Hello 1Password Support -
I'm taking over management of our 1Password SCIM bridge from a previous employee who left our organization. I'm kinda new to Kubernetes, but I'm fairly comfortable with Docker and Docker Compose, so this has been an interesting learning experience!
Using these instructions, the previous employee deployed the SCIM bridge using Kubernetes in Azure. So far, everything has worked great, except the Let's Encrypt certificate just doesn't seem to be renewing itself.
A couple of months ago, we updated the SCIM bridge from 2.2.1 to 2.3.0 - we had noticed the certificate expired, and since the SCIM bridge was out of date, it seemed like a good time to take care of both issues. It looked like the lack of certificate renewal might have been a bug that was resolved with the SCIM bridge. However, we found the certificate still didn't auto-renew (and was due to expire this week), so we updated to 2.3.1 this afternoon. This generated a new certificate, which gives us some time to determine what's not working properly.
I noticed in the installation instructions, this note is included:
If you use Azure Firewall, open ports 80 and 443 for your Azure Kubernetes cluster. The Let’s Encrypt service uses port 80 to renew the SSL certificate every 60 days. All other SCIM bridge traffic uses port 443.
We don't use Azure Firewall, but I noticed that the yaml files for the SCIM bridge container only open port 443, so I was wondering if that could be related. The file 'op-scim-service.yaml' includes a commented section for opening port 80 to the container, but I wanted to ask if that would be the right approach or not - we're not using a reverse proxy, so I don't want to open our SCIM bridge to anything that could be dangerous. Plus, I don't know if that'd actually solve the Let's Encrypt issue.
Please let me know if I forgot any details that'd be useful in troubleshooting this. Thanks for the help!
EDIT: I forgot - I wanted to post this, which shows port 80 is not currently open:
% kubectl get services
NAME             TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kubernetes       ClusterIP      <redacted>   <none>        443/TCP         343d
op-scim-bridge   LoadBalancer   <redacted>   <redacted>    443:31887/TCP   343d
op-scim-redis    ClusterIP      <redacted>   <none>        6379/TCP        343d