nerc-project / operations

Issues related to the operation of the NERC OpenShift environment

Add AWS Route 53 and GH OAuth secrets to vault #622

Open tssala23 opened 5 days ago

tssala23 commented 5 days ago

Add AWS Route 53 and GH OAuth secrets to vault for the new nerc-ocp-test-2 cluster

larsks commented 4 days ago

@tssala23 I have added the GitHub OAuth secret to the vault (as nerc-ocp-test-2/openshift-config/github-client-secret).

@jtriley will need to provide appropriate route53 keys; I don't have access to the NERC AWS credentials.

larsks commented 4 days ago

@jtriley re: AWS credentials, this is for cert-manager to resolve LetsEncrypt DNS-01 challenges. For this sort of thing, we generally create a cluster-specific IAM user, set up a hosted zone for the subdomain, and then attach a policy like this to that user:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/<hosted_zone_id>"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "*"
        }
    ]
}
```
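As an added example (not code from this thread or from the nerc-project repo), a small Python lint that checks an IAM policy document for the scoping larsks describes: only the four Route 53 actions cert-manager's DNS-01 solver needs, with the record-set actions pinned to one hosted zone ARN rather than `*`. The zone id `ZEXAMPLE123` and the weak variant are constructed for illustration.

```python
import json

# The four actions the thread's policy grants; the DNS-01 solver needs nothing else.
ALLOWED_ACTIONS = {
    "route53:GetChange",
    "route53:ChangeResourceRecordSets",
    "route53:ListResourceRecordSets",
    "route53:ListHostedZonesByName",
}
# Record-level actions that must be pinned to a single hosted zone ARN.
ZONE_SCOPED_ACTIONS = {"route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"}
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_route53_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements that exceed the DNS-01 scope; [] means OK."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:  # also catches "*" and "route53:*"
                findings.append(f"statement {i}: {action} is not needed for DNS-01")
            if action in ZONE_SCOPED_ACTIONS:
                for res in resources:
                    zone_id = res[len(ZONE_ARN_PREFIX):] if res.startswith(ZONE_ARN_PREFIX) else ""
                    if not zone_id or "*" in zone_id:
                        findings.append(f"statement {i}: {action} on {res!r} is not pinned to one zone")
    return findings


# Constructed sample: the thread's policy with a placeholder zone id filled in.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange", "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow",
     "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
     "Resource": "arn:aws:route53:::hostedzone/ZEXAMPLE123"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"}
  ]
}""")

# Constructed weak variant: same actions, but record changes allowed on every zone.
WEAK_POLICY = json.loads(json.dumps(SCOPED_POLICY))
WEAK_POLICY["Statement"][1]["Resource"] = "*"
```

`lint_route53_policy(SCOPED_POLICY)` returns no findings, while the weak variant is flagged once per record-set action because `*` would let the cluster's credentials edit records in every hosted zone in the account.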