Resolution: Unresolved
https://pagure.io/centos-infra/issue/1530
@ngompa and I are in the process of setting up some infra on AWS to produce compose-like artifacts for Hyperscale, and we'd like these to be accessible from https://hyperscale.sig.centos.org . Filing this ticket to get the process started, will fill in the actual IPs later once everything is agreed upon. Meanwhile, here's the template:
- Sig centos.org dns entries
This template outlines the conditions of a SIG managing infra themselves for which the centos team is not directly responsible on a centos.org subdomain.
These can also be found at https://sigs.centos.org/guide/
- A point of contact will need to be named and we will keep our own records for these contacts
@dcavalca and @ngompa will be PoC for this
- No illegal activity should occur on the hosted infrastructure
Agreed
- Only content related to the SIG and/or centos should be served from this domain
Agreed
- Centos and Red Hat will not be liable for any content served.
Agreed
- No content should be served to any [T5 country](https://centos.org/legal/)
We should be able to enforce this via a security group, which will block incoming traffic from subnets we can't serve to. Do you happen to have a list already we can consume?
- The entry will be created with the following format `<sig_name>.sig.centos.org`
Agreed
- When the entry is created it will be a cname created with the format `<sig_name>.unmanaged-by.centos.org` for internal purposes; this will then point to the A/AAAA record
Agreed
- Security best practices should be put in place including but not limited to hsts and TLS v1.2
How does this work in practice? Should I get my own SSL certificate for hyperscale.sig.centos.org, or should I use a preexisting certificate supplied by infra? I can issue certs pretty easily via ACM, but it feels iffy to get a certificate for a domain I don't actually own (and we'd still need to sort out how to do validation in that case).
- We reserve the right to temporarily remove the dns entry if these conditions are not met or in case of a serious security issue.
Agreed
By creating this ticket you are agreeing to the terms laid out above
Please provide us with the full domain name required and the A/AAAA record you wish to use. For example:
```
Domain Name: hyperscale.sig.centos.org
ip4: tbd
ip6: tbd
Point of Contact: @dcavalca, @ngompa
```