nerc-project / operations

Issues related to the operation of the NERC OpenShift environment

Fix externalsecret configuration on ocp-beta-test cluster #694

Open larsks opened 3 months ago

larsks commented 3 months ago

The ExternalSecrets configuration on the ocp-beta-test cluster is currently degraded:

NAMESPACE             NAME                                 STORE               REFRESH INTERVAL   STATUS              READY
group-sync-operator   github-group-sync                    nerc-secret-store   1h                 SecretSyncedError   False
openshift-config      aws-route53-credentials              nerc-secret-store   1h                 SecretSyncedError   False
openshift-config      github-client-secret                 nerc-secret-store   1h                 SecretSyncedError   False
openshift-ingress     aws-route53-credentials              nerc-secret-store   1h                 SecretSyncedError   False
openshift-storage     rook-ceph-external-cluster-details   nerc-secret-store   1h                 SecretSyncedError   False

A side effect of this is that the cluster does not have valid certificates. It's not really ready to hand off to another team yet. I'll try to take a look at this today, since I believe @tssala23 is on PTO.

tssala23 commented 3 months ago

@larsks I never did the vault config for this cluster; I manually added the necessary secrets to start off with, and it looks like the certs are there:

[tsalawu@tsalawu-thinkpadx1nanogen2 nerc-ocp-beta-test]$ oc get certs -A
NAMESPACE          NAME                          READY   SECRET                        AGE
openshift-config   default-api-certificate       True    default-api-certificate       2d23h
openshift-config   default-ingress-certificate   True    default-ingress-certificate   2d23h

However, I have just realized an issue with the templates, as the ingress cert is being placed in the wrong namespace. I will make a note to make that change to the templates.

This is another cluster where they will not be doing things in a GitOps fashion, so they won't be storing their secrets in vault.

Additionally, this cluster will not be ready to hand off until it has GPU nodes attached to it and we are trying to figure out what A100s are available to be attached to this cluster.

joachimweyl commented 2 months ago

@larsks can you please provide an update on this issue?