For background please refer to the description of Workspace Provisioning. The general idea is to:

1. watch for the creation of a Kubernetes Bucket CRD in the Kubernetes cluster, reflecting the need for user workspace provisioning
2. fulfill this demand by creating an S3-compliant object storage bucket (platform specific!)
3. communicate the successful creation of the bucket to EOEPCA components by exposing the necessary access details via a Kubernetes secret
Note: Step 2 can either be
or
This project demonstrates how the fulfillment process for specific platform resources, such as user-specific object storage, could be automated. The current implementation uses the openstack4j Java library as well as the AWS S3 Java SDK to:

- create an OpenStack project for the user
- create an OpenStack user identity within the OpenStack project for the user
- create an OpenStack container (i.e. an S3-compliant object storage bucket) within the OpenStack project for the user
- link the OpenStack user identity to the OpenStack project
- assign a bucket policy to the created OpenStack container granting access to other OpenStack user identities (e.g. the ADES component)
To create the proper platform resources on OpenStack, the following environment variables have to be provided to the bucket-operator project:

- `OS_USERNAME`, `OS_PASSWORD`, `OS_DOMAINNAME` of an EOEPCA operations user with administrative permissions to create new projects, users and containers via the OpenStack API
- `OS_MEMBERROLEID` of a specific role grouping the users of the EOEPCA operations team, to grant them access to the newly created user project (support, troubleshooting, ...)
- `OS_SERVICEPROJECTID` of a project containing the OpenStack user identities of EOEPCA components requiring write permissions on the created user bucket (e.g. ADES)
- `USER_EMAIL_PATTERN` associated with the user created within the user project. This demonstrator only aims to grant the user access to the created user bucket, not to other OpenStack resources, i.e. an EOEPCA operations email is put here. Note: `<name>` is templated and will be replaced, e.g. `eoepca+<name>@eoepca-operator.org`.
See here for example values corresponding to the EOEPCA development cluster.
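The following is an added illustration of what the operator produces for one Bucket CR once the platform calls have succeeded: the templated user email, the bucket policy that grants the platform service identity (e.g. ADES) access to the user's bucket and nobody else, and the Kubernetes secret carrying the access details. It is example code written for this page in Python, not the bucket-operator's own Java implementation. The CRD group/version, the `spec.bucketName` field, the secret layout, the IAM-style principal ARNs and the `ades` service user name are assumptions; the sample CR, environment and credentials are constructed.

```python
"""Constructed example of the bucket-operator reconcile outcome (not project code)."""
import base64

# Constructed sample Bucket CR; apiVersion/kind/spec layout is an assumption.
SAMPLE_BUCKET_CR = {
    "apiVersion": "example.eoepca.org/v1alpha1",   # assumed group/version
    "kind": "Bucket",
    "metadata": {"name": "alice", "namespace": "workspaces"},
    "spec": {"bucketName": "alice-workspace"},
}

# Constructed sample environment mirroring the variables listed above.
SAMPLE_ENV = {
    "USER_EMAIL_PATTERN": "eoepca+<name>@eoepca-operator.org",
    "OS_SERVICEPROJECTID": "PLACEHOLDER_SERVICE_PROJECT_ID",
    "OS_MEMBERROLEID": "PLACEHOLDER_MEMBER_ROLE_ID",
}


def render_user_email(pattern: str, name: str) -> str:
    """Replace the <name> placeholder as described for USER_EMAIL_PATTERN."""
    return pattern.replace("<name>", name)


def build_bucket_policy(bucket: str, owner_arn: str, service_arn: str) -> dict:
    """S3-style policy: the owner gets full access to its own bucket, the
    platform service identity gets list/read/write. No wildcard principals."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerFullAccess", "Effect": "Allow",
             "Principal": {"AWS": [owner_arn]},
             "Action": ["s3:*"], "Resource": resources},
            {"Sid": "ServiceReadWrite", "Effect": "Allow",
             "Principal": {"AWS": [service_arn]},
             "Action": ["s3:ListBucket", "s3:GetObject",
                        "s3:PutObject", "s3:DeleteObject"],
             "Resource": resources},
        ],
    }


def policy_has_anonymous_principal(policy: dict) -> bool:
    """Guard run before applying a policy: any '*' principal would expose
    the workspace bucket to unauthenticated access."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or "*" in (aws if isinstance(aws, list) else [aws]):
                return True
    return False


def build_access_secret(cr: dict, endpoint: str, access_key: str, secret_key: str) -> dict:
    """Kubernetes Secret manifest exposing the bucket access details (step 3).
    Secret data values must be base64 encoded."""
    def b64(value: str) -> str:
        return base64.b64encode(value.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"bucket-{cr['metadata']['name']}",
                     "namespace": cr["metadata"]["namespace"]},
        "type": "Opaque",
        "data": {"bucketname": b64(cr["spec"]["bucketName"]),
                 "endpoint": b64(endpoint),
                 "access": b64(access_key),
                 "secret": b64(secret_key)},
    }


def decode_secret_value(secret: dict, key: str) -> str:
    """Inverse of the encoding above, for verifying the manifest."""
    return base64.b64decode(secret["data"][key]).decode()


def reconcile(cr: dict, env: dict, credentials: dict, service_user: str = "ades") -> dict:
    """Assemble the policy to apply and the secret to create for one Bucket CR.
    The principal ARN formats below are assumptions."""
    name = cr["metadata"]["name"]
    bucket = cr["spec"]["bucketName"]
    owner_arn = f"arn:aws:iam:::user/{name}"
    service_arn = f"arn:aws:iam::{env['OS_SERVICEPROJECTID']}:user/{service_user}"
    policy = build_bucket_policy(bucket, owner_arn, service_arn)
    if policy_has_anonymous_principal(policy):
        raise ValueError("refusing to apply a bucket policy with an anonymous principal")
    secret = build_access_secret(cr, credentials["endpoint"],
                                 credentials["access"], credentials["secret"])
    return {"userEmail": render_user_email(env["USER_EMAIL_PATTERN"], name),
            "bucketPolicy": policy, "secret": secret}


if __name__ == "__main__":
    creds = {"endpoint": "https://s3.example.invalid", "access": "AKCONSTRUCTED", "secret": "SKCONSTRUCTED"}
    print(reconcile(SAMPLE_BUCKET_CR, SAMPLE_ENV, creds))
```

The anonymous-principal guard is the part worth keeping regardless of how the policy is built: a workspace bucket that the operator accidentally grants to `*` is readable by anyone who can reach the S3 endpoint, and the check is cheap to run before every `PutBucketPolicy` call.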