Closed jgmize closed 6 years ago
Blocks #448
Bedrock currently uses a git-push based method for deploying demo branches to dynamic subdomains of moz.works with TLS support.
For example, pushing a git branch named demo/feature would create a demo instance with the following URL: https://bedrock-demo-feature.us-west.moz.works/.
This feature is provided by the Deis Workflow router, which is now officially unsupported. To replace the functionality that Deis Workflow provides, we need a custom Kubernetes Ingress that can route traffic from a dynamic domain name to a Kubernetes deployment with TLS. Our evaluation has been primarily performed in GCP with GKE.
We'd also like to gain experience using Kubernetes Ingress and learn how it can help solve some of our infrastructure problems.
In our evaluation, we looked for the following features:
This section contains notes on products that were evaluated:
From the docs: It is built around the Kubernetes Ingress resource, using a ConfigMap to store the NGINX configuration.
TLS is supported with kube-lego, which states:
kube-lego is in maintenance mode only. There is no plan to support any new features.
The latest Kubernetes release that kube-lego officially supports is 1.8. The officially
endorsed successor is cert-manager.
kube-lego's successor is cert-manager, which states the following in its readme:
This project is not yet ready to be a component in a critical production stack,
however it is at a point where it offers comparable features to other projects
in the space. If you have a non-critical piece of infrastructure, or are feeling
brave, please do try cert-manager and report your experience here in the issue section.
Given that the two above certificate management solutions aren't suitable for production, we moved on to other products.
From the readme:
This is an early release so that we can start sharing with the community.
GKE Ingress + Certsbridge
moz.works. Testing was performed with mozmar.org.
Voyager was the easier product to set up that met all of our requirements. A wildcard certificate per ingress seems to be the easiest way to dynamically host bedrock demo instances.
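The branch-to-hostname mapping and the wildcard-certificate approach described above can be checked together; the following is an added example, not code from this issue or from Bedrock's deployment tooling. The `bedrock` prefix, the `us-west.moz.works` base domain and the "/" to "-" rule are assumptions inferred from the single `demo/feature` example, and the function names are hypothetical.

```python
import re

# Assumptions (not from the original issue): prefix, base domain and the
# "/" -> "-" rule are inferred from the one example
# demo/feature -> bedrock-demo-feature.us-west.moz.works.
APP = "bedrock"
BASE_DOMAIN = "us-west.moz.works"
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def demo_hostname(branch: str) -> str:
    """Map a git branch such as demo/feature to a demo hostname, or raise."""
    if not branch.startswith("demo/"):
        raise ValueError("only demo/* branches get a demo instance")
    # Collapse every run of non-LDH characters (including "/" and ".") into
    # one hyphen so a branch name can never introduce an extra DNS label.
    slug = re.sub(r"[^a-z0-9]+", "-", branch[len("demo/"):].lower()).strip("-")
    if not slug:
        raise ValueError("branch name has no usable characters after demo/")
    label = f"{APP}-demo-{slug}"
    if not LABEL_RE.match(label):
        raise ValueError(f"{label!r} is not a valid DNS label (max 63 chars)")
    return f"{label}.{BASE_DOMAIN}"


def wildcard_covers(cert_name: str, host: str) -> bool:
    """True if a certificate name covers host; '*' matches one label only."""
    cert_labels = cert_name.lower().split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # The wildcard stands for exactly one non-empty left-most label.
        return bool(host_labels[0]) and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels
```

Because a wildcard matches exactly one label, a certificate for `*.us-west.moz.works` covers every demo hostname this mapping can produce, while `*.moz.works` does not.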
cc @bensternthal ^
Got it.. thanks for the explanations!