View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017549 | CentOS CI | general | public | 2020-06-29 16:10 | 2020-07-02 06:14 |
Field | Value |
---|---|
Reporter | astepano |
Assigned To | |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | assigned |
Resolution | reopened |
Summary | 0017549: 0017548: OCP4: ocp.ci.centos.org, please grant to "fedora-ci-admins" the right to manage "events" in namespace "fedora-ci" |
Tags | No tags attached. |

Description:

Hello, this ticket is about OCP4: ocp.ci.centos.org. We want to specify an FQDN for routes. Services can be exposed securely with: https://xxx-fedora-ci.apps.ocp.ci.centos.org

We need to use an ACME/letsencrypt service that issues certificates for routes with https://FQDN. There is a tool for this: https://github.com/tnozicka/openshift-acme

The tool can be installed in different ways:

1) for the cluster
2) for a namespace

I am trying to install the tool into our namespace: fedora-ci. But I cannot create a role for our namespace: https://github.com/tnozicka/openshift-acme/blob/master/deploy/specific-namespaces/role.yaml

The error at this step is:

```
Error: roles.rbac.authorization.k8s.io "acme-openshift-acme" is forbidden: user "astepano@redhat.com" (groups=["fedora-ci-admins" "system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["events"], Verbs:["create" "update" "patch"]}
```

Please grant permission to "fedora-ci-admins" to create that role for our namespace. Because we manage resources in an automatic way, it would be great if we had permission to create/remove the above role with our credentials.

Thank you! Regards!
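The error in the description is the Kubernetes RBAC escalation-prevention check: the API server lets a user create a Role only if every permission in its rules is already held by that user (or the user holds the `escalate` verb on roles). The following Python model, added here as an illustration and not part of the ticket, openshift-acme or OpenShift, reproduces that decision over constructed sample data. The held rules for the `fedora-ci-admins` group and the requested role rules are assumptions chosen to mirror the ticket's outcome; only the `events` rule is taken from the error text.

```python
"""Model of the Kubernetes RBAC escalation-prevention check (hypothetical example).

The API server breaks each requested rule into (apiGroup, resource, verb) triples
and refuses the Role if any triple is not covered by a rule the requester already
holds. A requester holding the ``escalate`` verb on roles bypasses this check;
that path is not modelled here.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # "" is the core API group, "*" matches any group
    resources: tuple    # "*" matches any resource
    verbs: tuple        # "*" matches any verb


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def covers(held: Rule, group: str, resource: str, verb: str) -> bool:
    """True if one held rule grants the single permission (group, resource, verb)."""
    return (
        any(_matches(g, group) for g in held.api_groups)
        and any(_matches(r, resource) for r in held.resources)
        and any(_matches(v, verb) for v in held.verbs)
    )


def uncovered(held_rules, requested: Rule):
    """Triples of `requested` that no held rule covers, in rule order."""
    return [
        (g, r, v)
        for g, r, v in product(requested.api_groups, requested.resources, requested.verbs)
        if not any(covers(h, g, r, v) for h in held_rules)
    ]


def can_create_role(held_rules, role_rules):
    """Mimic the API server decision: (allowed, missing_triples)."""
    missing = []
    for rule in role_rules:
        missing.extend(uncovered(held_rules, rule))
    return (not missing, missing)


def format_missing(missing):
    """Render uncovered permissions in the style of the API server's error text."""
    by_group_resource = {}
    for g, r, v in missing:
        by_group_resource.setdefault((g, r), []).append(v)
    return [
        '{APIGroups:["%s"], Resources:["%s"], Verbs:[%s]}'
        % (g, r, " ".join('"%s"' % v for v in verbs))
        for (g, r), verbs in by_group_resource.items()
    ]


# Constructed sample: what a namespace-admin group might hold (assumption).
HELD = [
    Rule(("",), ("pods", "services", "secrets", "configmaps"), ("*",)),
    Rule(("route.openshift.io",), ("routes",), ("*",)),
    Rule(("",), ("events",), ("get", "list", "watch")),
]

# Constructed sample role: the events rule matches the ticket's error message.
REQUESTED = [
    Rule(("",), ("secrets", "services"),
         ("get", "list", "watch", "create", "update", "patch", "delete")),
    Rule(("route.openshift.io",), ("routes",), ("get", "list", "watch", "update", "patch")),
    Rule(("",), ("events",), ("create", "update", "patch")),
]

# What a cluster admin would add to the group's held rules to resolve the ticket.
EVENTS_WRITE = Rule(("",), ("events",), ("create", "update", "patch"))

if __name__ == "__main__":
    allowed, missing = can_create_role(HELD, REQUESTED)
    print("allowed:", allowed)
    for line in format_missing(missing):
        print("not currently held:", line)
    print("after grant:", can_create_role(HELD + [EVENTS_WRITE], REQUESTED)[0])
```

The check is deliberately one-directional: widening the requester's own held rules (what the ticket asks the cluster admins for) is the only way to make the Role creatable, so a namespace admin cannot bootstrap permissions the platform team never delegated, and a request for a `*`/`*`/`*` rule is rejected unless the requester already holds wildcards.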
Note 0037254 (astepano):

Please close this ticket. I created the same one in the Centos-CI namespace: https://bugs.centos.org/view.php?id=17549

Note 0037255 (astepano):

Please ignore the previous comment :-(
Note 0037257 (dkirwan):

Hi astepano, hmm, you shouldn't need to do any of this; we already have edge encryption available for use on our routes/ingresses, e.g.: https://asdf-route-test.apps.ocp.stg.ci.centos.org/

See the following example route where I have edge encryption enabled: https://paste.centos.org/view/911805b5

Attached file: edge_encrypted_route.yaml (654 bytes)

```yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: asdf
  namespace: route-test
spec:
  host: asdf-route-test.apps.ocp.stg.ci.centos.org
  to:
    kind: Service
    name: storage-test
    weight: 100
  port:
    targetPort: 8000-tcp
  tls:
    # TLS is terminated at the router using the cluster's wildcard certificate
    termination: edge
    # plain-HTTP requests are redirected to HTTPS instead of being served
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
status:
  ingress:
    - host: asdf-route-test.apps.ocp.stg.ci.centos.org
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2020-06-29T16:31:55Z'
      wildcardPolicy: None
      routerCanonicalHostname: apps.ocp.stg.ci.centos.org
```

Note 0037259 (dkirwan):

Just uploaded the Route as a file, as paste.centos.org only keeps it for 24 hours.
Note 0037260 (astepano):

@dkirwan, thank you for the reply. Will it work for "routes" with a specified FQDN? Example: mydomain.com? We need ACME support.
Note 0037262 (dkirwan):

Aha, I misunderstood your request. Ok, I understand what you folks are trying to achieve. Hmm, from looking at https://github.com/tnozicka/openshift-acme/blob/master/deploy/specific-namespaces/role.yaml I can't see where it is trying to grant access to create/update/patch Events (`{APIGroups:[""], Resources:["events"], Verbs:["create" "update" "patch"]}`).

Can you try this deployment instead: https://github.com/tnozicka/openshift-acme/blob/master/deploy/single-namespace/ ? If that fails, I'll look into granting this extra permission to create Events to your group.
Note 0037263 (astepano):

@dkirwan thank you! I installed: https://github.com/tnozicka/openshift-acme/tree/master/deploy#single-namespace

I do not know; there is another place where it requires 'events': https://github.com/bitsbeats/helm-charts/blob/master/charts/openshift-acme/templates/rbacRole.yaml#L52

Okay. In one place it is required, in the other it is not. Ok, let's close this ticket. I will try to play with it; if it doesn't work, I will open another ticket.
Note 0037264 (dkirwan):

Great :D get back to us if you run into trouble.
Note 0037268 (dkirwan):

Hi Astepano, quick question just to clarify the original query. "Services can be exposed securely with: https://xxx-fedora-ci.apps.ocp.ci.centos.org"

We have the cluster configured with wildcard SSL certs from letsencrypt for *.apps.ocp.ci.centos.org. This allows us to terminate SSL at the edge for all https://service-namespace.apps.ocp.ci.centos.org routes/ingresses. Is that what you need here? If so, take a look at the Route example I linked earlier; it should have what you need to achieve this :)
Note 0037272 (astepano):

@dkirwan hi. It was a statement from me: services can be exposed securely with: https://xxx-fedora-ci.apps.ocp.ci.centos.org. In other words: I know that services can be exposed securely under the domain xxx.apps.ocp.ci.centos.org. I just wanted to say: we use a different approach. Thank you.
Note 0037285 (bstinson):

@astepano Do we have an idea of which domains outside of apps.ocp.ci.centos.org we're looking to use here? I'd really like to be sure we have a good handle on the endpoints where traffic might come in.
Note 0037286 (astepano):

Reply to bstinson@. Example of a running site: https://osci-jenkins-2.ci.fedoraproject.org/
Note 0037290 (bstinson):

Ok, so *.ci.fedoraproject.org. Is hosting this on *.ci.fp.o a hard requirement? Or just for looks?
Note 0037293 (astepano):

Hello. This is for mobility/flexibility. Let's take jenkins-continuous-infra.apps.ci.centos.org. The functionality is hard-bound to the 3.9 cluster. There is no way to flawlessly move the service from jenkins-continuous-infra.apps.ci.centos.org to the new apps.ocp.ci.centos.org. We want to break the connection between the service name and the platform where it is hosted. On the other hand: unification.

Issue History:
Date Modified | Username | Field | Change |
---|---|---|---|
2020-06-29 16:10 | astepano | New Issue | |
2020-06-29 16:10 | astepano | Status | new => assigned |
2020-06-29 16:11 | astepano | Note Added: 0037254 | |
2020-06-29 16:12 | astepano | Note Added: 0037255 | |
2020-06-29 16:35 | dkirwan | Note Added: 0037257 | |
2020-06-29 16:48 | dkirwan | File Added: edge_encrypted_route.yaml | |
2020-06-29 16:49 | dkirwan | Note Added: 0037259 | |
2020-06-29 16:52 | astepano | Note Added: 0037260 | |
2020-06-29 17:06 | dkirwan | Note Added: 0037262 | |
2020-06-29 17:37 | astepano | Note Added: 0037263 | |
2020-06-29 17:45 | dkirwan | Note Added: 0037264 | |
2020-06-29 20:51 | dkirwan | Note Added: 0037268 | |
2020-06-30 10:05 | astepano | Note Added: 0037272 | |
2020-06-30 10:50 | siddharthvipul1 | Status | assigned => resolved |
2020-06-30 10:50 | siddharthvipul1 | Resolution | open => fixed |
2020-07-01 13:41 | bstinson | Note Added: 0037285 | |
2020-07-01 13:48 | astepano | Status | resolved => feedback |
2020-07-01 13:48 | astepano | Resolution | fixed => reopened |
2020-07-01 13:48 | astepano | Note Added: 0037286 | |
2020-07-02 00:33 | bstinson | Note Added: 0037290 | |
2020-07-02 06:14 | astepano | Note Added: 0037293 | |
2020-07-02 06:14 | astepano | Status | feedback => assigned |