 |
Please close this ticket. I created the same one in Centos-CI namespace: https://bugs.centos.org/view.php?id=17549 |
|
|
Please ignore previous comment :-( |
 |
Hi astepano, Hmm you shouldn't need to do any of this, we already have edge encryption available for use on our routes/ingresses eg: https://asdf-route-test.apps.ocp.stg.ci.centos.org/ See the following example route where I have edge encryption enabled: https://paste.centos.org/view/911805b5 |
|
|
edge_encrypted_route.yaml (654 bytes) |
|
|
Just uploaded the Route as a file, as the paste.centos.org only keeps for 24 hours. |
|
|
@dkriwan, thank you for the reply. Will it work for "routes" with specified FQDN? Example: mydomain.com? We need support ACME. |
|
|
Aha I misunderstood your request.. Ok I understand what you folks are trying to achieve. Hmm from looking at the https://github.com/tnozicka/openshift-acme/blob/master/deploy/specific-namespaces/role.yaml I can't see where it is trying to grant access to create/update/patch Events ({APIGroups:[""], Resources:["events"], Verbs:["create" "update" "patch"]}). Can you try this deployment instead: https://github.com/tnozicka/openshift-acme/blob/master/deploy/single-namespace/ ? If that fails, I'll look into granting this extra permission to create Events to your group. |
|
|
@dkirwan thank you! I installed: https://github.com/tnozicka/openshift-acme/tree/master/deploy#single-namespace I do not know, there is another place where it requires 'events': https://github.com/bitsbeats/helm-charts/blob/master/charts/openshift-acme/templates/rbacRole.yaml#L52 Okay. In one place it is required, in other it is not. Ok, let's close this ticket. I will try to play if it doesn't work, I will open other ticket. |
|
|
Great :D get back to us if you run into trouble. |
|
|
Hi Astepano, Quick question just to clarify the original query. "Services can be exposed securely with: https://xxx-fedora-ci.apps.ocp.ci.centos.org" We have the cluster configured with wildcard SSL certs from letsencrypt for *.apps.ocp.ci.centos.org. This allows us to terminate SSL at the edge for all https://service-namespace.apps.ocp.ci.centos.org routes/ingresses. Is that what you need here? If so take a look at the Route example I linked earlier, it should have what you need to achieve this :) |
|
|
@dkirwan hi. It was a statement from me: services can be exposed securely with: https://xxx-fedora-ci.apps.ocp.ci.centos.org . In other words: I know, that services can be exposed securely under domain xxx.apps.ocp.ci.centos.org I just wanted to say: we use a different approach. Thank you. |
 |
@astepano Do we have an idea of which domains outside of apps.ocp.ci.centos.org we're looking to use here? I'd really like to be sure we have a good handle on the endpoints where traffic might come in. |
|
|
Reply to bstinson@. Example of running site: https://osci-jenkins-2.ci.fedoraproject.org/ |
|
|
ok, so *.ci.fedoraproject.org Is hosting this on *.ci.fp.o a hard requirement? Or just for looks? |
|
|
Hello. This is for mobility/flexibility. Let's take jenkins-continuous-infra.apps.ci.centos.org. The functionality is hard-bound to the 3.9 cluster. There is no way to flawlessly move the service from jenkins-continuous-infra.apps.ci.centos.org to new apps.ocp.ci.centos.org . We want to break connection between service name with the platform where it is hosted. On the other hand: unification. |
- Anonymous
