Re: Openshift 4 SOP PR review

On Thu, Sep 23, 2021 at 07:44:49AM +0200, Fabian Arrotin wrote:
> On 23/09/2021 02:55, Neal Gompa wrote:
> > On Wed, Sep 22, 2021 at 7:12 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> <snip>
> 
> >>
> >> * Since the control plane are VMs I assume we need to drain them one at
> >> a time to reboot the virthosts they are on?
> 
> Correct
> 
> >>
> >> * Should we now delete the kubeadmin user? In 3.x I know they advise to
> >> do that after auth is setup.
> >>
> > 
> > I'm not sure that's a good idea. I'm not even certain that was a good
> > idea in the OCP 3.x days, because eliminating the kubeadmin user means
> > you lose your failsafe login if all else fails.
> 
> +1 here: the reason why we decided to still keep kubeadmin on the other
> OCP clusters used for CentOS CI and Stream is exactly for that reason:
> still be able to log in, if there is a problem with the oauth setup, and
> troubleshoot issues if (for example) ipsilon or IPA have troubles ... :-)

We can keep it if folks like. I'd really prefer we don't use it except
for emergencies though. Having people do things as their user will make it
way easier to see who did what. ;)

> >> * Right now the api is only internal. Is it worth getting a forward
> >> setup to allow folks to use oc locally on their machines? It would
> >> expose that api to the world, but of course it would still need auth.
> 
> That's what we decided to do for the CentOS CI ocp setup, and so CI
> tenants can use oc from their laptop/infra. As long as the cert exposed for
> default ingress has it added in the SAN, it works fine:
> 
> X509v3 Subject Alternative Name:
>                 DNS:*.apps.ocp.ci.centos.org, DNS:api.ocp.ci.centos.org,
> DNS:apps.ocp.ci.centos.org

Yeah, that's all fine, but to make it work for our setup, I would need to
get RHIT to NAT in port 6443 to proxy01/10 from the internet. At least I
think that's the case. OpenShift 3 could just use https, but alas, I fear
OCP4 needs that 6443 port.

kevin
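
The SAN point raised in the thread, as an added example that is not part of the original messages: a small RFC 6125-style matcher run over the three DNS entries quoted above, showing that the `*.apps` wildcard does not cover the API hostname, so it has to be listed explicitly. The function names and the `myapp.apps...` hostname are constructed for illustration.

```python
# Added example, not from the thread. SAN entries copied from the quoted certificate.
SAN_DNS = [
    "*.apps.ocp.ci.centos.org",
    "api.ocp.ci.centos.org",
    "apps.ocp.ci.centos.org",
]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style check: a wildcard is only honoured as the whole
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # A '*' anywhere but the left-most label is never valid.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        # Partial wildcards such as 'a*i' are rejected here.
        return False
    return p == h


def covering_sans(hostname, sans):
    """Return the SAN entries that would validate `hostname`."""
    return [s for s in sans if dns_name_matches(s, hostname)]


if __name__ == "__main__":
    # Hostnames below are constructed test inputs.
    for host in (
        "api.ocp.ci.centos.org",          # oc client endpoint (port 6443)
        "myapp.apps.ocp.ci.centos.org",   # hypothetical route under the ingress
        "a.b.apps.ocp.ci.centos.org",     # two labels deep: wildcard does not apply
    ):
        print(host, "->", covering_sans(host, SAN_DNS) or "NO MATCH")
```
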
