General documentation improvements

- We're now using release-based projects
- Flesh out management docs a bit
- Add some more tips to troubleshooting docs
- Add a service account for image pruning

Change-Id: Id74044dc741032be8c70bc2a863f991c51654451

doc/source/managing.rst

@@ -1,33 +1,55 @@
 Managing the registry
 =====================
 
-.. warning:: Fleshing out this documentation is a work in progress.
+.. warning:: This should eventually be automated, see
+             https://github.com/rdo-infra/rdo-container-registry/issues/1
 
 .. note:: These operations are done directly on the master
 
 ::
 
-    # Grant superuser privileges to a user once he has logged in at least once
-    # https://docs.openshift.com/container-platform/3.5/admin_guide/manage_authorization_policy.html
-    oc policy add-role-to-user cluster-admin dmsimard
+    # Grant superuser privileges to a user (doesn't require the user to login before applying)
+    oadm policy add-cluster-role-to-user cluster-admin dmsimard
 
-    # Create project
-    oc new-project tripleo \
-      --description="TripleO container images for trunk and continuous integration" \
-      --display-name="TripleO container images"
+    # Create projects
+    oc new-project master \
+      --description="TripleO container images for trunk and continuous integration for OpenStack 'master'" \
+      --display-name="TripleO container images for 'master'"
 
-    # Create service account, make it admin of the project
-    oc create serviceaccount tripleo.service -n tripleo
-    oc policy add-role-to-user admin system:serviceaccount:tripleo:tripleo.service -n tripleo
+    oc new-project pike \
+      --description="TripleO container images for trunk and continuous integration for OpenStack 'pike'" \
+      --display-name="TripleO container images for 'pike'"
 
-    # Retrieve service account token for image pushes (for CI and things like that)
-    oc describe serviceaccount tripleo.service -n tripleo
-    oc describe secret tripleo.service-token-<generated> -n tripleo
+    # Allow authenticated users to browse the projects
+    # Note:
+    #  - https://github.com/cockpit-project/cockpit/issues/6711
+    #  - https://github.com/openshift/origin/issues/14381
+    oc policy add-role-to-group registry-viewer system:authenticated -n master
+    oc policy add-role-to-group registry-viewer system:authenticated -n pike
 
-    # Allow authenticated users to browse the TripleO project
-    # Note: https://github.com/cockpit-project/cockpit/issues/6711
-    oc policy add-role-to-group registry-viewer system:authenticated -n tripleo
-
-    # Allow unauthenticated users to pull images from the TripleO project
+    # Allow unauthenticated users to pull images from the projects
     # (Anonymous, public access to registry, not the actual console)
-    oc policy add-role-to-group registry-viewer system:unauthenticated -n tripleo
+    oc policy add-role-to-group registry-viewer system:unauthenticated -n master
+    oc policy add-role-to-group registry-viewer system:unauthenticated -n pike
+
+    # Create service account, make it admin of the projects
+    oc create serviceaccount tripleo.service -n default
+
+    # Add permissions for the service account to push and pull images
+    oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n master
+    oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n pike
+
+    # Retrieve service account token for image pushes, for example when doing CI
+    oc describe serviceaccount tripleo.service -n default
+    oc describe secret tripleo.service-token-<generated> -n default
+
+    # Create a service account with exclusive rights to image pruning
+    oc create serviceaccount rdo.pruner -n default
+    oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:rdo.pruner -n default
+
+More reading
+~~~~~~~~~~~~
+
+- https://docs.openshift.com/container-platform/latest/admin_guide/manage_authorization_policy.html
+- https://docs.openshift.com/container-platform/latest/dev_guide/projects.html
+- https://docs.openshift.com/container-platform/latest/admin_guide/service_accounts.html

doc/source/troubleshooting.rst

@@ -5,20 +5,24 @@ Troubleshooting the registry
 
 ::
 
-    # Logs for the origin-master process
-    journalctl -u origin-master --follow
+    # Logs for the OpenShift processes
+    journalctl -u origin-master-api --follow
+    journalctl -u origin-master-controllers --follow
+    journalctl -u origin-node --follow
 
     # Note, commands using -n default is to select from the default namespace
 
-    # List routes, pods and services
+    # List routes, pods, services and deployment configurations
     oc get routes -n default
     oc get pods -n default
     oc get svc -n default
+    oc get dc -n deault
 
     # Dump configuration of things
     oc export routes -n default -o yaml |less
     oc export pods -n default -o yaml |less
     oc export svc -n default -o yaml |less
+    oc export dc -n default -o yaml |less
 
     # Follow logs from running pods
     oc get pods -n default
@@ -28,5 +32,16 @@ Troubleshooting the registry
     oc get pods -n default
     oc exec -n default <pod name> <command> (ex: oc exec -n default docker-registry-1-xgxqb ls)
 
+    # Get a shell on a running pod
+    oc get pods -n default
+    oc rsh <pod name> -n default (ex: oc rsh docker-registry-1-xgxqb -n default)
+
     # Look at policies and permissions for a project
     oc get rolebindings -n project
+
+    # If authentication on the master node doesn't seem right
+    # You might be logged on as a different user
+    oc whoami
+    oc login -u system:admin --config=/etc/origin/master/admin.kubeconfig
+    oadm config get-contexts
+    oadm config use-context default/192-168-1-17:8443/system:admin