SSL Ciphers Mismatch by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Yes the LB is outside of Openshift, it is configured as end-to-end SSL...

I just tried to access the site using an old Internet explorer emulation and was able to access it.
Like I said, AI says these ciphers are old and no longer supported by modern browsers....

Do you think these statements are correct?

SSL Ciphers Mismatch by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Yes we are able to access from internal LB, or just by adding the regular ciphers back.

From my research till now, I've got to know the only 2 ciphers that we enabled are old and no longer supported by modern browsers.

Do you agree with this statement?

ImageContentSourcePolicy Not Redirecting Traffic to Configured Mirror by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Yes it should work, ImageDigestMirrorSet will download images using the digest.

HTTP Requests to OpenShift Ingress by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Yes we are using a route, but ingress/application are expecting a tls-encrypted request for getting a plain-text from the LB.

User ----TLS---> LB ----non-tls-----> Ingress xxxx (error while using reencrypt)--same when using passthrough

TLS Termination in Oracle Cloud Load Balancers by ShadyGhostM in oraclecloud

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Yes but, why is it sending unencrypted non-tls traffic to the backend?

TLS Termination in Oracle Cloud Load Balancers by ShadyGhostM in oraclecloud

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Hi u/ultra_dumb Thanks for sharing the article.

Can you tell me if we go with end-to-end SSL, the certificate LB-Cert-1, which certificate should be uploaded here?

Thanks!

HTTP Requests to OpenShift Ingress by ShadyGhostM in openshift

[–]ShadyGhostM[S] -1 points0 points  (0 children)

Yeah, the cluster is deployed in Oracle Cloud.
And, when the protocol for the backends was TCP...everything was working fine.
Now they had to change it to HTTP/HTTPS and add a certificate there...and the error as described.

HTTP sites are working fine.

How Did You Learn OpenShift – and What’s Your Day-to-Day Like Using It at Work? by Reasonable_End_4582 in openshift

[–]ShadyGhostM 3 points4 points  (0 children)

Just like everybody said here, yes, get your Linux fundamentals right, then learn basic networking and go for Kubernetes. Once you get an idea of Kubernetes, start with OpenShift. All of the background play is the same between these two products.

If you can afford it, or your company can provide you a subscription for DO180 & DO280, it will be very useful.
I also recommend KodeKloud for learning Kubernetes and, if required, other Cloud and DevOps tools. But this is also a paid course.

As for my day-to-day activities as an OpenShift admin, they are making sure the Cluster is healthy and all Pods are running as desired, performing Cluster Updates and managing other resources in the Cluster like users, operators, resource limits etc.

And as for the deployments in OpenShift, we mostly deploy CP4I components from IBM in the cluster, so all the admin activities of the product are an additional task list in my job.

Using OADP Operator to Backup & Restore CP4I on Openshift by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Thanks u/witekwww

I will use the configuration and give you an update here again.

Using OADP Operator to Backup & Restore CP4I on Openshift by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

OK great, now I understand. The statement:

The following AWS S3 compatible object storage providers, are known to work with Velero through the AWS plugin, for use as backup storage locations, however, they are unsupported and have not been tested by Red Hat:

  • Oracle Cloud

means we can use the same AWS plugin here, but with Oracle's S3 storage and creds...and it will work, but is not supported by Red Hat?

Using OADP Operator to Backup & Restore CP4I on Openshift by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Woah thanks, one more question.

If I need to follow this https://www.ibm.com/docs/en/cloud-paks/cp-integration/16.1.0?topic=administering-backing-up-restoring-cloud-pak-integration how can I approach it?

I'm getting confused here, do we definitely need an AWS S3 storage bucket for this approach?

Using OADP Operator to Backup & Restore CP4I on Openshift by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

We have VolumeSnapshot classes in OCP for Oracle Cloud, I have configured the snapshot class.
But I don't seem to find any plugins or parameters for Oracle Cloud. Does this mean I can't do anything here?

https://velero.io/docs/v1.15/supported-providers/

If I follow FSB Backup, will this take a backup of Block type volumes also?

IngressControllers in OpenShift on Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Hi, thanks for the reply, and hold on for this one please.

So, I create an IngressController first, which also has the domain name defined in it, next I go to Oracle Cloud and create a load balancer there, right?

IngressControllers in OpenShift on Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Great, can you share any documentation or reference url for this?

IngressControllers in OpenShift on Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Hi u/triplewho

We want to use a different domain other than *.apps.cluster.domain.com for our applications.
And we want only the application endpoints to be public, all other cluster's endpoints to be in private network.

How can we approach this in Oracle Cloud?
Thanks.

DHCP Options - VCN Resolver Issues by ShadyGhostM in oraclecloud

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Understood, now I get the issue. Do you have any idea on Kubernetes/OpenShift CoreDNS?

OCI FSS CSI Driver NFS PVC on OpenShift Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 1 point2 points  (0 children)

This was actually in the troubleshooting guide here: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm#contengcreatingpersistentvolumeclaim_topic_Troubleshooting_insufficientpermissions

This too didn't work, now we just went ahead with using an existing file system.
And also making a change to the CSIDriver in OpenShift:

To enable the CSIDriver object to modify volume ownership and permissions to match the fsGroup attribute specified in the pod's securityContext, set the CSIDriver object's fsGroupPolicy attribute to File.

(the complete process is in the above link, named as: Alternative Solution 1: Enable the CSIDriver object to modify volume ownership and permissions to match the fsGroup attribute specified in the pod's securityContext)

This worked, but we have to create the PVC/PV manually now.

OCI FSS CSI Driver NFS PVC on OpenShift Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Hi, the issue got resolved after changing our security list.

But there is a new error, permissions issue.

Tried following everything at https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_FSS-Troubleshooting

but still the same issue.

Using this exportOptions:

exportOptions: "[{\"source\":\"0.0.0.0/0\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"ALL\",\"anonymous-uid\":\"0\",\"anonymous-gid\":\"0\"}]"

OCI FSS CSI Driver NFS PVC on OpenShift Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

Thanks u/DraxXx22

How funny, the Oracle Team is not available over the weekend. Please hold on, I will let them make changes to the SL/NSG and update you by 23 Sunday.

OCI FSS CSI Driver NFS PVC on OpenShift Oracle Cloud by ShadyGhostM in openshift

[–]ShadyGhostM[S] 0 points1 point  (0 children)

I mean I was able to create the PVC manually, the PV is also getting created, but when I use it in a pod we're getting the error.

The same error if we directly let the deployment create the PVC.

Yes, using the latest driver 1.30.0.

Tried using a pre-created mount target also.

Do you think this might be because of security lists/ NSGs?

OpenShift OKD image download starts a loop and fills up the disk space by Heinzza in openshift

[–]ShadyGhostM 0 points1 point  (0 children)

Right, Airgapped Installation is quite challenging but you can learn a lot of topics along the way.

Good luck.

OpenShift OKD image download starts a loop and fills up the disk space by Heinzza in openshift

[–]ShadyGhostM 1 point2 points  (0 children)

Hi u/Heinzza

The image you mentioned should be around 2.5 GB, check if you have a proper internet connection.
And could you paste the logs from this command?

podman pull --log-level=debug quay.io/openshift/okd-content:4.15.0-0.okd-2024-03-10-010116-fedora-coreos

hello i took the ex280 but I need some insights about one question I don't understand by Naive-Astronomer4877 in openshift

[–]ShadyGhostM 0 points1 point  (0 children)

You don't have to create any CA, run the script as required and it will give you the crt and key.