deployment: enforce hostname max length 64 characters

crates/apollo_deployments/resources/deployments/potc2/deployment_config_hybrid_0.json

@@ -47,6 +47,7 @@
       ],
       "ingress": {
         "domain": "starknet.io",
+        "dns_name": "apollo-potc-2-mock-sharp-0",
         "alternative_names": [
           "potc-mock-sepolia.starknet.io"
         ],

crates/apollo_deployments/resources/deployments/potc2/deployment_config_hybrid_1.json

@@ -47,6 +47,7 @@
       ],
       "ingress": {
         "domain": "starknet.io",
+        "dns_name": "apollo-potc-2-mock-sharp-1",
         "alternative_names": [
           "potc-mock-sepolia.starknet.io"
         ],

crates/apollo_deployments/resources/deployments/potc2/deployment_config_hybrid_2.json

@@ -47,6 +47,7 @@
       ],
       "ingress": {
         "domain": "starknet.io",
+        "dns_name": "apollo-potc-2-mock-sharp-2",
         "alternative_names": [
           "potc-mock-sepolia.starknet.io"
         ],

deployments/sequencer/app/service.py

@@ -34,6 +34,7 @@
 )
 from imports.io.external_secrets import ExternalSecretV1Beta1SpecTarget as ExternalSecretSpecTarget
 from services import const, topology
+from services.helpers import validate_dns_name
 
 
 class ServiceApp(Construct):
@@ -481,16 +482,20 @@ def _get_volumes(self) -> typing.List[k8s.Volume]:
 
     def _get_ingress(self) -> k8s.KubeIngress:
         domain = self.service_topology.ingress["domain"]
-        self.host = f"{self.node.id}.{self.namespace}.{domain}"
-        dns_names = self.host
-        rules = [self._get_ingress_rule(self.host)]
+        default_dns_name = f"{self.node.id}.{self.namespace}.{domain}"
+        dns_name = self.service_topology.ingress.get("dns_name")
+        self.dns_name = f"{dns_name}.{domain}" if dns_name is not None else default_dns_name
+        validate_dns_name(self.dns_name, domain)
+
+        dns_names = self.dns_name
+        rules = [self._get_ingress_rule(self.dns_name)]
         tls = self._get_ingress_tls()
 
         annotations = {
             "kubernetes.io/tls-acme": "true",
-            "external-dns.alpha.kubernetes.io/hostname": self.host,
+            "external-dns.alpha.kubernetes.io/hostname": self.dns_name,
             "external-dns.alpha.kubernetes.io/ingress-hostname-source": "annotation-only",
-            "cert-manager.io/common-name": self.host,
+            "cert-manager.io/common-name": self.dns_name,
             "cert-manager.io/issue-temporary-certificate": "true",
             "cert-manager.io/issuer": "letsencrypt-prod",
             "acme.cert-manager.io/http01-edit-in-place": "true",
@@ -504,7 +509,8 @@ def _get_ingress(self) -> k8s.KubeIngress:
         elif self.service_topology.ingress.get("alternative_names", []):
             alternative_names = self.service_topology.ingress["alternative_names"]
             for alt_name in alternative_names:
-                if alt_name != self.host:
+                if alt_name != self.dns_name:
+                    validate_dns_name(alt_name, domain)
                     dns_names += f",{alt_name}"
                     rules.append(self._get_ingress_rule(alt_name))
             annotations.update({"cert-manager.io/dns-names": dns_names})
@@ -540,11 +546,11 @@ def _get_ingress_rule(self, host: str) -> k8s.IngressRule:
         )
 
     def _get_ingress_tls(self) -> typing.List[k8s.IngressTls]:
-        hosts = [self.host]
+        hosts = [self.dns_name]
         if self.service_topology.ingress.get("alternative_names", []):
             alternative_names = self.service_topology.ingress["alternative_names"]
             for alt_name in alternative_names:
-                if alt_name != self.host:
+                if alt_name != self.dns_name:
                     hosts.append(alt_name)
         return [k8s.IngressTls(hosts=hosts, secret_name=f"{self.node.id}-tls")]
 

deployments/sequencer/schemas/deployment_config_schema.json

@@ -46,6 +46,9 @@
                   "alternative_names": {
                     "type": "array",
                     "items": { "type": "string" }
+                  },
+                  "dns_name": {
+                    "type": "string"
                   }
                 },
                 "required": ["domain", "internal", "rules"]

deployments/sequencer/services/helpers.py

@@ -74,3 +74,32 @@ def generate_random_hash(length: int = 6, from_string: Optional[str] = None) ->
         return hash_object.hexdigest()[:length]
     else:
         return "".join(random.choices(string.ascii_letters, k=length))
+
+
+def validate_dns_name(dns_name: str, domain: str) -> None:
+    if not dns_name:
+        raise ValueError(f"DNS name '{dns_name}' cannot be empty.")
+    if len(dns_name) > 64:
+        raise ValueError(
+            f"DNS name '{dns_name}' exceeds 64 characters (limit for TLS common name)."
+        )
+    if ".." in dns_name:
+        raise ValueError(f"DNS name '{dns_name}' cannot contain consecutive dots.")
+    if dns_name.endswith("."):
+        raise ValueError(f"DNS name '{dns_name}' must not end with a dot.")
+    if dns_name.count(domain) > 1:
+        raise ValueError(
+            f"DNS name '{dns_name}' cannot contain the domain '{domain}' more than once."
+        )
+    labels = dns_name.split(".")
+    for label in labels:
+        if len(label) == 0:
+            raise ValueError(f"DNS name '{dns_name}' contains an empty label.")
+        if not re.match(r"^[a-zA-Z0-9-]+$", label):
+            raise ValueError(
+                f"Label '{label}' in DNS name '{dns_name}' contains invalid characters."
+            )
+        if label.startswith("-") or label.endswith("-"):
+            raise ValueError(
+                f"Label '{label}' in DNS name '{dns_name}' cannot start or end with a hyphen."
+            )