I've set up a solid continuous integration and continuous deployment (CI/CD) system for our infrastructure, which includes Kubernetes. We have a comprehensive suite of tests and conduct compatibility reboot tests. While it runs well, albeit not super fast - which seems reasonable for self-service Kubernetes - I'm facing a dilemma.
The part that bothers me is that my CI pipeline updates the Cloudflare domain records on every pull request (PR). This is standard in CI/CD practices, but each run generates entries in the certificate transparency log, which are permanent. Already, there are over 1,000 entries for our test domain since the CI/CD began about a month ago, and I worry this could be a greater evil.
It feels off that my ephemeral tests are contributing to a growing global database. Is it wrong to have this setup? I understand SSL is necessary, but with SSL through Cloudflare, we get new certificates for every new domain record. Does anyone have thoughts on whether this is a bad practice?
5 Answers
Have you considered if it's necessary to update the records for every single PR? Maybe you can adjust your CI pipeline to avoid updating them every time? That could help reduce the log entries.
Using a wildcard certificate could be a solution here. It can reduce the number of new entries since you'd only need to update one certificate for multiple subdomains. Just make sure your security team is on board, as some might have concerns about their use.
There are alternative approaches to managing this. For instance, you could reuse the same subdomains along with a load balancer, then just rotate the nodes behind it in your pipeline. Terminating the certificates at the load balancer is one method to consider – that's a bit similar to the AWS model.
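To make the "reuse the same subdomains and rotate what sits behind them" idea concrete, here is an added example (my own illustration, not code from this thread or from Cloudflare). It keeps a fixed pool of pre-created preview hostnames, each of which gets a certificate once, and on every PR run only changes which deployment target the hostname points at. The DNS provider is a constructed in-memory stand-in so the example runs offline; the zone name, pool size and target names are constructed values, and the thread's premise that every new hostname means a new certificate (and so a new CT entry) is taken as given.

```python
"""Reuse a fixed pool of preview hostnames instead of one new name per PR."""
from dataclasses import dataclass, field

ZONE = "test.example.com"   # constructed zone name
POOL_SIZE = 8               # constructed: number of permanent preview slots


@dataclass
class FakeDnsApi:
    """Constructed stand-in for the DNS provider; counts writes and new names."""
    records: dict = field(default_factory=dict)   # hostname -> target
    writes: int = 0
    creates: int = 0

    def get(self, hostname):
        return self.records.get(hostname)

    def upsert(self, hostname, target):
        if hostname not in self.records:
            self.creates += 1   # a brand-new name is what would trigger a new cert
        self.writes += 1
        self.records[hostname] = target


class SlotPool:
    """Lease one of N permanent hostnames to each open PR, release on close."""

    def __init__(self, dns, zone=ZONE, size=POOL_SIZE):
        self.dns = dns
        self.names = [f"pr-slot-{i:02d}.{zone}" for i in range(size)]
        self.leases = {}   # hostname -> pr_number

    def acquire(self, pr_number):
        for host, owner in self.leases.items():
            if owner == pr_number:          # re-run of the same PR keeps its slot
                return host
        for host in self.names:
            if host not in self.leases:
                self.leases[host] = pr_number
                return host
        raise RuntimeError("no free preview slot; wait for a PR to close")

    def release(self, pr_number):
        for host, owner in list(self.leases.items()):
            if owner == pr_number:
                del self.leases[host]

    def point(self, pr_number, target):
        """Idempotent: only writes DNS when the target actually changed."""
        host = self.acquire(pr_number)
        if self.dns.get(host) == target:
            return host, "noop"
        self.dns.upsert(host, target)
        return host, "updated"


def simulate(num_prs, concurrent=4):
    """Run `num_prs` PR cycles with at most `concurrent` open at once."""
    dns = FakeDnsApi()
    pool = SlotPool(dns)
    for host in pool.names:            # one-time bootstrap: the only new names ever
        dns.upsert(host, "unassigned")
    open_prs = []
    for pr in range(1, num_prs + 1):
        pool.point(pr, f"node-{pr}.internal")   # rotate the node behind the name
        open_prs.append(pr)
        if len(open_prs) > concurrent:          # oldest PR closes, frees its slot
            pool.release(open_prs.pop(0))
    return {"hostnames_created": dns.creates,
            "writes": dns.writes,
            "pool_size": len(pool.names)}


if __name__ == "__main__":
    print(simulate(1000))   # hostnames_created stays at POOL_SIZE
```

With a pool of 8 names and 1,000 PR runs, `simulate` reports 8 hostnames ever created and 1,008 record writes: the writes are cheap re-pointing of existing names, which is the part that does not mint certificates. The pool size is the real capacity limit, so `acquire` fails loudly when every slot is leased rather than silently falling back to creating a fresh name.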
Some services like Let's Encrypt offer a testing endpoint. Is there a similar option with Cloudflare? That could reduce the need for constant updates.
Yeah, definitely look into certificate wildcards. Just ensure your namespace is separated; this way, if one certificate gets compromised, the impact won't be too severe for your whole system.
Totally agree! But be careful; there are still some security teams that dislike wildcards for various reasons.
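Two points behind the wildcard suggestion and the "keep the namespace separated" caveat are easy to get wrong, so here is an added example (my own illustration, not code from this thread). First, a wildcard name in a certificate matches exactly one DNS label, so `*.test.example.com` covers `pr-123.test.example.com` but neither `a.b.test.example.com` nor `test.example.com` itself. Second, every hostname under one wildcard shares one private key, so the set of names that wildcard covers is its blast radius; grouping per environment keeps a leaked test key from also being valid for production names. All hostnames below are constructed values.

```python
"""Wildcard certificate coverage and blast radius (single-label matching)."""

# Constructed sample inventory: a few test-environment previews plus production names.
SAMPLE_HOSTS = [
    "pr-1.test.example.com",
    "pr-2.test.example.com",
    "a.b.test.example.com",      # two labels deep: not covered by *.test.example.com
    "test.example.com",          # the parent itself: not covered either
    "www.example.com",
    "api.example.com",
]


def wildcard_covers(pattern, hostname):
    """True if certificate name `pattern` is valid for `hostname`.

    Only a leading "*." is treated as a wildcard, and it matches exactly one
    non-empty label; any other pattern is an exact, case-insensitive match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".test.example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # what the "*" has to absorb
    return left != "" and "." not in left     # exactly one label


def blast_radius(pattern, hostnames):
    """Hostnames that would be affected if the key behind `pattern` leaked."""
    return sorted(h for h in hostnames if wildcard_covers(pattern, h))


def plan_wildcards(hostnames):
    """Group names by their parent domain: one wildcard (one key) per group.

    Returns {"*.parent": [hosts...]}, so test previews and production names end
    up behind different keys instead of one zone-wide *.example.com.
    """
    groups = {}
    for h in hostnames:
        parent = h.split(".", 1)[1]
        groups.setdefault(f"*.{parent}", []).append(h)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for pattern in ("*.example.com", "*.test.example.com"):
        print(pattern, "->", blast_radius(pattern, SAMPLE_HOSTS))
    print(plan_wildcards(SAMPLE_HOSTS))
```

Running it against the sample inventory shows that a zone-wide `*.example.com` would cover the production `www` and `api` names but none of the PR previews (they are one label deeper), while `*.test.example.com` covers only the flat `pr-*` previews; `plan_wildcards` then lays out the per-environment split the reply above is asking for, with the deeper `a.b.test.example.com` needing its own `*.b.test.example.com` group.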