feat: playbook to update the letsencrypt certificate on the ocp cluster #366
Conversation
|
|
||
| [.fuchsia]#string# / [.red]#required# | ||
|
|
||
| a| Name of the site that will be used to fetch the certificates from. |
There was a problem hiding this comment.
This wording is a bit confusing: "Name of the site". What is a site ? Is it a domain name, something else ?
There was a problem hiding this comment.
That's a tough one, it's the name of the prefix given to the TLS secret which coincides with the OCP cluster name.
$ kc --namespace snowdrop-site get secret
...
qshift-snowdrop-dev-tls kubernetes.io/tls 2 96d
www-snowdrop-dev-tls kubernetes.io/tls 2 68dThere was a problem hiding this comment.
Ok. That corresponds to a TLS secret which has been created part of a namespace.
Historically the certificate's related stuffs have been created under 2 namespaces using an ansible playbook: snowdrop-site and halkyon-site.
I'm not against the fact to keep this convention and that we create additional secrets, certificates request under the namespace which match a DNS domain (example: snowdrop-site => snowdrop.dev) BUT that should be clear to the user and that they know which namespace they should use. As we only manage one domain name, we could set as default snowdrop-site to avoid issues. WDYT ? @jacobdotcosta
ansible/playbook/README.adoc
Outdated
| -e source_kubeconfig=${HOME}/.kube/snowdrop-rhosp-snowdrop-k8s-config \ <1> | ||
| -e target_kubeconfig=${HOME}/.kube/rh-ocp-qshift-drp2b-config \ <2> |
There was a problem hiding this comment.
Is it documented how users can fetch such config files ?
There was a problem hiding this comment.
Updated the documentation.
There was a problem hiding this comment.
Instead of asking to the user to get/copy the kubeconfig file locally, why don't you get it using a password command ?
-e source_kubeconfig=${HOME}/.kube/snowdrop-rhosp-snowdrop-k8s-config
to
-e source_kubeconfig=$(pass ....)
Closes #365