Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

certs-and-proxies: mounting certs in mirror and renaming operator service reference (PROJQUAY-3599) #699

Merged
merged 3 commits into from Apr 29, 2022
Merged

certs-and-proxies: mounting certs in mirror and renaming operator service reference (PROJQUAY-3599) #699

merged 3 commits into from Apr 29, 2022

Conversation

ricardomaraschini
Copy link
Contributor

As per each individual commit:

annotations: stop setting annotations on clair db deployment (PROJQUAY-3599)

These annotations make the database to be rolled out if one of the
annotations is change. As Clair database is not affected by these
annotations we better not set them (as we already do with the Quay
database).

cert: mount the user provided certs on mirror (PROJQUAY-3599)

If we don't mount quay-config-tls then mirror is not aware of the
cluster wildcard cert and can't access Quay through its route.

This commits mounts the cluster wildcard cert (or the cert manually
provided by the user) in the extra_ca_certs directory.

proxy: use the full service name (PROJQUAY-3599)

If we don't append the "full domain" to the service name it is quite
hard for the users to allow direct traffic to quay operator service
during reconfigure.

We want to allow users to bypass traffic to svc.cluster.local.

@ricardomaraschini
annotations: stop setting annotations on clair db deployment (PROJQUA…
af470fe 
…Y-3599)

These annotations make the database to be rolled out if one of the
annotations is change. As Clair database is not affected by these
annotations we better not set them (as we already do with the Quay
database).
@ricardomaraschini
cert: mount the user provided certs on mirror (PROJQUAY-3599)
3fc748c 
If we don't mount quay-config-tls then mirror is not aware of the
cluster wildcard cert and can't access Quay through its route.

This commits mounts the cluster wildcard cert (or the cert manually
provided by the user) in the extra_ca_certs directory.
@ricardomaraschini
proxy: use the full service name (PROJQUAY-3599)
38c34ab 
If we don't append the "full domain" to the service name it is quite
hard for the users to allow direct traffic to quay operator service
during reconfigure.

We want to allow users to bypass traffic to svc.cluster.local.
jonathankingfc
jonathankingfc approved these changes Apr 29, 2022
View reviewed changes
Copy link
Collaborator

@jonathankingfc jonathankingfc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jonathankingfc jonathankingfc merged commit 10d0ad4 into quay:master Apr 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonathankingfc jonathankingfc jonathankingfc approved these changes

@flavianmissi flavianmissi Awaiting requested review from flavianmissi

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ricardomaraschini @jonathankingfc