From 7e88a88e04db20b0c5552742dae78ae50d3f4318 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Sat, 8 Jun 2024 17:14:44 +0200
Subject: [PATCH] prod: garage: Enable on-demand-tls check for *.garage S3 endpoint

We were hitting Let's Encrypt rate limits because we were generating thousands of non-sense certificates like "foo.bar.baz.garage.deuxfleurs.fr" See https://crt.sh

Subdomains of garage.deuxfleurs.fr only make sense when accessing buckets through S3 with vhost-style, so let's enable the on-demand-tls check to make sure that the bucket exists in Garage.

In the long term, we might want to have a wildcard certificate for this usage, or simply stop supporting vhost-style S3 access.
---
 cluster/prod/app/garage/deploy/garage.hcl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl
index aad5c9b..68edc94 100644
--- a/cluster/prod/app/garage/deploy/garage.hcl
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -104,6 +104,7 @@ job "garage" {
 "garage_api",
 "tricot garage.deuxfleurs.fr",
 "tricot *.garage.deuxfleurs.fr",
+ "tricot-on-demand-tls-ask http://garage-admin.service.prod.consul:3903/check",
 "tricot-site-lb",
 ]
 port = "s3"
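Review bot: The new `tricot-on-demand-tls-ask` tag carries no explanation of why it is there, so a later edit could drop it or point it elsewhere and silently reopen the rate-limit problem; I would precede it with `# Ask garage-admin whether the bucket exists before requesting a certificate for a *.garage.deuxfleurs.fr name (Let's Encrypt rate limits, see commit 7e88a88)`. Note that the check only narrows issuance to names that resolve to an existing bucket: anyone able to create buckets, including ones with dotted names, can still trigger one certificate per name, and a future wildcard would not cover multi-level names, so the exposure is reduced rather than removed. The `/check` endpoint is reached over plain http on a Consul service address, which presumably is cluster-internal only — worth confirming it is not reachable from outside, and confirming whether tricot fails closed (no certificate) or falls back to unconditional issuance when garage-admin is unreachable. The enclosing `tags` list and `job "garage"` block start and end outside the hunk.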