API to present data to the tenant-dashboard with a GitHub OAuth login.
Tenants represent the teams of a GitHub organization.
The tenant-api searches for namespaces named after the GitHub teams you have access to in your GitHub organization.
It is recommended to use a multitenancy tool to jail each tenant in its host-cluster namespace. For this you can use the vcluster technology: for each tenant you deploy a host-cluster namespace (named like your GitHub team) and deploy the vcluster (which is the tenant) in this namespace. The vcluster syncs all resources created in it only to the host-cluster namespace, so the tenant-api only has to search the low-level / costly resources (like pods, pvcs, ingress, requests, etc.) to present the data to the dashboard.
You can also sync your Slack broadcast channel to present important information about your infrastructure to your tenants.
Important: for authenticated access you need to provide the Authorization header with the Bearer token.
You can add <tenant> in front of the path to get the tenant-specific data (of everything), e.g. /api/v1/<tenant>/pods
- /login/github - Login with GitHub
- /login/github/callback - Callback after GitHub login
- /api/v1/notifications - Get the Slack notification messages of the broadcast channel provided via envs
- /api/v1/<tenant>/pods - Get a list of pods of a tenant
- /api/v1/<tenant>/pvcs - Get a list of pvcs of a tenant by storage classes
- /api/v1/<tenant>/ingresses - Get a list of ingresses of a tenant
- /api/v1/<tenant>/requests/cpu - Get CPU requests in millicores of a tenant
- /api/v1/<tenant>/requests/memory - Get memory requests in bytes of a tenant
- /api/v1/<tenant>/requests/storage - Get storage requests in bytes of a tenant by storage class
- /api/v1/<tenant>/costs/cpu - Get the CPU costs by CPU
- /api/v1/<tenant>/costs/memory - Get the memory costs by memory
- /api/v1/<tenant>/costs/storage - Get the storage costs by storage class
- /api/v1/<tenant>/costs/ingress - Get the ingress costs by tenant
- /api/v1/<tenant>/quotas/cpu - Get the CPU resource quota by the label defined via env
- /api/v1/<tenant>/quotas/memory - Get the memory resource quota by the label defined via env
- /api/v1/<tenant>/quotas/storage - Get the storage resource quota for each storage class by the labels defined via env
You can send the GitHub code with the JSON body {"github_code": "..."} to the /login/github endpoint.
The code you need to generate must have the read:org scope.
- CORS - CORS middleware for Fiber that can be used to enable Cross-Origin Resource Sharing with various options (e.g. "https://example.com, https://example2.com").
There are two ways to authenticate with GitHub. You can authenticate without a dashboard, so the GitHub callback URL is not the same as the dashboard.
- CLIENT_ID - GitHub client id, required
- CLIENT_SECRET - GitHub client secret, required
- CALLBACK_URL - GitHub OAuth callback URL without path, optional (default: "http://localhost:3000")
- SECRET_KEY - JWT secret key, optional (default: random 32 bytes, displayed in the logs)
- CORS - Define CORS as one string, optional (default: "*")
- MAX_REQUESTS - Define max API requests per 30 seconds, optional (default: "100")
- SLACK_TOKEN - Tenant API Slack application user token, optional (if not set, the notification REST route will be deactivated)
- SLACK_BROADCAST_CHANNEL_ID - Broadcast Slack channel ID, optional (required if SLACK_TOKEN is set)
- SLACK_URL - The Slack URL of your Slack channel, optional (required if SLACK_TOKEN is set, e.g. "https://natronio.slack.com")
- DISCOUNT_LABEL - Label key for selecting the discount value, optional (default: "natron.io/discount" (float -> e.g. "0.1"))
- CPU_COST - Cost of a CPU in your currency, optional (default: 1.00 for 1 CPU)
- MEMORY_COST - Cost of memory in your currency, optional (default: 1.00 for 1 GB)
- STORAGE_COST_<storageclass name> - Cost of your storage classes in your currency, required, multiple allowed (default: 1.00 for 1 GB)
- INGRESS_COST - Cost of ingress in your currency, optional (default: 1.00 for 1 ingress)
- INGRESS_COST_PER_DOMAIN - Calculates only ingress per domain.tld format, optional (default: false)
- EXCLUDE_INGRESS_VCLUSTER - Excludes the vcluster ingress resource that exposes the vcluster Kubernetes API. The name of the ingress must contain the string "vcluster", optional (default: false)
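A pre-deployment check over the variables listed above, as an added example that is not part of the tenant-api code base. CheckEnv is a hypothetical helper: it flags required values that are missing and defaults a reviewer would question before exposing the API, such as the wildcard CORS origin and the random SECRET_KEY that ends up in the logs.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// CheckEnv (hypothetical helper, not tenant-api code) returns one finding per
// documented variable that is missing or left on a default worth reviewing.
func CheckEnv(env map[string]string) []string {
	var out []string
	warn := func(cond bool, msg string) {
		if cond {
			out = append(out, msg)
		}
	}
	warn(env["CLIENT_ID"] == "", "CLIENT_ID: required but not set")
	warn(env["CLIENT_SECRET"] == "", "CLIENT_SECRET: required but not set")
	warn(env["SECRET_KEY"] == "", "SECRET_KEY: unset, a random JWT key is generated and displayed in the logs")
	cors, corsSet := env["CORS"] // unset means the documented default "*"
	warn(!corsSet || strings.Contains(cors, "*"), "CORS: wildcard origin, list the dashboard origin instead")
	warn(!strings.HasPrefix(env["CALLBACK_URL"], "https://"), "CALLBACK_URL: not https (default is http://localhost:3000)")
	n, err := strconv.Atoi(env["MAX_REQUESTS"])
	warn(env["MAX_REQUESTS"] != "" && (err != nil || n <= 0), "MAX_REQUESTS: not a positive integer")
	if env["SLACK_TOKEN"] != "" { // the two Slack settings become required
		warn(env["SLACK_BROADCAST_CHANNEL_ID"] == "", "SLACK_BROADCAST_CHANNEL_ID: required when SLACK_TOKEN is set")
		warn(env["SLACK_URL"] == "", "SLACK_URL: required when SLACK_TOKEN is set")
	}
	hasStorage := false
	for k := range env {
		hasStorage = hasStorage || strings.HasPrefix(k, "STORAGE_COST_")
	}
	warn(!hasStorage, "STORAGE_COST_<storageclass name>: required, none defined")
	return out
}

func main() {
	env := map[string]string{} // filled from the process environment
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}
	for _, f := range CheckEnv(env) {
		fmt.Println("WARN", f)
	}
}
```

Run it with the same environment the deployment will receive; an empty output means every documented requirement is met and no reviewed default is in use.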
It will get the resource quotas defined in the tenant namespace with the exact name of the tenant.
For setting the quota labels on the tenant config namespace, you have to enter the values in the following format:
- CPU: cores, e.g. natron.io/cpu-quota: "1" (-> 1 Core)
- Memory: GB, e.g. natron.io/memory-quota: "4" (-> 4GB)
- Storage: GB, e.g. natron.io/storage-quota-: "50" (-> 50GB)
example deployment files: kubernetes manifests
- run a local minikube and apply a service account with clusterwide view permissions
minikube start
kubectl apply -f sa.yaml
kubectl apply -f rbac.yaml
kubectl apply -f deployment.yaml
kubectl expose deployment tenant-api --type=NodePort --port=8000
minikube service tenant-api
- create a GitHub application in your GitHub organization and set the URL (and the port displayed when exposing the service via minikube) to the CALLBACK_URL (without path), and for the callback URL set the CALLBACK_URL with the path /login/github/callback (e.g. http://localhost:3000/login/github/callback)