While migrating workloads from CentOS CI to the new Fedora infra OpenShift cluster, we hit upon the fact that we can no longer use GitHub webhook triggers as BuildConfig triggers because the webhook URL goes to the API server, which is not externally accessible.
This is limiting for us because we'd like to be able to redeploy some applications automatically as the upstream repo is updated.
Is the API server kept private for security or technical reasons? If it's not possible to expose it externally, we should investigate if there's some kind of proxy service we can run cluster-wide which can forward webhook events to the API server.
Example app from which we had to remove the BuildConfig trigger:
https://github.com/coreos/fedora-coreos-releng-automation/pull/148
No set date. We can work around this for now by manually redeploying.
This might do the trick: https://github.com/stakater/GitWebhookProxy. We'll see if we can test it out in the stage project.
> Is the API server kept private for security or technical reasons?
It's for technical reasons, existing network configuration, cert management, and firewall rules, access to kvmhosts etc.
At cluster installation time we wanted to go with a more conventional deployment, but given how much effort would be involved, it was decided not to do it.
With regards to a cluster-wide proxy service, I'd only entertain that idea if it's installable by a supported, maintained operator! I'd prefer if you folks take ownership of the solution, and ideally deploy it within your project/namespace. Please make sure there is authentication in place... https://github.com/openshift/oauth-proxy should sit between this and the GitWebhookProxy
I'm not opposed to exposing the api... as long as it's ok risk wise. We just need to get RHIT to nat in those ports.
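The authentication point above has two halves: oauth-proxy can gate who may reach the forwarder, but the forwarder itself still has to prove that a delivery really came from GitHub before it touches a BuildConfig trigger. GitHub does that by signing every delivery with a shared secret in the `X-Hub-Signature-256` header. The following is an added example of that gate, written for this ticket and not code from the Fedora infra project, GitWebhookProxy or oauth-proxy. The secret, payload, host name, namespace and BuildConfig name are constructed placeholders, and the BuildConfig webhook path shape is an assumption to be checked against your cluster's API; the forwarder is injected so the check runs offline.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

# Constructed sample input: a trimmed GitHub push payload and a shared secret.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = json.dumps(
    {"ref": "refs/heads/main", "repository": {"full_name": "example/repo"}}
).encode()

# Only these GitHub event types are worth forwarding to a BuildConfig trigger.
ALLOWED_EVENTS = {"ping", "push"}


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header is a failure."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature(secret, body), header_value)


def buildconfig_webhook_url(api_host: str, namespace: str, buildconfig: str, trigger_secret: str) -> str:
    """Assumed path shape of an OpenShift BuildConfig GitHub webhook (placeholder
    host/namespace/name); confirm the exact path on your cluster version."""
    return (
        f"https://{api_host}:6443/apis/build.openshift.io/v1/namespaces/{namespace}"
        f"/buildconfigs/{buildconfig}/webhooks/{quote(trigger_secret, safe='')}/github"
    )


def handle_webhook(
    secret: bytes,
    body: bytes,
    headers: Dict[str, str],
    target_url: str,
    forward: Callable[[str, bytes, Dict[str, str]], int],
) -> Tuple[int, str]:
    """Gate one inbound delivery. Returns (status to answer GitHub with, reason).
    `forward` performs the actual POST to the cluster and returns the upstream status."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Verify before parsing or routing anything: unsigned bodies never reach the API.
    if not verify_github_signature(secret, body, h.get("x-hub-signature-256")):
        return 401, "bad or missing signature"
    event = h.get("x-github-event", "")
    if event not in ALLOWED_EVENTS:
        return 202, f"ignored event {event!r}"
    if event == "ping":
        return 200, "pong"
    upstream = forward(target_url, body, {"Content-Type": "application/json", "X-GitHub-Event": event})
    return (200, "forwarded") if 200 <= upstream < 300 else (502, f"upstream returned {upstream}")


def _recording_forwarder(log: list) -> Callable[[str, bytes, Dict[str, str]], int]:
    """Offline stand-in for the real POST: records the call and reports success."""
    def forward(url: str, body: bytes, headers: Dict[str, str]) -> int:
        log.append((url, body, headers))
        return 200
    return forward


if __name__ == "__main__":
    sent = []
    url = buildconfig_webhook_url("api.example.internal", "demo", "app", "trigger-secret")
    good = {"X-Hub-Signature-256": github_signature(SAMPLE_SECRET, SAMPLE_BODY), "X-GitHub-Event": "push"}
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, good, url, _recording_forwarder(sent)))
    bad = {**good, "X-Hub-Signature-256": "sha256=" + "0" * 64}
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, bad, url, _recording_forwarder(sent)))
```

The signature is checked over the raw request bytes, not a re-serialised JSON object, and compared with `hmac.compare_digest`; the BuildConfig trigger secret lives only in the forwarder's target URL, so nothing GitHub sends can steer the request at a different namespace or BuildConfig.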
Metadata Update from @mohanboddu: - Issue assigned to kevin - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
I have filed internal tickets to open / nat port 6443 on our two public proxy hosts (which in turn use haproxy to proxy to the cluster).
This is done. Sorry I missed closing this.
We had them nat in port 6443 on proxy01/02 and proxy01/02.stg so both staging and prod clusters should now have api available.
Let us know if you run into any further issues or need anything else.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Thanks! Reverting back to buildconfig webhooks in https://github.com/coreos/fedora-coreos-releng-automation/pull/150.