From 87d1b855fedb6f92847d0e449ecf1d22749aff8d Mon Sep 17 00:00:00 2001 From: Matej Focko Date: Wed, 25 Sep 2024 10:12:59 +0200 Subject: [PATCH] docs(mpp): document MP+ specifics and firewall rules Related to #593 Signed-off-by: Matej Focko --- docs/deployment/specifics/clusters.md | 62 +++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 docs/deployment/specifics/clusters.md diff --git a/docs/deployment/specifics/clusters.md b/docs/deployment/specifics/clusters.md new file mode 100644 index 0000000..fcefb52 --- /dev/null +++ b/docs/deployment/specifics/clusters.md @@ -0,0 +1,62 @@ +--- +title: Clusters +--- + +## Automotive → MP+ + +Currently we are moving from the Automotive cluster to the MP+ cluster. Our +staging deployment is already present on the MP+ and there were some differences +introduced once the migration started. + +### Namespaces + +Previously we have used a rather simple `packit-{{ deployment }}` namespace. On +MP+ we are given `packit` as a tenant prefix, that needs to be separated from +our custom namespaces by `--`, therefore we use `packit--stg` and +`packit--stg-sandbox`. + +### Postgres + +On MP+ we have also moved to the newer postgres image, specifically we have used +v13 and moved on to the v15. + +### Logging + +On Automotive cluster we're using fluentd-sidecar to upload the logs to the +Splunk. Within the MP+ cluster we don't need to, since the logs can be output to +the `stdout` and are logged implicitly. + +### Firewall + +Outgoing connections on the MP+ are implicitly denied and firewall rules must be +explicitly requested. `10.0.0.0/8` network access from within our sandbox is +explicitly denied. + +#### Requesting firewall rules + +1. Search for “egress firewall rules OSD” on Source +2. Shiny link _opening a ticket_ +3. You can take an inspiration from RITM1861658; almost all of our tickets for + firewall rules follow a template below. + +#### Template and notes + +``` +• source: ‹list the clusters here› +• destination: ‹list of domains› +• protocol: 80, 443 +• justification: ‹almost as our release notes› +(N clusters × M domains × P ports) +``` + +If you want to include subdomains, I would recommend typing it as +`.example.com`, e.g., `.kde.org`. + +Don't forget to replace the `N`, `M`, and `P` with their respective values, it +is used just as a check. You can also link the original issue with the waiting +list, not required though. + +If you need to request outgoing SSH to be allowed (e.g. SSH access to git +forges), don't forget to specify port 22 (which is the usual default), **and** +instead of domain, give **IP addresses**. SSH access is bound by IPs rather than +domains (can be seen in the “inspiration” ticket mentioned above).