Glossary
A flat index of the terms this site uses when talking about Kestrel and the Alliance account / identity layer it sits on. Each entry is a short definition; deeper explanations live on the page that owns the concept.
Alliance
The Digital Research Alliance of Canada (alliancecan.ca) --- the national organization that funds and operates advanced research computing for researchers at CFI-eligible Canadian institutions. The Alliance owns the identity model (CCDB, CCRI roles, LDAP group membership) and the allocation model (RAS and RAC competitions, HPC and Cloud RAPs) that Kestrel sits on top of. RCS operates Kestrel at UVic on the Alliance’s Arbutus cloud site.
App-of-apps
An ArgoCD pattern where a single root Application resource points at a directory of child Application manifests, so registering one app adds every subsequent app by git push. On Kestrel, tenants fork an RCS-provided template and own the resulting repo.
Arbutus
The Alliance cloud site operated at UVic. Arbutus is one of the Alliance’s national cloud sites and runs on OpenStack. Kestrel is a Kubernetes service layered on top of Arbutus --- you get a Kestrel tenant by having a Cloud RAP on Arbutus, not by directly running OpenStack instances. The public Kestrel hostname is kestrel.arbutus.cloud.
Capsule
The multi-tenancy operator running on Kestrel. Capsule defines the Tenant custom resource and enforces namespace prefixing, network isolation, resource pool quotas, and service-type restrictions at the Kubernetes admission layer.
CCDB
The Compute Canada Database (ccdb.alliancecan.ca) --- the Alliance’s identity and allocation registry. Every researcher who uses any Alliance service (HPC, cloud, including Kestrel) has a CCDB account with a CCI and one or more CCRI roles. PIs create and manage their RAPs in CCDB, including adding and removing users from Cloud RAPs. Tenant membership on Kestrel is managed here, not in Keycloak.
CCI
Compute Canada Identifier --- your permanent national identifier across every Alliance service. Format: abc-123 (three letters, a dash, three digits). You get a CCI when you register at ccdb.alliancecan.ca. Your CCI stays with you for the duration of your research career across institutions.
CCRI
Compute Canada Role Identifier --- the triple of position + institution + sponsor that represents one role you hold at a time. Format: <cci>-NN (your CCI followed by a two-digit role number, e.g. abc-123-01). Faculty roles are auto-approved; sponsored roles (graduate student, postdoc, research staff, external collaborator) require a PI to sponsor the request. The CCRI is what grants you access to an Alliance service under a particular sponsor.
Cloud RAP
A Resource Allocation Project for an Alliance cloud site, held by a PI. On Arbutus, a Cloud RAP backs a Kestrel tenant 1:1: one Cloud RAP = one Capsule Tenant, and the tenant name matches the RAP’s POSIX group name. Group naming conventions:
def-profname --- default Cloud RAP, allocated via RAS when a PI requests basic cloud access.
crg-profname-xx --- RAC Cloud RAP, allocated via the annual Resource Allocation Competition (competitive process for larger allocations).
cpp-profname-xx --- Cloud Persistent RAP, allocated for long-running persistent cloud infrastructure.
Ingress
A Kubernetes resource that maps an external hostname and path to a Service inside the cluster. On Kestrel, Ingresses are served by Traefik with ingressClassName: traefik and tenant-scoped hostnames.
Keycloak
Kestrel’s OIDC broker. Keycloak’s upstream identity provider is Alliance LDAP (dc=computecanada,dc=ca) --- it federates the Alliance’s LDAP-backed identity store and re-issues it as OIDC id_tokens that kubelogin can consume. The groups claim in the OIDC token carries the Alliance LDAP POSIX group names backing your active Cloud RAPs. Keycloak does not federate UVic institutional SSO, and there is no SAML assertion from UVic in the chain.
kubelogin
CLI tool that performs the OIDC browser flow against Keycloak and writes a short-lived token into ~/.kube/config for kubectl to use. The upstream project is int128/kubelogin --- not the Microsoft Azure AD tool of the same name.
Namespace
A Kubernetes scope that holds workloads, services, and configuration. On Kestrel, every tenant namespace name must begin with the tenant’s own prefix (<tenant>-*) because Capsule’s forceTenantPrefix rejects names that do not.
OIDC
OpenID Connect --- the authentication protocol Keycloak uses to issue identity tokens. kubectl presents these tokens to the kube-apiserver, which validates them before authorizing your requests. On Kestrel, the OIDC groups claim names your Cloud RAP group memberships from Alliance LDAP.
RAP
Resource Allocation Project --- the Alliance’s unit of allocation. Every RAP is owned by a PI and has one or more associated Alliance LDAP POSIX groups representing the users covered by the allocation. There are two families: HPC RAPs (prefixes rrg-*, rpp-*) which back scheduler submission on Alliance HPC systems (Cedar, Graham, Narval, etc.), and Cloud RAPs (prefixes def-*, crg-*, cpp-*) which back cloud access on Alliance cloud sites including Arbutus. Only Cloud RAPs back Kestrel tenants --- HPC RAPs are for a different family of services. See Cloud RAP for the Kestrel-specific conventions.
RAS
Rapid Access Service --- the Alliance’s default allocation tier. Any eligible PI can request a default Cloud RAP (def-profname) via RAS without going through the annual Resource Allocation Competition (RAC). RAS is the common starting point for PIs onboarding to Kestrel; larger allocations migrate to RAC over time. (Note: RAS is an Alliance allocation process, not to be confused with OpenStack’s historical “Resource Allocation Service” component, which is not part of the Kestrel identity or tenancy model.)
ResourcePool
A Capsule custom resource that scopes a shared quota across every namespace in a tenant. Tenants see one pool per tier (sandbox, standard, premium, or custom); any namespace in the tenant can consume any fraction of it, so organizing work across namespaces does not isolate quota. See Resource pools and quotas.
Tenant
A Capsule Tenant custom resource. On Kestrel, one tenant = one Alliance Cloud RAP, 1:1. The tenant name matches the Cloud RAP’s POSIX group name; the owner group is oidc:<rap-group-name> (the oidc: prefix is added by the kube-apiserver when it validates the OIDC id_token from Keycloak). The Tenant resource allowlists namespace names under a tenant prefix, sets service-type and ingress restrictions, and points every namespace it owns at a shared ResourcePool. Tenant membership is managed by the PI in CCDB, not in Keycloak.
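The Keycloak, OIDC, RAP, CCRI and Tenant entries above describe one chain: the groups claim in the id_token, the oidc: prefix the kube-apiserver adds, the Cloud RAP prefixes that back tenants, and the forceTenantPrefix rule for namespaces. The following is an added troubleshooting helper, not code from the Kestrel project, that walks that chain over a constructed sample token; the sample token, the placeholder signature and the group names in it are assumptions for illustration.

```python
import base64
import json
import re

# Conventions taken from the glossary entries above.
CLOUD_RAP_PREFIXES = ("def-", "crg-", "cpp-")  # these back Kestrel tenants
HPC_RAP_PREFIXES = ("rrg-", "rpp-")            # scheduler-side only, never a tenant
CCI_RE = re.compile(r"^[a-z]{3}-\d{3}$")                # abc-123
CCRI_RE = re.compile(r"^([a-z]{3}-\d{3})-(\d{2})$")     # abc-123-01


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Read a JWT payload WITHOUT verifying it. This only shows what Keycloak
    put in the token; signature validation stays the kube-apiserver's job."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def split_ccri(ccri: str):
    """Return (cci, role_number) for a CCRI, or None if it is not one."""
    m = CCRI_RE.match(ccri)
    return (m.group(1), m.group(2)) if m else None


def rap_family(group: str):
    """Classify a POSIX group name as a 'cloud' RAP, an 'hpc' RAP, or None."""
    if group.startswith(CLOUD_RAP_PREFIXES):
        return "cloud"
    return "hpc" if group.startswith(HPC_RAP_PREFIXES) else None


def kestrel_owner_groups(groups) -> list:
    """Map the OIDC groups claim to the Capsule owner groups it can satisfy:
    keep Cloud RAP groups, add the kube-apiserver's oidc: prefix, drop the rest."""
    return [f"oidc:{g}" for g in groups if rap_family(g) == "cloud"]


def namespace_allowed(namespace: str, tenant: str) -> bool:
    """Capsule forceTenantPrefix rule: the name must start with '<tenant>-'."""
    return namespace.startswith(tenant + "-")


# Constructed sample id_token (placeholder header and signature, not a real Keycloak token).
SAMPLE_ID_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"sub": "abc-123",
                        "groups": ["def-profname", "rrg-profname-ab", "cpp-profname-01"]}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_ID_TOKEN)
    print(kestrel_owner_groups(claims["groups"]))  # ['oidc:def-profname', 'oidc:cpp-profname-01']
```

To inspect a real token, read the id-token value kubelogin wrote into ~/.kube/config and pass it to decode_claims; a group missing from the output means the PI has not added you to that Cloud RAP in CCDB, which Keycloak cannot fix.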