Merge branch 'main' into rholling-SCS-docs

Author: maxwolfs

community/cloud-resources/cloud-resources.md

@@ -60,7 +60,6 @@ Service users will have their default_project_id set to a specific project and w
 | 91091d4039a6457db27d48d58bb1b4e4 | p500924-jschoone            | jschoone          | KaaS dev and evaluation               | ∞            |
 | 93956190702b4a7d8a8886806d57713f | p500924-metering            | cah-link          | Dev Environment for VP13              | 31.12.2023   |
 | abbe6561cf6248b6af395334aa09af85 | p500924-harbor              | chess-knight      | SCS Harbor for VP06c                  | ∞            |
-| 4ff97734574146ccb4c7e7568bc1e36f | p500924-XPanse              | swaroopar         | Eclipse XPanse Projekt POC            | 31.11.2023   |
 | e7622c1048ac4520a2d050ae141e826b | p500924-tender-6a           | mxmxchere         | Dev Environment for VP06a             | ∞            |
 | eeed7e0ad33f42f189fb4165116f5a1b | p500924-dnation-k8s         | matofeder         | dNation dev for VP06c                 | ∞            |
 | b342f37804f14459bdf703573169bf79 | p500924-minery              | 90n20             | Testbed env for Pentesting            | 30.11.2024   |

community/collaboration.md

@@ -11,22 +11,34 @@ for more details.
 
 ### Project updates
 
-- Weekly with all teams on Thursday at 1505 CEST (45 mins)
+- Weekly with all teams on Thursday at 15:05 CEST (40 mins)
+- In some weeks we schedule an additional lightning talk at 15:40 CEST
 
 ### Sprint review/Backlog refinement/Sprint planning meetings
 
-- Weekly with Team IaaS on Wednesdays at 1005 CEST (1 hour)
-- Weekly with Team Container on Mondays at 1005 CEST (1 hour)
-- Weekly with Team OPS & IAM on Thursdays at 1005 CEST (1 hour)
-
-### Special interest groups (SIGs)
-
-- Identity & Access Management (IAM): Bi-Weekly on Friday at 1005 CEST (1 hour)
-- Monitoring & Logging: Weekly on Friday at 1205 CEST (1 hour)
+- Weekly Team meetings (~1hr) for currently 4 teams:
+  - Team IaaS
+  - Team Container
+  - Team IAM & Security
+  - Team Operations
+- Please refer to the public calendar (on the previous page) for details.
+
+### Special interest groups (SIGs) and hacking sessions
+
+- There are a number of SIG meetings and hacking sessions that meet weekly or bi-weekly
+  - Identity & Access Management (IAM) hacking session
+  - Monitoring and Logging
+  - SIG Standardization and Certification
+  - SIG Documentation
+  - SIG Community
+  - SIG Central API
+  - ...
+- Please refer to the Calendar (on the previous page) for details.
 
 ## Videoconference
 
 We use a self-hosted [Jitsi Meet](https://jitsi.org) instance for video conferencing.
+Thanks go to Cleura for providing the server for it.
 
 The server uses an automated deployment based on the
 [heat-docker-jitsi-meet](https://github.com/garloff/heat-docker-jitsi-meet) project.
@@ -35,6 +47,9 @@ Configuration is such everyone who knows the room can connect, unless the modera
 sets a password/PIN. Opening a new room requires authentication. (Contact Kurt if
 you need a password.)
 
+Links to the meeting room (as well as dial-in information) are in the appointments
+in the public calendar.
+
 ### Usage
 
 Connect with a desktop browser (Chrome/Chromium or other blink based browser
@@ -52,17 +67,19 @@ for folks that lack internet connectivity (but have a working phone connection).
 ## Nextcloud
 
 We have a [Nextcloud](https://nextcloud.com)
-[instance](https://scs.sovereignit.de) for sharing files, calendar, contacts, ...
+[instance](https://scs.sovereignit.de) for sharing files, doing polls, ...
 setup for things that are not public.
 
-We are also using it for our taskboards currently, though we are looking at
-options to do this in the open.
-
-If you want to contribute, we'll do an onboarding call and add you to nextcloud.
-This will also add you to the `[email protected]` mailing list.
+You can contribute to SCS via the github workflows, asking questions there (via
+opening issues against the issues repository), submitting pull requests, ...
+If you want to contribute on a regular basis, we are happy to also onboard you
+to the nextcloud and do an onboarding call. Nextcloud onboarding also adds you
+to the `[email protected]` mailing list which also add you to the
+announcement list (described in the next paragraph).
 
 We have an announcements mailing list there `[email protected]` and you
 can subscribe via the [mailman3 frontend](https://scs.sovereignit.de/mailman3/postorius/lists/)
+also without the SCS nextcloud account if you prefer.
 
 ## Zuul CI/CD pipelines and project gating
 

docs/05-iam/index.md

@@ -0,0 +1,75 @@
+# Introduction on Identity Management and Federation in SCS
+
+Sovereign Cloud Stack wants to make it possible for operators to delegate
+administration of user identities to the organizational entities that the
+users are part of. Usually that's customer organizations but it could also
+be the operator itself. Federation protocols like OpenID Connect can be used
+to achieve that goal. To simplify connecting the different parts of SCS
+to customer owned IAM solutions, the SCS reference implementation offers
+Keycloak as central Identity Provider (IdP) service.
+
+## Deployment
+
+Keycloak can be deployed by running
+
+```
+osism apply keycloak
+```
+
+The required Keycloak client configuration that allows Keystone to obtain
+OIDC token from Keycloak needs to be deployed by running
+
+```
+osism apply keycloak-oidc-client-config
+```
+
+After these steps Keystone should be able to obtain token using the
+Device Authorization Grant with PKCE, which is configured by default in the
+`wsgi-keystone.conf` deployed in SCS.
+
+## Accessing Keycloak
+
+Currently deployed on the manager node, by default under `https://keycloak.<yourdomain>`.
+Details TODO.
+
+## Identity Mapping
+
+The idea is that customer can create groups with specific names in their own IAM.
+These shall be mapped to a claim `groups` to be included in the OIDC token.
+Via the Keystone [mapping](https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html)
+they shall be mapped to roles on OpenStack projects.
+[The corresponding section for Developers](https://docs.scs.community/dev-docs/operations/iam/identity-federation-in-scs) may be interesting for more technical details.
+Please be aware that currently there are still some technical challenges to be solved
+within the OpenStack Keystone mapping engine and the mapping rules to make this work
+seamlessly.
+
+## SCS to SCS federation
+
+Federation between separate deployments of SCS is possible via the IdP by
+means of OpenID Connect.
+The section on [inter SCS federation setup](https://docs.scs.community/docs/iam/intra-SCS-federation-setup-description-for-osism-doc-operations) explains the required steps in some detail.
+
+### Prerequisites and Requirements
+
+- Knowledge: Familiarity with Keycloak, OIDC federation, and basic SSL and web security principles is pivotal.
+- Software: The core software component is the OpenID-Connect identity provider, configured to function optimally with OpenStack environments. While the SCS reference implementation focusses on Keycloak as IdP, with appropriate configuration adjustments any OAuth 2.0 compliant IdP should be suitable as an alternative. Each implemntation may have its own pros and cons.
+
+### Features
+
+- Horizon Web SSO
+- OpenStack CLI use via the Device Authorization Grant
+
+### Limitations
+
+- Keystone currently still has limitations in its mapping engine, which are addressed by the SCS development team as we
+  see possibilities and alignement with upstream OpenDev development plans. Automatically creating `ephemeral` users in
+  their specific OpenStack domains, as specified in their OIDC token is one example, currently beeing worked on. Please
+  check carefully if the technical results meet the security demands of your specific environment.
+
+### Current state and future Outlook
+
+Currently SCS exemplifies deploying Keycloak on the management plane. This shall be moved to a Kubernetes based
+management plane to improve scalability and architecture.
+
+In the near future, the Container layer shall be able to make use of the IdP to allow federated users to access Kubernetes.
+In the mid term, workloads on Kubernetes shall be able to make use of OAuth tokens to access resources on the IaaS layer.

sidebarsDocs.js

@@ -190,7 +190,8 @@ const sidebarsDocs = {
       type: 'category',
       label: 'Identity and Access Management (IAM)',
       link: {
-        type: 'generated-index'
+        type: 'doc',
+        id: 'iam/index'
       },
       items: [
         'iam/intra-SCS-federation-setup-description-for-osism-doc-operations'

src/pages/index.tsx

@@ -142,7 +142,7 @@ export default function Home(): JSX.Element {
                   title="IAM Layer"
                   body="Working on Keycloak federated identity provider within our Team IAM."
                   buttonText="Learn More"
-                  url="/docs/category/identity-and-access-management-iam"
+                  url="/docs/iam"
                 />
               </div>
             </div>

standards/certification/certified-clouds.md

@@ -7,6 +7,7 @@ This is a list of clouds that we test on a nightly basis against our `scs-compat
 | [gx-scs](https://github.com/SovereignCloudStack/docs/blob/main/community/cloud-resources/plusserver-gx-scs.md) | Dev environment provided for SCS & GAIA-X context | plusserver GmbH               | ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/SovereignCloudStack/standards/check-gx-scs-v1.yml?label=compliant)   |                                   [HM](https://health.gx-scs.sovereignit.cloud:3000/)                                    |
 | [pluscloud open - prod1](https://www.plusserver.com/en/products/pluscloud-open)                                | Public cloud for customers                        | plusserver GmbH               | ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/SovereignCloudStack/standards/check-pco-prod1-v1.yml?label=compliant) |                               [HM](https://health.prod1.plusserver.sovereignit.cloud:3000)                               |
 | [pluscloud open - prod2](https://www.plusserver.com/en/products/pluscloud-open)                                | Public cloud for customers                        | plusserver GmbH               | ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/SovereignCloudStack/standards/check-pco-prod2-v1.yml?label=compliant) |                               [HM](https://health.prod1.plusserver.sovereignit.cloud:3000)                               |
+| [pluscloud open - prod3](https://www.plusserver.com/en/products/pluscloud-open)                                | Public cloud for customers                        | plusserver GmbH               | ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/SovereignCloudStack/standards/check-pco-prod3-v2.yml?label=compliant) |                               [HM](https://health.prod1.plusserver.sovereignit.cloud:3000)                               |
 | [Wavestack](https://www.noris.de/wavestack-cloud/)                                                             | Public cloud for customers                        | noris network AG/Wavecon GmbH | ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/SovereignCloudStack/standards/check-wavestack-v3.yml?label=compliant) |                                 [HM](https://health.wavestack1.sovereignit.cloud:3000/)                                  |
 | [REGIO.cloud](https://regio.digital)                                                                           | Public cloud for customers                        | OSISM GmbH                    | ![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/SovereignCloudStack/standards/check-regio-a-v3.yml?label=compliant)  | [Dashboard](https://apimon.services.regio.digital/public-dashboards/17cf094a47404398a5b8e35a4a3968d4?orgId=1&refresh=5m) |