Feature: add alternative names and wildcard support to lagoon.yml #25
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 tasks
shreddedbacon
changed the title
shreddedbacon
changed the title
|
Test infra project Obviously due to the certificate limitation on wildcards, you will be presented an insecure warning. The alternative names route does have a valid certificate and you can inspect it to see the certificate subject alternative names in the certificate. I will note though, that for each alternative name, certmanager generated an individual acme challenge. So if users do use this feature, they need to ensure DNS is correct, I don't know how certmanager will behave if one of those challenges fails. |
bomoko
approved these changes
Jun 19, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Currently Lagoon creates 1 ingress per route defined in the
.lagoon.ymlfile. This also means 1 certificate per ingress. Over time, this can result in a large number of ingress and certificates being generated.The aim of this PR is to allow routes to be defined with alternative names, this consolidates the routes into 1 ingress object, and also means that there will be 1 certificate generated for multiple domains using SAN certificates.
This is useful if you have a number of sub domains that you want to allocate to the same ingress object.
There is a limit on how many certificates that can be put into a SAN depending on the certificate generator. There appears to be no limit on the number of hosts that can be added to an ingress in kubernetes, so no limit is enforced in Lagoon.
Wildcard ingress are also supported in this. LetsEncrypt does not support http01 validation for wildcard certificates, because of this Lagoon will not support
tls-acmegeneration for routes that are requested to be wildcard. If a user requests a wildcard ingress, they will have to definetls-acme: falsein their.lagoon.ymltoo or the build will fail with an error.It is also not possible to generate a wildcard route with alternative names. This will also cause the build to fail.
Configuring Alternative Names
Configuring Wildcard
tls-acmehas to be set to false as lets encrypt does not support wildcard http01 requests