Managing multi-tenant DNS subdomains with scoped security

The scenario we are faced with and the solution we are asking about.

  • We deploy apps in Kubernetes that are exposed via ingress.
  • We want to use ingress-nginx to create the ingress, external-dns to create DNS records for the app, and cert-manager to create SSL certs for TLS communication.
  • This pattern involves using a token to be stored as a Kubernetes secret.
  • The Kubernetes clusters are accessible by the clients they are assigned to.
  • We don't want to use the same token in each client's cluster for security reasons.
  • We want to instead give each client a subdomain for their apps' URLs, and each of their clusters has a unique token that is scoped to their subdomain. That way, a client would only be able to access a token that has access only to their subdomain.
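
The scoping rule described in the post, as an added example that is not part of the original post: a Python check that flags Ingress hostnames falling outside the subdomain a tenant's token is meant to cover. The zone `client-a.example.com`, the hostnames, and the function names are constructed or hypothetical values chosen for illustration.

```python
"""Audit Ingress hostnames against the subdomain a tenant's DNS token is scoped to."""


def normalize(name: str) -> list[str]:
    """Lower-case, drop the trailing root dot, and split into DNS labels."""
    labels = name.strip().lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def in_scope(hostname: str, tenant_zone: str) -> bool:
    """True only if hostname is the tenant zone itself or a name below it.

    Comparison is label by label, so 'evilclient-a.example.com' does not
    match 'client-a.example.com' the way a plain endswith() would.
    """
    host, zone = normalize(hostname), normalize(tenant_zone)
    return len(host) >= len(zone) and host[-len(zone):] == zone


def audit(hostnames: list[str], tenant_zone: str) -> list[str]:
    """Return the hostnames a token scoped to tenant_zone should not manage."""
    out_of_scope = []
    for hostname in hostnames:
        try:
            ok = in_scope(hostname, tenant_zone)
        except ValueError:
            ok = False  # malformed names are treated as out of scope
        if not ok:
            out_of_scope.append(hostname)
    return out_of_scope


# Constructed sample data: hostnames as they might appear in one tenant's Ingress rules.
TENANT_ZONE = "client-a.example.com"
INGRESS_HOSTS = [
    "shop.client-a.example.com",        # in scope
    "API.Client-A.example.com.",        # in scope: case and trailing dot differ only
    "*.client-a.example.com",           # in scope: wildcard below the tenant zone
    "evilclient-a.example.com",         # suffix lookalike, not a child of the zone
    "shop.client-b.example.com",        # another tenant's subdomain
    "client-a.example.com.other.test",  # tenant zone used as a prefix
    "example.com",                      # the parent zone itself
]

if __name__ == "__main__":
    for name in audit(INGRESS_HOSTS, TENANT_ZONE):
        print("out of scope:", name)
```

A check like this only reports drift; the restriction itself has to come from the token's scope at the DNS provider, since anyone with cluster access can read the secret.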