Using a dedicated domain for environments


The installation example Installation of CloudBees Previews with TLS enabled uses a single domain and a single TLS secret. In that example, the CloudBees Previews webhook component uses the hostname webhook.previews.acme.com, and the wildcard certificate copied into each environment namespace covers *.previews.acme.com. Because the system components and the preview environments share one domain, environment Ingresses can conflict with the user’s Kubernetes resources, and every created preview environment is given access to the single global TLS secret, which is also valid for the system hostnames. This is a potential security risk.

A more secure configuration is to use independent domains and TLS secrets for the CloudBees system components and preview environments.

Installation of CloudBees Previews with TLS and separated domains
export system_ingress_host=previews.acme.com
export system_tls_secret_name=preview-system-cert-secret
export system_ingress_class=nginx
export environment_ingress_host=environment.${system_ingress_host}
export environment_tls_secret_name=acme-wildcard-cert-secret
export environment_ingress_class=nginx

kubectl create namespace previews

kubectl create secret generic --namespace previews license \
  --from-file=cert=cloudbees-ci-license.cert \
  --from-file=key=cloudbees-ci-license.key

kubectl create secret tls --namespace previews ${system_tls_secret_name} \
  --cert=system-tls.cert --key=system-tls.key

kubectl create secret tls --namespace previews ${environment_tls_secret_name} \
  --cert=environment-tls.cert --key=environment-tls.key

helm install --namespace previews previews cloudbees/cloudbees-previews -f - <<EOF
global:
  license:
    secret: license
  analytics:
    enabled: true
  ingress:
    class: ${system_ingress_class}                (1)
    tlsSecret: ${system_tls_secret_name}          (2)
webhook:
  ingress:
    host: webhook.${system_ingress_host}          (3)
apiserver:
  ingress:
    host: api.${system_ingress_host}              (4)
environments:
  ingress:
    class: ${environment_ingress_class}           (5)
    host: ${environment_ingress_host}             (6)
    tlsSecret: ${environment_tls_secret_name}     (7)
EOF
1 Specifies the IngressController class used by default for all Ingresses.
2 Specifies the name of a Secret containing the TLS certificate and private key for webhook.previews.acme.com and api.previews.acme.com.
3 Specifies the SCM webhook component’s hostname.
4 Specifies the API server component’s hostname.
5 Specifies the IngressController class, in case it differs from the global IngressController.
6 Specifies the domain used for environment ingresses.
7 Specifies the name of a Secret containing the wildcard TLS certificate and private key for *.environment.previews.acme.com.
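To see why the separated layout matters, the following added example (not part of the CloudBees documentation or product) applies RFC 6125 wildcard matching to the subjectAltName of the environment namespace's certificate and lists which system hostnames it would also be valid for. The hostnames are the ones from the examples above; pr-42.environment.previews.acme.com is a constructed environment hostname, and the SAN strings are what you would read out of the certificate with openssl x509 -noout -ext subjectAltName.

```python
"""Check whether an environment-namespace wildcard certificate also covers
the CloudBees Previews system hostnames (webhook and API server).

Hypothetical helper, not part of CloudBees Previews.
"""


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the entire leftmost
    label, so *.previews.acme.com matches api.previews.acme.com but not
    pr-42.environment.previews.acme.com or previews.acme.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def exposed_system_hosts(environment_san: str, system_hosts: list) -> list:
    """System hostnames for which the certificate handed to every preview
    environment namespace would also be a valid server certificate."""
    return [h for h in system_hosts if san_matches(environment_san, h)]


# Hostnames from the installation examples on this page.
SYSTEM_HOSTS = ["webhook.previews.acme.com", "api.previews.acme.com"]

# Single-domain layout: one wildcard shared by system and environments.
SINGLE_DOMAIN_SAN = "*.previews.acme.com"
# Separated layout: environments live under their own subdomain.
SEPARATED_SAN = "*.environment.previews.acme.com"

# Constructed example of a preview environment hostname in each layout.
ENV_HOST_SINGLE = "pr-42.previews.acme.com"
ENV_HOST_SEPARATED = "pr-42.environment.previews.acme.com"


if __name__ == "__main__":
    for label, san, env_host in (
        ("single domain", SINGLE_DOMAIN_SAN, ENV_HOST_SINGLE),
        ("separated domains", SEPARATED_SAN, ENV_HOST_SEPARATED),
    ):
        print(f"{label}: SAN {san}")
        print(f"  covers environment host {env_host}: {san_matches(san, env_host)}")
        print(f"  also valid for system hosts: {exposed_system_hosts(san, SYSTEM_HOSTS)}")
```

With the single-domain SAN both system hostnames are listed, which is the exposure described above; with the separated SAN the list is empty while the environment hostname is still covered.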