Expose internal HTTP endpoints through the sso-proxy
Most services with HTTP endpoints these days also expose debug information and similar internal pages, and it would be useful for administrators to be able to reach them externally. This is doable but it requires care: it would rely primarily on split DNS techniques, so we would have to keep internal and external lookups strictly separated (right now float does not control resolv.conf).
Steps for implementation:

- generate DNS zones for the domain - at first, add them on top of /etc/hosts and do not modify host.conf
- make it so there are separate internal and external zones:
  - the internal zone should match what is currently in /etc/hosts
  - the external zone should point all names at the frontend hosts
- set up NGINX sso-proxy entries for all service backends - these would match the shard.service.domain structure, without the port
- set up ACME entries for all these names - one single certificate for all of them? one per service, with shards as subjectAltNames? a wildcard?
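As an added illustration of the two-zone split (example code, not float's own), the snippet below derives an internal zone from /etc/hosts-style entries and an external zone that maps every name to the frontend hosts only, then checks that no internal address leaks into the external zone. The hosts content, the domain `example.internal`, the frontend addresses and the `shard.service.domain` names are all constructed for the example.

```python
import ipaddress

# Constructed sample /etc/hosts content (not taken from the page or from float).
HOSTS = """\
10.0.0.11 host1.example.internal
10.0.0.12 host2.example.internal
10.0.0.11 host1.prometheus.example.internal   # shard.service.domain
10.0.0.12 host2.prometheus.example.internal
10.0.0.13 host1.grafana.example.internal
"""

DOMAIN = "example.internal"                      # assumed domain
FRONTEND_IPS = ["203.0.113.10", "203.0.113.11"]  # assumed frontend (sso-proxy) hosts


def parse_hosts(text):
    """Return {name: ip} for hosts entries under DOMAIN, skipping comments and blanks."""
    records = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            if name == DOMAIN or name.endswith("." + DOMAIN):
                records[name] = ip
    return records


def internal_zone(records):
    """Internal zone: exactly the /etc/hosts mapping, as A records."""
    return sorted(f"{name}. IN A {ip}" for name, ip in records.items())


def external_zone(records, frontend_ips):
    """External zone: every name resolves only to the frontends, never to backends."""
    return [f"{name}. IN A {ip}" for name in sorted(records) for ip in frontend_ips]


def leaked_internal_addresses(external, records):
    """Separation check: list external records that expose an internal address."""
    internal_ips = set(records.values())
    return [rec for rec in external if rec.rsplit(" ", 1)[1] in internal_ips]


if __name__ == "__main__":
    recs = parse_hosts(HOSTS)
    print("\n".join(internal_zone(recs)))
    print("\n".join(external_zone(recs, FRONTEND_IPS)))
    print("leaks:", leaked_internal_addresses(external_zone(recs, FRONTEND_IPS), recs))
```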
Alternatives to consider:

- perhaps we should simply create sharded public_endpoints manually for internal services with debug APIs? less magic, more manual work.