This is the multi-page printable view of this section. Click here to print.
Getting started
- 1: Core Concepts
- 1.1: Organizations
- 1.2: Teams
- 1.3: Clusters
- 1.4: PluginDefinitions, Plugins and PluginPresets
- 2: Overview
- 3: Quick start guide
1 - Core Concepts
| Feature | Description | API | UI | Comments |
|---|---|---|---|---|
| Organizations | Organizations are the top-level entities in Greenhouse. | 🟢 | 🟢 | |
| Teams | Teams are used to manage access and ownership of resources in Greenhouse. | 🟢 | 🟡 | Read-only access to Teams via the UI |
| Clusters | Clusters represent a Kubernetes cluster that is managed by Greenhouse. | 🟡 | 🟡 | Limited modification of Clusters via UI, CLI for KubeConfig registry planned. |
| Plugin Definitions & Plugins | Plugins are software components that extend and integrate with Greenhouse . | 🟡 | 🟡 | Read-only access via UI, a native Plugin Catalog is planned. |
1.1 - Organizations
What are Organizations?
Organizations are the top-level entities in Greenhouse. Each Organization gets a dedicated Namespace, that contains all resources bound to the Organization. Greenhouse expects an Organization to provide it’s own Identity Provider and currently supports OIDC Identity Providers. Greenhouse also supports SCIM for syncing users and groups from an Identity Provider.
See creating an Organization for more details.
Organization Namespace and Permissions
The Organization’s Namespace in the Greenhouse cluster contains all resources bound to the Organization. This Namespace is automatically provisioned when a new Organization is created and shares the Organization’s name. Once the Namespace is created, Greenhouse will automatically seed RBAC Roles and ClusterRoles for the Organization. These are used to grant permissions for the Organization’s resources to Teams.
- The Administrators of an Organization are specified via a identity provider (IDP) group during the creation of the Organization.
- The Administrators for Plugins and Clusters need to be defined by the Organization Admins via
RoleBindingsfor the seeded Rolesrole:<org-name>:cluster-adminandrole:<org-name>:plugin-admin. - All authenticated users are considered members of the Organization and are granted the
organization:<org-name>Role.
The following roles are seeded for each Organization:
| Name | Description | ApiGroups | Resources | Verbs | Cluster scoped |
|---|---|---|---|---|---|
role:<org-name>:admin | An admin of a Greenhouse Organization. This entails the permissions of role:<org-name>:cluster-admin and role:<org-name>:plugin-admin | greenhouse.sap/v1alpha1 | * | * | - |
v1 | secrets | * | - | ||
"" | pods, replicasets, deployments, statefulsets, daemonsets, cronjobs, jobs, configmaps | get, list, watch | - | ||
monitoring.coreos.com | alertmanagers, alertmanagerconfigs | get, list, watch | - | ||
role:<org-name>:cluster-admin | An admin of Greenhouse Clusters within an Organization | greenhouse.sap/v1alpha1 | clusters, teamrolebindings | * | - |
v1 | secrets | create, update, patch | - | ||
role:<org-name>:plugin-admin | An admin of Greenhouse Plugins within an Organization | greenhouse.sap/v1alpha1 | plugins, pluginpresets | * | - |
v1 | secrets | create, update, patch | - | ||
organization:<org-name> | A member of a Greenhouse Organization | greenhouse.sap/v1alpha1 | * | get, list, watch | - |
organization:<org-name> | A member of a Greenhouse Organization | greenhouse.sap/v1alpha1 | organizations, plugindefinitions | get, list, watch | x |
OIDC
Each Organization must specify the OIDC configuration for the Organization’s IDP. This configuration is used together with DEXIDP to authenticate users in the Organization.
SCIM
Each Organization can specify SCIM credentials which are used to syncronize users and groups from an Identity Provider. This makes it possible to view the members of a Team in the Greenhouse dashboard.
1.2 - Teams
What are Teams?
Teams are used to manage access to resources in Greenhouse and managed Kubernetes clusters. Each Team must be backed by a group in the identity provider (IdP) of the Organization. Teams are used to structure members of your Organization and assign fine-grained access and permission levels. The Greenhouse Dashboard is showing the members of a Team.
Team RBAC
TeamRoles and TeamRoleBindings provide a mechanism to control the permissions of Teams to onboarded Clusters of an Organization.
Team role-based access control (RBAC) wraps the concept of Kubernetes RBAC in TeamRoles and TeamRoleBindings. TeamRoles are used to define a set of RBAC permissions. These permissions can be granted to Teams with TeamRoleBindings. A TeamRoleBinding refers to a Team, a TeamRole, Cluster(s) and optional Namespaces. Depending on the latter, Greenhouse will create the appropriate rbacv1 resources on the targeted cluster(s) in either Cluster or Namespace scope.
More information about how this can be configured is mentioned in this user guide.
Example of a TeamRoleBinding for a observability-admin which grants the cluster-admin role on the observability cluster in the logs and metrics namespaces. The TeamRoleBinding contains a list of namespaces and a label selector to select the cluster(s) to target. If no Namespaces are provided, then Greenhouse will create a ClusterRoleBinding instead of a RoleBinding.
1.3 - Clusters
What are Clusters?
In the context of Greenhouse a Cluster represents a Kubernetes cluster that is onboarded to Greenhouse. Onboarded in this context means that Greenhouse can handle the management of role-based access control (RBAC) and the provisioning of operating tools (e.g. logging, monitoring, ingress etc.). The Greenhouse dashboard provides an overview of all onboarded clusters. Throughout Greenhouse the reference to a Cluster is used to target it for configuration and deployments.
Cluster access
During the initial onboarding of a cluster, Greenhouse will create a dedicated ServiceAccount inside the onboarded cluster. This ServiceAccount’s token is rotated automatically by Greenhouse.
Cluster registry (coming soon)
Once a Cluster is onboarded to Greenhouse a ClusterKubeConfig is generated for the Cluster based on the OIDC configuration of the Organization. This enables members of an Organization to access the fleet of onboarded Clusters via the common Identity Provider. on the respective Clusters can be managed via Greenhouse Team RBAC.
In order to make it convenient to use these ClusterKubeConfigs and to easily switch between multiple context locally there will be a CLI provided by Greenhouse.
1.4 - PluginDefinitions, Plugins and PluginPresets
What are PluginDefinitions and Plugins?
PluginDefinitons and Plugins are the Greenhouse way to extend the core functionality with domain specific features. PluginDefinitions, as the name suggests, are the definition of a Plugin, whereas a Plugin is a concrete instance of a PluginDefinition that is deployed to a Cluster.
The PluginDefinitions are shared between all Organizations in Greenhouse. A PluginDefinition can include a frontend, that is displayed in the Greenhouse dashboard and/or a backend component. The frontend is expected to be a standalone microfrontend created with the Juno framework. The backend components of a PluginDefinition are packaged as a Helm Chart and provide sane and opinionated default values. This allows Greenhouse to package and distribute tools such as Prometheus with a sensible default configuration, as well as giving the user a list of configurable values.
A Plugin is used to deploy the Helm Chart referenced in a PluginDefinition to a Cluster. The Plugin can be considered as an instance of a PluginDefinition, this instance specifies the PluginDefinition, the desired Cluster and additional values to set. Depending on the PluginDefinition, it may be necessary to specify required values (e.g. credentials, endpoints, etc.), but in general the PluginDefinition provides well-established default values.
[!NOTE] In this example the Plugin ‘openTelemetry-cluster-a’ is used to deploy the PluginDefinition ‘openTelemetry’ to the cluster ‘cluster-a’.
PluginPresets
PluginPresets are a mechanism to configure Plugins for multiple clusters at once. They are used to define a common configuration for a PluginDefinition that can be applied to multiple clusters, while allowing to override the configuration for individual clusters.
[!NOTE] In this example the PluginPreset ’example-obs’ references the PluginDefinition ’example’ and contains a clusterSelector that matches the clusters ‘cluster-a’ and ‘cluster-b’. The PluginPreset creates two Plugins ’example-obs-cluster-a’ and ’example-obs-cluster-b’ for the respective clusters.
2 - Overview
What is Greenhouse?
Greenhouse is a cloud operations platform designed to streamline and simplify the management of a large-scale, distributed infrastructure.
It offers a unified interface for organizations to manage various operational aspects efficiently and transparently and operate their cloud infrastructure in compliance with industry standards.
The platform addresses common challenges such as the fragmentation of tools, visibility of application-specific permission concepts and the management of organizational groups.
It also emphasizes the harmonization and standardization of authorization concepts to enhance security and scalability.
With its operator-friendly dashboard, features and extensive automation capabilities, Greenhouse empowers organizations to optimize their cloud operations, reduce manual efforts, and achieve greater operational efficiency.
Value Propositions
Roadmap
The Roadmap Kanban board provides an overview of ongoing and planned efforts.
Architecture & Design
The Greenhouse design and architecture document describes the various use-cases and user stories.
3 - Quick start guide
This section provides a step-by-step walkthrough for new users to navigate the initial stages of the Greenhouse platform.
Sign up
You’re an administrator and organization lead and want to register for Greenhouse?
We got you covered!
During phase 1 and 2 of the roadmap Greenhouse is only open to selected early adopters.
Please reach out to the Greenhouse team to register and create your organization via Slack or DL Greenhouse.
Prerequisites:
CAM Profile
A CAM profile is required to configure the administrators of the organization.
Please include the name of the profile in the message to the Greenhouse team when signing up.SAP ID service
The authentication for the users belonging to your organization is based on the OpenID Connect (OIDC) standard.
For SAP, we recommend using a SAP ID service (IDS) tenant.
Please include the parameters for your tenant in the message to the Greenhouse team when signing up.If you don’t have a SAP ID Service tenant yet, please refer to the SAP ID Service section for more information.
Already a member
You’re a member of an existing organization and want to manage your teams, clusters or plugins?
Please refer to the user guides to find out more.