On Thu, Sep 23, 2021 at 07:44:49AM +0200, Fabian Arrotin wrote: > On 23/09/2021 02:55, Neal Gompa wrote: > > On Wed, Sep 22, 2021 at 7:12 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote: > <snip> > > >> > >> * Since the control plane are vm's I assume we need to drain them one at > >> a time to reboot the virthosts they are on? > > Correct > > >> > >> * Should we now delete the kubeadmin user? In 3.x I know they advise to > >> do that after auth is setup. > >> > > > > I'm not sure that's a good idea. I'm not even certain that was a good > > idea in the OCP 3.x days, because eliminating the kubeadmin user means > > you lose your failsafe login if all else fails. > > +1 here : the reason why we decided to still keep kubeadmin on the other > OCP clusters used for CentOS CI and Stream is exactly for that reason : > still be able to login, if there is a problem with the oauth setup, and > troubleshoot issues if (for example) ipsilon or IPA have troubles ... :-) We can keep it if folks like. I'd really prefer we don't use it except for emergency though. Having people do things as their user will make it way easier to see who did what. ;) > >> * Right now the api is only internal. Is it worth getting a forward > >> setup to allow folks to use oc locally on their machines? It would > >> expose that api to the world, but of course it would still need auth. > > That's what we decided to do for the CentOS CI ocp setup, and so CI > tenants can use oc from their laptop/infra. As long as cert exposed for > default ingress has it added in the SAN, it works fine : > > X509v3 Subject Alternative Name: > DNS:*.apps.ocp.ci.centos.org, DNS:api.ocp.ci.centos.org, > DNS:apps.ocp.ci.centos.org Yeah, thats all fine, but to make it work for our setup, I would need to get RHIT to nat in port 6443 to proxy01/10 from the internet. At least I think thats the case. Openshift 3 could just use https, but alas, I fear OCP4 needs that 6443 port. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
