
Setup Blob CSI for Oral Health Analytics #1896

Open
bryanpaget opened this issue Nov 23, 2023 · 1 comment
Assignees: bryanpaget
Labels: area/engineering (Requires attention from engineering: focus on foundational components or platform DevOps); component/storage (Persistence related (e.g. Minio, cloud, or user storage))

Comments

bryanpaget (Contributor) commented Nov 23, 2023

Description

Create an FDI bucket/container for Oral Health Analytics by editing azure-blob-csi-system.tf found in:

You'll need to add variables to variables.tf:

Tasks

1. Update azure-blob-csi-system.tf

a. Define client id variable:

<acronym> means your project's acronym; typically just one of the French or English acronyms is used.

Add the following to either resource "kubernetes_secret" "azure_blob_csi_fdi_protected_b" or resource "kubernetes_secret" "azure_blob_csi_fdi_unclassified":

AAW_<ACRONYM>_PROD_SP_AZURE_STORAGE_SPN_CLIENTID = var.aaw_<acronym>_prod_sp_clientid

b. Add secrets clause:

Add the following to the section below ## Start (~line 200):

resource "kubernetes_secret" "aaw-<acronym>-prod-sp-secret" {
  metadata {
    name      = "aaw-<acronym>-prod-sp-secret"
    namespace = kubernetes_namespace.azure_blob_csi_system.id
  }
  
  data = {
    azurestoragespnclientsecret = var.aaw_<acronym>_prod_sp_secret
  }
}

c. Add bucket info:

Add the following to resource "kubectl_manifest" "fdi-aaw-configuration-data", in one of:

  1. fdi-protected-b-external.json: | or
  2. fdi-unclassified-external.json: | or
  3. fdi-protected-b-internal.json: | or
  4. fdi-unclassified-internal.json: |

depending on the classification of the bucket.

      {
        "bucketName": "<should-be-provided-for-you>",
        "pvName":     "<acronym>-eprotb",
        "subfolder":  "",
        "readers":    ["<name-of-kubeflow-profile>"],
        "writers":    ["<name-of-kubeflow-profile>"],
        "spn":        "aaw-<acronym>-prod-sp"
      },
      {
        "bucketName": "<should-be-provided-for-you>-transit",
        "pvName":     "<acronym>-inbox-eprotb",
        "subfolder":  "from-de",
        "readers":    ["<name-of-kubeflow-profile>"],
        "writers":    ["<name-of-kubeflow-profile>"],
        "spn":        "aaw-<acronym>-prod-sp"
      },
      {
        "bucketName": "<should-be-provided-for-you>-transit",
        "pvName":     "<acronym>-outbox-eprotb",
        "subfolder":  "to-vers",
        "readers":    ["<name-of-kubeflow-profile>"],
        "writers":    ["<name-of-kubeflow-profile>"],
        "spn":        "aaw-<acronym>-prod-sp"
      }
Info

bucketName: should be given to you by the person requesting the bucket.
pvName: just use the template, filling in with whatever is appropriate.
subfolder: use the example below unless otherwise specified.
readers: use the kubeflow profile name for this.
writers: use the kubeflow profile name for this.
spn: this has to be created by YOU. Send a JIRA ticket to the Cloud Team.

Example Cloud Ticket

Hi,

Can I get a service principal named aaw-<acronym>-prod-sp created please?

The owners should be:

relevant.person.one@cloud.statcan.ca
relevant.person.two@cloud.statcan.ca
More info: https://jirab.statcan.ca/browse/?????-????

Thanks!

2. Add variables to variables.tf:

variable "aaw_<acronym>_prod_sp_secret" {
  description = "Protected-b <acronym> service principal client secret."
  sensitive   = true
}

variable "aaw_<acronym>_prod_sp_clientid" {
  description = "Protected-b <acronym> service principal client id."
  sensitive   = true
}

3. How to create necessary secrets

Follow the steps below to create the necessary secrets in the Azure Portal, then add the secrets variable to the internal Gitlab CI/CD runner.

  1. Log in to the Azure Portal
  2. Go to Microsoft Entra ID
  3. Go to App registrations
  4. Go to All Applications
  5. Search for the "App" you are looking for, usually "aaw-<acronym>-prod-sp".
  6. Take note of the "Application (client) ID" found on the Overview page for that particular App registration.
  7. With the App selected, go to Certificates & secrets, create the secret, give it the name "key".
  8. Send the Application (client) ID to the appropriate JIRA page.
  9. Add the secret to the Gitlab CI/CD settings.
@bryanpaget bryanpaget self-assigned this Nov 23, 2023
@bryanpaget bryanpaget added component/storage Persistence related (e.g. Minio, cloud, or user storage) area/engineering Requires attention from engineering: focus on foundational components or platform DevOps labels Nov 23, 2023
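The three steps above leave several names that have to agree with each other before terraform apply: the "spn" in each bucket entry, the kubernetes_secret named aaw-<acronym>-prod-sp-secret from step 1b, and the template placeholders that must all be filled in. The check below is an added example, not code from this issue or from the repository it describes. It assumes each fdi-*.json document parses as a JSON array of entries with the keys shown in the issue, that the service principal follows the aaw-<acronym>-prod-sp convention, and that its client-secret resource is named <spn>-secret; the acronym "xyz" and every profile, bucket and secret name in the samples are constructed values.

```python
"""Pre-apply consistency check for FDI bucket entries and the secrets they reference.

Added example; not code from the issue or the repository it describes.
Assumptions: fdi-*.json is a JSON array of entries with the keys bucketName,
pvName, subfolder, readers, writers and spn; the spn follows aaw-<acronym>-prod-sp;
and its client-secret resource is named <spn>-secret (as in the issue's
kubernetes_secret block). All sample names below are constructed.
"""
import json
import re

REQUIRED_KEYS = {"bucketName", "pvName", "subfolder", "readers", "writers", "spn"}
# Naming convention from the issue: aaw-<acronym>-prod-sp
SPN_PATTERN = re.compile(r"^aaw-[a-z0-9]+(?:-[a-z0-9]+)*-prod-sp$")
# Anything still wrapped in angle brackets is an unfilled template value
PLACEHOLDER = re.compile(r"<[^>]*>")


def validate_entries(entries, secret_names):
    """Return a list of problems; an empty list means the entries are consistent.

    entries:      parsed JSON array from one of the fdi-*.json documents
    secret_names: set of kubernetes_secret names declared in azure-blob-csi-system.tf
    """
    problems = []
    seen_pv = set()
    for i, entry in enumerate(entries):
        missing = REQUIRED_KEYS - set(entry)
        if missing:
            problems.append(f"entry {i}: missing keys {sorted(missing)}")
            continue
        # Template values must all be filled in before apply
        for key in ("bucketName", "pvName", "spn"):
            value = entry[key]
            if not isinstance(value, str) or not value or PLACEHOLDER.search(value):
                problems.append(f"entry {i}: {key} is empty or still a placeholder")
        # Each entry becomes a PV, so pvName must be unique within the file
        if entry["pvName"] in seen_pv:
            problems.append(f"entry {i}: duplicate pvName {entry['pvName']!r}")
        seen_pv.add(entry["pvName"])
        # Access is granted per Kubeflow profile; an empty or unfilled list is a mistake
        for role in ("readers", "writers"):
            profiles = entry[role]
            if (not isinstance(profiles, list) or not profiles
                    or any(not isinstance(p, str) or PLACEHOLDER.search(p) for p in profiles)):
                problems.append(f"entry {i}: {role} must be a non-empty list of Kubeflow profile names")
        # The spn must follow the convention and have a matching client-secret resource
        spn = entry["spn"]
        if not isinstance(spn, str) or not SPN_PATTERN.match(spn):
            problems.append(f"entry {i}: spn {spn!r} does not follow aaw-<acronym>-prod-sp")
        elif f"{spn}-secret" not in secret_names:
            problems.append(f"entry {i}: no kubernetes_secret named {spn}-secret for spn {spn!r}")
    return problems


# Constructed sample: the issue's template with its placeholders left in place.
TEMPLATE_ENTRIES = json.loads("""
[
  {"bucketName": "<should-be-provided-for-you>", "pvName": "<acronym>-eprotb",
   "subfolder": "", "readers": ["<name-of-kubeflow-profile>"],
   "writers": ["<name-of-kubeflow-profile>"], "spn": "aaw-<acronym>-prod-sp"}
]
""")

# Constructed sample: the three entries filled in for the made-up acronym "xyz".
FILLED_ENTRIES = json.loads("""
[
  {"bucketName": "xyz-prod", "pvName": "xyz-eprotb", "subfolder": "",
   "readers": ["xyz-profile"], "writers": ["xyz-profile"], "spn": "aaw-xyz-prod-sp"},
  {"bucketName": "xyz-prod-transit", "pvName": "xyz-inbox-eprotb", "subfolder": "from-de",
   "readers": ["xyz-profile"], "writers": ["xyz-profile"], "spn": "aaw-xyz-prod-sp"},
  {"bucketName": "xyz-prod-transit", "pvName": "xyz-outbox-eprotb", "subfolder": "to-vers",
   "readers": ["xyz-profile"], "writers": ["xyz-profile"], "spn": "aaw-xyz-prod-sp"}
]
""")

# Secret names as they would appear in azure-blob-csi-system.tf after step 1b (constructed)
DECLARED_SECRETS = {"aaw-xyz-prod-sp-secret"}

if __name__ == "__main__":
    for label, entries in (("template", TEMPLATE_ENTRIES), ("filled", FILLED_ENTRIES)):
        found = validate_entries(entries, DECLARED_SECRETS)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run against the unfilled template it reports every placeholder and the non-conforming spn; run against the filled entries with the matching secret declared it reports nothing, and dropping the secret from the declared set produces one "no kubernetes_secret named ..." line per entry, which is the mismatch that would otherwise only surface as a failed mount after apply.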
bryanpaget (Contributor, Author) commented:

The instructions for creating a new FDI container are here:

These instructions could use some improvement: more detail, an active tone, etc. See #1879.

The JIRA ticket for this task is located here:

The JIRA ticket for the Cloud Team request for the Service Principal is located here:
