Using LetsEncrypt for signing certificates with AzureDNS
LetsEncrypt is configured as ClusterIssuer, but using the Ansible Collection for MAS installation is not affecting LetsEncrypt as signing authority. In spite of adding the ClusterIssuer environment variable appropriately, it still has the self-signed certificates.
Thanks for your feedback @whoiscnu !
I personally have no understanding of how Cloudflare/Let's Encrypt can be properly configured in Azure. Typically for IBM Cloud / AWS providers we'd need a DNS management service behind the Let's Encrypt cluster issuer to manage the CNAME entries and the registered domain, like Cloud Internet Services for IBM Cloud and Route 53 for AWS. It seems for Azure, it is this AzureDNS that would need to have a webhook to the MAS cluster issuer?
@alequint @durera @swallacertp do you know of any plans to support such capability for Azure anytime soon? I know we have plans to support Route53, but not sure about Azure's plans.
@andrercm We are looking at this from the MAS hyperscaler team but do not have concrete plans yet. I will check with the team and see where this stands and update here.
Thanks @swallacertp, for now I'll label this as low priority until there are changes in the plan.
Hello All,
Thanks for your email.
I was able to set up LetsEncrypt using the installer from Passport Advantage and changing the cert-manager configuration after stopping the operator.
The Ansible collection at the moment doesn't support AzureDNS, as I verified.
It will be interesting when the product is rolled out in ARO, as the support needs to be in place for AzureDNS then. Also there is an Azure Marketplace deploy of MAS which ideally must be using AzureDNS as well.
Regards, Srinivasa
On Thu, 23 Mar 2023 at 9:36 am, andrercm @.***> wrote:
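For reference, this is what a cert-manager ClusterIssuer using Let's Encrypt with the ACME DNS-01 azureDNS solver looks like. It is an added example, not code from this thread or from the ansible-devops project; the issuer name, the service principal IDs, the Secret name and the zone example.com are placeholders, and it assumes cert-manager is installed and the client-secret Secret lives in cert-manager's cluster resource namespace.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-azuredns        # placeholder issuer name
spec:
  acme:
    # Use the staging directory first while validating the setup;
    # the production endpoint enforces rate limits on repeated failures.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com           # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-azuredns-account-key   # ACME account key, created by cert-manager
    solvers:
    - dns01:
        azureDNS:
          # Service principal that holds a role scoped to the DNS zone only
          # (least privilege: not a subscription-wide role).
          clientID: 00000000-0000-0000-0000-000000000000   # placeholder
          clientSecretSecretRef:
            name: azuredns-sp-credentials   # Kubernetes Secret, not an inline value
            key: client-secret
          subscriptionID: 11111111-1111-1111-1111-111111111111   # placeholder
          tenantID: 22222222-2222-2222-2222-222222222222         # placeholder
          resourceGroupName: dns-rg          # placeholder resource group of the zone
          hostedZoneName: example.com        # placeholder public DNS zone
          environment: AzurePublicCloud
      # Only answer challenges for names under this zone.
      selector:
        dnsZones:
        - example.com
---
# Secret holding the service principal password; placeholder value.
apiVersion: v1
kind: Secret
metadata:
  name: azuredns-sp-credentials
  namespace: cert-manager             # assumed cluster resource namespace
type: Opaque
stringData:
  client-secret: "<service-principal-secret-placeholder>"
```

Verify the issuer with `kubectl describe clusterissuer letsencrypt-azuredns` and check that its Ready condition is True before switching the server line to the production ACME directory; as noted in the thread, an operator that reconciles the cert-manager configuration can overwrite such changes.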
@swallacertp, As we facilitate environments for public events or demos, we are interested in knowing plans for a PublicCA cert as default...
- When will MAS on AWS BYOL start using LetsEncrypt?
- When will MAS on Azure BYOL start using LetsEncrypt?
@maulik-modi22 The plan is to release documentation on configuring LetsEncrypt with MAS BYOL on AWS in the upcoming release which is targeted for mid June 2023. Will update on Azure plans. This is the planned date so it is subject to change. Confirming the plans for Azure and will update once I have that.
@swallacertp, Checking back again if there's any update on incorporating it in AWS and Azure BYOL automation?
@maulik-modi22 The BYOL/PAID offerings have documented the use of Let's Encrypt but this is post deployment. It is not in the plan to add this to the template and automation at this time. You can open an Idea for the BYOL option for consideration in future plans.