How to use shared SLS externally using a custom domain
Hello Team,
How do we use SLS_DOMAIN to leverage the existing base domain to make SLS available externally, outside the OpenShift cluster, especially when it is hosted in Private mode (Private Link)? There is no option to provide a cluster issuer as in the MAS Suite, which takes care of certificates for MAS Core and Manage.
Regards Srinivasa
To leverage the sls domain you would typically add the below to the LicenseService CR:

```yaml
spec:
  domain: >-
    YOUR_DOMAIN.com
```

which causes the sls operator to create a Route:

https://<slsInstanceId>.<slsNamespace>.YOUR_DOMAIN.com

Eg:

http://sls.ibm-mas.YOUR_DOMAIN.com
Happy to dig further if your use-case isn't working as intended with this method.
Thanks Team, while the route is created for this, how is certificate issuance handled? For Manage and Core, the Suite definition pointing to a specific cluster issuer (Eg: LetsEncrypt) handles the cert issuance.
In this case we need the cert issued by Let's Encrypt for this domain by the LicenseService CR, but except for providing the domain name there is no snippet to handle cert issuance. I have tested with the base domain that the custom ingress is set up with.
At the moment it is only working internally to the cluster with the default domain, as we have only the custom ingress accessible from the internet.
Regards Srinivasa
On Fri, Aug 23, 2024 at 8:46 PM JonahLuckett wrote:

> To leverage the sls domain you would typically add the below to the LicenseService CR:
>
> ```yaml
> spec:
>   domain: >-
>     YOUR_DOMAIN.com
> ```
>
> which causes the sls operator to create a Route: https://<slsInstanceId>.<slsNamespace>.YOUR_DOMAIN.com
> Eg: http://sls.ibm-mas.YOUR_DOMAIN.com
> Happy to dig further if your use-case isn't working as intended with this method.
Apologies for the delayed response. You should be able to make use of this field in the LicenseService CR:

```yaml
spec:
  ca:
    secretName: <Name of the secret that contains the CA keypair that will be used to generate SLS certificates. If not set, SLS will create its own root CA>
```
What are the implications of moving from self-signed certificates to Let's Encrypt certificates for SLS?
I can set up a certificate issued by Let's Encrypt to be renewed every 3 months and stored in a secret which can be referenced in the License Service. Do I need to update mongocfg/MAS configurations to reflect the new SLS cert with every renewal?
Team,
```yaml
apiVersion: sls.ibm.com/v1
kind: LicenseService
metadata:
  name: licenseservice
  namespace: masdemo-ibm-sls
spec:
  domain: licenseservice.masdemo.ibm.com
  ca:
    secretName: licenseservice-tls
  license:
    accept: true
  mongo:
    nodes:
      - host: mongo-db1.example.com
        port: 27017
    configDb: licenseDB
    secretName: mongo-credentials
```
Should we create routes explicitly?
```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: licenseservice-route
  namespace: masdemo-ibm-sls
spec:
  host: licenseservice.masdemo.ibm.com
  to:
    kind: Service
    name: licenseservice
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
    certificate: |
```
Also, should we update mongocfg and any other CRDs with the new cert/secret?
This is to share the SLS instance between multiple MAS instances across the cluster.