The installation example Installation of CloudBees Previews with TLS enabled uses a single domain and a single TLS secret. In that example, the CloudBees Previews webhook component uses the hostname webhook.previews.acme.com, and the wildcard certificate copied into each environment namespace covers *.previews.acme.com. Because that wildcard also matches the system component hostnames, it can conflict with the user’s Kubernetes resources, and every created preview environment gains access to the single global TLS secret, which is a potential security risk.
A more secure configuration uses independent domains and TLS secrets for the CloudBees system components and for the preview environments.
Installation of CloudBees Previews with TLS and separated domains
export system_ingress_host=previews.acme.com
export system_tls_secret_name=preview-system-cert-secret
export system_ingress_class=nginx
export environment_ingress_host=environment.${system_ingress_host}
export environment_tls_secret_name=acme-wildcard-cert-secret
export environment_ingress_class=nginx

kubectl create namespace previews

kubectl create secret generic --namespace previews license \
  --from-file=cert=cloudbees-ci-license.cert \
  --from-file=key=cloudbees-ci-license.key

kubectl create secret tls --namespace previews ${system_tls_secret_name} \
  --cert=system-tls.cert --key=system-tls.key

kubectl create secret tls --namespace previews ${environment_tls_secret_name} \
  --cert=environment-tls.cert --key=environment-tls.key

helm install --namespace previews previews cloudbees/cloudbees-previews -f - <<EOF
global:
  license:
    secret: license
  analytics:
    enabled: true
  ingress:
    class: ${system_ingress_class}            # (1)
    tlsSecret: ${system_tls_secret_name}      # (2)
webhook:
  ingress:
    host: webhook.${system_ingress_host}      # (3)
apiserver:
  ingress:
    host: api.${system_ingress_host}          # (4)
environments:
  ingress:
    class: ${environment_ingress_class}       # (5)
    host: ${environment_ingress_host}         # (6)
    tlsSecret: ${environment_tls_secret_name} # (7)
EOF
(1) Specifies the IngressController class used, by default, for all Ingresses.
(2) Specifies the name of a Secret containing the TLS certificate and private key for webhook.previews.acme.com and api.previews.acme.com.
(3) Specifies the SCM webhook component’s hostname.
(4) Specifies the API server component’s hostname.
(5) Specifies the IngressController class for environment Ingresses, in case it differs from the global IngressController class.
(6) Specifies the domain used for environment Ingresses.
(7) Specifies the name of a Secret containing the wildcard TLS certificate and private key for *.environment.previews.acme.com.
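The reason the separated layout removes the risk is the TLS wildcard rule: a `*` label matches exactly one DNS label, so `*.previews.acme.com` is valid for `webhook.previews.acme.com` but `*.environment.previews.acme.com` is not. The following script is an added example, not part of the CloudBees Previews documentation or product: it applies that rule (RFC 6125 section 6.4.3, as browsers and TLS libraries implement it) to the two `system_ingress_host` and `environment_ingress_host` values and lists the system hostnames the environment wildcard certificate would also be valid for. The helper names are hypothetical; the hostnames are the ones from the values file above.

```python
"""Check whether the preview-environment wildcard certificate would also be
valid for the CloudBees Previews system component hostnames.

Hypothetical helper written for this page, not CloudBees code. It uses the
standard wildcard rule: '*' must be the entire leftmost label and matches
exactly one DNS label.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` is valid for `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only '*.example.com' is accepted; 'w*.example.com' or 'a.*.example.com'
    # are rejected, as most TLS implementations do.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    # '*' consumes one label; every remaining label must match exactly, so a
    # wildcard never covers a name with more labels than the pattern.
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def system_hostnames(system_ingress_host: str) -> list:
    """System component hostnames derived in the Helm values (webhook, apiserver)."""
    return [f"webhook.{system_ingress_host}", f"api.{system_ingress_host}"]


def overlapping_system_hosts(system_ingress_host: str, environment_ingress_host: str) -> list:
    """System hostnames that the environment wildcard '*.<environment_ingress_host>' covers.

    An empty list means the environment TLS secret cannot be used to serve the
    system component hostnames.
    """
    wildcard = f"*.{environment_ingress_host}"
    return [h for h in system_hostnames(system_ingress_host) if hostname_matches(wildcard, h)]


if __name__ == "__main__":
    system = "previews.acme.com"
    # Single-domain layout from the TLS-enabled example: wildcard *.previews.acme.com
    print("single domain :", overlapping_system_hosts(system, system))
    # Separated layout from this page: wildcard *.environment.previews.acme.com
    print("separated     :", overlapping_system_hosts(system, f"environment.{system}"))
    # Constructed preview hostname, to show the environment wildcard still works
    print("pr-42 covered :", hostname_matches(f"*.environment.{system}", f"pr-42.environment.{system}"))
```

Running it reports both system hostnames as overlapping for the single-domain layout and none for the separated layout, while a constructed preview hostname such as `pr-42.environment.previews.acme.com` is still covered by the environment wildcard. The same function can be run against the subject alternative names extracted from `system-tls.cert` and `environment-tls.cert` before creating the secrets.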