fix: user context in labs (#110)

Author: srodenhuis

docs/for-ops/console/usermgnt.md

@@ -16,19 +16,18 @@ User Management can only be used to manage the users of the platform instance (s
 
 What you need to know about the User Management feature:
 
-- Only Platform admins can create or delete users in the platform view.
-- A Platform admins can assign users the role of `platform admin`, `Team admin` or `Team member`.
+- Only Platform administrators can create or delete users in the platform view.
+- A Platform administrator can assign users the role of `platform administrator`, `team administrator` or `team member`.
 - Users can be created without assigning them directly to a Team.
-- Team admins can assign users the role of Team member of the Team they administer.
-- Team admins can not remove themselves from Teams they administer (this can only be done by the platform admin).
-- Team admins can not remove other Team admins from their teams (this can only be done by the platform admin).
-- Team admins can not add Platform admins to their Teams.
+- Team administrators can assign users the role of Team member of the Team they administer.
+- Team administrators can not remove themselves from Teams they administer (this can only be done by the platform admin).
+- Team administrators can not remove other Team administrators from their teams (this can only be done by the platform admin).
+- Team administrators can not add Platform administrators to their Teams.
 - Team members are not able to see the User Management section in the menu.
-- Users are stored encrypted in the `values` repository `env/secrets.users.yaml` file.
-- The initial login credentials of a new User can be copied from the platform view user management page by Platform admins only.
+- Users are stored encrypted in the `values` repository.
+- The initial login credentials of a new User can be copied from the platform view user management page by Platform administrators only.
 - Users’ passwords are not stored in the values repo (except initial password).
-- A password reset can only be performed by a Platform admin. Password restest need to be done in the Keycloak app using the `otomi-admin` credentials. As an alternative Platform admin can also re-create a user.
-- The User management feature follows the Single Source of Truth principle by referencing the `env/secrets.users.yaml` file in the `values` repository. If a new user is created directly in Keycloak, this user will be deleted at the next commit.
+- A password reset can only be performed by a Platform admin. A password reset needs to be done in the Keycloak app using the `otomi-admin` credentials. As an alternative a user with the platform administrator role can also re-create a user.
 - Kubernetes secrets are used to pass user data between Pods, but there is a limit for user-defined variables. The maximum size of a user-defined environment variable is 32,767 characters. This limits the amount of users that can be created to around 200.
 
 ## Creating Users

docs/for-ops/how-to/make-owner-in-gitea.md

@@ -0,0 +1,21 @@
+---
+slug: make-owner-in-gitea
+title: Make user Owner of a Gitea Organization
+sidebar_label: Make user Gitea Org Owner
+---
+
+Follow these steps to add a user with the platform administrator role to the Owners group of a Team Organization in Gitea:
+
+1. Open the Gitea app.
+
+2. In the top right, click on your profile icon.
+
+3. Click `Site Administration`.
+
+4. Click on `Identity & Access` in the `Admin Settings` on the left and then click on `Organizations`.
+
+5. Click on the Organization where you want to become an owner of.
+
+6. In the `Teams` section, click on `Owners`.
+
+7. In the `Owners` section, click `Join`.

docs/for-ops/how-to/overview.md

@@ -12,8 +12,6 @@ sidebar_label: Overview
 
 ### [Managing Ingress Controllers](ingress-classes.md).
 
-### [Use the team-admin](use-team-admin.md).
-
 ### [Using Core only](core-only.md).
 
 ### [Create and restore backups](backups.md).
@@ -26,3 +24,5 @@ sidebar_label: Overview
 
 ### [Change or reset user passwords](change-user-passwords.md).
 
+### [Make a platform admin Owner of a Team Organization in Gitea](make-owner-in-gitea.md)
+

docs/for-ops/how-to/use-team-admin.md

@@ -8,35 +8,46 @@ sidebar_label: Detect Threats
 Falco needs to be activated for this lab.
 :::
 
+:::info
+This lab requires a user with the `platform-administrator` role!
+:::
+
 Falco is a cloud native security tool that provides runtime security. It leverages custom rules on Linux kernel events and other data sources through plugins, enriching event data with contextual metadata to deliver real-time alerts. Falco enables the detection of abnormal behavior, potential security threats, and compliance violations.
 
 ## Generate threats
 
-For this lab we'll deploy the `event-generator` in a Team namespace. The event-generator is a tool designed to generate events for both syscalls and k8s audits. The tool can be used to check if Falco is working properly. It does so by performing a variety of suspects actions which trigger security events. The event-event generator implements a minimalistic framework which makes easy to implement new actions.
+For this lab we'll install the `event-generator` in a Team namespace. The event-generator is a tool designed to generate events for both syscalls and k8s audits. The tool can be used to check if Falco is working properly. It does so by performing a variety of suspects actions which trigger security events. The event-event generator implements a minimalistic framework which makes easy to implement new actions.
 
-:::info
-Installing the `falcosecurity/event-generator` can only be done by a user with the platform admin role.
-:::
 
-1. Add the falcosecurity charts repository:
+1. Sign in with a user that has the `platform-administrator` role.
+
+2. Select view `team` and team `admin`.
+
+3. In the left menu, click on `Shell.
+
+4. Add the falcosecurity charts repository:
 
 ```bash
 helm repo add falcosecurity https://falcosecurity.github.io/charts
 helm repo update
 ```
 
-2. Install the chart in the team namespace:
+5. Install the chart in the team namespace:
 
 ```bash
 helm install team-labs falcosecurity/event-generator -n team-labs
 ```
 
+6. Sign out
+
 ## See the events in the detected threats in containers dashboard
 
-1. In the left menu, click on `Apps` and open `Grafana`.
+1. Sign in as a Team member (using the `[email protected]` user).
+
+2. In the left menu, click on `Apps` and open `Grafana`.
 
-2. Click on the `Detected threats in containers` dashboards
+3. Click on the `Detected threats in containers` dashboards.
 
-3. See all the generated threat events
+4. See all the generated threat events:
 
 ![falco-dashboard](../../img/falco-dashboard.png)

docs/get-started/labs/detect-threats.md

@@ -6,11 +6,13 @@ sidebar_label: Lab Prerequisites
 
 ## Prerequisites
 
-1. DNS is configured. See [here](get-started/installation/overview.md). Not needed when using the LKE automatic installation.
+1. Make sure App Platform is installed with DNS. See [here](get-started/installation/overview.md). Not needed when using the LKE automatic installation.
 
-2. Prometheus is enabled on the platform level.
+2. Sign in with a user that has the `platform-administrator` role
 
-2. Enable additional App on the platform level to support the following labs:
+3. Enable Prometheus on the platform level.
+
+4. Enable additional Apps on the platform level to support the following labs:
 
 | Lab                                         | App                                 |
 |---------------------------------------------|-------------------------------------|
@@ -26,22 +28,24 @@ sidebar_label: Lab Prerequisites
 For the [Tracing with Open Telemetry](use-otel.md) Lab, tracing needs to be configured in the `Istio` and `Nginx Ingress` apps.
 :::
 
-3. A team called `labs` is created with `Dashboards` and `Alerts` enabled. See [here](docs/for-ops/console/teams.md) how to create Teams.
+5. Create a Team called `labs` with `Dashboards` and `Alerts` enabled. See [here](docs/for-ops/console/teams.md) how to create Teams.
 
-4. A user account is created and added to the `labs` Team. In the labs we'll be using the user `[email protected]`. See [here](docs/for-ops/console/usermgnt.md) how to create users and assign them to Teams.
+6. Create a user and make this user a member of the `labs` Team. In the labs we'll be using the user `[email protected]`. See [here](docs/for-ops/console/usermgnt.md) how to create users and assign them to Teams.
 
-:::note
-An organization in Gitea is automatically created for each Team. Only members of the Team are added to the `Owners` group of this organization. When using the `platform-admin` account, make sure to add your account to the `Owners` group of the Team's organization in Gitea.
+:::info
+The App Platform will automatically create an organization for each Team in Gitea. Only members of the Team are added to the `Owners` group of this organization. It is possible to go through the labs using the (default) `platform-admin` user account that was created during the installation of the App Platform. When using the `platform-admin` user, then make sure to add your account to the `Owners` group of the Team's organization in Gitea. Follow the instruction for adding the platform-admin user to the Owners group of a Team's organization in Gitea [here](../../for-ops/how-to/make-owner-in-gitea.md)
 :::
 
-5. The Kube API URL has been added to the [Cluster Settings](../../for-ops/console/settings/cluster.md). Select the `platform` view and click on `Settings` in the left menu. Then click on `Cluster`. When using LKE: You can find the Kube API URL in the Summary of your LKE cluster. Here it is called the `Kubernetes API Endpoint`. You can remove `:443` at the end.
+6. Add the Kube API to the [Cluster Settings](../../for-ops/console/settings/cluster.md). Select the `platform` view and click on `Settings` in the left menu. Then click on `Cluster`. When using LKE: You can find the Kube API URL in the Summary of your LKE cluster. Here it is called the `Kubernetes API Endpoint`. You can remove `:443` at the end.
 
-## Sign in to the Console
+## Start with the labs
 
-- Go to the provided URL. The URL will look like this: https://console.yourdomain.com
+- Go to https://console.yourdomain.com.
 
-- Sign in with the created user account.
+- Sign in with the created user account ([email protected]) and change the initial password.
 
 After sign in, you will see this page (with Dashboards enabled):
 
 ![Team dashboard](../../img/team-dashboard.png)
+
+- Start with the [first lab](create-repos.md) to create a code repository in Gitea (the self-hosted Git service in the App Platform).

docs/get-started/labs/labs-prerequisites.md

@@ -4,9 +4,13 @@ title: Scan your images for vulnerabilities
 sidebar_label: Scan Images
 ---
 
+:::info
+This lab requires a user with the `platform-administrator` role!
+:::
+
 ## Prerequisites
 
-To automatically scan images for vulnerabilities, `Automatically scan images on push` in the Team project settings in Harbor needs to be enabled by the platform administrator:
+To automatically scan images for vulnerabilities, `Automatically scan images on push` in the Team project settings in Harbor needs to be enabled by a user with the `platform-administrator` role:
 
 ![image vulnerabilities](../../img/harbor-config.png)
 

docs/get-started/labs/scan-images.md

@@ -4,11 +4,15 @@ title: OpenTelemetry
 sidebar_label: Use OpenTelemery
 ---
 
+:::info
+This lab requires a user with the `platform-administrator` role!
+:::
+
 In order to make a system observable, it must be instrumented. Language specific implementation of OpenTelemetry provides a way to instrument your application without touching your source code. In this lab we're going to instrument a Java application.
 
 ## Prerequisites
 
-Make sure the following Apps are enabled: 
+Make sure the following Apps are enabled on the platform (requires a user with the `platform-administrator` role): 
 
 - `Tempo` on Platform
 - `Otel` on Platform
@@ -41,6 +45,10 @@ Setting the `samplingRatio` to `100` is only done for this lab to make sure all
 
 7. Repeat step 2 to 6 for the `ingress-nginx-platform` app.
 
+:::note
+Sometimes instrumenting the nginx-ingress controller requires a restart of the pods. Restart the `ingress-nginx-platform-controller` Pod if you don't see any traces from nginx.
+:::
+
 ## Build an image from source code
 
 For this lab we're going to use the [Spring PetClinic Sample Application](https://github.com/spring-projects/spring-petclinic). Follow these steps to build an image from source code:

docs/get-started/labs/use-otel.md

@@ -5,7 +5,7 @@ sidebar_label: View Container Metrics
 ---
 
 :::info
-Prometheus and Grafana for the Team need to be activated for this lab.
+Prometheus on the Platform and Dashboards for the Team need to be enabled
 :::
 
 When your application is deployed, you would of course like to be able to see container metrics for debugging purposes. Prometheus is used for collecting metrics. When Prometheus is enabled on the platform level and Grafana is enabled for the Team, general container metrics (provided by the Platform Prometheus) can be used in Grafana dashboards.

docs/get-started/labs/view-metrics.md

@@ -112,13 +112,13 @@ module.exports = {
           "for-ops/how-to/overview",
           "for-ops/how-to/use-catalog",
           "for-ops/how-to/ingress-classes",
-          "for-ops/how-to/use-team-admin",
           "for-ops/how-to/backups",
           "for-ops/how-to/clone-apl",
           "for-ops/how-to/manage-age",
           "for-ops/how-to/change-admin-password",
           "for-ops/how-to/change-user-passwords",
           "for-ops/how-to/use-the-cli",
+          "for-ops/how-to/make-owner-in-gitea",
         ],
       },
       {