search

sassoftware / viya4-deployment

This project contains Ansible code that creates a baseline in an existing Kubernetes environment for use with the SAS Viya Platform, generates the manifest for an order, and then can also deploy that order into the Kubernetes environment specified.
Apache License 2.0
71 stars 64 forks source link

(IAC-581) V4_CFG_TLS_TRUSTED_CA_CERTS is required for TLS enabled Viya on AWS clusters #251

Closed dhoucgitter closed 2 years ago

dhoucgitter commented 2 years ago

Issue Description: When deploying Viya4 to IAC created AWS clusters (in particular those using the sassoftware/viya4-iac-aws software to create the cluster), and when either full-stack or front-door TLS is configured for the deployment, it is mandatory that a value be set for the configuration variable V4_CFG_TLS_TRUSTED_CA_CERTS.

dhoucgitter commented 2 years ago

When I was working on development tests for verifying the logging and monitoring behavior for the OpenSearch update last sprint, I was unable to get the AWS TLS enabled Viya deployment to stabilize. You and I had a chat about the certificate oriented log messages that I noticed in the pods having trouble which led to our discussion that for AWS deployed clusters that have TLS enabled, it was necessary to provide a certificate bundle that contains both the intermediate and root certificates for all AWS Regions obtained from AWS here by pointing to them using the V4_CFG_TLS_TRUSTED_CA_CERTS configuration variable. Once I did that, the pods that were failing started as expected.

AWSmith0216 commented 2 years ago

Were you using an external DB provisioned in AWS?

dhoucgitter commented 2 years ago

Were you using an external DB provisioned in AWS?

Yes, I was allowing IAC to provision an external postgres DB, both in AWS and in Azure.

thpang commented 2 years ago

For AWS the certs are needed for the external postgres server; however, I don't believe they are needed if you use the internal database. So that's the focus of my question why are they needed? We document the scenario where the external postgres server needs a cert.

thpang commented 2 years ago

I looked at this yesterday. The table and text just seem to be there, no description. I would just rather have text in the note that says when using an external database on AWS/Open Source please refer to this doc. And then have a doc that outlines what to do in terms of using AWS and Open Source showing how where to get the files and copy those into the correct location. I believe somewhere we have this in the docs, but don't know where.