From 36a406732283da27c4df56c97e819861ad97bb37 Mon Sep 17 00:00:00 2001 From: Pavlina Bortlova Date: May 22 2020 10:20:22 +0000 Subject: Update c3iaas docs --- diff --git a/c3iaas/README.md b/c3iaas/README.md index ccdcaff..bcd9daa 100644 --- a/c3iaas/README.md +++ b/c3iaas/README.md @@ -5,11 +5,9 @@ common CI/CD routines. This is called C3I-as-a-Service, or C3IaaS. ## Onboarding to C3IaaS +The access to C3IaaS is limited to `c3iaas-user` role. The definition of `c3iaas-user` role can be found in the [rbac](rbac) directory. -For security reasons, the C3I team restricts the access to C3IaaS jobs only to on-boarded clients. - -A C3I client needs to provide a list of OpenShift users (service accounts) or groups to the C3I team, then the C3I team assigns the `c3iaas-user` role using the following command: - +The role can be assigned to users and groups using following command: ``` # assign to users oc policy add-role-to-user --role-namespace=c3i c3iaas-user mikeb yuxzhu @@ -18,11 +16,10 @@ oc policy add-role-to-user --role-namespace=c3i c3iaas-user mikeb yuxzhu oc policy add-role-to-group --role-namespace=c3i c3iaas-user system:serviceaccounts:c3i system:serviceaccounts:c3i-stage ``` -The definition of `c3iaas-user` role can be found from the `rbac` directory. +## c3iaas-tasks +#### c3iaas-request-project +This job can be triggered by a C3I user to request a temporary OpenShift project in OpenShift. The projects will be tracked by C3IaaS and they are automatically deleted when expires. There is `c3iaas-cleanup-projects` which ensures that projects don't take resources after the end of life. -## c3iaas-request-project - -This job can be triggered by a C3I user to request a temporary OpenShift project in OpenShift. That project will be tracked by C3IaaS and is automatically deleted when expires. To trigger this job, a C3I user can run 
@@ -32,20 +29,23 @@ oc start-build -n c3i c3iaas-request-project -e PROJECT_NAME=c3i- Following build parameters are supported: -- PROJECT_NAME -Required, the name of requested OpenShift project, must be prefixed with `c3i-` +- PROJECT_NAME - *Required*, the __name of requested OpenShift project__, must be prefixed with `c3i-` + +- DELETE_PROJECT_IF_EXISTS - if `true`, delete the project before recreating. *(default: true)* + +- ADMIN_USERS - Comma separated __list of OpenShift users__ that will be assigned with the `admin` role. + +- ADMIN_GROUPS - Comma separated __list of OpenShift groups__ that will be assigned with the `admin` role. + +- VIEW_USERS - Comma separated __list of OpenShift users__ that will be assigned with the `view` role. -- DELETE_PROJECT_IF_EXISTS="true" -if `true`, delete the project before recreating. +- VIEW_GROUPS - Comma separated __list of OpenShift groups__ that will be assigned with the `view` role. -- ADMIN_USERS -Comma separated list of OpenShift users that will be assigned with the `admin` role. +- EDIT_USERS - Comma separated __list of OpenShift users__ that will be assigned with the `edit` role. -- ADMIN_GROUPS -Comma separated list of OpenShift groups that will be assigned with the `admin` role. +- EDIT_GROUPS - Comma separated __list of OpenShift groups__ that will be assigned with the `edit` role. *(default: "system:authenticated")* -- VIEW_USERS -Comma separated list of OpenShift users that will be assigned with the `view` role. +- LIFETIME_IN_MINUTES - __Number of minutes__ which will specify the life time of the project. The project is deleted after this time. *(default: 30, max: 1440 minutes = 1 day)* -- VIEW_GROUPS="system:authenticated" -Comma separated list of OpenShift groups that will be assigned with the `view` role. +#### c3iaas-cleanup-projects +This job ensures that non of the expired projects take resources. The job is triggered evey 6 minutes.
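Review bot: In the `@@ -5,11 +5,9 @@` hunk, the rewritten onboarding text no longer says who grants `c3iaas-user` or how a client asks for it. The removed lines stated that the C3I team assigns the role after the client provides a list of OpenShift users (service accounts) or groups. Since this role is what limits access to C3IaaS, keep one sentence naming who is expected to run `oc policy add-role-to-user` and `oc policy add-role-to-group`, so the command is not read as self-service. Minor: "using following command" should be "using the following command", and the blank line before the opening code fence was dropped; restore it so the block renders consistently.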
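Review bot: In the `@@ -18,11 +16,10 @@` hunk, the new `## c3iaas-tasks` heading is followed directly by `#### c3iaas-request-project`, which skips a heading level. Use `###` for the job headings (the same applies to `#### c3iaas-cleanup-projects` at the end of the patch) and leave a blank line after each heading. In the added paragraph, "automatically deleted when expires" should read "automatically deleted when they expire", and "There is `c3iaas-cleanup-projects` which ensures ..." would be clearer as "The `c3iaas-cleanup-projects` job ensures that expired projects do not keep consuming resources."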
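Review bot: In the `@@ -32,20 +29,23 @@` hunk, the `system:authenticated` default moves from `VIEW_GROUPS` to `EDIT_GROUPS`, so as documented every authenticated user gets `edit` instead of `view` on each requested project unless the caller overrides it. Please confirm that this matches the job definition and is intended; if it is, state it explicitly in the `EDIT_GROUPS` description so requesters know to narrow it. It is also worth spelling out that with `DELETE_PROJECT_IF_EXISTS` defaulting to `true`, a request that reuses an existing `PROJECT_NAME` deletes that project first. For `LIFETIME_IN_MINUTES`, say what happens when a value above the stated maximum of 1440 is passed. Typos in the last added line: "non of" should be "none of" and "evey" should be "every".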