Awesome
Cloud Plugin for ColdFront
The cloud plugin allows resource allocations to be requested and provisioned in OpenStack and OpenShift cloud environments from ColdFront.
Note: OpenShift support requires deploying the openshift-acct-mgt API service.
Terminology
Caution as OpenStack, OpenShift and ColdFront use the same term to mean different things! Those terms will be prefixed by the system they apply to.
ColdFront
- resource - describes a computational environment for which access can be requested. In this document they will be referred to as coldfront resources.
- project - a container for grouping together metadata and resource allocations from the same group of people and for the same purpose. They will be referred as coldfront projects.
- resource allocation - tracks the lifecycle of access to an environment from a project.
- resource attribute - attributes associated to a specific environment.
- resource allocation attribute - attributes associated to a specific resource allocation on an environment from a project.
OpenStack
- resource - describes a type of computational resource offered by the OpenStack cloud. In this document they will be referred to as openstack resources. Can be a virtual server, vCPUs, RAM, volumes, etc.
- project - OpenStack terminology for a resource allocation and all resource spawned therein. They will be referred as openstack projects.
- quota - limitation on the amount of a resource that can be consumed by a project.
- domain - container for groups and users. Allows some organizational and administrative separation.
OpenShift
- project - OpenShift terminology for a namespace. In this document they will be referred to as openshift projects.
Configuration
The plugin registers a helper command to register the appropriate resource
types and resource attribute types as described below. The cloud plugin
is called automatically for coldfront resources of type OpenStack
and
OpenShift
.
$ coldfront register_cloud_attributes
Multiple coldfront resources of type OpenStack
or OpenShift
can be created.
Configuring for OpenStack
Authentication for OpenStack is loaded as pairs of environment variables in the form
OPENSTACK_{resource_name}_APPLICATION_CREDENTIAL_ID
and
OPENSTACK_{resource_name}_APPLICATION_CREDENTIAL_SECRET
where {resource_name}
is the name of the coldfront resource as all uppercase (with spaces and -
replaced by _
).
Each OpenStack resource must have the following attributes set in coldfront:
OpenStack Auth URL
- the URL of the Keystone endpoint (omitting version and ending slash)OpenStack Domain for Projects
- The domain id that new projects will be created inOpenStack Domain for Users
- The domain id that new users will be created inOpenStack Identity Provider
- The identity provider as configured in keystoneOpenStack Federation Protocol
- (defaults to openid) The federation protocol used with the identity providerOpenStack Role for User in Project
- (defaults to member) The role name of the role that is assigned to the user on project creation
Registration of OpenStack coldfront resources can be performed via the UI management dashboard or through the helper command:
$ coldfront add_openstack_resource
usage: coldfront add_openstack_resource [-h] --name NAME --auth-url AUTH_URL [--users-domain USERS_DOMAIN] [--projects-domain PROJECTS_DOMAIN] --idp IDP [--protocol PROTOCOL] [--role ROLE]
[--public-network PUBLIC_NETWORK] [--network-cidr NETWORK_CIDR] [--esi] [--version] [-v {0,1,2,3}] [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback]
[--no-color] [--force-color] [--skip-checks]
coldfront add_openstack_resource: error: the following arguments are required: --name, --auth-url, --idp
An Openstack resource can be specified as an ESI resource by setting the --esi
command flag.
ESI resource allocations will only have quotas for network resources by default.
Configuring for OpenShift
Note: OpenShift support requires deploying the openshift-acct-mgt API service.
Authentication for OpenShift is loaded as pairs of environment variables
OPENSHIFT_{resource_name}_USERNAME
and OPENSHIFT_{resource_name}_PASSWORD
where {resource_name}
is the name of the coldfront resource as all uppercase
(with spaces and -
replaced by _
).
Each OpenShift resource must have the following attributes set in coldfront:
OpenStack Auth URL
- the URL of theopenshift-acct-mgt
endpoint.OpenStack Role for User in Project
- the name of theClusterRole
to assign to users on the namespace.
Registration of OpenShift coldfront resources can be performed via the UI management dashboard or through the helper command:
$ coldfront add_openshift_resource
usage: coldfront add_openshift_resource [-h] --name NAME --auth-url AUTH_URL [--role ROLE] [--version] [-v {0,1,2,3}] [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback]
[--no-color] [--force-color] [--skip-checks]
coldfront add_openshift_resource: error: the following arguments are required: --name, --auth-url
Quotas
The amount of quota to start out a resource allocation after approval, can be specified using an integer field in the resource allocation request form.
ColdFront has a current limitation on being able to display only one integer field, therefore the concept of a unit of computing is introduced to tie multiple resource quotas to a single multiplier.
OpenStack Resource Name | Quota Amount x Unit |
---|---|
Instances | 1 |
vCPUs | 2 |
RAM | 4096 |
Volumes | 1 |
OpenShift Resource Name | Quota Amount x Unit |
---|---|
Limit on CPU | 2 |
Limit on RAM (MB) | 2 |
Limit on Ephemeral Storage Quota (GB) | 5 |
After the resource allocation has been approved, these resulting quota will be stored individually per resource as resource allocation attributes under the following resource allocation attribute types.
-
OpenStack Compute Instance Quota
-
OpenStack Compute RAM Quota
-
OpenStack Compute vCPU Quota
-
OpenStack Volumes Quota
-
OpenShift Limit on CPU Quota
-
OpenShift Limit on RAM Quota
-
OpenShift Limit on Ephemeral Storage Quota (GB)
-
OpenShift Request on Storage Quota (GB)
-
OpenShift Persistent Volume Quota
By submitting a Resource Allocation Change Request and editing those attributes a PI can request a change in their quota.