jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

Is it possible to request a block of subdomains but only apply one to an ingress? #211

Open oliverkane opened 7 years ago

oliverkane commented 7 years ago

TL;DR:

Allowing some sort of intelligent pre-fetch of multi-domain certs would reduce burden for similar use cases by 100 fold.

Let's say I have a Continuous Deployment system set up, which is a reflection of a git repository. A common practice I'd follow is to create a new subdomain for each branch. Think Heroku ["Review Apps"](https://devcenter.heroku.com/articles/github-integration-review-apps).

This works out well, until I hit my rate-limit. 20 isn't all that large; even a small dev shop can go through that in a week.

I'd like to be able to have kube-lego fetch certs in pre-formatted blocks of max size (I believe 100), but only a single one should be applied to the specific ingress.

Eg:

Production website: https://example.com
Issue 1: https://issue-1.example.com
Issue 2: https://issue-2.example.com
Issue 3: not created yet

If there was a convention being followed, it would make sense to pre-emptively grab a single cert for issues 1-100, right?

munnerz commented 7 years ago

So one thing that is on our roadmap is to create a Certificate resource type, that represents a certificate request from the ACME server. Specifically, the idea is to use it to support DNS based challenge responses. I believe this would be a solution to your use case, as you could create a certificate request for issue-[1..100].example.com, and have your review environments reference this one domain.

I don't think some kind of intelligence in terms of predicting future domains that may be requested is within scope for kube-lego.

oliverkane commented 7 years ago

That's spot on what I'm looking to do! I'd love to help contribute to that part of the roadmap. If you can point me to relevant places in your source to start studying, I'll try my hand at a fork.

Thanks for the awesome tool!

munnerz commented 7 years ago

So I've started getting some work done over at github.com/munnerz/cert-manager. Once done, the intent is to move the cert-manager project into the kubernetes-incubator! There's been some discussion on how this will work here: https://github.com/PalmStoneGames/kube-cert-manager/issues/33

Let me know if you have any Qs or want to get involved!

munnerz commented 7 years ago

To clarify, this functionality wouldn't give you a unique certificate per ingress - all of the ingresses would simply be able to share the same secret, that is valid for all 100 domain names.

The only way to get 100 unique certificates is to perform 100 API calls to the ACME server.
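The shared-secret pattern munnerz describes, as an added example that is not part of this thread and not kube-lego's own configuration: a single cert-manager `Certificate` (the `cert-manager.io/v1` API as it exists today, not the roadmap item discussed above) listing `issue-1` through `issue-N` as `dnsNames`, and one `Ingress` per review app that references the same `secretName`. The script refuses to emit more than 100 names, which is the per-certificate SAN limit Let's Encrypt enforces, and refuses an Ingress whose hostname would not be in the certificate. The namespace `review`, the `ClusterIssuer` named `letsencrypt-dns`, the ingress class `nginx` and the backend Service names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the kube-lego project. Generates manifests only;
# nothing is applied to a cluster. Assumed: cert-manager is installed, a
# ClusterIssuer "letsencrypt-dns" exists with a DNS-01 solver (needed because
# most issue-N hosts will not be routable when the certificate is ordered),
# and the review apps live in namespace "review".

MAX_SANS=100            # Let's Encrypt's per-certificate limit on names
SHARED_SECRET=review-apps-tls

# gen_certificate BASE_DOMAIN COUNT
# Prints one Certificate covering issue-1..issue-COUNT under BASE_DOMAIN.
# Fails (return 1) when COUNT exceeds the SAN limit instead of emitting a
# manifest the ACME server would reject.
gen_certificate() {
  base="$1"; n="$2"
  if [ "$n" -lt 1 ] || [ "$n" -gt "$MAX_SANS" ]; then
    echo "refusing: $n names is outside 1..$MAX_SANS per certificate" >&2
    return 1
  fi
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: review-apps
  namespace: review
spec:
  secretName: $SHARED_SECRET
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
EOF
  i=1
  while [ "$i" -le "$n" ]; do
    echo "  - issue-$i.$base"
    i=$((i + 1))
  done
}

# gen_ingress ISSUE_NUMBER BASE_DOMAIN
# Prints the Ingress for one review app. Every Ingress points at the same
# Secret, so no new ACME order happens when a branch appears. Fails when the
# issue number lies outside the block the certificate covers, because the
# served certificate would then lack that hostname.
gen_ingress() {
  issue="$1"; base="$2"
  if [ "$issue" -lt 1 ] || [ "$issue" -gt "$MAX_SANS" ]; then
    echo "refusing: issue-$issue.$base is not covered by the shared certificate" >&2
    return 1
  fi
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: issue-$issue
  namespace: review
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - issue-$issue.$base
    secretName: $SHARED_SECRET
  rules:
  - host: issue-$issue.$base
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: issue-$issue
            port:
              number: 80
EOF
}

# Usage: emit the block certificate and the Ingress for issue 1.
gen_certificate example.com 100
echo '---'
gen_ingress 1 example.com
```

Two caveats a practitioner should weigh before adopting this. First, every hostname in the block is visible to anyone who inspects the certificate or the Certificate Transparency logs, so the naming convention for unreleased work is public the moment the cert is issued. Second, the block is still a single object: when it is reissued or revoked, all 100 review apps are affected at once, and the secret is readable by anything in the namespace that can read Secrets, which is why the Ingresses here share one namespace rather than copying the secret around.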