microsoft / AzureTRE

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

Custom domain configuration? #3955

Open jonnyry opened 1 month ago

jonnyry commented 1 month ago

What configuration is required in order to apply a custom domain name to a TRE instance?

I'm assuming you will need to create a DNS record to your TRE instance along the lines of:

treinstance.mydomainname.co.uk CNAME treinstance.region.cloudapp.azure.com

What is then required in terms of Azure TRE configuration? Is this just setting the TRE_URL in config.yaml / env vars and redeploying? Will the letsencrypt make action still work for custom domains?

Thanks

BiologyGeek commented 1 month ago

You can find some insights here: https://github.com/microsoft/AzureTRE/issues/3908#issuecomment-2079385374 If it works, it would be nice if you could share a more detailed instruction about the steps to set up a custom domain.

Relevant: https://github.com/microsoft/AzureTRE/issues/1540

tim-allen-ck commented 3 weeks ago

Hi @jonnyry I've got this to add to the docs, but I'll add it here too

Using a custom DNS and custom cert

A certificate named 'letsencrypt' has been generated in the primary TRE KeyVault. This must be substituted with a certificate for your DNS name. Terraform has been configured to ignore modifications to this resource, eliminating the possibility of any overwrites or conflicts when rerunning the pipelines. Additionally, a user with domain access will be required to redirect a custom domain name to the public IP of the App Gateway. The TRE UX App Registration within the Authentication section will require an update to include the new custom DNS and its corresponding 'oauth2-redirect'.

jonnyry commented 3 weeks ago

Thanks @tim-allen-ck I've requested a new subdomain so I'll let you know how it goes.

jonnyry commented 2 weeks ago

Is it possible to add the custom domain as part of the TRE deployment build?...(rather than a manual fix up afterwards).

I noticed the following in config.yaml, though I'm not clear on what the comments mean:

```yaml
  # If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider
  # uncomment and set this variable
  # tre_url: __CHANGE_ME__
```

tim-allen-ck commented 2 weeks ago

> Is it possible to add the custom domain as part of the TRE deployment build?...(rather than a manual fix up afterwards).
>
> I noticed the following in config.yaml, though I'm not clear on what the comments mean:
>
> ```yaml
>   # If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider
>   # uncomment and set this variable
>   # tre_url: __CHANGE_ME__
> ```

Hey @jonnyry, I've not tried adding the custom domain to the TRE deployment build. I was assuming that that was the config value to change to be able to use a custom domain, but that comment doesn't make sense. Maybe @marrobi can shed some light?

jonnyry commented 2 weeks ago

I'm also thinking that was the intention, though this line overwrites the value of TRE_URL with the native .cloudapp.azure.com domain:

https://github.com/microsoft/AzureTRE/blob/1ffb09baf37f4599adfd65b4259fdda7564da408/devops/scripts/load_and_validate_env.sh#L84

So guessing tre_url in the config.yaml is now redundant.

tim-allen-ck commented 2 weeks ago

> I'm also thinking that was the intention, though this line overwrites the value of TRE_URL with the native .cloudapp.azure.com domain:
>
> https://github.com/microsoft/AzureTRE/blob/1ffb09baf37f4599adfd65b4259fdda7564da408/devops/scripts/load_and_validate_env.sh#L84
>
> So guessing tre_url in the config.yaml is now redundant.

Yes, I saw this looking through the code to find where that tre_url went. I think you're right, it must be redundant. There's another place where it constructs that URL too.

marrobi commented 2 weeks ago

I believe I've used tre_url to configure the end to end tests to point to my local running API. Maybe it should be under developer settings. Not sure it's related to custom domain configuration.

jonnyry commented 2 weeks ago

> Hi @jonnyry I've got this to add to the docs, but I'll add it here too
>
> Using a custom DNS and custom cert
>
> A certificate named 'letsencrypt' has been generated in the primary TRE KeyVault. This must be substituted with a certificate for your DNS name. Terraform has been configured to ignore modifications to this resource, eliminating the possibility of any overwrites or conflicts when rerunning the pipelines. Additionally, a user with domain access will be required to redirect a custom domain name to the public IP of the App Gateway. The TRE UX App Registration within the Authentication section will require an update to include the new custom DNS and its corresponding 'oauth2-redirect'.

Got it working with the instructions above thanks :-)

Managed to piggyback the existing letsencrypt.sh script to request & install the custom domain cert:

```shell
TRE_ID=mytre \
FQDN=mycustomdomain.org \
STORAGE_ACCOUNT=stweb$TRE_ID \
RESOURCE_GROUP_NAME=rg-$TRE_ID \
APPLICATION_GATEWAY=agw-$TRE_ID \
KEYVAULT=kv-$TRE_ID \
core/terraform/scripts/letsencrypt.sh
```

jonnyry commented 2 weeks ago

@tim-allen-ck @marrobi

In terms of supporting a custom domain within the codebase (and not requiring a post deployment manual fix up)... how about the following?

  1. Add a new parameter CUSTOM_DOMAIN in config.yaml (by default commented out).

  2. Feed the new parameter into the make auth target which adds SSO redirect URLs for the custom domain in addition to the default Azure one here:

https://github.com/microsoft/AzureTRE/blob/1ffb09baf37f4599adfd65b4259fdda7564da408/devops/scripts/aad/create_api_application.sh#L241-L246

  3. Feed the new parameter into the make letsencrypt target which, when populated, generates and uploads a certificate for the custom domain instead of the cloudapp.azure.com domain. If not populated, it behaves as it does now, generating a certificate for the default Azure domain.

  4. Modify the Let's Encrypt GitHub Action to look for a CUSTOM_DOMAIN GH secret and pass it in to the make letsencrypt flow. Again, if CUSTOM_DOMAIN is present a cert is generated for it; if not, it reverts to generating a cert for the default domain.
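To make the proposal above concrete, here is an added example (not AzureTRE project code, and not anything posted by the participants) of the branching the `make auth` and `make letsencrypt` targets would need: an optional `CUSTOM_DOMAIN` selects the FQDN used for the certificate request and the OAuth2 redirect URIs, and the default `<TRE_ID>.<LOCATION>.cloudapp.azure.com` name is kept when it is unset. The helper names (`tre_fqdn`, `tre_redirect_uris`, `is_valid_hostname`) and the `/api/docs/oauth2-redirect` path are assumptions for illustration; the default redirect URI is always emitted alongside the custom one so sign-in keeps working while DNS is cut over.

```shell
#!/bin/sh
# Added example, not AzureTRE project code. Hypothetical helpers showing how an
# optional CUSTOM_DOMAIN could drive both the certificate FQDN and the SSO
# redirect URIs, falling back to the default cloudapp.azure.com hostname.

# Return 0 if the argument is a syntactically valid DNS hostname (RFC 1123
# labels, at least one dot). A bad CUSTOM_DOMAIN should fail here rather than
# turn into a failed certificate order or a dangling redirect URI.
is_valid_hostname() {
  printf '%s\n' "$1" | grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$'
}

# tre_fqdn TRE_ID LOCATION [CUSTOM_DOMAIN]
# Print the hostname the TRE is served on: CUSTOM_DOMAIN when set and valid,
# otherwise the default <TRE_ID>.<LOCATION>.cloudapp.azure.com name.
tre_fqdn() {
  tre_id="$1"
  location="$2"
  custom="${3:-}"
  if [ -n "$custom" ]; then
    if ! is_valid_hostname "$custom"; then
      echo "CUSTOM_DOMAIN '$custom' is not a valid hostname" >&2
      return 1
    fi
    printf '%s\n' "$custom"
  else
    printf '%s.%s.cloudapp.azure.com\n' "$tre_id" "$location"
  fi
}

# tre_redirect_uris TRE_ID LOCATION [CUSTOM_DOMAIN]
# Print one OAuth2 redirect URI per line. The default Azure hostname is always
# included; the custom domain is added when configured. The path is an assumed
# placeholder, not taken from the project's scripts.
tre_redirect_uris() {
  default_fqdn="$(tre_fqdn "$1" "$2")"
  printf 'https://%s/api/docs/oauth2-redirect\n' "$default_fqdn"
  if [ -n "${3:-}" ]; then
    custom_fqdn="$(tre_fqdn "$1" "$2" "$3")" || return 1
    printf 'https://%s/api/docs/oauth2-redirect\n' "$custom_fqdn"
  fi
}

# Usage with constructed values:
#   tre_fqdn mytre westeurope                      # prints mytre.westeurope.cloudapp.azure.com
#   tre_fqdn mytre westeurope mycustomdomain.org   # prints mycustomdomain.org
#   tre_redirect_uris mytre westeurope mycustomdomain.org   # prints two URIs
```

In the `make letsencrypt` flow the value of `tre_fqdn` would be what gets passed as `FQDN` to `letsencrypt.sh`, and in `make auth` the output of `tre_redirect_uris` is the list to register on the UX and API app registrations; the hostname check is the part worth keeping whatever the final shape of the feature, since the domain comes from a config file or a GitHub secret rather than from code.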