Cray System Management Documentation > Cray System Management (CSM) Administration Guide > multi tenancy > TAPMS (Tenant and Partition Management System) Overview

TAPMS (Tenant and Partition Management System) Overview

Overview

tapms is the primary Kubernetes operator through which tenant creation and management is handled. This operator interacts with several other services in the CSM software stack to provision the necessary components for a given tenant. This document gives an overview of its functionality.

Tenant schema

See the Tenant Custom Resource Definition for the full schema. Below is a description of the required fields for a tenant:

Field	Description
`tenantname`	Name of the tenant. See Tenant naming requirements for restrictions on tenant naming.
`childnamespaces`	List of namespaces that should be created for the tenant. These namespaces be created with the name specified here, prepended with the required HNC prefix.
`tenantresources`.`type`	Only `compute` is supported in the initial release of `tapms`.
`tenantresources`.`hsmgrouplabel`	The name of the HSM group label for the `xnames` specified below (mutually exclusive from `hsmpartitionname`).
`tenantresources`.`hsmpartitionname`	The name of the HSM partition to create and assignments for the `xnames` specified below (mutually exclusive from `hsmgrouplabel`).
`tenantresources`.`enforceexclusivehsmgroups`	If `true`, tenants that share this setting will not be allowed to specify the same `xname` (only appropriate if `hsmgrouplabel` is also specified).
`tenantresources`.`xnames`	List of compute component names (xnames) that this tenant is allowed to use for running jobs.

Reconcile operations

When a tenant CR is applied, tapms will:

Create a tenant and Kubernetes namespace with the specified name. Note that when hnc is deployed, it will be configured with a required prefix for tenant names ensuring that namespaces not associated with multi-tenancy are not managed by hnc. The default prefix is vcluster, and this can be changed during the deployment of the cray-hnc-manager Helm chart.
Create namespaces specified in the childnamespaces with the tenant-specific prefix.
Add the specified xnames to an HSM group or partition.
Apply the valued specified in hsmgrouplabel
If the enforceexclusivehsmgroups flag is true, tapms will ensure xnames cannot be specified in multiple tenants (that also have the flag set to true for their hsmgrouplabel).
Create a Keycloak group with the name <tenant-name>-tenant-admin which can be assigned to users intended to be tenant administrators.

Tenant states

tapms will report one of the following states for a tenant, depending on the current state of the tenant:

State	Description
`New`	`tapms` has begun reconciliation for a newly created tenant.
`Deploying`	`tapms` is in the process of deploying the tenant.
`Deployed`	The tenant reconciliation is complete (from the perspective of `tapms`).
`Deleting`	`tapms` has begun deleting the tenant.