For background please refer to the description of Workspace Provisioning. The general idea is to:

- Step 1: watch for the creation of a `Bucket` custom resource (an instance of the Bucket CRD) in the Kubernetes cluster, reflecting the need for user workspace provisioning
- Step 2: fulfil this demand by creating an S3 compliant object storage bucket (platform specific!)
- Step 3: communicate the successful creation of the bucket to the EOEPCA components by exposing the necessary access details via a Kubernetes secret
Note: Step 2 can either be

- automated, as done with the implementation for CreoDias / OpenStack in this bucket-operator demonstrator, or
- performed manually, by creating a bucket on the platform and afterwards manually creating a secret with the access details in the Kubernetes cluster.
This project demonstrates how the fulfilment of platform specific resources such as user specific object storage can be automated. The current implementation uses the openstack4j Java library as well as the AWS S3 Java SDK to

- create an OpenStack project for the user
- create an OpenStack user identity within that project
- create an OpenStack container (i.e. an S3 compliant object storage bucket) within the project
- link the OpenStack user identity to the project
- assign a bucket policy that grants other OpenStack user identities (e.g. the ADES component) access to the created container
To create the platform resources on OpenStack the following environment variables have to be provided to the bucket-operator:

- `OS_USERNAME`, `OS_PASSWORD`, `OS_DOMAINNAME` of an EOEPCA operations user with administrative permissions to create new projects, users and containers via the OpenStack API. This is a highly privileged credential: it should be stored as a Kubernetes secret and exposed to the operator only.
- `OS_MEMBERROLEID` of a specific role grouping the users of the EOEPCA operations team, used to grant them access to the newly created user project (support, troubleshooting, ...)
- `OS_SERVICEPROJECTID` of the project containing the OpenStack user identities of the EOEPCA components that require write permissions on the created user bucket (e.g. ADES)
- `USER_EMAIL_PATTERN` for the email address associated to the user created within the user project. This demonstrator only aims to grant the user access to the created bucket, not to other OpenStack resources, so an EOEPCA operations email is used here. Note: `<name>` is templated and will be replaced, e.g. `eoepca+<name>@eoepca-operator.org`.
See here for example values corresponding to the EOEPCA development cluster.
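As an added example (not code from the bucket-operator project, which is written in Java using openstack4j and the AWS S3 SDK), the following Python sketches Steps 2 and 3 for one `Bucket` custom resource as pure functions so that it runs offline, without an OpenStack or S3 endpoint: templating `USER_EMAIL_PATTERN`, building the bucket policy for the component identities in `OS_SERVICEPROJECTID`, checking that the policy is scoped to that one bucket before it would be applied, and rendering the Kubernetes Secret that carries the access details. The CR field names and API group, the Secret key names, the `S3_ENDPOINT` and `SERVICE_USERS` settings and the Ceph RGW style principal ARN format (`arn:aws:iam::<tenant>:user/<user>`) are assumptions, as are all sample values.

```python
"""Added worked example, not the bucket-operator's own code.

Models Steps 2 and 3 for a single Bucket custom resource without calling
OpenStack or S3. Assumptions (not taken from the project): CR field names
and API group, Secret key names, S3_ENDPOINT / SERVICE_USERS settings and the
Ceph RGW principal ARN convention.
"""
import base64
import json
import re

# Constructed configuration mirroring the operator's environment variables.
CONFIG = {
    "OS_SERVICEPROJECTID": "0123456789abcdef0123456789abcdef",  # constructed
    "OS_MEMBERROLEID": "fedcba9876543210fedcba9876543210",      # constructed
    "USER_EMAIL_PATTERN": "eoepca+<name>@eoepca-operator.org",
    "S3_ENDPOINT": "https://s3.example.invalid",                # assumed setting
    "SERVICE_USERS": ["ades"],  # identities inside OS_SERVICEPROJECTID (assumed)
}

# S3 bucket names: lowercase, digits, hyphens, 3..63 chars, no leading/trailing hyphen.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def user_email(name, pattern):
    """Replace the <name> placeholder of USER_EMAIL_PATTERN."""
    return pattern.replace("<name>", name)


def bucket_policy(bucket, service_project_id, service_users):
    """S3 bucket policy granting the component identities of the service
    project read/write access to this bucket and nothing else. The principal
    ARN format follows the Ceph RGW convention (an assumption; it depends on
    the platform's S3 implementation)."""
    principals = [f"arn:aws:iam::{service_project_id}:user/{u}" for u in service_users]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EoepcaComponentBucketAccess",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "EoepcaComponentObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def policy_is_scoped(policy, bucket):
    """Guard run before applying a policy: no wildcard principal, no wildcard
    action, and every Resource is this bucket or its objects."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy["Statement"]:
        principals = stmt["Principal"].get("AWS", [])
        if principals == "*" or "*" in principals:
            return False
        if any(a in ("*", "s3:*") for a in stmt["Action"]):
            return False
        if not set(stmt["Resource"]) <= allowed:
            return False
    return True


def access_secret(namespace, bucket, access_key, secret_key, endpoint):
    """Kubernetes Secret manifest carrying the access details (Step 3).
    Key names are an assumption; the consuming components must agree on them."""
    data = {"bucketname": bucket, "access": access_key, "secret": secret_key, "endpoint": endpoint}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"bucket-{bucket}", "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def fulfil(bucket_cr, config, credentials):
    """Steps 2 and 3 for one Bucket CR, minus the OpenStack/S3 API calls.
    credentials: the (access key, secret key) pair created for the new user."""
    name = bucket_cr["metadata"]["name"]
    namespace = bucket_cr["metadata"]["namespace"]
    bucket = bucket_cr["spec"]["bucketName"]  # field name is an assumption
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    policy = bucket_policy(bucket, config["OS_SERVICEPROJECTID"], config["SERVICE_USERS"])
    if not policy_is_scoped(policy, bucket):
        raise ValueError("refusing to apply an over-broad bucket policy")
    access_key, secret_key = credentials
    return {
        "project": name,
        "user_email": user_email(name, config["USER_EMAIL_PATTERN"]),
        "member_role_id": config["OS_MEMBERROLEID"],
        "policy_json": json.dumps(policy, indent=2),
        "secret": access_secret(namespace, bucket, access_key, secret_key, config["S3_ENDPOINT"]),
    }


# Constructed Bucket custom resource as the operator would observe it in Step 1.
SAMPLE_CR = {
    "apiVersion": "eoepca.example/v1alpha1",  # API group is an assumption
    "kind": "Bucket",
    "metadata": {"name": "alice", "namespace": "ws-alice"},
    "spec": {"bucketName": "eoepca-user-alice"},
}

if __name__ == "__main__":
    result = fulfil(SAMPLE_CR, CONFIG, ("AKIAEXAMPLE", "constructed-secret"))
    print(result["user_email"])
    print(result["policy_json"])
    print(json.dumps(result["secret"], indent=2))
```

The `policy_is_scoped` guard is the piece worth keeping whatever the platform: the operator runs with an OpenStack administrator credential, so a templating mistake in the policy (a wildcard principal, or another user's bucket ARN) would silently grant far more than access to the user's own bucket.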