Ahh ok. Is there some way to abuse build configs to push existing images
to remote OpenShift registries?
On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees wrote:
> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> So there is no way with
It works if I mount the secret on /etc/pki/tls/certs.
Yeh doco on this is non-existent. I've been struggling with this all day
but now that you say it a PV with the full ca-trust dir sounds obvious.
On 18 November 2017 at 17:52, Ben Parees wrote:
>
>
> On Sat, Nov 18, 2017
On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson wrote:
> So there is no way with the oc command to import an image and not have it
> need the remote to exist after that? I’d just have to use docker push
> instead?
currently that is correct.
>
> On Sat, 18 Nov
So there is no way with the oc command to import an image and not have it
need the remote to exist after that? I’d just have to use docker push
instead?
On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees wrote:
> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana
>
On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana wrote:
> So it sounds like the local option means after it’s pulled once it will
>> exist in the local registry?
>
>
> Hmm It always seems to do the pull-through
>
On Sat, Nov 18, 2017 at 1:31 AM, Lionel Orellana wrote:
> It doesn't look like putting the ca in /etc/pki/ca-trust/source/anchors
> is enough without running update-ca-trust
>
yeah that makes sense and unfortunately makes it difficult if you don't
mount your ca-trust via a
It doesn't look like putting the ca in /etc/pki/ca-trust/source/anchors is
enough without running update-ca-trust
On 18 November 2017 at 15:40, Lionel Orellana wrote:
> Inside the registry, curl with --cacert pointing to
> /etc/pki/ca-trust/source/anchors/.crt works.
>
> On
Thanks Lionel. I guess one way to make it secure would be to have a
certificate that’s valid on the internet. But I guess it’s not really
important if it’s all internal traffic.
I’ll try out that local option I think that’s what I want. Because I don’t
want to have to rely on the remote registry
Thanks Joel & Jordan. Deleted all the routes and created a new one with
the same name as the 127.0.0.1.nip.io host but with a new host name and
everything worked great. (Jenkins times out but I'm going to see if I just
need to add some memory to the vm. Java's CPU is spiking at 100%
On Sat, Nov
I’ve had this problem too. You need to use the original route name (you can
change the host name) as the Jenkins service account refers to the route
name for oauth purposes.
On Sat, 18 Nov 2017 at 4:13 pm, Marc Boorshtein
wrote:
> I have a fresh install of Origin 3.6.1 on
I have a fresh install of Origin 3.6.1 on CentOS 7. In my project I
created a new persistent jenkins from the template included in origin with
oauth enabled. It creates a route to 127.0.0.1.nip.io. When I create a
new route with a routable domain name, and I try to login I get the
following
Inside the registry, curl with --cacert pointing to
/etc/pki/ca-trust/source/anchors/.crt works.
On 18 November 2017 at 15:11, Lionel Orellana wrote:
> I created a secret with the remote ca, mounted it on the registry at
> /etc/pki/ca-trust/source/anchor. The registry still
I created a secret with the remote ca, mounted it on the registry at
/etc/pki/ca-trust/source/anchor.
The registry still says "certificate signed by unknown authority".
On 17 November 2017 at 23:57, Ben Parees wrote:
>
>
> On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana
Hi,
I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to
pull an image from one OpenShift cluster to another. I set up the docker
secrets, and it appeared to be working as there was a bunch of metadata
visible in the image stream.
However, when actually started a pod, it
I installed openshift-origin-server-v3.6.1-008f2d5-linux-64bit.tar.gz on CentOS
7. The global template library is missing when I log on to the web console.
The Browse Catalog should show global template library. Please see
Sha1 may not even be in “old” (because I believe it’s now considered
broken). If you need it, you’ll have to edit the router template with that
cipher.
On Nov 17, 2017, at 7:49 AM, Mateus Caruccio
wrote:
What is the value of `ROUTER_CIPHERS`?
$ oc -n default env
On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana
wrote:
> Thanks Ben, that makes sense. How do I add remote CAs to the registry
> though?
>
Similar to what is described here to add certs to the registry:
What is the value of `ROUTER_CIPHERS`?
$ oc -n default env --list dc/router | grep ROUTER_CIPHERS
Maybe you need to set it to `old` in order to support sha1.
--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017
2017-11-17 10:42
Hi Mateus,
this is the output reported:
# Prevent vulnerability to POODLE attacks
ssl-default-bind-options no-sslv3
# The default cipher suite can be selected from the three sets recommended
by https://wiki.mozilla.org/Security/Server_Side_TLS,
# or the user can provide one using the
Hey Marcello.
Correct me if I'm wrong, but you could look into haproxy's config and set
all ciphers you need:
$ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers
haproxy-config.template
There is this env var `ROUTER_CIPHERS` you can choose standard profiles
Hi All,
we tried to configure a new route on OpenShift Origin 3.6 to expose a pod
where the SSL termination is enabled. We have a problem to configure a
re-encrypt route because we noticed that the application is not present on
the router and after some investigation we discovered that the problem
Yes, oc import-image is for the ad-hoc imports. But if you're interested in
tweaking the re-sync interval
for the scheduled import look into master-config.yaml's Image Policy
Configuration section [1] and tweak
the value of ScheduledImageImportMinimumIntervalSeconds.
Maciej
[1]