Automate Subdomain & SSL With GitHub Repo Name

by Alex Johnson

This article explores the process of automating the creation of DNS subdomains and SSL certificates for each application deployment, leveraging the GitHub repository name. The goal is to streamline the deployment process, ensure secure access, and eliminate manual configuration.

Objective

The primary objective is to automatically create DNS subdomains and SSL certificates for each deployed application, using the repository name as the foundation for the subdomain. This approach simplifies application access, enhances security through SSL, and reduces the operational overhead associated with manual configuration.

Requirements

The system must meet several key requirements to achieve the desired automation and efficiency. These requirements cover subdomain creation, SSL certificate management, HAProxy configuration, and the overall deployment flow.

1. Subdomain Creation

Subdomain creation is a critical aspect of this automation process. The system should automatically generate subdomains based on the GitHub repository name, following a predefined pattern. Specifically:

  • Use GitHub repository name as subdomain: The subdomain should be derived directly from the repository name to maintain consistency and ease of identification.
  • Pattern: {repo-name}.fleexstack.com: The subdomain should follow this pattern, where {repo-name} is replaced with the actual repository name.
  • Example: fleexstack-sample-app.fleexstack.com for https://github.com/MikeBild/fleexstack-sample-app: This example illustrates how a repository named fleexstack-sample-app would be translated into a subdomain.
  • Automatic DNS record creation in DigitalOcean: The system should automatically create DNS records in DigitalOcean to map the subdomain to the appropriate server IP address. This eliminates the need for manual DNS configuration.

2. SSL Certificate Management

SSL certificate management is essential for securing the application. The system should automate the process of obtaining, installing, and renewing SSL certificates for each subdomain.

  • Automatic Let's Encrypt certificate for each subdomain: Let's Encrypt should be used to generate free SSL certificates automatically.
  • Certificate generation during deployment: The SSL certificate should be generated as part of the deployment process to ensure that the application is secured from the moment it is deployed.
  • Automatic renewal setup: The system should automatically renew SSL certificates before they expire to prevent any interruption in service.
  • HAProxy SNI routing: HAProxy should be configured to use Server Name Indication (SNI) to route traffic to the appropriate backend based on the domain name.

3. HAProxy Configuration

HAProxy configuration is vital for routing traffic to the correct application instance. The system should configure HAProxy to use SNI for routing, allowing multiple applications to share the same infrastructure.

  • Route by domain name (SNI) instead of port numbers: HAProxy should use SNI to determine which backend to route traffic to, eliminating the need to manage port numbers.
  • Support multiple apps on same infrastructure: The system should support multiple applications running on the same infrastructure, each with its own subdomain and SSL certificate.
  • Automatic backend configuration: HAProxy backend configuration should be automated to ensure that new deployments are automatically added to the routing configuration.

4. Deployment Flow

The deployment flow defines the steps involved in deploying an application, from pushing code to GitHub to making the application accessible via a secure subdomain.

Push to GitHub
  ↓
Webhook received
  ↓
Extract repo name (e.g., fleexstack-sample-app)
  ↓
Create DNS: fleexstack-sample-app.fleexstack.com → LB IP
  ↓
Obtain SSL certificate for subdomain
  ↓
Deploy to Blue/Green
  ↓
Configure HAProxy with SNI routing
  ↓
App accessible at https://fleexstack-sample-app.fleexstack.com
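
The first steps of this flow (webhook received, extract repo name, create DNS), as an added example that is not code from the article or the fleexstack project: it checks GitHub's X-Hub-Signature-256 HMAC before trusting the payload and accepts the repository name only if it is already a valid DNS label. The function names and the reserved-label set are assumptions; the domain and IP address are the ones used on this page.

```python
import hashlib
import hmac
import json
import re

BASE_DOMAIN = "fleexstack.com"        # from the article
LB_IP = "104.248.42.29"               # address used in the article's doctl example
RESERVED = {"www", "mail", "api"}     # assumption: labels no repository may claim
# DNS label: 1-63 chars of a-z, 0-9, '-', not starting or ending with '-'.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Check GitHub's X-Hub-Signature-256 header against the raw request body."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())


def dns_label(repo_name: str) -> str:
    """Return the DNS label for a repository name, or raise ValueError."""
    label = repo_name.lower()
    # GitHub also allows '.', '_' and names longer than 63 characters. Rewriting
    # them (e.g. '_' to '-') could make two different names collide on one
    # subdomain, so they are rejected. fullmatch() also refuses a trailing newline.
    if not LABEL_RE.fullmatch(label) or label in RESERVED:
        raise ValueError(f"{repo_name!r} is not usable as a subdomain")
    return label


def dns_command(secret: bytes, body: bytes, signature: str) -> list[str]:
    """Build the doctl argv for the A record from a verified webhook delivery."""
    if not verify_signature(secret, body, signature):
        raise PermissionError("webhook signature mismatch")
    label = dns_label(json.loads(body)["repository"]["name"])
    # An argv list run without a shell keeps the name out of command parsing.
    return ["doctl", "compute", "domain", "records", "create", BASE_DOMAIN,
            "--record-type", "A", "--record-name", label,
            "--record-data", LB_IP, "--record-ttl", "300"]


if __name__ == "__main__":
    # Constructed delivery: the secret and payload are sample values.
    secret = b"constructed-secret"
    body = json.dumps({"repository": {"name": "fleexstack-sample-app"}}).encode()
    sig = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(" ".join(dns_command(secret, body, sig)))
```

The returned list is meant to be passed to `subprocess.run(argv, check=True)` without `shell=True`.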

Implementation Tasks

To implement the automated subdomain and SSL certificate management system, several tasks must be completed. These tasks involve integrating with various services and configuring the deployment pipeline.

  • [ ] Extract repository name from GitHub webhook payload
  • [ ] Create DigitalOcean DNS subdomain API integration
  • [ ] Modify SSL setup to support multiple domains
  • [ ] Update HAProxy config for SNI-based routing
  • [ ] Add subdomain to deployment tracking
  • [ ] Update health checks to use domain names
  • [ ] Test with multiple apps deployed simultaneously

Benefits

Implementing this automated system offers several significant benefits, including cleaner URLs, elimination of port management, automatic SSL, scalability, and a more professional appearance.

  1. Clean URLs: Apps accessible via memorable subdomains. Having clean URLs makes it easier for users to remember and access applications, enhancing the user experience. Subdomains that are based on the repository name provide a logical and intuitive naming scheme.
  2. No Port Management: Eliminate port conflicts. By eliminating port management, the system avoids potential conflicts and simplifies the configuration process. SNI routing allows multiple applications to share the same port (443 for HTTPS) without any issues.
  3. Automatic SSL: Each app gets trusted certificate. With automatic SSL, each application deployed through the system automatically receives a trusted SSL certificate, ensuring secure communication and enhancing trust with users. This is achieved through Let's Encrypt integration.
  4. Scalability: Support unlimited apps on same infrastructure. The system offers scalability, allowing for the support of unlimited applications on the same infrastructure. HAProxy's SNI routing capabilities enable efficient traffic management and resource utilization.
  5. Professional: Production-ready URLs for all deployments. Using subdomains and SSL certificates provides professional, production-ready URLs for all deployments, enhancing the credibility and trustworthiness of the applications.

Example Deployment

To illustrate the benefits of the automated system, consider the following example deployment scenario before and after implementation.

Before:

  • App: http://104.248.42.29:3000
  • No SSL for individual apps
  • Port conflicts possible

After:

  • App: https://fleexstack-sample-app.fleexstack.com
  • Automatic SSL certificate
  • Clean, professional URL
  • No port management needed

Technical Details

This section provides technical details on how to implement the key components of the automated system, including DNS management, SSL certificate handling, and HAProxy SNI routing.

DNS Management

DNS management involves automatically creating DNS records in DigitalOcean for each subdomain. This can be achieved using the doctl command-line tool.

# Create A record for subdomain
doctl compute domain records create fleexstack.com \
  --record-type A \
  --record-name fleexstack-sample-app \
  --record-data 104.248.42.29 \
  --record-ttl 300

SSL Certificate

SSL certificates are obtained using Let's Encrypt and certbot. The following command demonstrates how to obtain a certificate for a subdomain.

# Obtain certificate for subdomain
# --standalone runs certbot's own temporary web server, so port 80 must be free during issuance
certbot certonly --standalone -d fleexstack-sample-app.fleexstack.com

HAProxy SNI Routing

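HAProxy SNI routing is configured using the crt-list.txt file, which maps domain names to SSL certificates; HAProxy uses the SNI value of each connection to pick the certificate. The following configuration snippet shows how to route traffic based on the domain name. Its ACL matches the HTTP Host header of the request after TLS termination.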

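# Route based on domain
frontend https_frontend
  # crt-list maps each hostname to its certificate; HAProxy selects it by SNI
  bind *:443 ssl crt-list /etc/haproxy/certs/crt-list.txt

  # After TLS termination, match the HTTP Host header to choose the backend
  acl is_sample_app hdr(host) -i fleexstack-sample-app.fleexstack.com
  use_backend sample_app_backend if is_sample_app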
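
Generating the crt-list and the routing rules for several apps at once, as an added example (not the project's own code): each hostname and backend address is validated before it is written into the configuration. The backend naming scheme, the per-host PEM file names and the sample addresses are assumptions.

```python
import re

CERT_DIR = "/etc/haproxy/certs"   # directory from the article's bind line
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.fleexstack\.com")
TARGET_RE = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}:[0-9]{1,5}")


def render(apps: dict[str, str]) -> tuple[str, str]:
    """Render (crt-list text, haproxy config) from {hostname: "ip:port"}."""
    crt, rules, backends = [], [], []
    for host, target in sorted(apps.items()):
        # Both values are written into config files. fullmatch() rejects spaces
        # and newlines, so a crafted name cannot add directives of its own.
        if not HOST_RE.fullmatch(host) or not TARGET_RE.fullmatch(target):
            raise ValueError(f"refusing entry {host!r} -> {target!r}")
        # '-' is the only label character that needs replacing, and '_' cannot
        # appear in a validated label, so distinct hosts get distinct names.
        name = host.split(".", 1)[0].replace("-", "_")
        # Assumes <host>.pem holds certbot's fullchain.pem followed by privkey.pem.
        crt.append(f"{CERT_DIR}/{host}.pem {host}")
        rules.append(f"  acl is_{name} hdr(host) -i {host}")
        rules.append(f"  use_backend {name}_backend if is_{name}")
        backends.append(f"backend {name}_backend\n  server {name} {target} check")
    frontend = ["frontend https_frontend",
                f"  bind *:443 ssl crt-list {CERT_DIR}/crt-list.txt", *rules]
    config = "\n".join(frontend) + "\n\n" + "\n\n".join(backends) + "\n"
    return "\n".join(crt) + "\n", config


if __name__ == "__main__":
    # Constructed deployment table; the backend addresses are sample values.
    crt_list, config = render({
        "fleexstack-sample-app.fleexstack.com": "10.0.0.11:3000",
        "second-app.fleexstack.com": "10.0.0.12:3000",
    })
    print(crt_list)
    print(config)
```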

Dependencies

Implementing this system requires several dependencies, including access to DigitalOcean DNS, Let's Encrypt, HAProxy, and the ability to parse GitHub webhook payloads.

  • DigitalOcean DNS access (doctl)
  • Let's Encrypt certbot
  • HAProxy SNI support
  • GitHub webhook payload parsing

Time Estimate

The estimated time to implement this system is approximately 3-4 hours.

⏱️ 3-4 hours

Priority

This system is a high priority, as it is required for production multi-app deployments.

🔴 High - Required for production multi-app deployments

In conclusion, automating subdomain and SSL certificate management is crucial for modern application deployments. By integrating tools like DigitalOcean, Let's Encrypt, and HAProxy, developers can create a streamlined, secure, and scalable environment for their applications. This approach not only simplifies the deployment process but also enhances the overall user experience by providing clean, professional URLs and trusted SSL certificates.

For more information on SSL certificates, visit Let's Encrypt.