OpenShift registry behind registry auth issues

2017-11-20 Thread Joel Pearson
Hi,

I spent most of the day debugging why my OpenShift registry wasn’t working
because the cluster lives behind an HTTP proxy. I can see OpenShift ansible
configured the registry with proxy settings including no_proxy, but in the
error logs I could see that during authentication it was trying to talk to the
master api server at 172.30.0.1, but that wasn’t in the no_proxy env
setting so the proxy was trying to resolve it and failing.

So that can be fixed by adding 172.30.0.1 to no_proxy, but it felt a bit
hacky. A dns name would be better as they’re easier to wildcard in
no_proxy.

I want to know how the registry knows to use the IP address of the master
api server instead of a dns name? I couldn’t see a reference to the api
server in /etc/registry. Where does it get that from? Is it part of a
docker secret?

Thanks,

Joel
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
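
The mismatch described in the message above can be reproduced offline. This is an added example, not part of the original post or of OpenShift: a simplified model of no_proxy matching (exact IP, CIDR block, domain suffix). The no_proxy value is constructed, and `kubernetes.default.svc` is assumed as the in-cluster DNS name of the API service; only 172.30.0.1 comes from the post.

```python
import ipaddress

def bypasses_proxy(host, no_proxy):
    """True if `host` matches an entry of a comma-separated no_proxy value.

    Simplified model: real clients differ, and many do not accept CIDR
    entries, so confirm the behaviour of the client actually in use.
    """
    host = host.strip().lower().rstrip(".")
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # host is a DNS name, not an IP literal
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        if host_ip is not None:
            # An IP literal only matches IP or CIDR entries, never a domain
            # suffix: this is why 172.30.0.1 went to the proxy.
            try:
                if host_ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a name
            continue
        suffix = entry.lstrip(".")
        # "svc" covers "svc" and "x.svc"; ".svc" covers subdomains only.
        if host == suffix and not entry.startswith("."):
            return True
        if host.endswith("." + suffix):
            return True
    return False

# Constructed sample value in the style of an installer-generated setting.
SAMPLE_NO_PROXY = ".cluster.local,.svc,localhost,127.0.0.1,master.example.com"
API_IP = "172.30.0.1"                # API server address from the post
API_NAME = "kubernetes.default.svc"  # assumed DNS name for the same service

def report(no_proxy):
    """Map each form of the API address to whether it would skip the proxy."""
    return {h: bypasses_proxy(h, no_proxy) for h in (API_IP, API_NAME)}

if __name__ == "__main__":
    print(report(SAMPLE_NO_PROXY))
    print(report(SAMPLE_NO_PROXY + ",172.30.0.0/16"))
```

With the sample value the DNS name skips the proxy and the IP does not; adding the IP or a covering CIDR block closes the gap only for clients that honour such entries.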


Service Account for Deployment Trigger

2017-11-20 Thread Frank Liauw
Hi,

I'm trying to use a service account on the oapi to instantiate deployments
from outside my cluster, but am hitting 403 errors on everything. The token
auth works, as I can see the SA username in the failure message.

Even basic listing of deployment configs is denied
(/oapi/v1/namespaces/microsvc/deploymentconfigs):

User "system:serviceaccount:microsvc:git" cannot list deploymentconfigs in
project "microsvc"

My service account has the following rolebindings:

system:deployers
system:deployment-controller
system:deploymentconfig-controller

My references for:
oapi:
https://docs.openshift.org/latest/rest_api/oapi/v1.DeploymentConfig.html
authorization:
https://docs.openshift.com/container-platform/3.3/admin_solutions/user_role_mgmt.html

What am I missing?

Frank
Co-Lead, Server & Networks Team

VSee: fr...@vsee.com  | Cell: +65 9338 0035



Re: How to configure pod network manually

2017-11-20 Thread Patrik Dufresne
Hi Clayton,

Thanks for your reply. So if I want to use SDN plugin, I must install
openvswitch manually, on master and nodes.

In the openshift ansible project, I've noticed a reference to the
"openshift/openvswitch" image. This image seems to be used to install a
containerized version of openvswitch. Is this installation path
working?

Just to make sure, here is what I will do:
1. I will define a value for networkPluginName in master-config.yaml and
node-config.yaml (of all nodes)
2. I will install openvswitch on master and node.
3. Restart everything.

On another thought, I'm installing on bare metal, would it be easier to
install flannel? I've read it's supported by an openstack installation.
But I guess nothing stops me from using it on bare metal.


--
Patrik Dufresne Service Logiciel inc.
http://www.patrikdufresne.com /
514-971-6442
130 rue Doris
St-Colomban, QC J5K 1T9

On Mon, Nov 20, 2017 at 12:05 AM, Clayton Coleman 
wrote:

> OpenShift includes the SDN plugin implementation as part of "openshift
> start node".  The docker image for openshift/node (in images/node) and the
> Ansible installer both rely on the RPM to set up the proper files in the
> CNI directories, and then OpenShift autodetects the SDN plugin.  OVS today
> is installed on the host, which is the only requirement.
>
> In a future release, both SDN and OVS will move to a daemon set and be
> installed on top of the cluster, and the openshift node process will stop
> launching SDN.
>
> On Sun, Nov 19, 2017 at 9:44 PM, Patrik Dufresne 
> wrote:
>
>> Hello,
>>
>> In an attempt to learn more about how openshift is working, I'm trying to
>> install it manually. So far, I managed to create a master and multiple
>> nodes. Scheduling on node is working. But I'm struggling to get the pod
>> network in place. With kubernetes, we usually load a yaml for flannel or
>> calico. Is there something similar for openshift?
>>
>> Somehow, I'm expecting a daemonset for openvswitch, but I only found the
>> one here, but it seems improperly configured:
>> https://github.com/openshift/origin/tree/master/contrib/kubernetes/static
>>
>> On another thought, I tried to configure the networkPluginName, but it does
>> provide the expected result...
>>
>> Thanks for helping!