Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(mpp): document MP+ specifics and firewall rules #599

Merged
merged 2 commits into from
Sep 25, 2024
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions docs/deployment/specifics/clusters.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
---
title: Clusters
---

## Automotive → MP+

Currently we are moving from the Automotive cluster to the MP+ cluster. Our
staging deployment is already present on the MP+ and there were some differences
introduced once the migration started.

### Namespaces

Previously we have used a rather simple `packit-{{ deployment }}` namespace. On
MP+ we are given `packit` as a tenant prefix, that needs to be separated from
our custom namespaces by `--`, therefore we use `packit--stg` and
`packit--stg-sandbox`.

### Postgres

On MP+ we have also moved to the newer postgres image, specifically we have used
v13 and moved on to the v15.

### Logging

On Automotive cluster we're using fluentd-sidecar to upload the logs to the
Splunk. Within the MP+ cluster we don't need to, since the logs can be output to
the `stdout` and are logged implicitly.

### Firewall

Outgoing connections on the MP+ are implicitly denied and firewall rules must be
explicitly requested. `10.0.0.0/8` network access from within our sandbox is
explicitly denied.

#### Requesting firewall rules

1. Search for “egress firewall rules OSD” on Source
2. Shiny link _opening a ticket_
3. You can take an inspiration from RITM1861658; almost all of our tickets for
firewall rules follow a template below.
mfocko marked this conversation as resolved.
Show resolved Hide resolved

#### Template and notes

```
• source: ‹list the clusters here›
• destination: ‹list of domains›
• protocol: 80, 443
• justification: ‹almost as our release notes›
(N clusters × M domains × P ports)
```

If you want to include subdomains, I would recommend typing it as
`.example.com`, e.g., `.kde.org`.
mfocko marked this conversation as resolved.
Show resolved Hide resolved

Don't forget to replace the `N`, `M`, and `P` with their respective values, it
is used just as a check. You can also link the original issue with the waiting
list, not required though.

If you need to request outgoing SSH to be allowed (e.g. SSH access to git
forges), don't forget to specify port 22 (which is the usual default), **and**
instead of domain, give **IP addresses**. SSH access is bound by IPs rather than
domains (can be seen in the “inspiration” ticket mentioned above).
Loading