From fc6f66f74c94319d503fb66d4f41bcf4eaeecaa3 Mon Sep 17 00:00:00 2001 From: James Blair Date: Fri, 2 Jun 2023 22:56:05 +1200 Subject: [PATCH] Begin documenting etcd infrastructure. This commit introduces initial processes for managing access. Signed-off-by: James Blair --- Documentation/infra-guide/arm64-infra.md | 48 ++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 Documentation/infra-guide/arm64-infra.md diff --git a/Documentation/infra-guide/arm64-infra.md b/Documentation/infra-guide/arm64-infra.md new file mode 100644 index 000000000000..9de6a4a88189 --- /dev/null +++ b/Documentation/infra-guide/arm64-infra.md 
@@ -0,0 +1,48 @@ +# etcd arm64 test infrastructure + +## Infrastructure summary + +All etcd project pipelines run via github actions. The etcd project currently maintains dedicated infrastructure for running `arm64` continuous integration testing. This is required because currently github actions runner virtual machines are only offered as `x64`. + +The infrastructure consists of two `c3.large.arm` bare metal servers kindly provided by [Equinix Metal](https://www.equinix.com/) via the [CNCF Community Infrastructure Lab](https://github.com/cncf/cluster/issues/227). + +| Hostname | IP | Operating System | Region | +|-------------------------------|----------------|--------------------|---------------| +| etcd-c3-large-arm64-runner-01 | 86.109.7.233 | Ubuntu 22.04.1 LTS | Washington DC | +| etcd-c3-large-arm64-runner-02 | 147.28.151.226 | Ubuntu 22.04.1 LTS | Washington DC | + +## Granting infrastructure access + +Etcd arm64 test infrastructure access is closely controlled to ensure the infrastructure is secure and protect the integrity of the etcd project. + +Access to the infrastructure is defined by the etcd-io [github team](https://github.com/orgs/etcd-io/teams) `infra-admins`. + +Individuals in this github team are granted access to the infrastructure in two ways: + +### 1. Equinix metal web console access + +An etcd project exists under the CNCF organisation in the Equinix Metal web console. The direct url to the etcd console is . + +When a new member is added to the `infra-admins` team, an existing member or etcd maintainer should raise an issue in the [CNCF Community Infrastructure Labs](https://github.com/cncf/cluster/issues) to ensure they are granted web console access. + +### 2. Server ssh access + +Members of the `infra-admins` github team can ssh directly to the servers with a dedicated user account for each team member, usernames are based on github handles for easy recognition in logs. 
These team members will be able to elevate to the `root` user when necessary via `sudo`. + +Access to machines via ssh is strictly via individual ssh key based authentication, and is not permitted directly to the `root` user. Password authentication is never to be used for etcd infrastructure ssh authentication. + +When a new member is added to the `infra-admins` team, and existing member with ssh access should complete the following actions on all etcd servers: + +- create the new user via `sudo adduser `. +- add their public key to `/home//.ssh/authorized_keys` file. Note: Public keys are to be retrieved via github only, example: . +- add the new user to machine sudoers file via `usermod -aG sudo `. + +## Revoking infrastructure access + +When a member is removed from the `infra-admins` github team existing members must review servers and ensure their user access to etcd infrastructure is revoked by removing the members `/home//.ssh/authorized_keys` entries. + +Note: When revoking access do not delete a user from servers as access may need to be reinstated in future. + +## Regular access review + +On a regular at least quarterly basis members of the `infra-admins` team are responsible for verifying that no unneccessary infrastructure access exists by reviewing membership of the github group and existing server access.
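Review bot: the revocation procedure under "Revoking infrastructure access" only removes the member's `authorized_keys` entries, which leaves the account in the `sudo` group and does not end sessions that are already open; since the same section asks that the user not be deleted, add the steps that close those gaps, for example `sudo usermod -L <username>`, `sudo deluser <username> sudo` and `sudo pkill -u <username>`, so a dormant account cannot regain root if a key is ever re-added by mistake. In the "Server ssh access" list the third step reads `usermod -aG sudo ` without the `sudo` prefix the first step uses, and both the console link ("The direct url to the etcd console is .") and the public-key example ("example: .") are empty as rendered, so the placeholders and links should be checked before merge. The rules that password authentication "is never to be used" and that ssh "is not permitted directly to the `root` user" would be stronger if the page named the `sshd_config` settings that enforce them (`PasswordAuthentication no`, `PermitRootLogin no`) and listed them as something the quarterly review verifies on both hosts, rather than leaving them as convention. Minor wording: "and existing member with ssh access" should be "an existing member", "the members `/home//.ssh/authorized_keys` entries" should be "the member's", and "unneccessary" should be "unnecessary".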