I am developing a SAAS platform and require a subdomain for each signup, in theory it would be possible to create a new record for each subdomain as someone signs up but this creates overhead that doesn’t exist if wildcard ssl certificates are supported.
I note from the Loadbalancer documentation they are not.
With that said, what would be your recommendation to get past this?
Please note, I am looking for a solution that doesnt require provisioning subdomains for each new sign up… Not least because of the rate limits on Lets Encrypt (50 certs a week per registered domain), we could of course use a combination of 100 names per cert to get that up to 5k a week which would probably be fine but again that is additional overhead for something which could be very simple.
Thanks
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
As per my last comment I achieved what I wanted via NGINX Ingress controller, Cert-manager and the DO load balancer.
There is an app in DO marketplace for NGINX ingress controller.
Then used Cert manager and set up an initial test as per this article: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes#step-4-—-installing-and-configuring-cert-manager
For wild cart you need to use dns01, documentation on the cert-manager site: https://cert-manager.io/docs/configuration/acme/ - config details for lets encrypt
https://cert-manager.io/docs/configuration/acme/dns01/digitalocean/ - config for DO dns01 integration. Couple of points which were not clear to me from the above are that you need to create a secret and that your api key within the secret needs to be base64 encoded. I have created a pull request to update the documentation but in case you need it before then this is an example secret:
apiVersion: v1
kind: Secret
metadata:
name: digitalocean-dns
namespace: cert-manager
data:
# insert your DO access token here
access-token: "base64 encoded access-token here"
Also, http01 confirmations can take a while so dont worry.
Having slept, I am thinking it will be possible to do pass through from the LB to my Ingress controller and have that deal with all SSL, with certificates created by cert-manager.
I am new to kube and networking for the most part… so need to test this but based on what I know it should work…