Specify third-party certificate for additional subdomains. #35

@axisofentropy

Child of https://github.com/UffizziCloud/uffizzi_platform/issues/239#issuecomment-1244492724

On our production platform, we're using a purchased wildcard TLS certificate for *.app.uffizzi.com. For customers requiring additional subdomains, we must instead configure cert-manager to provision a new certificate for all subdomains.

UX described in related ticket UffizziCloud/uffizzi#257

When a customer specifies any number of additional subdomains, our controller should add to the deployment's Ingress resource, including:

  • Add annotation cert-manager.io/cluster-issuer: letsencrypt.
  • Add additional rules for each subdomain (wildcard would probably work here as well.)
  • Add to list of tls.hosts.
  • Add tls.secretName (can be same as "root" hostname.)

Example result Ingress in YAML:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
  labels:
    app: controller
    app.kubernetes.io/managed-by: uffizzi
  name: ingress-1663013659
  namespace: deployment-5713
spec:
  rules:
  - host: deployment-5713-my-application.app.uffizzi.com
    http:
      paths:
      - backend:
          service:
            name: service-1663013657
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: foo.deployment-5713-my-application.app.uffizzi.com
    http:
      paths:
      - backend:
          service:
            name: service-1663013657
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: bar.deployment-5713-my-application.app.uffizzi.com
    http:
      paths:
      - backend:
          service:
            name: service-1663013657
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - deployment-5713-my-application.app.uffizzi.com
    - foo.deployment-5713-my-application.app.uffizzi.com
    - bar.deployment-5713-my-application.app.uffizzi.com
    secretName: deployment-5713-my-application.app.uffizzi.com

Note that this change is almost, but not quite, the opposite of changes made earlier this year to enable using the single wildcard certificate. Do not revert these changes, and do NOT use the CERT_MANAGER_CLUSTER_ISSUER environment variable as-is. https://gitlab.com/dualbootpartners/idyl/uffizzi_controller/-/merge_requests/178/diffs
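The four bullet points above, carried through as one worked example (added here; this is not the Uffizzi controller's own code, which is written in Go). It builds the Ingress manifest as a plain dict in the JSON form that `kubectl apply -f` accepts, and derives the additional hosts from the deployment's root hostname rather than taking arbitrary hostnames from the customer, so a request can only ever obtain a certificate for names under that deployment's own hostname. The `cert-manager.io/cluster-issuer` annotation is added only when at least one subdomain was actually requested, so the wildcard-certificate path is left untouched otherwise. The function and parameter names (`base_ingress`, `with_additional_subdomains`, `cluster_issuer`) are assumptions for the illustration; the sample values are those from the YAML above.

```python
"""Extend a deployment Ingress with customer-requested subdomains (illustrative example)."""
import copy
import json
import re

# RFC 1123 hostname label: 1-63 lowercase alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _rule(host, service, port):
    """One Ingress rule routing all paths on `host` to `service:port`."""
    return {
        "host": host,
        "http": {"paths": [{
            "path": "/",
            "pathType": "Prefix",
            "backend": {"service": {"name": service, "port": {"number": port}}},
        }]},
    }


def base_ingress(name, namespace, host, service, port=80):
    """Ingress as created for the wildcard-certificate case: one rule, no cert-manager annotation."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"kubernetes.io/ingress.class": "nginx"},
            "labels": {"app": "controller", "app.kubernetes.io/managed-by": "uffizzi"},
        },
        "spec": {"rules": [_rule(host, service, port)]},
    }


def with_additional_subdomains(ingress, subdomains, cluster_issuer="letsencrypt"):
    """Return a copy of `ingress` carrying the requested subdomains.

    `subdomains` are label prefixes ("foo", "api.v2") relative to the root host of
    the first rule; arbitrary hostnames are not accepted (assumption of this example).
    `cluster_issuer` is passed in explicitly rather than read from the environment.
    """
    ing = copy.deepcopy(ingress)  # never mutate the caller's object
    root_rule = ing["spec"]["rules"][0]
    root_host = root_rule["host"]
    svc = root_rule["http"]["paths"][0]["backend"]["service"]
    service, port = svc["name"], svc["port"]["number"]

    # Normalise, validate and deduplicate while preserving request order.
    prefixes = []
    for raw in subdomains:
        prefix = raw.strip().lower().strip(".")
        if not prefix or not all(_LABEL.match(label) for label in prefix.split(".")):
            raise ValueError(f"invalid subdomain prefix: {raw!r}")
        if len(prefix) + 1 + len(root_host) > 253:
            raise ValueError(f"resulting hostname too long: {raw!r}")
        if prefix not in prefixes:
            prefixes.append(prefix)

    if not prefixes:
        return ing  # nothing requested: keep the wildcard-certificate Ingress as-is

    hosts = [root_host] + [f"{p}.{root_host}" for p in prefixes]
    # 1. annotation so cert-manager provisions a certificate for this Ingress
    ing["metadata"]["annotations"]["cert-manager.io/cluster-issuer"] = cluster_issuer
    # 2. one rule per host (root host first)
    ing["spec"]["rules"] = [_rule(h, service, port) for h in hosts]
    # 3. + 4. tls.hosts lists every host; secretName reuses the root hostname
    ing["spec"]["tls"] = [{"hosts": hosts, "secretName": root_host}]
    return ing


def to_manifest(ingress):
    """Serialise for `kubectl apply -f -`."""
    return json.dumps(ingress, indent=2)


if __name__ == "__main__":
    root = "deployment-5713-my-application.app.uffizzi.com"
    ing = base_ingress("ingress-1663013659", "deployment-5713", root, "service-1663013657")
    print(to_manifest(with_additional_subdomains(ing, ["foo", "bar"])))
```

Running the block prints the JSON equivalent of the example Ingress above. Rejecting anything that is not a valid label prefix also blocks values such as `foo.evil.example`-style full hostnames, because the prefix is always joined onto the deployment's own root host.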
