-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: add alternative names and wildcard support to lagoon.yml #25
Conversation
Test infra project Obviously due to the certificate limitation on wildcards, you will be presented an insecure warning. The alternative names route does have a valid certificate and you can inspect it to see the certificate subject alternative names in the certificate. I will note though, that for each alternative name, certmanager generated an individual acme challenge. So if users do use this feature, they need to ensure DNS is correct, I don't know how certmanager will behave if one of those challenges fails. |
Problem
Currently Lagoon creates 1 ingress per route defined in the
.lagoon.yml
file. This also means 1 certificate per ingress. Over time, this can result in a large number of ingress and certificates being generated.The aim of this PR is to allow routes to be defined with alternative names, this consolidates the routes into 1 ingress object, and also means that there will be 1 certificate generated for multiple domains using SAN certificates.
This is useful if you have a number of sub domains that you want to allocate to the same ingress object.
There is a limit on how many certificates that can be put into a SAN depending on the certificate generator. There appears to be no limit on the number of hosts that can be added to an ingress in kubernetes, so no limit is enforced in Lagoon.
Wildcard ingress are also supported in this. LetsEncrypt does not support http01 validation for wildcard certificates, because of this Lagoon will not support
tls-acme
generation for routes that are requested to be wildcard. If a user requests a wildcard ingress, they will have to definetls-acme: false
in their.lagoon.yml
too or the build will fail with an error.It is also not possible to generate a wildcard route with alternative names. This will also cause the build to fail.
Configuring Alternative Names
Configuring Wildcard
tls-acme
has to be set to false as lets encrypt does not support wildcard http01 requests