Currently, there are a number of holes in the automation of the Hypathia system. There are also parts that are unnecessarily complex. Most of these are the result of the organic growth of the system out of its original incubation environment.
Hypathia.net has grown out of an environment that uses Puppet for configuration management. But this requires further infrastructure that is not worthwhile for setting up the few pet nodes that make up the Hypathia.net bootstrap infrastructure.
Terraform is used to set up the configuration of the Matchbox server, but it is not used for the other machines.
Any new (or old) system should allow the step-by-step installation of all components of the system, be easily readable by humans and not require an additional server/infrastructure setup.
Currently there are separate DHCP servers for distributing IP addresses and for injecting node identity and configuration information. The reason for this is the Matchbox server's lack of LDAP backend support.
A solution to merge the configuration data to a single source of truth is needed.
It should be possible to close these holes by building a number of operators and controllers for the Kubernetes system. An overview can be seen in this graphic:
In order to use tools like Draft, users have to be able to list namespaces. But because Namespace is a cluster-scoped resource, a `list` right on it cannot be restricted to a subset of namespaces with RBAC; granting it would expose information about other users' namespaces, so it is not permitted in the current settings.
The OwnerListAdmissionController must retrieve the information about which namespaces the calling account has access to, either directly from GitLab or, better yet, from an ownership service running within the cluster. It must then filter all namespace list requests so that only those namespaces the user has permission to read are returned.
(work in progress: will ask K8s API for information on namespaces and their rolebinding)
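The filtering decision the controller has to make, as an added example that is not code from the Hypathia project: given the full namespace list, the cluster's RoleBindings and the identity of the caller as the API server presents it, return only the namespaces in which the caller (directly, through a group, or as a service account) holds a binding. The `RoleBinding`, `Subject` and `Caller` types are reduced stand-ins for the Kubernetes RBAC and user-info objects, and `sampleBindings` is constructed demo data; how the webhook obtains these from the API server is left out.

```go
package main

import (
	"fmt"
	"sort"
)

// Subject is a reduced model of a RoleBinding subject.
type Subject struct {
	Kind      string // "User", "Group" or "ServiceAccount"
	Name      string
	Namespace string // only meaningful for ServiceAccount subjects
}

// RoleBinding is a reduced model of rbac.authorization.k8s.io/v1 RoleBinding:
// a namespaced binding of a role to a set of subjects.
type RoleBinding struct {
	Namespace string
	Subjects  []Subject
}

// Caller is the authenticated identity behind the list request
// (username and group memberships as the API server reports them).
type Caller struct {
	Username string
	Groups   []string
}

// bindingAppliesTo reports whether a RoleBinding names the caller directly,
// through one of its groups, or as a service account. Service accounts are
// matched on the "system:serviceaccount:<namespace>:<name>" username form.
func bindingAppliesTo(rb RoleBinding, c Caller) bool {
	groups := make(map[string]struct{}, len(c.Groups))
	for _, g := range c.Groups {
		groups[g] = struct{}{}
	}
	for _, s := range rb.Subjects {
		switch s.Kind {
		case "User":
			if s.Name == c.Username {
				return true
			}
		case "Group":
			if _, ok := groups[s.Name]; ok {
				return true
			}
		case "ServiceAccount":
			if fmt.Sprintf("system:serviceaccount:%s:%s", s.Namespace, s.Name) == c.Username {
				return true
			}
		}
	}
	return false
}

// VisibleNamespaces keeps only the namespaces in which the caller holds at
// least one RoleBinding. Every other namespace is dropped from the response,
// so no other tenant's namespace names are disclosed. The result is sorted
// so responses are stable regardless of the order the API server returned.
func VisibleNamespaces(all []string, bindings []RoleBinding, c Caller) []string {
	allowed := make(map[string]bool)
	for _, rb := range bindings {
		if bindingAppliesTo(rb, c) {
			allowed[rb.Namespace] = true
		}
	}
	var out []string
	for _, ns := range all {
		if allowed[ns] {
			out = append(out, ns)
		}
	}
	sort.Strings(out)
	return out
}

// sampleBindings is constructed demo data, not real cluster state.
func sampleBindings() []RoleBinding {
	return []RoleBinding{
		{Namespace: "alice-dev", Subjects: []Subject{{Kind: "User", Name: "alice"}}},
		{Namespace: "bob-dev", Subjects: []Subject{{Kind: "User", Name: "bob"}}},
		{Namespace: "team-x", Subjects: []Subject{{Kind: "Group", Name: "team-x"}}},
		{Namespace: "kube-system", Subjects: []Subject{
			{Kind: "ServiceAccount", Name: "ci-runner", Namespace: "kube-system"},
		}},
	}
}

func main() {
	all := []string{"kube-system", "alice-dev", "bob-dev", "team-x"}
	alice := Caller{Username: "alice", Groups: []string{"team-x", "system:authenticated"}}
	fmt.Println("alice sees:", VisibleNamespaces(all, sampleBindings(), alice))
	ci := Caller{Username: "system:serviceaccount:kube-system:ci-runner"}
	fmt.Println("ci-runner sees:", VisibleNamespaces(all, sampleBindings(), ci))
}
```

The example treats the mere presence of a RoleBinding for the caller as "may see this namespace", which matches a design where the Tenant controller creates both the namespace and its RoleBindings; if other bindings exist, the filter would also need to inspect the referenced role's rules before exposing the namespace name. The group `system:authenticated` is deliberately not bound anywhere in the sample data, since binding it would make every namespace visible to every authenticated account.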
(work in progress)
(work in progress: read Tenant CRD, create/maintain namespaces, RoleBinding)
(work in progress)