Using a dedicated domain for environments

1 minute read

The installation example Installation of CloudBees Previews with TLS enabled uses a single domain and TLS secret. In the example, the CloudBees Previews webhook component uses the hostname webhook.previews.acme.com. The wildcard certificate copied to the environment namespace covers *.previews.acme.com. This can create a conflict with the user’s Kubernetes resources and gives the created preview environment access to the single global TLS secret creating a potential security risk.

A more secure configuration is to use independent domains and TLS secrets for the CloudBees system components and preview environments.

Installation of CloudBees Previews with TLS and separated domains
export system_ingress_host=previews.acme.com
export system_tls_secret_name=preview-system-cert-secret
export system_ingress_class=nginx

export environment_ingress_host=environment.${system_ingress_host}
export environment_tls_secret_name=acme-wildcard-cert-secret
export environment_ingress_class=nginx

kubectl create namespace previews
kubectl create secret generic --namespace previews license \
  --from-file=cert=cloudbees-ci-license.cert \
  --from-file=key=cloudbees-ci-license.key
kubectl create secret tls --namespace previews ${system_tls_secret_name} \
  --cert=system-tls.cert --key=system-tls.key
kubectl create secret tls --namespace previews ${environment_tls_secret_name} \
  --cert=environment-tls.cert --key=environment-tls.key

helm install --namespace previews previews cloudbees/cloudbees-previews -f - <<EOF
global:
  license:
    secret: license
  analytics:
    enabled: true
  ingress:
    class: ${system_ingress_class}             (1)
    tlsSecret: ${system_tls_secret_name}       (2)
webhook:
  ingress:
    host: webhook.${system_ingress_host}       (3)
apiserver:
  ingress:
    host: api.${system_ingress_host}           (4)
environments:
  ingress:
    class: ${environment_ingress_class}        (5)
    host: ${environment_ingress_host}          (6)
    tlsSecret: ${environment_tls_secret_name}  (7)
EOF
1Specifies the IngressController class used for all Ingresses, by default.
2Specifies the name of a Secret containing the TLS certificate and private key for webhook.previews.acme.com and api.previews.acme.com.
3Specifies the SCM webhook component’s hostname.
4Specifies the API server component’s hostname.
5Specifies the IngressController class, in case it differs from the global IngressController.
6Specifies the domain used for environment ingresses.
7Specifies the name of a Secret containing the wildcard TLS certificate and private key for *.environment.previews.acme.com.