From b5784d576e3952d52bd5a3a1f8786722dc6a784e Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Tue, 28 Jan 2020 12:54:09 -0800
Subject: [PATCH] modules/configuring-firewall: Document release signature sources

Reflecting [1], which configures the cluster-version operator to pull signatures from Google Storage and/or Red Hat's mirrors (the search order is an internal detail [2]). Kathryn in [3]:

> Since you're adding a sentence in the table, each of the equivalent
> entries needs a period.

So that's why I'm touching all the other entries in this table.

[1]: https://github.com/openshift/cluster-update-keys/blob/cca4ce696383e70ae669e770bd63265a9540b721/manifests.rhel/0000_90_cluster-update-keys_configmap.yaml#L4-L5
[2]: https://github.com/openshift/cluster-version-operator/blob/54faf6fad0d4dfa7c2a7953076f608d018577fd1/pkg/verify/configmap.go#L33-L48
[3]: https://github.com/openshift/openshift-docs/pull/19365#pullrequestreview-352368253
---
 modules/configuring-firewall.adoc | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/modules/configuring-firewall.adoc b/modules/configuring-firewall.adoc
index babd548e9f..4ef8359a8b 100644
--- a/modules/configuring-firewall.adoc
+++ b/modules/configuring-firewall.adoc
@@ -75,23 +75,26 @@ Before you install {product-title}, you must configure your firewall to grant ac |URL | Function |`mirror.openshift.com` -|Required to access mirrored installation content and images +|Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source. + +|`storage.googleapis.com/openshift-release` +|A source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |`*.apps..` -|Required to access the default cluster routes unless you set an ingress wildcard during installation +|Required to access the default cluster routes unless you set an ingress wildcard during installation. |`quay-registry.s3.amazonaws.com` -|Required to access Quay image content in AWS +|Required to access Quay image content in AWS. |`api.openshift.com` -|Required to check if updates are available for the cluster +|Required to check if updates are available for the cluster. |`art-rhcos-ci.s3.amazonaws.com` -|Required to download {op-system-first} images +|Required to download {op-system-first} images. |`api.openshift.com` -|Required for your cluster token +|Required for your cluster token. |`cloud.redhat.com/openshift` -|Required for your cluster token +|Required for your cluster token. |===
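Review bot: The new `storage.googleapis.com/openshift-release` row gives a URL path, but many firewalls and proxies allowlist by hostname only, and `storage.googleapis.com` is a shared host that serves every Google Cloud Storage bucket. The row should say whether the rule can be scoped to the `/openshift-release` path or whether the whole host has to be allowed, so readers know how broad the egress rule is. The clause "although the Cluster Version Operator needs only a single functioning source" is repeated in this row and in the `mirror.openshift.com` row, yet neither says outright whether the Google Storage entry is optional once `mirror.openshift.com` (already marked "Required" for installation content) is reachable. Stating that once, for example in a sentence above the table, would be clearer than the trailing "although" in two cells. Separately, `api.openshift.com` appears in two rows (update checks and cluster token); since these lines are being touched anyway, merging them into one row would avoid readers treating them as distinct endpoints.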