Using a dedicated domain for environments

1 minute read

The installation example Installation of CloudBees Previews with TLS enabled uses a single domain and TLS secret. In the example, the CloudBees Previews webhook component uses the hostname webhook.previews.acme.com. The wildcard certificate copied to the environment namespace covers *.previews.acme.com. This can create a conflict with the user’s Kubernetes resources and gives the created preview environment access to the single global TLS secret creating a potential security risk.

A more secure configuration is to use independent domains and TLS secrets for the CloudBees system components and preview environments.

Installation of CloudBees Previews with TLS and separated domains
export system_ingress_host=previews.acme.com
export system_tls_secret_name=preview-system-cert-secret
export system_ingress_class=nginx

export environment_ingress_host=environment.${system_ingress_host}
export environment_tls_secret_name=acme-wildcard-cert-secret
export environment_ingress_class=nginx

kubectl create namespace previews
kubectl create secret generic --namespace previews license \
  --from-file=cert=cloudbees-ci-license.cert \
  --from-file=key=cloudbees-ci-license.key
kubectl create secret tls --namespace previews ${system_tls_secret_name} \
  --cert=system-tls.cert --key=system-tls.key
kubectl create secret tls --namespace previews ${environment_tls_secret_name} \
  --cert=environment-tls.cert --key=environment-tls.key

helm install --namespace previews previews cloudbees/cloudbees-previews -f - <<EOF
global:
  license:
    secret: license
  analytics:
    enabled: true
  ingress:
    class: ${system_ingress_class}             (1)
    tlsSecret: ${system_tls_secret_name}       (2)
webhook:
  ingress:
    host: webhook.${system_ingress_host}       (3)
apiserver:
  ingress:
    host: api.${system_ingress_host}           (4)
environments:
  ingress:
    class: ${environment_ingress_class}        (5)
    host: ${environment_ingress_host}          (6)
    tlsSecret: ${environment_tls_secret_name}  (7)
EOF
1 Specifies the IngressController class used for all Ingresses, by default.
2 Specifies the name of a Secret containing the TLS certificate and private key for webhook.previews.acme.com and api.previews.acme.com.
3 Specifies the SCM webhook component’s hostname.
4 Specifies the API server component’s hostname.
5 Specifies the IngressController class, in case it differs from the global IngressController.
6 Specifies the domain used for environment ingresses.
7 Specifies the name of a Secret containing the wildcard TLS certificate and private key for *.environment.previews.acme.com.