Certificates for dynamic development, CI, staging environments

misha-tectonic · October 15, 2019, 11:50am

I work in a project where environments are very dynamic: every CI build creates a new testing environment from scratch (and every build uses unique DNS name) and every developer creates and destroys environments daily.

Dynamic environments all share few top-level domains, however they use unique subdomains each. Every environment needs to secure a number of endpoints.

What are the best practices for issuing LE certificates in this situation?

Maybe there is a ready-made package that requests and renews certificates for those top-level domains, and makes it available for other environments to use?

We use Kubernetes, and every environment is a separate Kubernetes cluster.

JuergenAuer · October 15, 2019, 1:33pm

Hi @misha-tectonic

the main question: How many endpoints?

If you have a working configuration, you shouldn't hit the duplicated certificates limit.

But the maximum are 50 certificates per domain per week.

Is it possible to use a wildcard per environment?

See

cpu · October 15, 2019, 2:45pm

Hi @misha-tectonic, welcome to the community forum.

This strikes me as a good fit for a wildcard certificate that covers the top-level domains as well as the one level of wildcard subdomains beneath them.

misha-tectonic · October 16, 2019, 6:01pm

Let's say a dozen.

Yes, it should be. However we're creating hundreds of environments every day, so won't it strain another limit?

misha-tectonic · October 16, 2019, 6:02pm

Yes, I figured it out too. Now the question is whether anyone has already implemented something similar, or do I need to start from scratch and implement pulling a certificate from some central storage (with associated ACL headaches).

system · November 15, 2019, 6:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.