Request to extend cert subdomain for kubernetes-sigs-cluster-api-ibmcloud

site name: kubernetes-sigs-cluster-api-ibmcloud.netlify.app
ref: [Support Guide] How to use Netlify’s branch deploy feature without Netlify DNS

Hey there,

We’d like to get a wildcard cert enabled for our domain: cluster-api-ibmcloud.sigs.k8s.io to support branch deploys.

DNS config can be seen here:

Example nslookup to verify config:

$ nslookup release-0-4.cluster-api-ibmcloud.sigs.k8s.io
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
release-0-4.cluster-api-ibmcloud.sigs.k8s.io	canonical name = release-0-4--kubernetes-sigs-cluster-api-ibmcloud.netlify.app.
Name:	release-0-4--kubernetes-sigs-cluster-api-ibmcloud.netlify.app
Address: 34.74.170.74
Name:	release-0-4--kubernetes-sigs-cluster-api-ibmcloud.netlify.app
Address: 54.84.236.175

Please let me know if you need any more information.

Thanks!

Hi, @mrbobbytables. The only way to get a wildcard SSL certificate from Let’s Encrypt (which is how SSL is provisioned at Netlify) is by using DNS based verification.

As Netlify DNS is not used for cluster-api-ibmcloud.sigs.k8s.io, we cannot provision a wildcard SSL certificate for it.

We can manually add subdomains to the SSL certificate if these requirements are met:

  • at least one deploy of the branch has completed successfully :white_check_mark:

and:

  • the DNS record required exists :white_check_mark:

As you have already completed those steps above, I was able to extend the SSL certificate to include release-0-4.cluster-api-ibmcloud.sigs.k8s.io.

If there are other subdomains that should be added to the SSL certificate, please let us know. (You are also welcome to open support tickets to have these subdomains added to the SSL certificate if you prefer.)

Thanks for getting back on that so quick @luke :+1:

Those are the branches that we have for now, but the original plan was to create a new one for each subsequent release. Do you know if this was previously automatically possible? Some of our other project sites have had branches automatically created without having to contact support to extend e.g. cluster-api.sigs.k8s.io / kubernetes-sigs-cluster-api.netlify.app

It’s not documented in the cluster-api team’s release playbook.

Hi @mrbobbytables,

The SSL for branches would automatically exist only if you use Netlify DNS or bring a custom wildcard SSL certificate. Did either of those apply to you previously?

Nope. They are not using a custom cert or Netlify DNS. The config for one of them is visible here:

(netlify site name: kubernetes-sigs-cluster-api )

The other possibility that I can think of is someone not on our admin team created a ticket to enable it, but the current project owners don’t know about it. Also doesn’t explain why it does continue to be updated with new branches. =/

That’s weird. It’s not possible to get a wildcard from Netlify unless you’re using Netlify DNS. So if your DNS was never pointing to Netlify, making a request to Support to get that enabled doesn’t sound possible.

In any case, with your current workflow, you might have to reach out to us every time you deploy a branch and want a custom domain for it.

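A pre-flight check for the workflow described in this thread, added here as an example and not code from Netlify or the Kubernetes project: for each branch subdomain it confirms that the CNAME follows the `<branch>--<site>.netlify.app` pattern seen in the nslookup output, then checks whether the certificate's SAN list already covers the name. The DNS records and SAN list are constructed sample data (only `release-0-4` mirrors the thread), the function names are hypothetical, and the "successful branch deploy" requirement is not checked because it is not visible from DNS or the certificate.

```python
# Added example: constructed data, no network access.
SITE = "kubernetes-sigs-cluster-api-ibmcloud"   # Netlify site name from the thread
BASE = "cluster-api-ibmcloud.sigs.k8s.io"       # custom domain from the thread


def expected_cname(branch: str) -> str:
    """Branch-deploy target, following the pattern in the nslookup output."""
    return f"{branch}--{SITE}.netlify.app"


def san_covers(san: str, host: str) -> bool:
    """True if one SAN entry covers host; a wildcard matches exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]


def audit(branches, cname_records, cert_sans):
    """Return {host: status} for each branch subdomain."""
    report = {}
    for branch in branches:
        host = f"{branch}.{BASE}"
        target = cname_records.get(host, "").lower().rstrip(".")
        if target != expected_cname(branch):
            report[host] = "dns-missing"            # create the CNAME first
        elif any(san_covers(s, host) for s in cert_sans):
            report[host] = "covered"                # HTTPS will validate
        else:
            report[host] = "needs-cert-extension"   # ask support to add the SAN
    return report


# Constructed sample state: release-0-5 and release-0-6 are hypothetical branches.
CNAMES = {
    f"release-0-4.{BASE}": "release-0-4--kubernetes-sigs-cluster-api-ibmcloud.netlify.app.",
    f"release-0-5.{BASE}": "release-0-5--kubernetes-sigs-cluster-api-ibmcloud.netlify.app.",
}
SANS = [BASE, f"release-0-4.{BASE}"]

if __name__ == "__main__":
    branches = ["release-0-4", "release-0-5", "release-0-6"]
    for host, status in audit(branches, CNAMES, SANS).items():
        print(f"{status:22} {host}")
```

Swapping `SANS` for a list containing `*.cluster-api-ibmcloud.sigs.k8s.io` shows why a wildcard removes the per-branch request: every branch with a correct CNAME then reports `covered`.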