Open tssala23 opened 5 days ago
@tssala23 I have added the github oauth secret to the vault (as nerc-ocp-test-2/openshift-config/github-client-secret).
@jtriley will need to provide appropriate route53 keys; I don't have access to the NERC AWS credentials.
@jtriley re: AWS credentials, this is for cert-manager to resolve Let's Encrypt DNS-01 challenges. For this sort of thing, we generally create a cluster-specific IAM user, set up a hosted zone for the subdomain, and then attach a policy like this to that user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<hosted_zone_id>"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```
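A small linter for this policy shape, added here as an example (not NERC's or cert-manager's code): it checks that a candidate policy keeps record reads and writes scoped to one concrete hosted zone, contains nothing beyond the four actions above, and has not been left with the `<hosted_zone_id>` placeholder unfilled. The hosted zone id in the sample policy is made up.

```python
"""Lint a cert-manager Route 53 IAM policy against the least-privilege baseline above."""
import json

# action -> required Resource. A trailing "/" means "one specific hosted zone ARN".
BASELINE = {
    "route53:GetChange": "arn:aws:route53:::change/*",
    "route53:ChangeResourceRecordSets": "arn:aws:route53:::hostedzone/",
    "route53:ListResourceRecordSets": "arn:aws:route53:::hostedzone/",
    "route53:ListHostedZonesByName": "*",  # has no resource-level scoping
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy matches the baseline."""
    findings, seen = [], {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {stmt.get('Effect')!r}")
            continue
        for action in _as_list(stmt.get("Action", [])):
            seen.setdefault(action, []).extend(_as_list(stmt.get("Resource", [])))
    for action, resources in seen.items():
        want = BASELINE.get(action)
        if want is None:  # also catches wildcards such as "route53:*"
            findings.append(f"{action}: not needed for DNS-01 challenges")
        elif want.endswith("/"):
            for res in resources:
                zone = res[len(want):] if res.startswith(want) else ""
                # empty, wildcard, or an unfilled "<hosted_zone_id>" placeholder
                if not zone or "*" in zone or zone.startswith("<"):
                    findings.append(f"{action}: {res!r} should name one concrete hosted zone")
        else:
            findings += [f"{action}: {r!r} should be {want!r}" for r in resources if r != want]
    findings += [f"missing {a}" for a in BASELINE if a not in seen]
    return findings


# Constructed sample: the thread's policy with a made-up zone id filled in.
GOOD_POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "route53:GetChange", "Resource": "arn:aws:route53:::change/*"},
  {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
   "Resource": "arn:aws:route53:::hostedzone/Z0123456789EXAMPLE"},
  {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"}
 ]}""")

# Over-broad variant: record writes allowed on every hosted zone in the account.
BROAD_POLICY = json.loads(json.dumps(GOOD_POLICY).replace("hostedzone/Z0123456789EXAMPLE", "hostedzone/*"))
```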
Add AWS Route 53 and GH OAuth secrets to vault for the new nerc-ocp-test-2 cluster