I'm trying to set up GitHub webhooks for triggering buildconfigs (see https://pagure.io/fedora-infrastructure/issue/10521). However, currently the API server cert is signed by the default internal OpenShift CA, whose cert is self-signed. GitHub is not happy about this and so forces us to disable SSL verification for the webhooks to work.
Could we set up a Let's Encrypt cert for the API server? Relevant docs is: https://docs.openshift.com/container-platform/4.10/security/certificates/api-server.html
This also would allow oc login to work without bypassing cert checking.
No set date. We can work around this for now by disabling SSL verification in GitHub webhooks and on the command-line.
👍
@dkirwan Can you take a look at this?
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
That's what we did for the CentOS Cluster (CI ocp one) a long time ago, and on each renewed TLS cert, it's applied automatically (for reference)
ok, so I went to do this and got confused. :)
The doc says:
"Do not provide a named certificate for the internal load balancer (host name api-int.<cluster_name>.<base_domain>). Doing so will leave your cluster in a degraded state."
We currently have a cert for api-int.ocp.fedoraproject.org and api.ocp.fedoraproject.org which we use in haproxy.
I guess I need to split that and get two certs here? Or perhaps this isn't even possible due to the way we have things set up?
i.e., we have:
proxy -> haproxy -> cluster
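As an added example (not from this ticket or the OpenShift docs), a POSIX shell helper that checks a certificate's SANs against the doc's warning before applying it as the API server named certificate: it rejects any cert that also covers the api-int hostname. The secret name `api-letsencrypt` and the PEM file arguments are assumptions.

```shell
#!/bin/sh
# Constructed example; hostnames are the ones named in the ticket.
API_HOST="api.ocp.fedoraproject.org"
INT_HOST="api-int.ocp.fedoraproject.org"   # must NOT appear in the named cert

# Print the SAN DNS names of a PEM certificate, one per line (needs openssl 1.1.1+).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Given whitespace-separated SAN DNS names, decide whether the certificate is
# usable as the API server named certificate: it must cover the external API
# host and must not cover the internal load balancer host.
check_named_cert_sans() {
  has_api=0; has_int=0
  for name in $1; do
    [ "$name" = "$API_HOST" ] && has_api=1
    [ "$name" = "$INT_HOST" ] && has_int=1
  done
  if [ "$has_int" -eq 1 ]; then
    echo "REJECT: certificate also covers $INT_HOST (cluster would be degraded)"
    return 1
  fi
  if [ "$has_api" -eq 0 ]; then
    echo "REJECT: certificate does not cover $API_HOST"
    return 1
  fi
  echo "OK: certificate covers $API_HOST and not $INT_HOST"
  return 0
}

# Apply the cert the way the OpenShift docs describe: a TLS secret in
# openshift-config, then a namedCertificates entry on the APIServer object.
# Args: cert.pem key.pem (assumed Let's Encrypt chain and key for API_HOST).
apply_named_cert() {
  check_named_cert_sans "$(cert_sans "$1")" || return 1
  oc create secret tls api-letsencrypt --cert="$1" --key="$2" -n openshift-config
  oc patch apiserver cluster --type=merge -p \
    "{\"spec\":{\"servingCerts\":{\"namedCertificates\":[{\"names\":[\"$API_HOST\"],\"servingCertificate\":{\"name\":\"api-letsencrypt\"}}]}}}"
}
```

Run `apply_named_cert api.pem api.key` from a host with cluster-admin `oc` access; a combined api/api-int cert like the one used in haproxy is rejected before anything is changed.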
ok, got this sorted. The cert should be valid now.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Thanks @kevin! I've re-enabled SSL verification on the GitHub webhooks and I can confirm it's working fine.