From 734be06d76f13402bdc7777c32275c777587dc2d Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Thu, 20 Jul 2023 13:30:20 +0100 Subject: [PATCH 1/6] Add limitiations doc for manageTLS Document that runtime components are responsible for making use of the TLS certificates created by the operator when mangeTLS=true --- doc/user-guide-v1.adoc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/user-guide-v1.adoc b/doc/user-guide-v1.adoc index b711f7540..6ccbde0d9 100755 --- a/doc/user-guide-v1.adoc +++ b/doc/user-guide-v1.adoc @@ -343,3 +343,10 @@ NOTE: The `RuntimeOperation` CR must be created in the same namespace as the Pod === Troubleshooting See the link:++troubleshooting.adoc++[troubleshooting guide] for information on how to investigate and resolve deployment problems. + +== Limitations +=== Using certificates when manageTLS=true +If `manageTLS=true` is specified in the CR YAML file, then the operator will manage the creation of a TLS secret for the runtime component. +However, it is the responsibility of the runtime component to make appropriate use of the secret. The runtime component can use the +value of the `TLS_DIR` environment variable to discover the directory where the certificate files are mounted inside the runtime component's +pods. From 952d7eddfb6fa46c8f691d9f48015a41d7469af6 Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Tue, 19 Sep 2023 14:29:12 +0100 Subject: [PATCH 2/6] Remove 0.5.0 known issues As this version of the operator is no longer supported --- doc/troubleshooting.adoc | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/doc/troubleshooting.adoc b/doc/troubleshooting.adoc index 5c4ca245d..3d6ec00ee 100644 --- a/doc/troubleshooting.adoc +++ b/doc/troubleshooting.adoc 
@@ -136,13 +136,3 @@ Check the `status` section of the CR. If the application is successfully reconci + -== Known Issues - -Operator versions < 0.5.0 might crash on startup when optional CRDs API group (eg. serving.knative.dev/v1alpha1) is -available, but actual CRD (Knative Service) is not present. - -Version 0.5.0 of operator can crash when creating Ingress with `spec.expose` is set to `true` and `spec.route` is not provided or set (nil). -Possible fixes are to set `spec.route` to `{}` or disable Ingress if not used by setting `spec.expose` to `false`. - -Knative Serving / OpenShift Serverless sidecar container can only connect to the application's container over HTTP connection. Application -must be listening on HTTP port to use Knative. From 25602eef037400fbd90d78f72779b48b9addb340 Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Wed, 20 Sep 2023 12:03:37 +0100 Subject: [PATCH 3/6] reword to show that 'true' is the default for manageTLS --- doc/user-guide-v1.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user-guide-v1.adoc b/doc/user-guide-v1.adoc index 6ccbde0d9..f667ebe14 100755 --- a/doc/user-guide-v1.adoc +++ b/doc/user-guide-v1.adoc @@ -346,7 +346,7 @@ See the link:++troubleshooting.adoc++[troubleshooting guide] for information on == Limitations === Using certificates when manageTLS=true -If `manageTLS=true` is specified in the CR YAML file, then the operator will manage the creation of a TLS secret for the runtime component. +If `manageTLS=true` is specified in the CR YAML file (or if `manageTLS` is not set, as `true` is the default), then the operator will manage the creation of a TLS secret for the runtime component. However, it is the responsibility of the runtime component to make appropriate use of the secret. The runtime component can use the value of the `TLS_DIR` environment variable to discover the directory where the certificate files are mounted inside the runtime component's pods. 
From 89eb9cd515eecedda014e7bd40539202a8f6d915 Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Wed, 20 Sep 2023 17:16:01 +0100 Subject: [PATCH 4/6] Update troubleshooting.adoc --- doc/troubleshooting.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/troubleshooting.adoc b/doc/troubleshooting.adoc index 3d6ec00ee..25031945e 100644 --- a/doc/troubleshooting.adoc +++ b/doc/troubleshooting.adoc @@ -133,6 +133,7 @@ Check the `status` section of the CR. If the application is successfully reconci ---- $ oc describe runtimecomponent ---- -+ +=== TLS Connections +If `expose=true` is set in the CR, then `manageTLS=true` and `.spec.route.termination=reencyrpt` are set by default. With these setting, the application _must_ have TLS enabled on the port configured in `.spec.service.port`. Otherwise, the application will not recieve any requests. From 2475d433f1f7e5a948a377c4329d19eeee33b93e Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Thu, 21 Sep 2023 11:18:07 +0100 Subject: [PATCH 5/6] Add some alternatives. --- doc/troubleshooting.adoc | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/doc/troubleshooting.adoc b/doc/troubleshooting.adoc index 25031945e..95b436d51 100644 --- a/doc/troubleshooting.adoc +++ b/doc/troubleshooting.adoc 
@@ -136,4 +136,33 @@ Check the `status` section of the CR. If the application is successfully reconci === TLS Connections -If `expose=true` is set in the CR, then `manageTLS=true` and `.spec.route.termination=reencyrpt` are set by default. With these setting, the application _must_ have TLS enabled on the port configured in `.spec.service.port`. Otherwise, the application will not recieve any requests. +If `.spec.expose=true` is set in the CR, then `.spec.manageTLS=true` and `.spec.route.termination=reencyrpt` are set by default. With these settings, the application _must_ have TLS enabled on the port configured in `.spec.service.port`. Otherwise, the application will not recieve any requests. The application must also use the TLS certificates mounted by the operator in the application pods. If this configuration is not possible, some alternatives are listed below. Other configurations are possible, but are beyond the scope of this document. + +==== Application uses its own certificates +[source,sh] +---- + apiVersion: rc.app.stacks/v1 + kind: RuntimeComponent + ... + spec: + route: + termination: passthrough +---- +In this case, TLS traffic will be passed directly through to the application pods. The application can use its own certificates. + +==== Application uses HTTP inside the cluster +[source,sh] +---- + apiVersion: rc.app.stacks/v1 + kind: RuntimeComponent + ... + spec: + route: + termination: edge + insecureEdgeTerminationPolicy: Redirect +---- +In this case, insecure external traffic will be redirected to the secure port, but all secure connections will be terminated by the cluster, and the application will only receive HTTP connections. + + + + From 31b9d0473909bb57bff8475f89340eeff1ecaa4b Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Thu, 21 Sep 2023 11:19:15 +0100 Subject: [PATCH 6/6] spelling --- doc/troubleshooting.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/troubleshooting.adoc b/doc/troubleshooting.adoc index 95b436d51..d4910972b 100644 --- a/doc/troubleshooting.adoc +++ b/doc/troubleshooting.adoc @@ -136,7 +136,7 @@ Check the `status` section of the CR. If the application is successfully reconci === TLS Connections -If `.spec.expose=true` is set in the CR, then `.spec.manageTLS=true` and `.spec.route.termination=reencyrpt` are set by default. With these settings, the application _must_ have TLS enabled on the port configured in `.spec.service.port`. Otherwise, the application will not recieve any requests. The application must also use the TLS certificates mounted by the operator in the application pods. If this configuration is not possible, some alternatives are listed below. Other configurations are possible, but are beyond the scope of this document. +If `.spec.expose=true` is set in the CR, then `.spec.manageTLS=true` and `.spec.route.termination=reencyrpt` are set by default. With these settings, the application _must_ have TLS enabled on the port configured in `.spec.service.port`. Otherwise, the application will not receive any requests. The application must also use the TLS certificates mounted by the operator in the application pods. If this configuration is not possible, some alternatives are listed below. Other configurations are possible, but are beyond the scope of this document. ==== Application uses its own certificates [source,sh]
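Review bot: in PATCH 1/6 the commit subject and body misspell "limitations" ("limitiations") and "manageTLS" ("mangeTLS"); the hunk text itself reads correctly, but the commit message is what lands in history. Within the added "Using certificates when manageTLS=true" paragraph, `TLS_DIR` is introduced without saying which files the runtime component should expect to find in that directory; if the operator mounts a fixed layout (certificate and key file names), naming it here would make the limitation actionable for someone wiring up their server.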
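Review bot: in PATCH 2/6 the third removed paragraph (Knative Serving / OpenShift Serverless sidecar can only reach the application over HTTP, so the application must listen on an HTTP port) is not tied to operator version 0.5.0, unlike the two paragraphs before it, so dropping it under "Remove 0.5.0 known issues" loses a still-relevant constraint. Suggest keeping that paragraph, for example under the "TLS Connections" section this series adds to troubleshooting.adoc, since it interacts directly with the manageTLS/reencrypt default described there.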
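Review bot: in PATCH 4/6 the added line gives `.spec.route.termination=reencyrpt`; the route termination value is `reencrypt`, and a reader copying this into a CR would get a rejected or misbehaving route. The same line has "With these setting" (should be "settings") and "recieve" (should be "receive"). Separately, the hunk deletes the `+` line that followed the `----` listing block; please confirm it was a stray list continuation rather than the marker attaching that block to the preceding list item, because removing it changes how AsciiDoc renders the section.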
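Review bot: in PATCH 5/6 the replacement line still carries `reencyrpt` (should be `reencrypt`) and "recieve". The two snippets are tagged `[source,sh]` but contain YAML, so `[source,yaml]` is the correct language tag. For the "Application uses HTTP inside the cluster" alternative, the prose should state the trade-off explicitly: with `termination: edge` the hop from the router to the pod is plaintext HTTP on the cluster network, and the certificates the operator mounts into the pod are not used for that connection, so this is a weaker posture than the reencrypt default rather than an equivalent one. For the `passthrough` alternative, it is worth saying that the application then owns certificate provisioning and rotation, since the operator-managed secret is no longer on the path. The hunk also appends several blank lines at end of file that should be dropped.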
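Review bot: in PATCH 6/6 the commit titled "spelling" fixes "recieve" but leaves `reencyrpt` on the same line; since that token is a configuration value readers will copy into a CR, it is the more important correction. Suggest `.spec.route.termination=reencrypt` in the same hunk.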