Service Binding: APPSVC-1283

Primazactl: add create namespace commands


    • Type: Story
    • Resolution: Done
    • Priority: Major
    • Primaza 0.1
    • Service Binding
    • AppSvc Sprint 234, AppSvc Sprint 235

      Owner:
      Architect: Francesco Ilario

      Story (Required)

      As a Primaza Administrator, I would like to easily set up Applications and Services namespaces so that I can discover services and bind them to applications.

      Background (Required)

      Given a Primaza cluster and a Worker cluster, the Primaza Administrator needs to create applications and services namespaces in the Worker cluster.

      As defined in the Primaza architecture document, we need to grant Primaza the rights to access applications and services namespaces and to deploy agents into them.
      We also need to set up Service Accounts for the agents and configure their permissions on resources. Permissions must be namespace scoped.

      See epic for arch document link.

      Glossary

      See the glossary in the architecture document.

      Out of scope

      • Cluster creation
      • Primaza User creation

      In Scope

      • Namespace creation
      • Role and RoleBinding creation

      Approach (Required)

      In primazactl, define the following commands:

      primazactl worker create applications-namespace --name "$APPLICATION_NAMESPACE_NAME" --cluster-environment "$CLUSTER_ENVIRONMENT_NAME"
      primazactl worker create services-namespace --name "$SERVICE_NAMESPACE_NAME" --cluster-environment "$CLUSTER_ENVIRONMENT_NAME"

      Whenever a new namespace is requested, an identity must be created on Primaza so that the namespace's agents can authenticate.
      The first step is therefore to generate an RSA key of at least 2048 bits for the Worker cluster, referred to below as the "Worker key".

      On the Primaza cluster, the following operations should be performed:

      • Use the Worker key to create a CertificateSigningRequest (CSR) named after the Cluster Environment and the Environment, e.g. primaza-$CLUSTER_ENVIRONMENT_NAME
      • Approve the CSR
      • Create a kubeconfig with the CSR's Certificate

      On the Worker cluster, the following operations should be performed:

      • Create the Namespace
      • In the created namespace, create the Secret 'primaza-auth-$CLUSTER_ENVIRONMENT' containing the Worker key and the kubeconfig for authenticating with the Primaza cluster.
      • In the created namespace, create a Service Account for the agent to be deployed in the namespace (named for example primaza-application-agent or primaza-service-agent)
      • In the created namespace, create the Role for the agent (named for example primaza-application-agent or primaza-service-agent) that grants it access to the namespace and its resources
      • In the created namespace, create a RoleBinding binding the agent's Service Account to the Role defined above
      • In the created namespace, create a Role (named primaza-application or primaza-service) that grants the primaza user access to the namespace and its resources (e.g. create ServiceClaims, create RegisteredServices)
        • Reminder: the primaza user is created during Worker cluster setup
      • In the created namespace, create a RoleBinding binding the user primaza to the Role defined above

      For both namespace types, the user primaza must be able to perform the following actions in order to deploy agents:

      • create, update Deployments

      For applications namespaces, Service Account primaza-application-agent must be able to perform the following actions:

      • read, list Secrets
      • read, list, watch ServiceBinding
      • read, list, update, watch Deployments
      • read, list, update Pods

      For services namespaces, Service Account primaza-service-agent must be able to perform the following actions:

      • read, list Services
      • read, list Deployments

      For security reasons, any further permissions required for service discovery should be granted to primaza-service-agent by the cluster administrator rather than by primazactl.
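The Role and RoleBinding steps above, as an added example that is not primazactl's own code: it builds the namespace-scoped Role and RoleBinding for each agent from the permission lists in this story and audits a Role (for instance one read back from the Worker cluster) against that allowlist, flagging wildcards, unlisted verbs and non-namespaced kinds. It assumes the story's "read" maps to the Kubernetes verb "get" and that ServiceBinding lives in the API group "primaza.io".

```python
"""Added example (not primazactl's own code): build and audit the agent Roles.
Assumptions: the story's "read" is the Kubernetes verb "get"; ServiceBinding is in group "primaza.io"."""
from typing import Dict, List, Tuple
# Permissions from the story, per agent, as (apiGroup, resource, verbs).
AGENT_RULES: Dict[str, List[Tuple[str, str, List[str]]]] = {
    "primaza-application-agent": [
        ("", "secrets", ["get", "list"]),
        ("primaza.io", "servicebindings", ["get", "list", "watch"]),  # API group assumed
        ("apps", "deployments", ["get", "list", "update", "watch"]),
        ("", "pods", ["get", "list", "update"]),
    ],
    "primaza-service-agent": [
        ("", "services", ["get", "list"]),
        ("apps", "deployments", ["get", "list"]),
    ],
}

def build_role(agent: str, namespace: str) -> dict:
    """Namespace-scoped Role (not a ClusterRole) carrying only the listed verbs."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": agent, "namespace": namespace},
        "rules": [{"apiGroups": [g], "resources": [r], "verbs": list(v)}
                  for g, r, v in AGENT_RULES[agent]],
    }

def build_role_binding(agent: str, namespace: str) -> dict:
    """Bind the agent's ServiceAccount (same name, same namespace) to its Role."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": agent, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": agent, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": agent},
    }

def excess_grants(role: dict) -> List[str]:
    """Audit a Role manifest against the story's allowlist for its agent name.
    Reports a non-namespaced kind, any wildcard, and any verb/resource not listed."""
    name = role["metadata"]["name"]
    allowed = {(g, r): set(v) for g, r, v in AGENT_RULES.get(name, [])}
    findings = [] if role.get("kind") == "Role" else ["not namespace scoped: " + str(role.get("kind"))]
    for rule in role.get("rules", []):
        for g in rule.get("apiGroups", []):
            for r in rule.get("resources", []):
                for v in rule.get("verbs", []):
                    if "*" in (g, r, v) or v not in allowed.get((g, r), set()):
                        findings.append(f"{v} {g or 'core'}/{r}")
    return findings
```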

      Demo requirements (Required)

      NA

      Dependencies

      Edge Case

      NA

      BDD Tests

      You can find the BDD Test specification for this story in the GitHub Issue linked to this story.

      Acceptance Criteria

      • Development
        primazactl has commands for creating applications and services namespaces
        primaza user permissions are set correctly for each namespace type
        the primaza-application-agent Service Account is created and assigned permissions
        the primaza-service-agent Service Account is created and assigned permissions
        There is help text for each implemented command
      • QE
        There are test cases for applications namespace creation
        There are test cases for services namespace creation
      • Docs
        There is a page in our docs dedicated to explaining how to create an applications namespace and what resources will be created
        There is a page in our docs dedicated to explaining how to create a services namespace and what resources will be created
        There is a link in primazactl docs to the commands pages

      INVEST Checklist

      Dependencies identified
      Blockers noted and expected delivery timelines set
      Design is implementable
      Acceptance criteria agreed upon
      Story estimated


              mmulholl Martin Mulholland (Inactive)
              rh-ee-filario Francesco Ilario
              Francesco Ilario