Bug 2102230

Summary: Need to add rhcos.mirror.openshift.com to firewall docs
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: DocumentationAssignee: Jesse Dohmann <jdohmann>
Status: CLOSED CURRENTRELEASE QA Contact: Xiaoli Tian <xtian>
Severity: unspecified Docs Contact: Latha S <lmurthy>
Priority: unspecified    
Version: 4.6CC: gpei, jdohmann, travier
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2102228 Environment:
Last Closed: 2022-09-08 22:57:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Dodson 2022-06-29 13:52:05 UTC 
The page here needs to have rhcos.mirror.openshift.com added, duplicate the entry at the top for "Provides Red Hat Enterprise Linux CoreOS (RHCOS) images" with this hostname. Do not remove the current hostname for now, it can likely be removed for 4.12.

+++ This bug was initially created as a clone of Bug #2102228 +++

Copied from ane mail Yuxiang sent to aos-devel

The RHCOS redirector [1] is hosted on the ART OSD cluster. It redirects file download requests to a regional S3 bucket. Disruptions to this service can block OpenShift installations because references to the redirector hostname are baked into the OpenShift installer [2]. This service and its location creates unnecessary risk for ART and gives prodsec yet another service to have to worry about. To eliminate this kind of risk, ART has set up a CloudFront CDN distribution [3] to provide RHCOS image downloads at https://rhcos.mirror.openshift.com. With this new CloudFront distribution, we can get very reliable, fast, and cheap world-wide distribution for the files.

To move to the CloudFront distribution, we need to get all references to the redirector hostname (rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com) replaced with the CDN distribution hostname (rhcos.mirror.openshift.com). e.g. https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/rhcos-4.11-aarch64/411.85.202205040359-0/aarch64/rhcos-411.85.202205040359-0-aws.aarch64.vmdk.gz ==> https://rhcos.mirror.openshift.com/art/storage/releases/rhcos-4.11-aarch64/411.85.202205040359-0/aarch64/rhcos-411.85.202205040359-0-aws.aarch64.vmdk.gz.

We should backport this change to 4.8.
Comment 1 Timothée Ravier 2022-07-20 15:46:05 UTC 
We've made the hostname change for 4.11 in https://github.com/openshift/installer/pull/6130 so we are going to need the docs update for 4.11 here: https://bugzilla.redhat.com/show_bug.cgi?id=2102228

It should be mostly https://docs.openshift.com/container-platform/4.10/installing/install_config/configuring-firewall.html

Other releases have not been updated yet.
Comment 2 Jesse Dohmann 2022-07-27 14:34:33 UTC 
4.11 PR has been merged: https://github.com/openshift/openshift-docs/pull/48037

4.10 PR is in progress: https://github.com/openshift/openshift-docs/pull/48134

the other backports will come when installer PRs land

@sdodson can you confirm that the first table of registry URLs is the only one that needs updating? Or are there other tables on this page that need to be updated with this new redirector URL?
Comment 3 Scott Dodson 2022-07-27 15:17:14 UTC 
@jdohmann that's fine
Comment 4 Scott Dodson 2022-07-27 15:18:12 UTC 
@jdohmann Actually, given that some 4.10.z will use the old hostname and some will use the new hostname we should list both of them in all versions older than 4.11.
Comment 5 Jesse Dohmann 2022-09-08 22:57:19 UTC 
These are all live now except for 4.6, so I am going to close this ticket. If there is more to be done please open a JIRA ticket in the OCPBUGS project. Thanks all!