ make build

+ ----

+ 

+ Push the operator to the quay.io catalog then with the following:

+ 

+ ----

+ podman push quay.io/repository/fedora/fas2discourse-operator:0.0.63

+ ----

+ 

+ = Debugging issues with the fas2discourse Operator

+ 

+ == Resources

+ - [1] Code: https://pagure.io/cpe/fas2discourse/

+ - [2] Playbook: https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/manual/fas2discourse.yml

+ - [3] Role: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/fas2discourse

+ 

+ == Workload

+ The operator runs in the namespace: `fas2discourse-operator` on both the staging and production openshift clusters.

+ 

+ There is a single pod running. First port of call should be to examine the logs of this pod.

+ 

+ By default, the verbocity of logs are set low. To increase them to debug level add the following annotation to the `Fas2DiscourseConfig` object in the `fas2discourse-operator` namespace:

+ 

+ ----

+ apiVersion: fas2discourse.apps.fedoraproject.org/v1alpha1

+ kind: Fas2discourseConfig

+ metadata:

+   annotations:

+     ansible.sdk.operatorframework.io/verbosity: '5'

+ ----

+ 

+ This will enable full output from logging, which may aid in debugging.

+ 

+ The following task list is contained inside the operator. This list is repeated in the reconcile loop which is currently set to run every `20 minutes`.

+ 

+ ----

+ # tasks file for Fas2discourseConfig

+ 

+ - include_tasks: retrieve_openshift_secrets.yml  # Retrieves the secrets such as discourse api key etc and populates variable which feeds into the later tasks

+ - include_tasks: kerberos_auth.yml               # Authenticate to fasjson via keytab

+ - include_tasks: retrieve_discourse_groups.yml   # Contact Discourse API, retrieve the list of groups, and retrieve the list of users in each group

+ - include_tasks: retrieve_ipa_groups.yml         # Contact fasjson, using the Discourse group list, retrieve the membership of each group in IPA

+ - include_tasks: sync_group_membership.yml       # Using set functions, discover who is not in Discourse group but is in IPA group: add them. Who is in Discourse group but not in IPA group: remove them.

+ ----

+ 

+ The results of each call in the workflow is outputted in the log. If any task fails the entire loop stops and retries.

+ = Installation of the fas2discourse Operator

+ 

+ == Resources

+ - [1] Code: https://pagure.io/cpe/fas2discourse/

+ - [2] Playbook: https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/manual/fas2discourse.yml

+ - [3] Role: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/fas2discourse

+ 

+ == Installation on Fedora Infra

+ 

+ There is a playbook [2] and role [3]. To install the operator in staging and production, run the playbook [2]. Users in the `sysadmin-openshift` group have permissions to run this playbook.

+ 

+ 

+ == Installation on a CRC cluster

+ There is a Makefile bundled with the code [1] of this operator.

+ 

+ To install the operator the basic steps are followed:

+ 

+ - From a terminal, be logged into the cluster with cluster-admin privileges.

+ - Run `make deploy`

+ 

+ To activate the operator we need to create a `fas2discourseconfig` custom resource. An example of one exists in `config/samples/_v1alpha1_fas2discourseconfig.yaml`

+ 

+ Create it with the following:

+ 

+ ----

+ oc apply -f config/samples/_v1alpha1_fas2discourseconfig.yaml

+ ----

+ 

+ 

+ 

+ 

+ == Configuration

+ 

+ - No other configuration is required for this operator.

+ = Interacting with the fas2discourse Operator

+ 

+ == Resources

+ - [1] Code: https://pagure.io/cpe/fas2discourse/

+ - [2] Playbook: https://pagure.io/fedora-infra/ansible/blob/main/f/playbooks/manual/fas2discourse.yml

+ - [3] Role: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/fas2discourse

+ 

+ == Overview of the fas2discourse Operator

+ The role of this operator is to synchronise group membership between IPA and Discourse. It does not synchronise all groups and all members, but only groups which exist in Discourse.

+ 

+ To start the synchronisation of a group, you must first request that a Discourse admin create it in Discourse. The fas2discourse operator will then begin to synchronise users to that group based on their membership in this group in IPA.

+ 

+ == Configuration of the fas2discourse operator

+ All configuration for the fas2idscourse operator is contained in the Fedora Infra private ansible repo.

+ 

+ Default vars contains the list which are used in the playbook which deploys the operator:

+ 

+ ----

+ fas2discourse_hostname: "fas2discourse.hostna.me"

+ fas2discourse_namespace: "fas2discourse-operator"

+ fas2discourse_project_description: "The fas2discourse-operator is responsible for synchronising group membership for users between Discourse and IPA."

+ fas2discourse_keytab_file: "OVERRIDEME WITH A FILE LOOKUP"

+ fas2discourse_discourse_apikey: "OVERRIDEME WITH A DISCOURSE APIKEY"

+ ----

+ 

+ The Operator has the following vars which it uses internally. These vars are populated by querying secrets in Openshift:

+ 

+ ----

+ # defaults file for Fas2discourseConfig

+ fas2discourse_keytab_path: "/etc/fas2discourse"

+ fas2discourse_principal: "fas2discourse/fas2discourse.hostna.me@FEDORAPROJECT.ORG"

+ f2d_namespace: "fas2discourse-operator"

+ f2d_secret: "fas2discourse-operator-k8s-secret"

+ f2d_discourse_secret: "fas2discourse-operator-discourse-apikey-secret"

+ fasjson_host: "OVERRIDEME"

+ discourse_host: "OVERRIDEME"

+ discourse_api: "OVERRIDEME"

+ discourse_ignored_groups:

+   - "admins"

+   - "staff"

+   - "moderators"

+   - "trust_level_0"

+   - "trust_level_1"

+   - "trust_level_2"

+   - "trust_level_3"

+   - "trust_level_4"

+ ----

+ 

+ = Test the fas2discourse Operator

+ 

+ == Resources

+ - [1] Code: https://pagure.io/cpe/fas2discourse/

+ - [2] Molecule: https://molecule.readthedocs.io/en/latest/

+ 

+ == Installation

+ There is a molecule directory bundled with the code [1] of this operator. They currently are designed to only run against a code ready container cluster.

+ 

+ To run the operator molecule tests:

+ 

+ - Ensure that the molecule utility is installed `dnf install python3-molecule`

+ - From a terminal, be logged into the crc cluster with cluster-admin privileges.

+ - Run `molecule test`

+ - xref:sop_fas2discourse_operator.adoc[SOP fas2discourse operator]