DataONEorg / k8s-cluster

Documentation on the DataONE Kubernetes cluster
Apache License 2.0

Updates to k8s Let's Encrypt certs with domain wildcards #14

Closed gothub closed 2 years ago

gothub commented 2 years ago

The current k8s LE certs are created for these domains:

It has been proposed that these certs are updated to include these, and possibly other domain wildcards:

@nickatnceas indicates that updating these certs with wildcards will require using the certbot AWS Route53 plugin. In order to use this plugin it is necessary to create a local AWS access key, from an AWS Identity and Access Management (IAM) user. Also, our creating wildcards may interrupt his workflow, and he may need to set up a new IAM user.

I haven't set up an IAM user, so not sure of the details of the conflict here.

@mbjones instead of creating the k8s certs with wildcards, is it sufficient to just create the certs as:

What is the use case for wildcards for k8s?

nickatnceas commented 2 years ago

Getting a wildcard cert from certbot requires the use of the AWS R53 API plugin, which requires read/write access to the full domain in AWS (in this case dataone.org and gnis-ld.org). We have this plugin running on a couple other hosts where it's the only option, but I try not to use it if it doesn't provide any benefit, just for security reasons.

Our docs for setting up the AWS R53 plugin: https://github.nceas.ucsb.edu/NCEAS/Computing/blob/master/ssl_certificates.md#generate-certificates-using-aws-route53-for-verification

And the official docs (see the Caution warning): https://certbot-dns-route53.readthedocs.io/en/stable/

mbjones commented 2 years ago

Yeah, we don't have to use wildcards. I was just curious if it would make adding new services under new hostnames easier -- sounds like it will be harder, and that we should stick with updating the LE certs each time we need a new hostname added for a new service. Many of the DataONE services will be under api.dataone.org, so hopefully it will be relatively rare.

gothub commented 2 years ago

cert-manager is installed and running on dev k8s, and soon on prod k8s. cert-manager handles creation of multi-domain LE certificates (Subject Alternative Name) automatically, based on the domain names that are entered for an application in the application Ingress manifest.

The process for specifying the domains needed in an Ingress is described here.
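An Ingress manifest of the kind the last comment describes, added here as an illustration and not taken from the DataONE cluster repository; the ClusterIssuer name, namespace, Service name and hostnames are assumed placeholders:

```yaml
# Added example: an Ingress that asks cert-manager for one multi-domain
# (SAN) Let's Encrypt certificate covering every host it lists.
# All names below are placeholders, not DataONE's real manifests.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app            # placeholder
  namespace: example           # placeholder
  annotations:
    # Assumed ClusterIssuer name. An HTTP-01 solver validates each explicit
    # hostname over port 80, so no Route53 (DNS-01) IAM credentials are
    # needed; it also cannot issue wildcards, matching the thread's decision.
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx      # assumed ingress class
  tls:
    - hosts:
        # Every name listed here becomes a Subject Alternative Name in
        # the issued certificate; add a line here for each new hostname.
        - example-app.dataone.org       # placeholder hostname
        - example-app.test.dataone.org  # placeholder hostname
      # cert-manager stores the certificate and private key in this Secret
      secretName: example-app-tls
  rules:
    - host: example-app.dataone.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app   # placeholder Service
                port:
                  number: 80
    - host: example-app.test.dataone.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app
                port:
                  number: 80
```

After applying it, `kubectl get certificate -n example` shows the Certificate resource cert-manager creates from the Ingress and whether the ACME order has completed (READY true); `kubectl describe` on it lists the hosts actually covered.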