Access to Deployed Setup

Introduction

The table below enumerates various admin/user access to the entire deployment. This includes access to machines, Rancher, Kubernetes cluster as well as OpenG2P application.

Access matrix

Resource	Role	Password/key	Access method	Providing further access
Compute nodes	DevOps Super Admin	SSH Key	SSH into the node via private IP (via Wireguard) with the root user using SSH key	Users generate their own SSH Keys whose public keys are added to the nodes.
Wireguard node	DevOps Super Admin	SSH Key	SSH into the node via public IP with the root user using SSH key	To provide Wireguard access to users/clients refer to the guide below.
Rancher (global)	Rancher Super Admin	Password	Open Rancher URL on browser and login via password	Individual cluster administrators can be created from Rancher UI.
Rancher (cluster)	Cluster Admin	Password	Open Rancher URL on browser and login via password	Users can be added and provided RBAC by Cluster Administrator using Rancher UI.
OpenG2P Application	Odoo Super Admin	Password	Open OpenG2P URL on browser and login via password	Users can be created and assigned fine-grained roles.

Resource

Role

Password/key

Access method

Providing further access

Compute nodes

DevOps Super Admin

SSH Key

SSH into the node via private IP (via Wireguard) with the root user using SSH key

Users generate their own SSH Keys whose public keys are added to the nodes.

Wireguard node

DevOps Super Admin

SSH Key

SSH into the node via public IP with the root user using SSH key

To provide Wireguard access to users/clients refer to the guide below.

Rancher (global)

Rancher Super Admin

Password

Open Rancher URL on browser and login via password

Individual cluster administrators can be created from Rancher UI.

Rancher (cluster)

Cluster Admin

Password

Open Rancher URL on browser and login via password

Users can be added and provided RBAC by Cluster Administrator using Rancher UI.

OpenG2P Application

Odoo Super Admin

Password

Open OpenG2P URL on browser and login via password

Users can be created and assigned fine-grained roles.

Wireguard access to users

The guide below provides steps to provide Wireguard access to users' devices (called peers). Note that the access must be provided to each unique device (like a desktop, laptop, mobile phone etc). Multiple logins with same conf file is not possible.

The Wireguard conf file MUST NOT be shared with any other users for security reasons.

Steps

Login to the Wireguard node via SSH.
```
> ssh -i <SSH key pem file> <user>@<ip>
```
Navigate to Wireguard conf folder
```
> cd /etc/wireguard_general
```
You will see several pre-created peer config files. You may assign any one of the file (not assigned before) to a new peer/user.
Editassigned.txt file to assign a new the peer (client/user). Make sure a conf file is assigned to a unique user, already assigned file is never re-assigned to another user.
```
> vim assigned.txt
```
Add the peers with name as mentioned below. Example:
```
> peer1 : <peer name>
```
Share the conf file with the peer/user securely. Example: peer1/peer1.conf

Wireguard client installation

Follow the guide here.

PreviousSSL Certificates using Letsencrypt NextPost Install Configuration

Last updated 10 months ago