Closed steveellis closed 2 years ago
Going to try to migrate sandbox-folio.colorado.edu
first since we have certificates etc loaded up for it already.
The steps above aren't quite right. It's more like this:
k describe services
.Once all of this sticks it will "just work".
Need to think through my dual stripes container idea in this context.
Steps for generating the CSR:
https://support.sectigo.com/PS_KnowledgeDetailPageFaq?Id=kA01N000000rgRb.
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
Steps for generating the certificate from campus computing:
<ask for this>
Just noting the domains we're going for here for production:
folio.colorado.edu
okapi.colorado.edu
With this ticket I also attempted to make it possible for a cluster to serve multiple domains to eventually make switching between domains easier and also make it possible to test out a cluster before mapping a given colorado.edu domain. I was partially successful. Having multiple stripes works great. Multiple okapis doesn't yet. The error is
kubernetes:helm.sh/v3:Release (okapi-dev):
error: rendered manifests contain a resource that already exists. Unable to continue with install: ConfigMap "okapi-log4j2-configmap" in namespace "[secret]-8rvomw1v" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "okapi-dev": current value is "okapi"
The okapi helm chart creates this this config map. If we're going to have multiple okapis this will need to be resolved, or perhaps we can use an outside loadbalancer to switch between these okapis. That's something we can't do with stripes because of the need for different container builds.
In the current configuration, where certs are bound directly to the EKS created LB, and it would appear that the classic load balancer (which I believe is what we have) won't support more than one cert. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/acm-add-domain-certificates-elb/. If we had multiple certs we could easily point multiple domains to one okapi. ALBs support multiple which will make things easier when we get to that point. See #200 for more on that.
@jwfuller is this the domain or is it something else. I can check on Route 53 also if you're not sure.
I believe the steps are:If I can have both a dev and a production stripes container in the same deployment then this kind of swap will be much easier to do next time.