The combination of External Network and Network Security Policy resources can be used to control access from a given pod/namespace out to external network resources. Following are some examples. The BC Government's OCP environment also does a much better job at DNS resolution, allowing host names to be defined via DNS names rather than IP addresses in many cases.
Allow a backup-container to post notifications to rocket.chat:
Managing creation/update of Network Security Policy and External Network resources:
Network Security Policy and External Network resources are defined statically, meaning you cannot use something like,
```
valueFrom:
  secretKeyRef:
    ....
```
to dynamically reference a secret.
In order to better facilitate the management of the parameters for such resources, the BCDevOps/openshift-developer-tools have been updated to allow hostname parameters to be parsed from user provided endpoints, be stored in secrets, and then read back from secrets during updates, allowing the static resources to be updated while the settings are retained.
The resulting create and update flows then look like this:
Create:
```
$ genDepls.sh -e dev -c backup
Loading settings ...
Loading settings from /c/family-law-act-app/openshift/settings.sh ...
Switching to 09e0c5-dev ...
Configuring the dev environment for . ...
Processing deployment configuration; ../openshift/templates/backup/backup-deploy.yaml ...
Reading config from ../openshift/templates/backup/backup-deploy.param ...
Reading config from ../openshift/templates/backup/backup-deploy.dev.param ...
Loading parameter overrides for ../openshift/templates/backup/backup-deploy.yaml ...
Initializing backup-deploy.overrides ...
Generating ConfigMap; backup-conf ...
WEBHOOK_URL - Please provide the webhook endpoint URL. If left blank, the webhook integration feature will be disabled:
https://chat.pathfinder.gov.bc.ca/hooks/...
Parsing WEBHOOK_URL_HOST from WEBHOOK_URL; 'https://chat.pathfinder.gov.bc.ca/hooks/...' => 'chat.pathfinder.gov.bc.ca' ...
...
Removing temporary param override files ...
Deleting override param file; ./backup-deploy.overrides.param ...
Deploying deployment configuration files ...
...
```
Update:
```
Wade@hvWin10x64 MINGW64 /c/family-law-act-app/openshift (master)
$ genDepls.sh -e dev -c backup -u
Loading settings ...
Loading settings from /c/family-law-act-app/openshift/settings.sh ...
Switching to 09e0c5-dev ...
Configuring the dev environment for . ...
Processing deployment configuration; ../openshift/templates/backup/backup-deploy.yaml ...
Reading config from ../openshift/templates/backup/backup-deploy.param ...
Reading config from ../openshift/templates/backup/backup-deploy.dev.param ...
Loading parameter overrides for ../openshift/templates/backup/backup-deploy.yaml ...
Initializing backup-deploy.overrides ...
Generating ConfigMap; backup-conf ...
Update operation detected ...
Skipping the prompts for the WEBHOOK_URL secret ...
Getting WEBHOOK_URL_HOST for the ExternalNetwork definition from secret ...
Preparing deployment configuration for update/replace, removing any 'Secret' objects so existing values are left untouched ...
...
Removing temporary param override files ...
Deleting override param file; ./backup-deploy.overrides.param ...
Deploying deployment configuration files ...
...
```
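The create and update handling of the host parameter shown in the two logs above, as an added example in POSIX shell; it is not code from BCDevOps/openshift-developer-tools. The function names are hypothetical, the secret name and key are left as placeholders, and the host validation is an assumption added here because the value ends up in a static egress definition.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not the tool's own.

# Accept only plain DNS-style host names before they reach a static
# ExternalNetwork definition (no spaces, slashes, wildcards or empty labels).
is_valid_host() {
  case "$1" in
    ''|*[!a-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
  esac
  return 0
}

# Reduce an endpoint URL to its host: drop scheme, path/query/fragment,
# userinfo and port, then lowercase. IPv6 literals are not handled.
parse_host_from_url() {
  p_host="${1#*://}"
  p_host="${p_host%%[/?#]*}"
  p_host="${p_host##*@}"
  p_host="${p_host%%:*}"
  p_host="$(printf '%s' "$p_host" | tr 'A-Z' 'a-z')"
  is_valid_host "$p_host" || return 1
  printf '%s\n' "$p_host"
}

# resolve_external_host <create|update> <url> <base64 value from secret>
# create: parse the host from the URL the user entered at the prompt.
# update: no prompt; decode the value read back from the existing secret,
#         e.g. the output of: oc get secret <name> -o jsonpath='{.data.<key>}'
# Either way the value is validated again before it is used.
resolve_external_host() {
  case "$1" in
    create) parse_host_from_url "$2" ;;
    update)
      r_host="$(printf '%s' "$3" | base64 -d 2>/dev/null)" || return 1
      is_valid_host "$r_host" || return 1
      printf '%s\n' "$r_host"
      ;;
    *) return 2 ;;
  esac
}

# Constructed demo using the URL shape shown in the create log above.
resolve_external_host create 'https://chat.pathfinder.gov.bc.ca/hooks/...' ''
```

Re-validating on the update path means a secret that was edited by hand cannot push an arbitrary string into the regenerated resource.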
WadeBarnes changed the title from "Network Security Policy and External Network Examples" to "Network Security Policy and External Network Examples and Management Strategy" on Jan 7, 2021
Allow a pod to access KeyCloak and other Organization specific resources:
The template snippets for the above configurations:
Other Examples
Access to an external oracle database:
The IP in this example was randomly generated for demo purposes
Access to an Indy Blockchain Ledger: