ibmjstart / bluemix-letsencrypt

Let's Encrypt wrapper for Cloud Foundry apps on IBM Bluemix
MIT License

Support for multiple spaces #16

Open koesper opened 6 years ago

koesper commented 6 years ago

Am I correct in assuming that you need to run this once for each bluemix/cloudfoundry space?

If so, it would be nice if we could add support for multiple spaces within the domain.json, and perhaps run bx target --cf before processing the domains within that space?

lmsurpre commented 6 years ago

> Am I correct in assuming that you need to run this once for each bluemix/cloudfoundry space?

Yes, Cloud Foundry routes are owned by a particular space and this script pushes an app to a specific space in order to serve traffic to a specific path within each hostname in the config.

> If so, it would be nice if we could add support for multiple spaces within the domain.json, and perhaps run bx target --cf before processing the domains within that space?

Sure, we'd consider a pull request to this effect.

koesper commented 6 years ago

My Python-foo is weak, so I was actually already thinking about doing this with a stupid bash script in front of bluemix-letsencrypt, but I might give it a whirl to do it the proper way.

To further my understanding about how bluemix-letsencrypt works: if we generate the certificate for each space separately, the certificate will only know about the routes within that space, and thus not contain the routes for other spaces. E.g., this will never work:

because when you generate the certificate the second time, for space2, it will not contain the route for space1

Am I correct in assuming this? If so, using a different (sub)domain for each space would be a workaround?

lmsurpre commented 6 years ago

The tricky part to model is that domains and spaces are actually peers and routes/hostnames kind of belong to each. I think it's easiest just to pick one top-level thing (either domain or space) and duplicate the other thing as needed in the config. I'd lean toward keeping the current functionality as-is (scoped to a space) and then just introduce a simple way to invoke the script with multiple config files (one per space). And I think doing that as a top-level bash script would be fine. You could get fancier and try to determine which route lives within which space dynamically, but I'm not sure it buys you much.

I probably should have asked this before, but it would be useful to better understand your use case. I assume you have a number of apps in different spaces that all share the same domain and you're looking for a simple way to configure the SSL certs for them all at once?

Side-note: Let's Encrypt now supports wildcard certs and possibly that would serve this use case better. I'll open a separate issue for it.

koesper commented 6 years ago

Indeed, making this smart enough to work with multiple spaces is kind of hard. Then perhaps we should just make it accept the domain.json file from a command line argument, e.g.: python setup-app.py --config domain2.json

koesper commented 6 years ago

In the meanwhile, I've hacked a simple bash script together, which expects the 'bluemix-letsencrypt' repo in the same directory. It also expects a JSON file per space (space1.json), which it then copies into the bluemix-letsencrypt folder as domain.json. It then runs bluemix-letsencrypt and creates a backup in a folder with the .PEM files.

Unfortunately not a very robust solution, but it kinda works for my purposes
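The per-space wrapper described in this thread, written out as an added example; it is not the script from the thread nor part of bluemix-letsencrypt. It assumes the tool is invoked as `python setup-app.py` inside its checkout and leaves the issued `*.pem` files there, and that each `<space>.json` is named after the Cloud Foundry space it targets (all three assumptions are overridable via the variables at the top).

```shell
#!/usr/bin/env bash
# Added example (not project code): run bluemix-letsencrypt once per space,
# one config file per space, and keep each space's PEM files apart so a
# later run cannot overwrite an earlier space's private key.
set -eu

LE_DIR="${LE_DIR:-./bluemix-letsencrypt}"     # assumed checkout location
LE_CMD="${LE_CMD:-python setup-app.py}"        # assumed invocation of the tool
TARGET_CMD="${TARGET_CMD:-bx target -s}"       # switch CF space before each run
BACKUP_ROOT="${BACKUP_ROOT:-./certs}"          # per-space backup folders

# Copy <space>.json into the checkout as domain.json, the only config file
# name the tool reads.
stage_config() {
  [ -f "$1" ] || { echo "missing config $1" >&2; return 1; }
  cp "$1" "$LE_DIR/domain.json"
}

# Move the PEM files produced for one space out of the checkout into their
# own folder; fail loudly if the run produced nothing.
backup_certs() {
  local space="$1" dest="$BACKUP_ROOT/$1" found=0 pem
  mkdir -p "$dest"
  for pem in "$LE_DIR"/*.pem; do
    [ -e "$pem" ] || continue
    mv "$pem" "$dest/"
    found=1
  done
  [ "$found" -eq 1 ] || { echo "no .pem files produced for $space" >&2; return 1; }
  echo "$dest"
}

# One space: target it, stage its config, run the tool, back up the result.
run_space() {
  local space
  space="$(basename "$1" .json)"   # assumption: file name == space name
  $TARGET_CMD "$space"
  stage_config "$1"
  (cd "$LE_DIR" && $LE_CMD)
  backup_certs "$space"
}

# Every space config in the current directory (space1.json, space2.json, ...).
run_all() {
  local f
  for f in ./space*.json; do
    [ -e "$f" ] || continue
    run_space "$f"
  done
}
```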