|
| 1 | +--- |
| 2 | +title: Clusters |
| 3 | +--- |
| 4 | + |
| 5 | +## Automotive → MP+ |
| 6 | + |
| 7 | +Currently we are moving from the Automotive cluster to the MP+ cluster. Our |
| 8 | +staging deployment is already present on the MP+ and there were some differences |
| 9 | +introduced once the migration started. |
| 10 | + |
| 11 | +### Namespaces |
| 12 | + |
| 13 | +Previously we have used a rather simple `packit-{{ deployment }}` namespace. On |
| 14 | +MP+ we are given `packit` as a tenant prefix, that needs to be separated from |
| 15 | +our custom namespaces by `--`, therefore we use `packit--stg` and |
| 16 | +`packit--stg-sandbox`. |
| 17 | + |
| 18 | +### Postgres |
| 19 | + |
| 20 | +On MP+ we have also moved to the newer postgres image, specifically we have used |
| 21 | +v13 and moved on to the v15. |
| 22 | + |
| 23 | +### Logging |
| 24 | + |
| 25 | +On Automotive cluster we're using fluentd-sidecar to upload the logs to the |
| 26 | +Splunk. Within the MP+ cluster we don't need to, since the logs can be output to |
| 27 | +the `stdout` and are logged implicitly. |
| 28 | + |
| 29 | +### Firewall |
| 30 | + |
| 31 | +Outgoing connections on the MP+ are implicitly denied and firewall rules must be |
| 32 | +explicitly requested. `10.0.0.0/8` network access from within our sandbox is |
| 33 | +explicitly denied. |
| 34 | + |
| 35 | +#### Requesting firewall rules |
| 36 | + |
| 37 | +1. Search for “egress firewall rules OSD” on Source |
| 38 | +2. Shiny link _opening a ticket_ |
| 39 | +3. You can take an inspiration from RITM1861658; almost all of our tickets for |
| 40 | + firewall rules follow the template below. |
| 41 | + |
| 42 | +#### Template and notes |
| 43 | + |
| 44 | +``` |
| 45 | +• source: ‹list the clusters here› |
| 46 | +• destination: ‹list of domains› |
| 47 | +• protocol: 80, 443 |
| 48 | +• justification: ‹almost as our release notes› |
| 49 | +(N clusters × M domains × P ports) |
| 50 | +``` |
| 51 | + |
| 52 | +If you want to include subdomains, I would recommend typing it as |
| 53 | +`.example.com`, e.g. `.kde.org`. |
| 54 | + |
| 55 | +Don't forget to replace the `N`, `M`, and `P` with their respective values, it |
| 56 | +is used just as a check. You can also link the original issue with the waiting |
| 57 | +list, not required though. |
| 58 | + |
| 59 | +If you need to request outgoing SSH to be allowed (e.g. SSH access to git |
| 60 | +forges), don't forget to specify port 22 (which is the usual default), **and** |
| 61 | +instead of domain, give **IP addresses**. SSH access is bound by IPs rather than |
| 62 | +domains (can be seen in the “inspiration” ticket mentioned above). |
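Review bot: In the "Template and notes" block, the field `protocol: 80, 443` holds port numbers, while the check line right below it counts "P ports"; renaming the field to `ports` (and stating the protocol, presumably TCP, separately) would keep the template consistent with its own check. The closing SSH paragraph asks for IP addresses instead of domains, but the template's `destination` placeholder only says "list of domains", so extending the placeholder to something like "domains, or IP addresses for SSH" would make the template usable for both kinds of request. Step 2 of "Requesting firewall rules" ("Shiny link _opening a ticket_") is a fragment rather than an instruction; wording such as "Follow the link for opening a ticket" would match steps 1 and 3. In the Postgres section, "we have used v13 and moved on to the v15" does not say which version runs where; stating it explicitly (for example, v13 on Automotive and v15 on MP+, if that is the case) would remove the ambiguity.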