Platform Wildcard Certificates #655
Description
This EPIC is to track outstanding certificate requests and provide a summary view.
Artifactory
The Artifactory repository service has been launched with the artifacts.developer.gov.bc.ca service name. There is an additional requirement to provide proxied image-registry service names with a naming convention of {image-repo}.artifacts.developer.gov.bc.ca. This requires a wildcard certificate for the proxied services.
A request for the following wildcard certificate was made, and has been rejected. An exception process is underway.
*.artifacts.developer.gov.bc.ca - proxied repository names
See the following project tickets:
#651
bcgov/developer-experience#96
OCP 4
API and wildcard certificates are required for the OCP 4 platform. Currently we have identified the following names (and certificate requirements) for 3 of the OCP 4 clusters. (Note: if names are required to change, we need to adjust ASAP, as we are already rolling with these names and will need to change some existing work.) Requests have been made and are pending additional information to be sent; however, it is expected that the requests will be rejected and will require some sort of exemption.
Kamloops Operations Lab
*.apps.cowichan.devops.gov.bc.ca - wildcard for application proxy service
api.cowichan.devops.gov.bc.ca - api endpoint for automation and tool access
Calgary Operations Lab
*.apps.thetis.devops.gov.bc.ca - wildcard for application proxy service
api.thetis.devops.gov.bc.ca - api endpoint for automation and tool access
Kamloops Developer-Prod-1
*.apps.pacific.devops.gov.bc.ca - wildcard for application proxy service
api.pacific.devops.gov.bc.ca - api endpoint for automation and tool access
See the following project ticket:
https://app.zenhub.com/workspaces/openshift-4-build-out-5db73142897668000144f22b/issues/bcdevops/openshift4-rollout/176
KeyCloak (SSO)
The KeyCloak SSO service is being re-branded to leverage its own service name instead of the sso.pathfinder.gov.bc.ca service name. The name of the new service is oidc.gov.bc.ca. A wildcard certificate for *.oidc.gov.bc.ca was requested and rejected. The following is an idea for modifying our certificate request to specific DNS names (which may be easier to get approval for):
oidc.gov.bc.ca (possibly prod.oidc.gov.bc.ca as well?)
test.oidc.gov.bc.ca
dev.oidc.gov.bc.ca
In order to develop and test new features for integration into the service, the following is an idea for a wildcard service name: *.sandbox.oidc.gov.bc.ca
See the following project ticket:
Create DNS record + SSL Cert for new KC SSO developer-experience#138