Use AWS Load Balancers instead of LetsEncrypt for SCIM Bridge

Can you let me know the directionality of traffic with regard to LetsEncrypt? We would prefer to use certificates generated on AWS Load Balancers, rather than LetsEncrypt. It makes a difference in our topology if the deployment is listening or pushing traffic.


Comments

  • Hi @joshuaevans98! Thank you for reaching out.

    You can definitely use an AWS load balancer with a TLS certificate. We provide the Let's Encrypt functionality as an option for folks that do not want to obtain their own certificate or configure their own TLS termination. If you configure the AWS load balancer to perform TLS termination, then you can safely disable the Let's Encrypt functionality on the SCIM bridge.

    The two environment variables you would want to update are:

    • OP_LETSENCRYPT_DOMAIN="" - Setting this value to an empty string disables the Let's Encrypt functionality on the SCIM bridge.
    • OP_PORT=<port number> - This overrides the default listening port of the SCIM bridge. It defaults to 3002 when Let's Encrypt is disabled. Set this to the port number you would like the load balancer to use to connect to the SCIM bridge.

    Note that the above configuration assumes that you already have the SCIM bridge credentials installed, and the value of OP_SESSION is set to the path to the credential file, or the base64-encoded contents of the file. Without OP_SESSION set, the SCIM bridge will start up in setup mode.

    Let us know if you need more information.
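
An added example, not part of the thread and not 1Password's code: a preflight check for the three variables named in the reply above, to run wherever the SCIM bridge's environment is visible. The function name and the `--check` flag are hypothetical; treating an unset OP_LETSENCRYPT_DOMAIN as a failure and the character-set test for a base64 OP_SESSION are assumptions of this example.

```shell
#!/bin/sh
# Added example (not 1Password code): preflight for running the SCIM bridge
# behind a TLS-terminating load balancer. Never prints the OP_SESSION value.
scim_tls_offload_preflight() {
    rc=0

    # The reply documents the empty string as the way to disable Let's Encrypt.
    # Assumption: an unset variable is flagged too, since only "" is documented.
    if [ -z "${OP_LETSENCRYPT_DOMAIN+x}" ]; then
        echo "FAIL OP_LETSENCRYPT_DOMAIN is unset; set it explicitly to \"\""
        rc=1
    elif [ -n "$OP_LETSENCRYPT_DOMAIN" ]; then
        echo "FAIL OP_LETSENCRYPT_DOMAIN is non-empty; Let's Encrypt is still enabled"
        rc=1
    fi

    # 3002 is the default listening port when Let's Encrypt is disabled.
    port=${OP_PORT:-3002}
    case $port in
        *[!0-9]*) echo "FAIL OP_PORT is not a number: $port"; rc=1 ;;
        *)  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "FAIL OP_PORT is out of range: $port"; rc=1
            else
                echo "INFO load balancer target port: $port"
            fi ;;
    esac

    # OP_SESSION is a path to the credential file or its base64 contents;
    # without it the bridge starts in setup mode.
    if [ -z "${OP_SESSION:-}" ]; then
        echo "FAIL OP_SESSION is not set; the bridge will start in setup mode"
        rc=1
    elif [ ! -f "$OP_SESSION" ]; then
        # Heuristic: not a file, so it must at least look like base64.
        case $OP_SESSION in
            *[!A-Za-z0-9+/=]*)
                echo "FAIL OP_SESSION is neither an existing file nor base64"
                rc=1 ;;
        esac
    fi

    return "$rc"
}

# Run the check only when asked, e.g. `sh preflight.sh --check`.
[ "${1:-}" != "--check" ] || scim_tls_offload_preflight
```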

  • timfall
    Community Member

    Hi!
    I came across this while trying to deploy the SCIM bridge into our k8s cluster on AWS. I've set the env variables as you said above, and double-checked they were all present in the pod; however, the config dialog asking to verify with LetsEncrypt still comes up. We're trying to use our own certificates attached to an ingress, and in order to do so we need to disable the built-in TLS functionality. Was the ability to disable LetsEncrypt removed?

    Any help would be appreciated.

  • Hi @timfall. Thanks for reaching out.

    The ability to disable LetsEncrypt has not been removed. The same environment variables mentioned above should let you bypass the certificate generation process.

    Can I ask you to reach out to us via the support email with some log output from the SCIM bridge so we can look into this further for you?

    Kind regards, Hass

  • timfall
    Community Member

    Certainly, I'll follow up.

This discussion has been closed.