On 23/09/2021 02:55, Neal Gompa wrote:
> On Wed, Sep 22, 2021 at 7:12 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
<snip>
>>
>> * Since the control plane are vm's I assume we need to drain them one at
>> a time to reboot the virthosts they are on?

Correct

>>
>> * Should we now delete the kubeadmin user? In 3.x I know they advise to
>> do that after auth is setup.
>>
>
> I'm not sure that's a good idea. I'm not even certain that was a good
> idea in the OCP 3.x days, because eliminating the kubeadmin user means
> you lose your failsafe login if all else fails.

+1 here : the reason why we decided to still keep kubeadmin on the other
OCP clusters used for CentOS CI and Stream is exactly for that reason :
still be able to login, if there is a problem with the oauth setup, and
troubleshoot issues if (for example) ipsilon or IPA have troubles ... :-)

>
>> * Right now the api is only internal. Is it worth getting a forward
>> setup to allow folks to use oc locally on their machines? It would
>> expose that api to the world, but of course it would still need auth.

That's what we decided to do for the CentOS CI ocp setup, and so CI
tenants can use oc from their laptop/infra.
As long as cert exposed for default ingress has it added in the SAN, it
works fine :

X509v3 Subject Alternative Name:
    DNS:*.apps.ocp.ci.centos.org, DNS:api.ocp.ci.centos.org, DNS:apps.ocp.ci.centos.org

-- 
Fabian Arrotin
gpg key: 17F3B7A1 | twitter: @arrfab
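Added example, not part of the original message or of the CentOS CI configuration: a small Python check of which SAN entry, if any, covers a given hostname, using the SAN line quoted above. It shows why the API name has to be listed explicitly: a wildcard covers exactly one left-most label, so `*.apps.ocp.ci.centos.org` does not match `api.ocp.ci.centos.org`. The function names and the `console.apps...` and `a.b.apps...` hostnames are constructed for illustration.

```python
# SAN line as quoted in the message above.
SAN_LINE = ("DNS:*.apps.ocp.ci.centos.org, DNS:api.ocp.ci.centos.org, "
            "DNS:apps.ocp.ci.centos.org")


def parse_san(line):
    """Extract DNS names from an openssl-style 'DNS:a, DNS:b' SAN line."""
    entries = (e.strip() for e in line.split(","))
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the entire left-most
    label and stands for exactly one label, never for several."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_entries(san_line, hostname):
    """Return the SAN entries that would validate this hostname."""
    return [p for p in parse_san(san_line) if san_matches(p, hostname)]


if __name__ == "__main__":
    # Hostnames below are constructed test inputs, except the API name,
    # which appears in the quoted SAN line.
    for host in ("api.ocp.ci.centos.org",
                 "console.apps.ocp.ci.centos.org",
                 "apps.ocp.ci.centos.org",
                 "a.b.apps.ocp.ci.centos.org"):
        hits = covering_entries(SAN_LINE, host)
        print(f"{host:32} {'covered by ' + hits[0] if hits else 'NOT covered'}")
```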
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure