Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(IAC-581) V4_CFG_TLS_TRUSTED_CA_CERTS is required for TLS enabled Viya on AWS clusters #251

Merged
merged 6 commits into from
Aug 2, 2022
Merged

(IAC-581) V4_CFG_TLS_TRUSTED_CA_CERTS is required for TLS enabled Viya on AWS clusters #251

merged 6 commits into from
Aug 2, 2022

Conversation

dhoucgitter
Copy link
Member

Issue Description: When deploying Viya4 to IAC created AWS clusters (in particular those using the sassoftware/viya4-iac-aws software to create the cluster), and when either full-stack or front-door TLS is configured for the deployment, it is mandatory that a value be set for the configuration variable V4_CFG_TLS_TRUSTED_CA_CERTS.

@dhoucgitter dhoucgitter added the documentation Improvements or additions to documentation label Jul 5, 2022
thpang
thpang requested changes Jul 6, 2022
View reviewed changes
Copy link
Member

@thpang thpang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this only needed for AWS? I see no description or reasoning behind the need for the certs. No conversation here or detailed outline of the reason. Please provide.

@dhoucgitter
Copy link
Member Author

When I was working on development tests for verifying the logging and monitoring behavior for the OpenSearch update last sprint, I was unable to get the AWS TLS enabled Viya deployment to stabilize. You and I had a chat about the certificate oriented log messages that I noticed in the pods having trouble which led to our discussion that for AWS deployed clusters that have TLS enabled, it was necessary to provide a certificate bundle that contains both the intermediate and root certificates for all AWS Regions obtained from AWS here by pointing to them using the V4_CFG_TLS_TRUSTED_CA_CERTS configuration variable. Once I did that, the pods that were failing started as expected.

@AWSmith0216
Copy link
Contributor

Were you using an external DB provisioned in AWS?

@dhoucgitter
Copy link
Member Author

Were you using an external DB provisioned in AWS?

Yes, I was allowing IAC to provision an external postgres DB, both in AWS and in Azure.

@thpang
Copy link
Member

thpang commented Jul 6, 2022

For AWS the certs are needed for the external postgres server; however, I don't believe they are needed if you use the internal database. So that's the focus of my question why are they needed? We document the scenario where the external postgres server needs a cert.

@dhoucgitter
(IAC-581) Address PR review comment and fix V4_CFG_TLS->V4_CFG_TLS_MODE
b5608fc 
Summary:
- add self-signed cert and external postgres database as indications for
  when V4_CFG_TLS_TRUSTED_CA_CERTS value is required.
@dhoucgitter dhoucgitter requested a review from thpang July 6, 2022 15:59
@dhoucgitter dhoucgitter self-assigned this Jul 6, 2022
thpang
thpang requested changes Jul 6, 2022
View reviewed changes
Copy link
Member

@thpang thpang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need clarity.

docs/CONFIG-VARS.md Outdated Show resolved Hide resolved
@thpang
Copy link
Member

thpang commented Jul 7, 2022

I looked at this yesterday. The table and text just seem to be there, no description. I would just rather have text in the note that says when using an external database on AWS/Open Source please refer to this doc. And then have a doc that outlines what to do in terms of using AWS and Open Source showing how where to get the files and copy those into the correct location. I believe somewhere we have this in the docs, but don't know where.

@dhoucgitter dhoucgitter requested a review from thpang August 2, 2022 16:50
thpang
thpang previously approved these changes Aug 2, 2022
View reviewed changes
Copy link
Member

@thpang thpang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jarpat
jarpat reviewed Aug 2, 2022
View reviewed changes
docs/user/TrustedCACerts.md Outdated Show resolved Hide resolved
@dhoucgitter @jarpat
Update docs/user/TrustedCACerts.md
5375af5 
Co-authored-by: Jay Patel <78554593+jarpat@users.noreply.github.com>
jarpat
jarpat reviewed Aug 2, 2022
View reviewed changes
docs/CONFIG-VARS.md Outdated Show resolved Hide resolved
@dhoucgitter @jarpat
Update docs/CONFIG-VARS.md
d2f113f 
remove duplicated lines left over after table removal

Co-authored-by: Jay Patel <78554593+jarpat@users.noreply.github.com>
thpang
thpang approved these changes Aug 2, 2022
View reviewed changes
Copy link
Member

@thpang thpang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dhoucgitter dhoucgitter merged commit 1b743a9 into main Aug 2, 2022
@dhoucgitter dhoucgitter deleted the f-iac-581 branch August 2, 2022 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thpang thpang thpang approved these changes

@jarpat jarpat jarpat approved these changes

@riragh riragh Awaiting requested review from riragh

Assignees

@dhoucgitter dhoucgitter

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@dhoucgitter @AWSmith0216 @thpang @jarpat