Hi everyone, my name is Patrick. I work for Red Hat as a software engineer for the community platform engineering team. My colleagues Lanka and David were supposed to be here to present with me, but unfortunately they could not make it. So today I would like to talk to you about authorizing OpenShift-hosted projects to community members in Fedora. Let's begin.

So first I would like to go over some background about how all of this came about. A couple of years ago, we had a thing called Communishift, which was a community-facing OpenShift cluster for the community to run and deploy and test apps, experiment and learn on. This cluster was retired back in 2020, I think, in a data center move. Then in Q3 of 2022 CPE was tasked with solving a couple of the blockers that were holding up the release of the replacement cluster.

There were a couple of areas that we had to solve. The first one was self-service administration of projects with little or no added work for the infra team, because we had a lot of tickets being opened regularly that were requesting access to the systems. Another one was that we needed a way to sync the Fedora account system and the cluster, and we needed this to happen automatically. And the last one is that the Fedora account system API uses Kerberos authentication, so we needed a keytab.

Okay, as a quick aside here, I would like to briefly describe what an Ansible operator is. It is a Kubernetes-native application that consists of two parts. The first one is a small chunk of code that just handles the interface between OpenShift and the operator, and the second one is a container that receives events from that code and then can run Ansible playbooks as is required. These operators can then be managed by the Operator Framework, which is like an open source toolkit, and it can be managed in an effective and automated manner.

So what advantages does creating your operators with Ansible offer?
First off, it's easier to write, as Ansible and Operator SDK, the project that I mentioned, abstract away all of the difficult parts of writing an operator, such as having to know relatively low-level programming languages like Golang or being familiar with Kubernetes internals. You also have immediate access to any module that Ansible can run, including custom modules that you can write, which is what we also did as part of the initiative.

The solution to the problem that I was describing earlier was to write an Ansible operator named Communishift authorization, which connects to the Fedora account system API, retrieves all of the Communishift-named groups and the group membership, then connects to the OpenShift API and syncs it. You can configure how often it should reconcile. We went with 20 minutes.

The second operator that I would like to talk about is fas2discourse, because once we had the Communishift authorization operator done, we realized that this approach could be used for more than just that one service. fas2discourse syncs, again from the Fedora account system, the group membership to Fedora Discussion, which is a Discourse instance that we have, kind of forums where you can talk to members of the Fedora community.

Okay, so here is a little graphic of how it works. On the left, we have the Fedora account system, which is our single source of truth regarding users and group membership, and it allows us fine-grained access to various systems that we have in the Fedora community. Group sponsors can add and remove members here from their group. What we lacked was a mechanism to sync these changes to the various systems that we have, which is where the operator comes into play.
It's the sync in the middle. So once we have the information in the Fedora account system, the operators retrieve it and sync it to Fedora Discussion or Communishift groups respectively, as we are talking about two separate operators. This approach could also be used in the future for any other service, and I reckon we will do it again at some point.

So on the last slide here, I have a little demo. On the left, you can see the web UI of FAS, where project admins can add or remove users from their groups. On the right, you can see we are interacting with the Communishift cluster and retrieving the groups. In the GIF here, bottom left, I am being removed from and then re-added to the Communishift admins group. The operator then picks up the changes and syncs them to the cluster, and the users, once this is done, can then log in to OpenShift and have access to their project. At least in theory, as the cluster has not yet been fully re-released.

So this was a lightning talk, so it was just a brief overview of what we did. But if anyone is interested in digging into the technical details of how we did it, here are a couple of useful links. The first two contain the source code of the actual operators. This is all from me. Thank you for your attention and have a pleasant rest of the day.
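
The reconcile step described in the talk (account-system groups as the source of truth, synced to cluster groups) can be pictured as a diff between two membership maps. The following is an added illustration, not code from the talk or from the operators, which are written in Ansible; the function name, the `communishift` prefix filter, the data shapes and the sample accounts are all assumptions made for the example.

```python
"""Added illustration: plan one reconcile pass from a source-of-truth
group list to cluster groups. Names and data shapes are hypothetical."""

PREFIX = "communishift"  # assumed naming convention for managed groups


def plan_sync(fas_groups, cluster_groups, prefix=PREFIX):
    """Return the changes needed to make cluster groups match FAS.

    fas_groups / cluster_groups: dict of group name -> iterable of usernames.
    Only groups whose name starts with `prefix` are managed; anything
    else on the cluster is left alone.
    """
    wanted = {g: set(m) for g, m in fas_groups.items() if g.startswith(prefix)}
    current = {g: set(m) for g, m in cluster_groups.items() if g.startswith(prefix)}

    plan = {"create": [], "add": {}, "remove": {}, "orphaned": []}
    for group, members in sorted(wanted.items()):
        if group not in current:
            plan["create"].append(group)
        have = current.get(group, set())
        if members - have:
            plan["add"][group] = sorted(members - have)
        # Removals matter most for authorization: access revoked in the
        # account system must disappear from the cluster on the next pass.
        if have - members:
            plan["remove"][group] = sorted(have - members)
    # Managed-looking groups that no longer exist upstream still grant
    # access; report them rather than silently keeping them.
    plan["orphaned"] = sorted(set(current) - set(wanted))
    return plan


# Constructed sample data, not real accounts.
FAS = {
    "communishift-admins": ["alice", "erin"],
    "communishift-demo": ["carol"],
    "packager": ["alice", "bob"],            # not managed: wrong prefix
}
CLUSTER = {
    "communishift-admins": ["alice", "mallory"],
    "communishift-old": ["dave"],
    "system-admins": ["root"],               # not managed: wrong prefix
}

if __name__ == "__main__":
    for key, value in plan_sync(FAS, CLUSTER).items():
        print(key, value)
```

Between reconcile passes a removed member keeps cluster access, so the reconcile interval is also the upper bound on how long a revocation takes to land.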