[URGENT][TODO] Move away from Heroku by Nov 28, 2022 #29
Comments
FYI: Foreman runs an octomachinery-backed app on OpenShift. In https://github.com/theforeman/prprocessor#deployment-using-openshift I documented the steps. It may be possible to set a GH secret in another way, but those steps at least got me going. If you need more, feel free to reach out to me.
@ekohl thanks, I'll take a look! I've got access to a RH-sponsored instance years ago, but it was hard to get a newer Python there back then. Need to go through DO180 to get up to speed...
So I moved the bots on Nov 28, but wanted to go through some official s2i template examples that I researched years ago. I haven't moved back then, because there were no images in the image stream supporting Python 3.7, and I couldn't figure out how to change that.
@ekohl one thing I haven't solved is TLS — did you figure out having HTTPS on a dedicated domain with Let's Encrypt?
The instance we're on has a wildcard certificate for the domain it manages so we don't use a dedicated domain, just the one we got assigned. Since only GH connects to it I'd say a dedicated domain doesn't make sense. Perhaps @evgeni remembers better how we set it up.
Yeah, we just have our app configured with
Ah, too bad. It seems like my instance is also set up to drop the
Is that a setup provided by osci.io or something else?
I don't think so, I don't remember exactly since I got it years ago, but my console is at https://console.rh-us-east-1.openshift.com.
Okay, ours is at https://openshift-console.osci.io/ so definitely a different setup
Interesting, I can log in there too. I wonder if I can just start using it 🤔
Should this now be closed? It's still a pinned issue.
@ekohl I'd like to have some config-as-code committed into the repo before closing this issue. Also, apparently, the OpenShift Online Employee cluster reaches EOL on October 16, 2023 and I have to migrate again. So I'll be trying out the same cluster that you're using — OSCI (not sure if I need to ask for permission as it lets me in with the RH email but doesn't allow any other gsuite/gmail accounts). I saw that @duck-rh seems to be involved there, so I'll try asking him... P.S. Another prerequisite of closing this is having a proper TLS setup on a custom domain.
When I last tried SSL with a custom domain on OSCI it wasn't really successful. You could also try fly.io, assuming their free tier is sufficient for your setup. (https://fly.io/docs/about/pricing/)
I was looking into it in a different context and will probably try it out if OSCI doesn't work.
@evgeni The situation with Let's Encrypt certs on OpenShift is evolving and at some point we'll need to change how we do it but that's rather complicated (Misc looked into it in more detail). Anyway we have been able to generate web certs so far, and I'm not aware of your specific problem; did you discuss it with Misc already? Maybe we can help? @webknjaz we can provide a namespace on our cluster. Ping me and we can set this up.
We (theforeman) run our prprocessor on OSCI and it simply uses the provided domain name. That instance is set up using a wildcard certificate and that works well.
@duck-rh the TLS problem is that when a route is added in OpenShift with a custom domain, it still serves the TLS certificate with its own domain wildcard that doesn't list that custom domain.
@webknjaz that's why I chose to not use a custom domain. It's just the GitHub -> App communication, so using the platform-provided name was fine for us. Users don't see it anyway and it solved the TLS issue (because the wildcard cert was valid).
Apparently, they are sunsetting the free tier.