Apply suggestions from code review

Co-authored-by: Simon Gerber <[email protected]>
appuio · Jan 8, 2024 · e513311 · e513311
1 parent 0ec72e1
commit e513311
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 18 deletions.
diff --git a/docs/modules/ROOT/assets/images/ocp4-architecture-exoscale.svg b/docs/modules/ROOT/assets/images/ocp4-architecture-exoscale.svg
diff --git a/docs/modules/ROOT/pages/references/exoscale/architecture.adoc b/docs/modules/ROOT/pages/references/exoscale/architecture.adoc
@@ -10,9 +10,9 @@ include::partial$architecture/overview.adoc[]
 
 APPUiO Managed OpenShift 4 on {infra-type} needs a https://docs.openshift.com/container-platform/4.14/installing/installing_bare_metal/installing-bare-metal.html#installation-load-balancing-user-infra_installing-bare-metal[Load Balancer setup] that must meet the following requirements:
 
-1. API load balancer: Provides a common endpoint to interact with the OpenShift and Kubernetes.
+1. API load balancer: Provides a common endpoint to interact with OpenShift and Kubernetes.
 
-2. Ingress load balancer: Provides an ingress point for application traffic flowing in from outside the cluster.
+2. Ingress load balancer: Provides an endpoint for application traffic flowing in from outside the cluster.
 
 See the https://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal.html#installation-requirements-user-infra_installing-bare-metal[upstream documentation] for details on {infra-type} requirements.
 
@@ -21,11 +21,13 @@ See the https://docs.openshift.com/container-platform/latest/installing/installi
 
 === Security Groups
 
-On {infra-type} APPUiO Managed OpenShift 4 uses public ips for each node in the cluster.
+On {infra-type}, APPUiO Managed OpenShift 4 uses public IPs for each node in the cluster.
 See https://kb.vshn.ch/oc4/explanations/exoscale/limitations.html#_private_networks[Limitations] of the {infra-type} environment.
 
 The individual VMs are placed in https://community.exoscale.com/documentation/compute/security-groups[Security Groups] to restrict access and isolate the nodes from the public internet.
 
+NOTE: On the {infra-type} environment there is no single stable egress IP. Every node uses a dynamic public IP for egress traffic, which it is not suited for any forms of whitelisting.
+
 === Virtual IPs
 
 To expose applications and the Kubernetes API outside the cluster, APPUiO Managed OpenShift 4 manages two floating IPs:
@@ -43,20 +45,7 @@ include::partial$architecture/networking-pods.adoc[]
 
 === Exposing the cluster
 
-On {infra-type} infrastructure two Load Balancer instances provide ingress to the cluster.
-The Load Balancer setup exposes two public IPs:
-
-1. A public IP for the API.
-Traffic to port `6443/tcp` on this IP must be forwarded to the control plane nodes in the machine network.
-The forwarding of this traffic must happen transparently.
-In particular, no TLS interception can be performed as the Kubernetes API depends on mutual TLS authentication.
-VSHN will manage a DNS record pointing to this IP.
-2. A public IP for HTTP(s) ingress.
-Traffic to ports `80/tcp` and `443/tcp` on this IP must be forwarded to the infrastructure nodes in the machine network.
-The PROXY protocol should be enabled to preserve source IPs.
-Forwarding should happen transparently in TCP mode.
-VSHN will manage a wildcard DNS record pointing to this IP.
-Additional DNS records can be pointed to this IP by the customer.
+We provide a CNAME target record to point additional DNS records to.
 
 === External services