|
| 1 | +# Meta |
| 2 | +[meta]: #meta |
| 3 | +- Name: Shared Concourse Instance |
| 4 | +- Start Date: 2025-07-07 |
| 5 | +- Author(s): @drich10 |
| 6 | +- Status: Draft |
| 7 | +- RFC Pull Request: (fill in with PR link after you submit it) |
| 8 | + |
| 9 | +## Summary |
| 10 | + |
| 11 | +Provide a shared Concourse instance for CI/CD workloads within the CFF. |
| 12 | + |
| 13 | +## Problem |
| 14 | + |
| 15 | +Currently, _most_ teams using Concourse are deploying and managing their own instance. This creates overhead in both engineering time and cloud costs. |
| 16 | + |
| 17 | +## Proposal |
| 18 | + |
| 19 | +The Concourse WG MUST host a shared Concourse for working groups to leverage for CI/CD. This MUST reduce both engineering and cloud expenses. Consolidating Concourse spend into a singular account MAY make it easier to manage the spend and usage. Additionally centralizing management of CI maintenance, MAY remove load on members/leads of working groups managing their own instance(s). Working groups MAY use this instance if they choose to. |
| 20 | + |
| 21 | +### Access |
| 22 | +Concourse can use Github teams to manage access control within pipelines and credential systems. As such, working group areas and membership MUST determine roles within the system: |
| 23 | +* New role in the Concourse WG to administrate. |
| 24 | +* WG execution leads that are onboarded are given adminstration permissions. |
| 25 | +* WGs must identify area(s) to give access to. |
| 26 | + |
| 27 | +### Credential Management |
| 28 | +Credential access and management MUST be segmented so that WGs cannot access one another's secrets. |
| 29 | + * Vault MAY be the secret manager to allow consistent management and separation of secrets between teams on the shared instance. |
| 30 | + * We believe most teams currently use Credhub which does not easily allow us to implement the separation that MUST exist between teams. |
| 31 | + |
| 32 | +### Cost Reduction |
| 33 | +* Removes the overhead from additional Web and DB instances that come from running multiple instances of Concourse. |
| 34 | +* Enables sharing of lesser used worker types such like Windows Workers. Reducing the number of these workers that MUST exist. |
| 35 | + |
| 36 | +### Expectations and Agreements |
| 37 | +* Concourse WG leads will be primarily responsible for system availability during the business hours for each individual. |
| 38 | +* Concourse WG leads will be responsible for system upgrades. |
| 39 | +* WGs onboarded to the shared instance MUST be given sufficient access to operate the system. This includes, but is not limited to: |
| 40 | + * IaaS access |
| 41 | + * Runbooks and tooling for Concourse deployment |
| 42 | +* Support Issues MUST be shared between the Concourse working group maintainers and the concourse supporters |
| 43 | + |
| 44 | +### Timeline |
| 45 | +* Concourse team creates the new, shared, instance and migrates itself (2-3 weeks from acceptance of this proposal) |
| 46 | +* Onboard 1 working group to the new instance and refine deployment and operational strategies from initial learnings (2-3 weeks). Shut down the concourse owned by the working group. |
| 47 | +* Open onboarding to the rest of the working groups and migrate their pipelines. Shut down the concourse owned by the working group(s). |
| 48 | +* Success criteria: |
| 49 | + * 2 or more teams leveraging this instance. |
| 50 | + * Each team onboarding MUST either reduce or maintain the current level of infrastructure costs. |
0 commit comments