ibm-mas / ansible-devops

Ansible collection supporting devops for IBM Maximo Application Suite
https://ibm-mas.github.io/ansible-devops/
Eclipse Public License 2.0
49 stars, 82 forks

Let's Encrypt without DNS setup - add to the Documentation - works on-prem no need for custom dns #1417

Open zoltanpesko opened 3 weeks ago

zoltanpesko commented 3 weeks ago

Feature and motivation

There is a way to use Let's Encrypt without CIS or Cloudflare, even if you used the "one-click" method for installation.

The steps are quite easy.

Let’s Encrypt setup:

If you don’t want a custom DNS, just a Let’s Encrypt certificate, check your ClusterIssuer under Installed Operators » cert-manager-operator » Cluster issuer.
The letsencrypt-prod one is without custom DNS. Maybe yours is different (if you already had Cloudflare, for example), like this: {{ mas_instance_id }}-cloudflare-le-prod


Certificate setup: CustomResourceDefinition  search for Suite go to the instances (inst1). Edit the YAML:

spec:
  certManagerNamespace: cert-manager
  certificateIssuer:
    duration: 8760h0m0s
    name: letsencrypt-prod
    renewBefore: 720h0m0s

Delete the finalizer to force reconciliation (rows 173-174, then save). Wait a couple of minutes for the reconciliation. If it is not updating, double-check your certificate issuer name!

Usage example

Many customers want to enable Let's Encrypt after the installation. This documentation could help.

zoltanpesko commented 3 weeks ago

Also, there is a BUG in IoT. The MAS Monitor will give you an error something like this: "Login error, please contact your administrator!" The inst1-public-tls is not updated by itself. Check the owner of the secret! Change the inst1 YAML in spec: manualCertMgmt: false

durera commented 2 weeks ago

I've been wanting to do something to improve our default install that falls into this area:

We should be able to set up LetsEncrypt using a ClusterIssuer as such:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: {{ uds contact email }}
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          ingressClassName: openshift-default

The use of the HTTP solver will allow LE to be used for cert signing in the widest possible range of supported configurations, without any requirement to set anything up in DNS.

For a non-airgap install, this should become the default when you install MAS using ansible/cli - rather than self-signed as it is today.
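As an added check that is not part of this issue or of the ansible-devops collection, the validator below encodes the wiring both comments describe: the Suite's certificateIssuer name must resolve to an existing Issuer/ClusterIssuer, that issuer should use the Let's Encrypt production ACME endpoint with an http01 solver (so no DNS setup is needed), manualCertMgmt must be off, and renewBefore must be shorter than duration. The sample resources are constructed to mirror the YAML in this thread; the Suite apiVersion, its namespace and the contact email are assumptions.

```python
import re

# Constructed sample resources mirroring the YAML fragments in this issue.
SUITE_CR = {
    "apiVersion": "core.mas.ibm.com/v1",  # assumed API group
    "kind": "Suite",
    "metadata": {"name": "inst1", "namespace": "mas-inst1-core"},  # assumed namespace
    "spec": {
        "certManagerNamespace": "cert-manager",
        "certificateIssuer": {"duration": "8760h0m0s", "name": "letsencrypt-prod", "renewBefore": "720h0m0s"},
        "manualCertMgmt": False,
    },
}
ISSUERS = [{
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod"},
    "spec": {"acme": {
        "email": "ops@example.com",  # assumed contact address
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "solvers": [{"http01": {"ingress": {"ingressClassName": "openshift-default"}}}],
    }},
}]

LE_PROD = "https://acme-v02.api.letsencrypt.org/directory"
_DUR = re.compile(r"(\d+)([hms])")
_UNIT = {"h": 3600, "m": 60, "s": 1}

def parse_duration(s):
    """Parse a Go-style duration such as '8760h0m0s' into seconds."""
    if not s or not re.fullmatch(r"(\d+[hms])+", s):
        raise ValueError(f"bad duration: {s!r}")
    return sum(int(n) * _UNIT[u] for n, u in _DUR.findall(s))

def check_issuer_wiring(suite, issuers):
    """Return findings that would stop MAS from obtaining a Let's Encrypt certificate."""
    findings = []
    spec = suite.get("spec", {})
    ci = spec.get("certificateIssuer", {})
    name = ci.get("name")
    if spec.get("manualCertMgmt"):
        findings.append("manualCertMgmt is true: MAS will not refresh the *-public-tls secret itself")
    if not name:
        return findings + ["spec.certificateIssuer.name is missing"]
    match = [i for i in issuers if i["metadata"]["name"] == name and i["kind"] in ("Issuer", "ClusterIssuer")]
    if not match:
        return findings + [f"no Issuer/ClusterIssuer named {name!r}: double-check the issuer name"]
    acme = match[0]["spec"].get("acme", {})
    if acme.get("server") != LE_PROD:
        findings.append(f"{name} does not point at the Let's Encrypt production ACME server")
    if not any("http01" in s for s in acme.get("solvers", [])):
        findings.append(f"{name} has no http01 solver, so validation depends on DNS (dns01)")
    if not 0 < parse_duration(ci.get("renewBefore", "0s")) < parse_duration(ci.get("duration", "0s")):
        findings.append("renewBefore must be positive and shorter than duration")
    return findings
```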