An Azure Firewall Layer 7 rule that filters HTTP, HTTPS and MSSQL traffic by FQDN (domain name). For HTTPS the FQDN is read from the TLS SNI header unless TLS inspection (Premium SKU only) is enabled on the rule. More flexible than network rules, but TLS inspection re-signs every server certificate with the firewall's own CA, so clients that do not trust that CA fail certificate verification.
An Azure CLI command that builds container images remotely in Azure Container Registry, replacing docker build + docker push. Works inside private networks where Docker Hub access is unavailable.
Azure Command-Line Interface — the primary CLI tool for managing Azure resources. Used for az login, az acr build, az container create, and other Azure operations.
An Azure service for storing and distributing VM images. OpenShift uses gallery images to provision cluster nodes. MachineSet templates reference specific gallery image versions.
A variable passed to a Docker build (ARG in Dockerfile) that parameterises the image — e.g. OCP_INSTALL_VERSION pins openshift-install, oc, and ccoctl to the same release.
Cloud Credential Operator utility — an OpenShift CLI tool that manages cloud provider credentials for cluster components. Must be the same version as openshift-install to process manifests correctly.
A pattern where each CI/CD job provisions a fresh container, runs a single command inside it, and the container exits. The workflow controls what happens.
A pattern where a container registers itself as a GitHub Actions runner, receives and executes jobs, then self-deletes. The container controls its own lifecycle.
A Terraform error that usually means a network operation timed out rather than being refused. In a hub-spoke network it is often caused by a missing service endpoint (or private endpoint) on the runner subnet: ARM control plane calls succeed through the firewall, but data plane calls to the storage account (for example the remote state backend) have no usable path and hang until the client's deadline expires.
The management layer of a system (e.g. the Kubernetes API server) that handles configuration, scheduling, and orchestration — as opposed to the data plane which handles actual workloads.
DeployIfNotExists — an Azure Policy effect that automatically deploys a resource or configuration if it does not already exist, e.g. automatically creating diagnostic settings on new resources.
Domain Name System — translates human-readable domain names (e.g. github.com) into IP addresses that computers use to communicate.
A feature of Azure Firewall that forwards DNS queries on behalf of VNet resources. Spokes set the firewall as their DNS server, and the firewall resolves against Private DNS zones in the hub.
A platform for building, shipping, and running applications in containers. In GHES private networks, docker build/push is often replaced by az acr build because the runner cannot reach Docker Hub.
A text file containing instructions for building a Docker container image — specifying the base image, dependencies, files to copy, and the command to run.
The command or script that runs when a container starts. In the context of a runner container, this is the script that registers the runner and starts listening for jobs.
A behaviour where changes take time to propagate across a distributed system. The Azure ARM API exhibits this — a newly created resource group may return 404 for a brief period after creation.
GitHub Enterprise Cloud — the cloud-hosted version of GitHub Enterprise, managed by GitHub on their infrastructure with added enterprise features like SAML SSO and audit log streaming.
GitHub Enterprise Server — a self-hosted version of GitHub that you install and run on your own infrastructure, typically inside a private network for compliance and data residency requirements.
An environment variable that tells Git to skip TLS certificate verification. A quick workaround when cloning from a GHES instance that uses a self-signed certificate, but it also removes Git's protection against an interposed server; the safer fix is to trust the certificate explicitly by pointing GIT_SSL_CAINFO (or git config http.sslCAInfo) at the GHES certificate or its issuing CA.
GitHub's built-in CI/CD platform that lets you automate workflows directly from your repository — building, testing, and deploying code triggered by events like pushes and pull requests.
A runner managed by GitHub (e.g. ubuntu-latest) that is provisioned on-demand in GitHub's cloud. Not available on GHES — you must use self-hosted runners instead.
A package manager for Kubernetes that uses charts (pre-configured resource templates) to deploy applications. Used in OCP workflows to install operators and services onto clusters.
A network topology where a central hub VNet connects to multiple spoke VNets. All traffic between spokes passes through the hub, which typically contains shared services like a firewall and DNS resolver.
Infrastructure as Code — managing and provisioning cloud infrastructure through machine-readable definition files (e.g. Terraform, ARM templates) rather than manual configuration.
The primary configuration file for openshift-install that defines the cluster name, base domain, platform settings, networking, and compute/control plane node counts.
Installer-Provisioned Infrastructure — an OpenShift installation method where openshift-install creates and manages all the underlying cloud infrastructure (VMs, networking, DNS) automatically.
An open-source container orchestration platform for automating deployment, scaling, and management of containerised applications. OpenShift is built on top of Kubernetes.
An OpenShift resource that defines a template for creating worker nodes. References the cloud provider, VM size, image, and network settings. Must be updated when changing OCP versions or Compute Gallery images.
Pre-built, reusable GitHub Actions (e.g. actions/checkout, azure/login) published on the GitHub Marketplace. On GHES without internet access they are not resolvable by default: they must be synced onto the instance (GitHub Connect can fetch them from github.com; the actions-sync tool mirrors them for air-gapped installs) or replaced with inline scripts.
Managed Service Identity — another name for Azure Managed Identity. ACI containers can have user-assigned MSIs attached via --assign-identity, allowing passwordless authentication to Azure services.
A Node.js environment variable; set to 0 it disables TLS certificate validation for every connection the process makes, including those made by JavaScript actions on the runner. A workaround when Node.js tools talk to services with self-signed certificates; prefer NODE_EXTRA_CA_CERTS=<path to the PEM>, which adds just that certificate to the trusted set.
A DNS query tool used to check whether a domain name resolves to the expected IP address. Critical for debugging Private DNS zone and Private Link issues.
The OpenShift authentication endpoint at oauth-openshift.apps.<cluster>.<domain>, served through the ingress router on port 443. Separate from the API endpoint (api.<cluster>.<domain> on port 6443); the firewall must allow both before oc login can succeed, since the login exchanges a token with the OAuth server and then talks to the API.
The OpenShift CLI — an extended version of kubectl with additional commands for OpenShift-specific resources. Used for oc login, oc apply, oc get, and managing cluster resources.
OpenID Connect — an identity layer on top of OAuth 2.0 that allows applications to verify user identity and obtain basic profile information. Used for federated authentication with GitHub Actions.
The CLI tool used to create and destroy OpenShift clusters. In IPI mode it provisions all infrastructure automatically. Must be version-matched with oc and ccoctl to avoid manifest compatibility issues.
Personal Access Token — a token used as an alternative to a password for authenticating to GitHub APIs and Git operations. Scoped with specific permissions.
An Azure DNS zone that resolves domain names only within your virtual networks — not visible on the public internet. Used with Private Link to route traffic to Azure services over private IPs.
A network interface with a private IP address that connects you to an Azure service (e.g. Storage, Key Vault) over your VNet instead of the public internet.
Azure Private Link — a service that lets you access Azure PaaS services over a private endpoint in your VNet, keeping traffic on the Microsoft backbone network.
Role-Based Access Control — a system for managing who can do what with Azure resources by assigning roles (e.g. Reader, Contributor, Owner) to users, groups, or service principals.
A Python environment variable, read by the requests library and by tools built on it such as the Azure CLI, that names the CA bundle file to verify servers against. To trust a private CA, point it at a bundle that contains that CA (typically the system bundle with the private certificate appended). Note that an empty value does not disable verification: requests treats an unset or empty variable as "use the default bundle". Disabling verification is a per-tool setting (e.g. AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 for the Azure CLI) and should be a last resort.
Red Hat Enterprise Linux — a commercial Linux distribution. OpenShift tooling (openshift-install, oc, ccoctl) is built and tested on RHEL, making it the preferred base for OCP runner images.
An Azure resource containing rules that determine where network traffic is directed. In hub-spoke networks, route tables force spoke traffic through the hub firewall via 0.0.0.0/0 next-hop rules.
The machine (physical, virtual, or container) that executes GitHub Actions workflow jobs. Can be GitHub-hosted (managed by GitHub) or self-hosted (managed by you).
A GitHub Actions runner that you provision and manage yourself — required on GHES since GitHub-hosted runners are not available. Can run on a VM, in a container, or on bare metal.
A TLS certificate not issued by a publicly trusted Certificate Authority. Common on GHES instances in private networks. Either the certificate is added to each tool's trust store (the RHEL/UBI system store via update-ca-trust, GIT_SSL_CAINFO for Git, NODE_EXTRA_CA_CERTS for Node.js, REQUESTS_CA_BUNDLE for Python tooling) or, as a weaker workaround that also disables protection against interposed servers, verification is switched off (curl -k, GIT_SSL_NO_VERIFY, NODE_TLS_REJECT_UNAUTHORIZED=0).
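As an added example (not code from the original page), the explicit-trust alternative to the Git, Node.js and Python bypass variables described in the entries above: capture the certificate the GHES instance presents, append it to the system bundle, and hand that one bundle to every tool. The host name ghes.internal.example, the file ghes-ca.pem and the ./trust directory are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. Trust a self-signed GHES
# certificate explicitly instead of switching verification off per tool.
# Hypothetical names: ghes.internal.example, ghes-ca.pem, ./trust/.
set -eu

# Capture the certificate the server presents (run once, from a host that can
# reach GHES). For a self-signed leaf this is the trust anchor itself; behind a
# TLS-inspecting firewall the issuing CA is the last certificate in the chain,
# if the firewall sends the chain at all.
fetch_server_cert() {    # usage: fetch_server_cert ghes.internal.example > ghes-ca.pem
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/'
}

# Find the distro bundle so the private CA is added to it, not substituted for it.
system_bundle() {
  for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem; do
    if [ -r "$f" ]; then echo "$f"; return 0; fi
  done
  return 1
}

# Build <outdir>/ca-bundle.pem and print the exports that make git, curl/OpenSSL,
# Node.js, Python requests and the Azure CLI verify against it. eval the output.
trust_private_ca() {     # usage: eval "$(trust_private_ca ghes-ca.pem ./trust)"
  ca="$1"; outdir="$2"
  grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
  mkdir -p "$outdir"
  bundle="$outdir/ca-bundle.pem"
  if sys=$(system_bundle); then cat "$sys" > "$bundle"; else : > "$bundle"; fi
  { echo; cat "$ca"; } >> "$bundle"
  echo "export SSL_CERT_FILE=$bundle"        # OpenSSL and curl: no more curl -k
  echo "export GIT_SSL_CAINFO=$bundle"       # git: replaces GIT_SSL_NO_VERIFY=1
  echo "export NODE_EXTRA_CA_CERTS=$ca"      # Node.js (additive): replaces NODE_TLS_REJECT_UNAUTHORIZED=0
  echo "export REQUESTS_CA_BUNDLE=$bundle"   # Python requests and azure-cli: a bundle path, never ""
}

# CI self-check: is the private CA really inside the bundle the tools will read?
# Uses the first base64 line of the certificate body as the probe.
bundle_contains_ca() {   # usage: bundle_contains_ca ./trust/ca-bundle.pem ghes-ca.pem
  probe=$(awk '/BEGIN CERTIFICATE/ { getline; print; exit }' "$2")
  [ -n "$probe" ] && grep -Fxq "$probe" "$1"
}
```

On a RHEL/UBI runner image the same certificate can also go into the system store (copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust), which covers curl and OpenSSL without any environment variables; the exports above are still needed for Git, Node.js and Python tooling that keeps its own bundle setting.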
A VNet feature that provides direct, optimised connectivity from a subnet to Azure services over the Azure backbone network. Simpler than Private Link but does not assign a private IP: the service is still reached at its public endpoint, and access is restricted by allowing that subnet in the service's own firewall (e.g. the storage account network rules).
A Microsoft Entra ID (formerly Azure AD) identity created for applications, services, and automation tools to access Azure resources with specific permissions, like a service account.
When an operation fails without producing an error message. In GitHub Actions (GHES included) a secret that is not defined at the level the workflow reads it from expands to an empty string instead of failing the job, and actions/checkout can leave an empty workspace without warning, so later steps fail on symptoms far from the cause.
A virtual network that connects to a central hub VNet in a hub-spoke topology. Each spoke typically hosts a specific workload or environment (e.g. dev, production).
A range of IP addresses within a VNet that lets you segment your network. Resources in a subnet can have NSGs and route tables applied to control traffic.
An open-source Infrastructure as Code tool by HashiCorp that lets you define cloud resources in declarative configuration files and manage their lifecycle.
A thin wrapper around Terraform that provides extra tools for keeping configurations DRY, managing remote state, and working with multiple Terraform modules.
Transport Layer Security — the protocol that encrypts data in transit (HTTPS). In a private network with a firewall doing TLS inspection, self-signed certificates can cause verification failures.
A firewall feature that decrypts HTTPS traffic to inspect it, then re-encrypts it with a certificate issued on the fly by the firewall's own intermediate CA. Any client that does not trust that CA (tools, language runtimes, container images with their own bundles) fails certificate verification.
Universal Base Image — Red Hat's freely redistributable container base image built from RHEL. Used as the base for OCP runner containers (e.g. registry.access.redhat.com/ubi9/ubi:9.5).
User Defined Route — a custom routing rule in Azure that overrides default system routes, typically used to force traffic through a firewall or network virtual appliance.
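As an added example (not code from the original page), the network side of the Terraform timeout described above, using the Azure CLI rather than Terraform: check which service endpoints the runner subnet is missing, add them, and send the rest of the subnet's egress to the hub firewall with a 0.0.0.0/0 user-defined route. The resource names rg-spoke-ci, vnet-spoke-ci, snet-runners, rt-spoke-ci and the firewall IP 10.0.1.4 are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. Fix the "data plane calls to
# storage time out" case: give the runner subnet service endpoints for the
# services Terraform's state backend and the installer talk to, and force
# everything else through the hub firewall with a user-defined route.
# Hypothetical names: rg-spoke-ci, vnet-spoke-ci, snet-runners, rt-spoke-ci, 10.0.1.4.
set -eu

# Pure helper: which of the required endpoints are missing from a subnet?
# <have> is the output (one service per line, or tab-separated) of:
#   az network vnet subnet show ... --query 'serviceEndpoints[].service' -o tsv
missing_endpoints() {   # usage: missing_endpoints "<have>" Microsoft.Storage Microsoft.KeyVault ...
  have="$1"; shift
  for want in "$@"; do
    printf '%s\n' "$have" | tr '\t' '\n' | grep -Fxq "$want" || printf '%s\n' "$want"
  done
}

# Add only what is missing. --service-endpoints replaces the whole list, so the
# existing services are passed again together with the missing ones.
ensure_endpoints() {    # usage: ensure_endpoints rg-spoke-ci vnet-spoke-ci snet-runners Microsoft.Storage ...
  rg="$1"; vnet="$2"; subnet="$3"; shift 3
  have=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" -n "$subnet" \
           --query 'serviceEndpoints[].service' -o tsv)
  missing=$(missing_endpoints "$have" "$@")
  if [ -z "$missing" ]; then return 0; fi
  # shellcheck disable=SC2086   # word splitting is intended here
  set -- $have $missing
  az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --service-endpoints "$@" >/dev/null
}

# Default route to the firewall's private IP: the spoke's egress goes to the hub,
# where network and application rules decide what leaves.
force_tunnel() {        # usage: force_tunnel rg-spoke-ci vnet-spoke-ci snet-runners rt-spoke-ci 10.0.1.4
  rg="$1"; vnet="$2"; subnet="$3"; rt="$4"; fw_ip="$5"
  az network route-table create -g "$rg" -n "$rt" >/dev/null
  az network route-table route create -g "$rg" --route-table-name "$rt" -n default-to-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip" >/dev/null
  az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" --route-table "$rt" >/dev/null
}

# Reproduce the symptom without Terraform: any HTTP status from the storage
# endpoint (even 400/403) proves the data-plane path exists; curl exit code 28
# (timeout) is the same hang Terraform reports as its deadline error.
probe_storage() {       # usage: probe_storage <storage-account-name>
  curl -sS -m 10 -o /dev/null -w '%{http_code}\n' "https://$1.blob.core.windows.net/"
}
```

Run ensure_endpoints before force_tunnel: once the default route points at the firewall, storage traffic that has no service endpoint (or private endpoint) depends entirely on the firewall's rules and the storage account's network rules, and a mismatch between the two shows up as exactly the timeout above.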
Explicitly locking a tool or dependency to a specific version rather than using 'latest'. Critical for OCP tooling where mixing versions (e.g. openshift-install 4.16 with ccoctl 4.15) causes silent failures.
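As an added example (not code from the original page or from the OpenShift project), the pinning described in the build-argument and version-pinning entries carried through with an integrity check: fetch openshift-install, oc and ccoctl for one release from mirror.openshift.com, verify each tarball against the mirror's sha256sum.txt, and fail the build if the extracted binaries report a different release than the one pinned. The x86_64 mirror layout is the documented one; that ccoctl-linux.tar.gz is published next to the client tarballs for the pinned release is an assumption (older releases need ccoctl extracted from the release image instead). The version 4.16.3 and the script name pin-ocp-tools.sh are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. Pin openshift-install, oc and
# ccoctl to ONE release, verify the downloads, and refuse to build on drift.
# Assumptions: the x86_64 client mirror layout below, and that
# ccoctl-linux.tar.gz exists for the pinned release (hypothetical: 4.16.3).
set -eu

OCP_INSTALL_VERSION="${OCP_INSTALL_VERSION:-4.16.3}"   # passed in as a Docker ARG/ENV

ocp_mirror_url() {   # usage: ocp_mirror_url <version> <filename>
  echo "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$1/$2"
}

# Compare a file against the "<sha256>  <name>" lines the mirror publishes.
verify_sha256() {    # usage: verify_sha256 <file> <sha256sum.txt>
  expected=$(awk -v f="$(basename "$1")" '$2 == f || $2 == "*" f { print $1; exit }' "$2")
  [ -n "$expected" ] || { echo "no checksum listed for $1" >&2; return 1; }
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# First version number on the first line of a tool's version output:
#   "openshift-install 4.16.3" -> 4.16.3   "Client Version: 4.16.3" -> 4.16.3
release_of() {       # usage: release_of "<version output>"
  printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Every output must name the pinned release; ccoctl 4.15 next to
# openshift-install 4.16 is exactly the silent failure the entry above warns about.
same_release() {     # usage: same_release <pinned> "<output>"...
  pinned="$1"; shift
  for out in "$@"; do
    got=$(release_of "$out")
    [ "$got" = "$pinned" ] || { echo "release drift: want $pinned, got '${got:-?}'" >&2; return 1; }
  done
}

fetch_pinned_tools() {   # usage: fetch_pinned_tools 4.16.3 /usr/local/bin   (needs network)
  ver="$1"; dest="$2"
  mkdir -p "$dest"
  curl -fsSL -o "$dest/sha256sum.txt" "$(ocp_mirror_url "$ver" sha256sum.txt)"
  for t in openshift-install-linux.tar.gz openshift-client-linux.tar.gz ccoctl-linux.tar.gz; do
    curl -fsSL -o "$dest/$t" "$(ocp_mirror_url "$ver" "$t")"
    verify_sha256 "$dest/$t" "$dest/sha256sum.txt"     # refuse a tampered or wrong-version tarball
    tar -xzf "$dest/$t" -C "$dest" && rm -f "$dest/$t"
  done
  # Build-time gate: the binaries must agree with the pin (ccoctl has no
  # version subcommand to check here, but it came from the same release dir).
  same_release "$ver" "$("$dest/openshift-install" version)" "$("$dest/oc" version --client)"
}

# Dockerfile use (hypothetical file name):
#   ARG OCP_INSTALL_VERSION=4.16.3
#   RUN . ./pin-ocp-tools.sh && fetch_pinned_tools "$OCP_INSTALL_VERSION" /usr/local/bin
```

Because the same OCP_INSTALL_VERSION drives every download, bumping the release is a one-line change to the build argument, and a mirror directory that lacks one of the three tarballs fails the build instead of quietly leaving an older binary in place.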
Virtual Network — the fundamental building block for private networking in Azure. It provides an isolated network where you can deploy and connect Azure resources.
A connection between two VNets that allows resources in each to communicate with each other over the Azure backbone — used to connect hub and spoke networks.
A GitHub Actions automation defined in a YAML file under .github/workflows/. Triggered by events (push, pull request, schedule) and composed of one or more jobs.