deployment: enforce hostname max length 64 characters

Author: idan-starkware

deployments/sequencer/app/service.py

@@ -481,16 +481,31 @@ def _get_volumes(self) -> typing.List[k8s.Volume]:
 
     def _get_ingress(self) -> k8s.KubeIngress:
         domain = self.service_topology.ingress["domain"]
-        self.host = f"{self.node.id}.{self.namespace}.{domain}"
-        dns_names = self.host
-        rules = [self._get_ingress_rule(self.host)]
+        default_dns_name = f"{self.node.id}.{self.namespace}.{domain}"
+        dns_name = self.service_topology.ingress.get("dns_name", None)
+        if dns_name is not None:
+            if dns_name.endswith("."):
+                raise ValueError(f"dns_name '{dns_name}' should not end with a dot.")
+            elif dns_name.endswith(domain):
+                raise ValueError(
+                    f"dns_name '{dns_name}' should not end with the domain '{domain}'."
+                )
+            self.dns_name = f"{dns_name}.{domain}"
+        else:
+            self.dns_name = default_dns_name
+        if len(self.dns_name) > 64:
+            raise ValueError(
+                f"Host name '{self.dns_name}' exceeds the maximum length of 64 characters."
+            )
+        dns_names = self.dns_name
+        rules = [self._get_ingress_rule(self.dns_name)]
         tls = self._get_ingress_tls()
 
         annotations = {
             "kubernetes.io/tls-acme": "true",
-            "external-dns.alpha.kubernetes.io/hostname": self.host,
+            "external-dns.alpha.kubernetes.io/hostname": self.dns_name,
             "external-dns.alpha.kubernetes.io/ingress-hostname-source": "annotation-only",
-            "cert-manager.io/common-name": self.host,
+            "cert-manager.io/common-name": self.dns_name,
             "cert-manager.io/issue-temporary-certificate": "true",
             "cert-manager.io/issuer": "letsencrypt-prod",
             "acme.cert-manager.io/http01-edit-in-place": "true",
@@ -504,7 +519,7 @@ def _get_ingress(self) -> k8s.KubeIngress:
         elif self.service_topology.ingress.get("alternative_names", []):
             alternative_names = self.service_topology.ingress["alternative_names"]
             for alt_name in alternative_names:
-                if alt_name != self.host:
+                if alt_name != self.dns_name:
                     dns_names += f",{alt_name}"
                     rules.append(self._get_ingress_rule(alt_name))
             annotations.update({"cert-manager.io/dns-names": dns_names})
@@ -540,11 +555,11 @@ def _get_ingress_rule(self, host: str) -> k8s.IngressRule:
         )
 
     def _get_ingress_tls(self) -> typing.List[k8s.IngressTls]:
-        hosts = [self.host]
+        hosts = [self.dns_name]
         if self.service_topology.ingress.get("alternative_names", []):
             alternative_names = self.service_topology.ingress["alternative_names"]
             for alt_name in alternative_names:
-                if alt_name != self.host:
+                if alt_name != self.dns_name:
                     hosts.append(alt_name)
         return [k8s.IngressTls(hosts=hosts, secret_name=f"{self.node.id}-tls")]
 

deployments/sequencer/schemas/deployment_config_schema.json

@@ -46,6 +46,9 @@
                   "alternative_names": {
                     "type": "array",
                     "items": { "type": "string" }
+                  },
+                  "dns_name": {
+                    "type": "string"
                   }
                 },
                 "required": ["domain", "internal", "rules"]