Change preview hostname construction, enabling wildcard TLS certificates

Open axisofentropy opened this issue 2 years ago • 3 comments

We want to use "wildcard" TLS certificates to stop relying upon third-party certificate authorities for each new deployment. This should increase reliability and sometimes speed of new deployments. The easiest way to implement this is to use a single wildcard TLS certificate for all deployments. This requires that all deployments be subdomains of a single domain.

For example, a certificate for *.example.com will match foo.example.com but will not match foo.bar.example.com. As Wikipedia says:

[...] the wildcard only covers one level of subdomains (the asterisk doesn't match full stops.)

Maybe we can easily change how our app generates hostnames to only use a single level of subdomain. This could be as easy as replacing "." with "-". Other tickets will describe changes to our controller and infrastructure.

This is a feature we want to become the most common case, so I don't think we need a feature "gate" like an environment variable.

Be mindful of RFC 1035, which specifies "Labels must be 63 characters or less": https://datatracker.ietf.org/doc/html/rfc1035

axisofentropy avatar May 04 '22 19:05 axisofentropy

For QA:

  • The hostname construction is changed so it consists of a single subdomain
  • If the subdomain length is bigger than 63 characters, it gets cut

moklidia avatar May 05 '22 13:05 moklidia
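The two rules discussed above (the issue's "one level of subdomain" requirement for a wildcard certificate, and the QA note that the flattened label is cut at 63 characters) can be checked with a small script. This is an added example written for this page, not code from the uffizzi project; the function names, the use of `example.com` as the base domain, and the input names are assumptions. It also handles a case the QA note does not mention: cutting a label at 63 characters can leave it ending in "-", which RFC 1035 does not allow, so the helper strips that.

```python
import re

# RFC 1035: a DNS label is at most 63 octets. Constant name is ours, not the project's.
MAX_LABEL_LEN = 63


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name such as '*.example.com' covers hostname.

    The asterisk matches exactly one label and never a dot, which is why
    '*.example.com' covers 'foo.example.com' but not 'foo.bar.example.com'.
    """
    host = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern.lower() == host
    suffix = pattern[1:].lower()          # '.example.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the part the '*' has to cover
    return bool(leftmost) and "." not in leftmost


def to_single_label(name: str, max_len: int = MAX_LABEL_LEN) -> str:
    """Flatten a dotted preview name into one DNS label (hypothetical helper).

    Dots become hyphens so the result is a single level below the base
    domain; anything outside [a-z0-9-] is replaced as well. The label is then
    cut at max_len, and any hyphen left at either end by the cut is removed
    because RFC 1035 labels may not begin or end with '-'.
    """
    label = name.lower().replace(".", "-")
    label = re.sub(r"[^a-z0-9-]", "-", label)
    label = label[:max_len].strip("-")
    if not label:
        raise ValueError(f"cannot derive a DNS label from {name!r}")
    return label


def preview_hostname(name: str, base_domain: str = "example.com") -> str:
    """Build the preview hostname as one label directly under base_domain."""
    return f"{to_single_label(name)}.{base_domain}"


if __name__ == "__main__":
    # Constructed sample names, not real deployments.
    for raw in ["foo.bar", "deployment-42.project", "a" * 62 + ".b", "x" * 70]:
        host = preview_hostname(raw)
        print(f"{raw!r:30} -> {host}  covered={wildcard_matches('*.example.com', host)}")
```

The old dotted form is rejected by the wildcard check, the flattened form is accepted, and every generated label is at most 63 characters with no leading or trailing hyphen.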

TESTED - OK

NealArw avatar May 06 '22 12:05 NealArw

TESTED on prod - OK

NealArw avatar May 06 '22 18:05 NealArw