Closed hardillb closed 2 months ago
Just to confirm this should be a FQDN per project rather than a domain per team
Would this mean the FQDN would be domain.com
for flowforge then each project would be a a subdomain or project folder?
project.domain.com
would point to localhost:7880
or w/e?
@cgsmith This is specifically talking about running with the docker or kubernetes container drivers not the localfs.
With k8s and docker drivers, the projects run in containers so do not have different port numbers on the host and are all mapped to unique hostnames on a single fixed domain at the moment. This epic is about allow teams to have their own root domain. e.g. team one can have <project name>.one.com
and team two would have <project name>.two.com
You can not host projects (Node-RED instances) on different paths on a single domain (e.g. example.com/<project name>
) due to the way browser local storage works as Node-RED use it as part of the editor authentication. This is a limitation of Node-RED, not the FlowForge platform.
I have customers that would love to use the FF service but, depend on custom domains to serve their clients. Being able to tie a wildcard SSL to an account would be even better. That way new projects could all be under that domain automatically.
First pass I see the following points that would need working on
The first 3 items are relatively simple to implement, the last point will need very careful planning and may vary based on host environment. I can see a possible k8s approach, but docker may be different.
May be able to make use of letsencrypt to issue individual certs for each project.
The use case of setting a domain for a team is separate to the original issue which is to set a custom FQDN for a project.
The Initial story is just per project not team domains and wildcards
All the same problems still apply re TLS, the user is probably going to need to supply a certificate for the given domain. I suspect it will be easier to implement at a team level rather than per-project.
@Pezmc stick a slot in the calendar and we can talk about how this will work. I think most of the work will actually be in the UI/UX apart from working out how to handle the TLS certs.
Notes:
Pez:
Ben:
Note: Host names need to be valid and unique across all projects
Blocking issue for deploying this to FlowForge Cloud https://github.com/flowforge/CloudProject/issues/110
This feature has been put on hold due to the above blocking issue. Progress, before it was put on hold, is as follows:
Work in progress client-side support for setting hostname: https://github.com/flowforge/flowforge/tree/wip-feat-hostname-field
When it is picked up again, the next steps were to:
Putting this back on to the Product board for future prioritisation once https://github.com/flowforge/CloudProject/issues/110 has been planned.
@MarianRaphael interest from a prospect: https://app-eu1.hubspot.com/contacts/26586079/record/0-1/7563151
Interest from an existing customer - https://app-eu1.hubspot.com/contacts/26586079/record/0-2/8209301981
The hardest part of this will be TLS certificates for HTTPS.
There is a PR to add cert-manager support to the k8s container driver which would allow the use of LetsEncrypt to issue certificates. We may be able to leverage this, but will need to work out how it will work/play with the current ingress set up on production.
I wonder if we could add a second ingress entry point to handle custom domains, this might make things easier
@MarianRaphael @hardillb Is this currently still blocked? Or is this only blocked on priority?
There are still technical problems to solve, mainly around issuing certificates for the hostnames using the custom domain. We still need to test running a second ingress instance
I have now got a second ingress-nginx controller installed in a test cluster using
controller:
ingressClass: "custom-nginx"
ingressClassByName: true
ingressClassResource:
enabled: true
name: "custom-nginx"
controllerValue: "flowfuse.com/ingress-nginx-2"
config:
proxy-body-size: "0"
use-gzip: true
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl"
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "120"
externalTrafficPolicy: Local
allowSnippetAnnotations: true
Important note, the helm release name must not match the existing nginx-ingress release (otherwise the webhook and rbac entries clash)
Once you've caught back up with this @hardillb - can you update here with a status of the outstanding items before this can be considered finished please?
Current state:
UI and hostname storage work started in FlowFuse Project
Any draft PR or linked issues for this?
I've updated the description with a task list based on the latest status update.
Status update from Ben:
Wednesday next week is when Ben hope it'll be rounded off
I have this working properly in my local K8s environment.
Following the change to make the authentication redirect to the right place I will need to add a launcher version check to the UI so it's only offered on new launchers/stacks.
HTTPS support appears to be working...
Can I get a status update on this please @hardillb? How are we looking for 2.5 release, or earlier?
There is a large amount of extra things that will need configuring in the production cluster to enable this, it should be part of the 2.5 release, even once this is merged.
I'm currently struggling to get the UI to track when the instance is restarted properly. It just gets stuck in the suspended state.
Once that is fixed then all the code should be finished.
Once coding is done, can we open relevant issues (and link back to here) to document outstanding work required to get this live please?
Can this be closed off now?
@joepavitt it's only because its being used as the overriding epic for the 2 bits of future work.
I can be closed for me.
Can close this once https://github.com/FlowFuse/terraform-aws-flowfuse/issues/8 is resolved, https://github.com/FlowFuse/flowfuse/issues/3982 will stay open as a follow-on task should the demand for it be there
Closing as majority of work is done
Description
As a Team Owner, I want to be able to supply a custom domain to be used with my projects to differentiate them from other projects hosted on the system
Customer requests