cpln.app
controlplane.us
The `HOST` environment variable that will be set on a running workload will be based on the type of Workload and which domain was used for the request.
For serverless workloads, even if the request was served using a custom domain, the hostname will be the canonical name.
For standard or stateful workloads, the hostname will be set to the name of the domain used for the request.
If `sub.example.com` is configured to point to the GVC that contains `workload_one` and `workload_two`, the path `workload_one` can be configured to route requests to `workload_one` and the path `workload_two` can be configured to route requests to `workload_two`.
A request to `https://sub.example.com/users/` can have the path prefix `/users/` replaced with the path prefix `/v2/users/` when forwarding the request internally to the target Workload.
The `/` path will match any unmatched path prefixes for the subdomain. When configuring the `/` path prefix with other path prefixes, the `/` path will automatically be placed last in the list because it matches ALL requests.

A regular expression path such as `/user/.*/profile` can be used to match routes like `/user/bob/profile` or `/user/mary/profile`.
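The following Python example is added here and is not Control Plane's code or documentation; it models the path-matching rules described above (prefix match, prefix replacement, regular-expression paths, and the catch-all `/` being ordered last) so the precedence can be checked against sample paths. The `Route` and `resolve` names are the example's own, and the assumption that a regular-expression path must match the whole request path is the example's, not the product's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    """One path rule on a domain port (a model of the documented routing, not the product's schema)."""
    workload: str                         # target workload name
    prefix: Optional[str] = None          # path prefix to match, e.g. "/users/"
    regex: Optional[str] = None           # regular-expression path, e.g. "/user/.*/profile"
    replace_prefix: Optional[str] = None  # prefix substituted when forwarding, e.g. "/v2/users/"


def ordered_routes(routes: List[Route]) -> List[Route]:
    """Keep the configured order, but move the catch-all "/" prefix to the end.

    sorted() is stable, so every other route keeps its relative position."""
    return sorted(routes, key=lambda r: r.prefix == "/")


def resolve(routes: List[Route], path: str) -> Optional[Tuple[str, str]]:
    """Return (workload, forwarded_path) for the first matching route, or None."""
    for route in ordered_routes(routes):
        if route.regex is not None:
            # ASSUMPTION of this example: a regex route must match the whole path.
            if re.fullmatch(route.regex, path):
                return route.workload, path
        elif route.prefix is not None and path.startswith(route.prefix):
            forwarded = path
            if route.replace_prefix is not None:
                # Swap only the matched prefix; the remainder of the path is kept.
                forwarded = route.replace_prefix + path[len(route.prefix):]
            return route.workload, forwarded
    return None


# Constructed configuration: the catch-all is listed FIRST on purpose, to show
# that ordering moves it last so it does not shadow the more specific rules.
ROUTES = [
    Route(workload="workload_one", prefix="/"),
    Route(workload="workload_two", prefix="/users/", replace_prefix="/v2/users/"),
    Route(workload="profile_service", regex="/user/.*/profile"),
]

if __name__ == "__main__":
    for sample in ["/users/42", "/user/bob/profile", "/anything/else"]:
        print(sample, "->", resolve(ROUTES, sample))
```

Running the block prints one line per sample path; the `/users/42` request is forwarded as `/v2/users/42`, the profile path is matched by the regular expression, and everything else falls through to the `/` route even though it was configured first.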
If `sub.example.com` is configured to the GVC that contains workloads named `workload_one` and `workload_two`, Control Plane will create the following subdomains and route requests to the respective workloads:
Advanced Mode.
The `x-forwarded-client-cert` (XFCC) HTTP header will contain the client certificate details.
The certificate authority PEM, stored as a TLS Secret, can be associated with the Domain and used to verify the authority of the client certificate. The only verification performed checks that the CN of the PEM matches the Domain (i.e., CN=*.DOMAIN).
If a certificate authority PEM is not associated with a Domain, no verification is performed.
Certificate revocation lists (CRLs) are not verified or checked, but revocation can be enforced by the Workload by keeping a list of allowed or revoked client certificate hashes. When a request is received by the Workload, the hash field in the XFCC header can be checked against the allowed or revoked list and an allow / deny decision can be made.
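The following Python example is added here and is not Control Plane's code; it shows how a Workload can make the allow / deny decision described above from the XFCC header. It parses the header's `key=value` fields (quoted values such as `Subject` may contain commas), reads the `Hash` field and compares it against locally kept allowed and revoked lists. The header value, hash and function names are constructed for this example. The `cert_hash` helper assumes that `Hash` is the hex SHA-256 of the DER-encoded client certificate, the convention used by Envoy-based proxies; that assumption is the example's own and should be checked against the hash command the documentation provides.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# One element of the header is ";"-separated key=value pairs; values may be quoted.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^;]*)')


def _first_element(header: str) -> str:
    """Return the first comma-separated element, ignoring commas inside quotes.

    A proxy chain may append one element per hop; the first is the client's."""
    out, in_quotes = [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def parse_xfcc(header: str) -> Dict[str, str]:
    """Parse an x-forwarded-client-cert value into a dict of its fields."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD.findall(_first_element(header)):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')   # strip quotes, unescape
        fields[key] = value
    return fields


def cert_hash(der_bytes: bytes) -> str:
    """ASSUMPTION: Hash is the hex SHA-256 of the DER certificate (Envoy convention)."""
    return hashlib.sha256(der_bytes).hexdigest()


def decide(header: Optional[str],
           allowed: Iterable[str] = (),
           revoked: Iterable[str] = ()) -> str:
    """Allow or deny a request from its XFCC header using local allow/revoke lists.

    - no Hash field  -> deny (no client certificate details were forwarded)
    - hash revoked   -> deny (local stand-in for CRL checking)
    - allow list set -> allow only hashes on it; an empty allow list means
                        "deny only what is revoked"."""
    fields = parse_xfcc(header or "")
    presented = fields.get("Hash", "").lower()
    if not presented:
        return "deny"
    if presented in {h.lower() for h in revoked}:
        return "deny"
    allow_set = {h.lower() for h in allowed}
    if allow_set and presented not in allow_set:
        return "deny"
    return "allow"


# Constructed sample: the hash value and header are made up for this example.
SAMPLE_HASH = "a1b2c3d4" * 8
SAMPLE_XFCC = (
    "By=spiffe://example/ns/default/sa/workload;"
    f"Hash={SAMPLE_HASH};"
    'Subject="CN=client.example.com,O=Example Corp";'
    "URI=spiffe://example/ns/default/sa/client"
)

if __name__ == "__main__":
    print(parse_xfcc(SAMPLE_XFCC))
    print("allow-listed:", decide(SAMPLE_XFCC, allowed={SAMPLE_HASH}))
    print("revoked:     ", decide(SAMPLE_XFCC, revoked={SAMPLE_HASH}))
```

Because the header is set by the ingress, a Workload should only trust it on the port that the Domain routes to; the decision function above treats a missing `Hash` as a deny rather than a pass-through for that reason.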
To generate the certificate hash, execute the following command:
*
https://example.com
443 and 80.
Accept All Hosts configures the domain to allow all traffic (i.e., wildcard support) to the configured workloads, regardless of the Host header or SNI of the request.

Host Prefix will be enabled and can be used for each path when the domain has the Accept All Hosts property enabled. This option allows forwarding traffic for different host headers to specific workloads.
This is used with a `stateful` workload, for replica direct endpoints. These links will direct traffic directly to the specified replica of a workload.

Set the `workloadLink` property on the Domain to the link of the workload. The domain will also need to be configured as a `cname` domain with the `dns01` cert challenge type. The domain needs at least one port with at least one route to work.

Replica direct endpoints have the form `<workload-name>-<replica>-<location>.<domain>`, for example `my-workload-0-aws-us-west-2.example.com`.
| Host | TTL | Type | Value |
|---|---|---|---|
| `_acme-challenge` | 300 | CNAME | `_acme-challenge.cpln.app` |

| Host | TTL | Type | Value |
|---|---|---|---|
| `my-workload-0-aws-us-west-2` | 300 | CNAME | `my-workload-<gvcAlias>-0.aws-us-west-2.controlplane.us` |
| `my-workload-1-aws-us-west-2` | 300 | CNAME | `my-workload-<gvcAlias>-1.aws-us-west-2.controlplane.us` |
| `my-workload-2-aws-us-west-2` | 300 | CNAME | `my-workload-<gvcAlias>-2.aws-us-west-2.controlplane.us` |
| Permission | Description | Implies |
|---|---|---|
| create | Create new domain | |
| delete | Delete a domain | |
| edit | Modify existing domains (only tags can be changed) | view, use |
| manage | Full access | create, delete, edit, manage, use, view |
| use | Allow a principal to use this domain | view |
| view | Read-only access | |
The HTTP-01 challenge is served at `http://${domain}/.well-known/acme-challenge/`, allowing Let’s Encrypt to issue a certificate.
Control Plane configures the Domain with a redirect to our HTTP-01 solver, and then the certificate is issued by Let’s Encrypt.
Wildcard certificates cannot be created using the HTTP-01 verification process, so CNAME Domains should not be attached to a GVC unless a custom server certificate is used.
Domain warnings are reported through the `domain_warning` metric.
A default alert is also created to notify the default contact when any Domain is in a warning state.
Below are some common issues and their implications: