Specify third-party certificate for additional subdomains. #35

Open
axisofentropy opened this issue Sep 14, 2022 · 1 comment
Comments

@axisofentropy
Member

Child of https://github.com/UffizziCloud/uffizzi_platform/issues/239#issuecomment-1244492724

On our production platform, we're using a purchased wildcard TLS certificate for *.app.uffizzi.com. For customers requiring additional subdomains, we must instead configure cert-manager to provision a new certificate for all subdomains.

UX described in related ticket UffizziCloud/uffizzi#257

When a customer specifies any number of additional subdomains, our controller should make the following changes to the deployment's Ingress resource:

  • Add annotation cert-manager.io/cluster-issuer: letsencrypt.
  • Add additional rules for each subdomain (wildcard would probably work here as well.)
  • Add to list of tls.hosts.
  • Add tls.secretName (can be same as "root" hostname.)

Example result Ingress in YAML:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
  labels:
    app: controller
    app.kubernetes.io/managed-by: uffizzi
  name: ingress-1663013659
  namespace: deployment-5713
spec:
  rules:
  - host: deployment-5713-my-application.app.uffizzi.com
    http:
      paths:
      - backend:
          service:
            name: service-1663013657
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: foo.deployment-5713-my-application.app.uffizzi.com
    http:
      paths:
      - backend:
          service:
            name: service-1663013657
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: bar.deployment-5713-my-application.app.uffizzi.com
    http:
      paths:
      - backend:
          service:
            name: service-1663013657
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - deployment-5713-my-application.app.uffizzi.com
    - foo.deployment-5713-my-application.app.uffizzi.com
    - bar.deployment-5713-my-application.app.uffizzi.com
    secretName: deployment-5713-my-application.app.uffizzi.com

Note that this change is almost, but not quite, the opposite of changes made earlier this year to enable using the single wildcard certificate. Do not revert these changes, and do NOT use the CERT_MANAGER_CLUSTER_ISSUER environment variable as-is. https://gitlab.com/dualbootpartners/idyl/uffizzi_controller/-/merge_requests/178/diffs
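As an added example (not code from this issue or from the Uffizzi controller), the four Ingress changes listed above written in Go, the controller's language, plus the check a reviewer would want: that every rule host is also listed under tls.hosts. The Ingress types are a hand-written mirror of the networking.k8s.io/v1 fields the ticket touches so the program runs without the Kubernetes client libraries; the function names BuildIngress and MissingTLSHosts, the single-backend starting point, and the dedup/empty-label handling are assumptions, and the sample names are reused from the YAML in the ticket.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written mirror of the networking.k8s.io/v1 Ingress fields used here.
// JSON tags follow the upstream schema, so the output is a manifest kubectl
// can apply and `kubectl get ingress -o json` output unmarshals into it.
type Ingress struct {
	APIVersion string   `json:"apiVersion"`
	Kind       string   `json:"kind"`
	Metadata   Metadata `json:"metadata"`
	Spec       Spec     `json:"spec"`
}
type Metadata struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Annotations map[string]string `json:"annotations,omitempty"`
}
type Spec struct {
	Rules []Rule `json:"rules"`
	TLS   []TLS  `json:"tls,omitempty"`
}
type Rule struct {
	Host string   `json:"host"`
	HTTP HTTPRule `json:"http"`
}
type HTTPRule struct{ Paths []Path `json:"paths"` }
type Path struct {
	Path     string  `json:"path"`
	PathType string  `json:"pathType"`
	Backend  Backend `json:"backend"`
}
type Backend struct{ Service Service `json:"service"` }
type Service struct {
	Name string `json:"name"`
	Port Port   `json:"port"`
}
type Port struct{ Number int32 `json:"number"` }
type TLS struct {
	Hosts      []string `json:"hosts"`
	SecretName string   `json:"secretName"`
}

// BuildIngress (assumed helper) produces the Ingress the ticket describes:
// one rule per host (root first, then each subdomain) pointing at the same
// backend, the cert-manager cluster-issuer annotation, every host under
// tls.hosts, and the TLS secret named after the root host.
func BuildIngress(name, ns, rootHost, svc string, port int32, issuer string, subdomains []string) *Ingress {
	path := Path{Path: "/", PathType: "Prefix",
		Backend: Backend{Service: Service{Name: svc, Port: Port{Number: port}}}}
	hosts := []string{rootHost}
	seen := map[string]bool{rootHost: true}
	for _, sub := range subdomains {
		host := sub + "." + rootHost
		if sub == "" || seen[host] {
			continue // skip empty labels and repeated subdomains
		}
		seen[host] = true
		hosts = append(hosts, host)
	}
	var rules []Rule
	for _, h := range hosts {
		rules = append(rules, Rule{Host: h, HTTP: HTTPRule{Paths: []Path{path}}})
	}
	return &Ingress{
		APIVersion: "networking.k8s.io/v1", Kind: "Ingress",
		Metadata: Metadata{Name: name, Namespace: ns, Annotations: map[string]string{
			"kubernetes.io/ingress.class":    "nginx",
			"cert-manager.io/cluster-issuer": issuer,
		}},
		Spec: Spec{Rules: rules, TLS: []TLS{{Hosts: hosts, SecretName: rootHost}}},
	}
}

// MissingTLSHosts lists rule hosts absent from every tls.hosts entry; the
// certificate cert-manager issues covers only the names listed there.
func MissingTLSHosts(ing *Ingress) []string {
	covered := map[string]bool{}
	for _, t := range ing.Spec.TLS {
		for _, h := range t.Hosts {
			covered[h] = true
		}
	}
	var missing []string
	for _, r := range ing.Spec.Rules {
		if !covered[r.Host] {
			missing = append(missing, r.Host)
		}
	}
	return missing
}

func main() {
	ing := BuildIngress("ingress-1663013659", "deployment-5713",
		"deployment-5713-my-application.app.uffizzi.com", "service-1663013657", 80,
		"letsencrypt", []string{"foo", "bar"})
	out, _ := json.MarshalIndent(ing, "", "  ")
	fmt.Printf("%s\nrule hosts missing from tls.hosts: %v\n", out, MissingTLSHosts(ing))
}
```

MissingTLSHosts is the check to run over Ingress objects already in the cluster rather than over freshly built ones: cert-manager's ingress-shim requests a certificate for the names in tls.hosts only, so a rule host left out of that list is served by ingress-nginx with its default certificate instead of the issued one. If the additional subdomains were expressed as a wildcard rather than explicit names, the cluster issuer would need a DNS-01 solver, since Let's Encrypt issues wildcard certificates only through the DNS-01 challenge.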

@axisofentropy
Member Author

If this was implemented, and it looks like it was, then this ticket should be closed.
