Hello,

I'm struggling to connect the second MAS cluster to the shared SLS installed in the first MAS cluster. The first MAS cluster uses a custom domain, i.e. in LicenseService CR the spec.domain is set to a custom domain instead of the default svc.cluster.local. However, SLS still uses internal certificates:

Server certificate:
*  subject: CN=sls.ibm-sls.svc
*  issuer: C=GB; L=London; street=London; OU=IBM Suite License Service (Internal); CN=sls.sls.ibm.com

This results in the following errors when the second MAS cluster tries to register with the shared SLS:

  - lastTransitionTime: "2024-09-16T18:34:27Z"
    message: 'SLS client registration was unsuccessful: Unable to register SLS client
      for MAS: An unhandled error was returned from SLS: Unable to register SLS client
      custom-d79eb01c: An unhandled error was returned from SLS: HTTPSConnectionPool(host=''sls.ibm-sls.custom.domain'',
      port=443): Max retries exceeded with url: /api/registrations (Caused by SSLError(CertificateError("hostname
      ''sls.ibm-sls.custom.domain'' doesn''t match either of ''sls.ibm-sls.svc'',
      ''sls.ibm-sls.svc.cluster.local'', ''sls.ibm-sls.svc.cluster.local''")))'
    reason: RegistrationFailed
    status: "False"
    type: Registered

The error literally means that the subject field of the internal certificate does not match our custom domain. I assume the solution is to issue SLS certificates differently, perhaps by providing a custom CA certificate. The ansible scripts support SLS_TLS_CERT environmental variable: sls - MAS Devops Collection Has anyone done it already? I'm wondering if I'm looking in the right direction or there is a simpler way.

Hi Ivan,

i've done a shared SLS with a custom domain and separate IngressController (or MetalLB in other cases) to handle this custom domain. The "trick" is to deploy SLS with custom domain set by installer (sls_domain variable) and not try to update it via spec.domain field in LicenseService CR. Once those certs are generated SLS is not doing the best job in creating new ones after changing this field.

Regards,

Hello,

I'm struggling to connect the second MAS cluster to the shared SLS installed in the first MAS cluster. The first MAS cluster uses a custom domain, i.e. in LicenseService CR the spec.domain is set to a custom domain instead of the default svc.cluster.local. However, SLS still uses internal certificates:

Server certificate:
*  subject: CN=sls.ibm-sls.svc
*  issuer: C=GB; L=London; street=London; OU=IBM Suite License Service (Internal); CN=sls.sls.ibm.com

This results in the following errors when the second MAS cluster tries to register with the shared SLS:

  - lastTransitionTime: "2024-09-16T18:34:27Z"
    message: 'SLS client registration was unsuccessful: Unable to register SLS client
      for MAS: An unhandled error was returned from SLS: Unable to register SLS client
      custom-d79eb01c: An unhandled error was returned from SLS: HTTPSConnectionPool(host=''sls.ibm-sls.custom.domain'',
      port=443): Max retries exceeded with url: /api/registrations (Caused by SSLError(CertificateError("hostname
      ''sls.ibm-sls.custom.domain'' doesn''t match either of ''sls.ibm-sls.svc'',
      ''sls.ibm-sls.svc.cluster.local'', ''sls.ibm-sls.svc.cluster.local''")))'
    reason: RegistrationFailed
    status: "False"
    type: Registered

The error literally means that the subject field of the internal certificate does not match our custom domain. I assume the solution is to issue SLS certificates differently, perhaps by providing a custom CA certificate. The ansible scripts support SLS_TLS_CERT environmental variable: sls - MAS Devops Collection Has anyone done it already? I'm wondering if I'm looking in the right direction or there is a simpler way.