#12274 a real domain name for konflux
Closed: Fixed 2 days ago by ralph. Opened 4 months ago by mattdm.

Describe what you would like us to do:


The Fedora community instance of Konflux is at https://konflux.apps.kfluxfedorap01.toli.p1.openshiftapps.com/. That is, to say the least, not very memorable -- and it also conveys "temporary experiment". But this is, actually, intended to be our production instance. So, please set this up as konflux.fedoraproject.org.

cc @ralph

When do you need this to be done by? (YYYY/MM/DD)


Let's say this week? 2024/11/11?


Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

4 months ago

Metadata Update from @kevin:
- Issue assigned to kevin

4 months ago

So, I set up the CNAME, but that won't work because the SSL cert is not for that host. ;)

So, we could redirect to it?
Or proxy it.

Do folks have a pref? redirect or proxy?

@ralph Hey Ralph. The team would like to be able to help with this, but having spoken to @mattdm we're still in need of an answer from you. Can you take a look when you get a few moments, please? Thanks.

I would go for redirect, but it's on the requester to say if that is OK.

I've emailed this to Ralph too. If there is nothing back before Friday, please go ahead with whatever solution you feel is best, update and then close this ticket, @kevin. Thank you.

Well, redirect is the easiest but it won't help with the "temporary excitement" issue in Matt's summary. A proxy would be best for the experience, I think, no?

Sounds like proxy is the way forward!

Cool. ok.

I can look at it at some point here... or perhaps @phsmoura would be willing to make a PR?

I opened the PR (https://pagure.io/fedora-infra/ansible/pull-request/2493), not sure about the variables. Let me know if I should fix anything.

We were talking in the Fedora + Konflux SIG today, and @gbenhaim had the good idea that perhaps the best integration here would be if we could set the cname directly for ingress on the rosa cluster. It would require transferring the TLS cert securely to be put in place, but it would take the proxy layer out of the loop - one less thing to go wrong. WDYT?

Hum. So, if we just point to your cluster with a CNAME, shouldn't you be able to get a cert for that name from say letsencrypt?

I guess there's a bit of a loop there where you need the cert to set things up, but need things set up to get the cert?

Yeah, and to complicate it, I'm not sure we'd get it right on a first pass and I don't have a staging environment available - just one production cluster. We'd almost certainly break it for a while until we fixed it.

@ralph What would you like us to do in order to move this forward?

Either a proxy or pointing the cname right at the cluster could work. Both have some unknowns.

I suppose we'll get the best outcome by pointing the cname directly at the cluster. We'll just need some time to hack on it and fiddle with the rosa config knobs and the letsencrypt cert. Let's try that first.

I'm unsure of exactly what order works best for things, but @kevin and/or @phsmoura, could you do anything required from our end to enable this for Ralph at your next earliest convenience, please? Thank you.

Thanks @ancarrol and @ralph. I'll talk with @phsmoura shortly and see if we can point the CNAME at the cluster soon. Once it is pointing at the cluster we will close this ticket, but after y'all have played with the config and letsencrypt please open a new ticket with any updates/changes/etc. that may be needed and we'll pick it up from there. Sound like a plan?

In our DNS repo we have konflux.fedoraproject.org as a CNAME for konflux.apps.kfluxfedorap01.toli.p1.openshiftapps.com already. Does it help to solve it?

That should do it for this specific ticket. Once the admins of the cluster have the time to update configs/enable letsencrypt there may be a new ticket to ask for a change. I believe this can be closed from our side.

I agree - let's close it out. I'll mess with the cluster configs next chance and let you know how it goes in matrix.

Metadata Update from @ralph:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 days ago
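
Added example (not part of the ticket and not Fedora infrastructure's own code): why the bare CNAME discussed in this thread fails TLS name verification until the cluster serves a certificate that names konflux.fedoraproject.org. The SAN list is constructed and assumes the cluster presents a wildcard certificate for its apps domain; all function names are hypothetical.

```python
import socket
import ssl

def san_matches(hostname, pattern):
    """RFC 6125-style DNS-ID match: '*' only as the whole leftmost label, one label deep."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse overly broad wildcards such as '*.com'.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, san_dns_names):
    return any(san_matches(hostname, p) for p in san_dns_names)

def fetch_san_dns_names(host, port=443, timeout=5):
    """Fetch the DNS SANs served for `host` (needs network; not used by the sample below)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified; names are compared by cert_covers
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in sans if kind == "DNS"]

def check_alias(alias, cname_target, san_dns_names):
    """A TLS client verifies the name it asked for (the alias), never the CNAME target."""
    return {
        "alias_covered": cert_covers(alias, san_dns_names),
        "target_covered": cert_covers(cname_target, san_dns_names),
    }

# Constructed SAN list (assumption): wildcard cert for the cluster's apps domain.
SAMPLE_SANS = ["*.apps.kfluxfedorap01.toli.p1.openshiftapps.com"]
ALIAS = "konflux.fedoraproject.org"
TARGET = "konflux.apps.kfluxfedorap01.toli.p1.openshiftapps.com"

if __name__ == "__main__":
    print("CNAME only:      ", check_alias(ALIAS, TARGET, SAMPLE_SANS))
    print("cert names alias:", check_alias(ALIAS, TARGET, SAMPLE_SANS + [ALIAS]))
```

Once the cluster configuration changes, `cert_covers(ALIAS, fetch_san_dns_names(ALIAS))` runs the same check against the live endpoint.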
