Return the internal FQDN when a subdomain is reserved (#734)

charts/server/templates/registrar/secret.yaml

@@ -5,13 +5,20 @@
     (deepCopy .Values.common.ingress)
     (deepCopy .Values.registrar.ingress)
 }}
+{{-
+  $targetNamespace := default
+    .Values.common.kubernetes.targetNamespace
+    .Values.registrar.config.crdTargetNamespace
+}}
+baseDomain: {{ $ingress.baseDomain }}
+internalBaseDomain: {{ $targetNamespace }}.svc.cluster.local
 reservedSubdomains:
   {{- range .Values.registrar.config.reservedSubdomains }}
   - {{ tpl . $ }}
   {{- end }}
   - {{ tpl .Values.registrar.ingress.subdomain . }}
 subdomainAsPathPrefix: {{ $ingress.subdomainAsPathPrefix }}
-crdTargetNamespace: {{ .Values.common.kubernetes.targetNamespace }}
+crdTargetNamespace: {{ $targetNamespace }}
 {{- end }}
 
 {{- if .Values.registrar.enabled }}

charts/server/values.yaml

@@ -122,9 +122,7 @@ sshd:
 registrar:
   enabled: true
   # The registrar configuration
-  config:
-    baseDomain: "{{ pluck \"baseDomain\" .Values.common.ingress .Values.global.ingress | first }}"
-    reservedSubdomains: []
+  config: {}
   # The registrar ingress configuration
   ingress:
     # The subdomain that will be reserved for the registrar

registrar/zenith/registrar/app.py

@@ -160,6 +160,8 @@ async def reserve_subdomain(request: Request, req: t.Optional[ReservationRequest
                 status_code = 409,
                 detail = "Public key is already associated with another subdomain."
             )
+    # The internal FQDN never uses a path prefix
+    internal_fqdn = f"{subdomain}.{settings.internal_base_domain}"
     # The FQDN is the requests subdomain combined with the configured base domain
     if settings.subdomain_as_path_prefix:
         fqdn = f"{settings.base_domain}/{subdomain}"
@@ -170,14 +172,20 @@ async def reserve_subdomain(request: Request, req: t.Optional[ReservationRequest
         return Reservation(
             subdomain = subdomain,
             fqdn = fqdn,
+            internal_fqdn = internal_fqdn,
             # Return a fingerprint that can be compared with the output of OpenSSH
             fingerprint = fingerprint(req.public_key)
         )
     else:
         # If no key was given, return a token that can be used to associate a key
         signature = generate_signature(subdomain)
         token = base64.urlsafe_b64encode(f"{subdomain}.{signature}".encode()).decode()
-        return Reservation(subdomain = subdomain, fqdn = fqdn, token = token)
+        return Reservation(
+            subdomain = subdomain,
+            fqdn = fqdn,
+            internal_fqdn = internal_fqdn,
+            token = token
+        )
 
 
 @app.post(

registrar/zenith/registrar/config.py

@@ -37,6 +37,8 @@ class RegistrarConfig(
     #: Because we want to have at least 16 characters of randomness to use for subdomains,
     #: we limit the base domain to 47 characters (16 for subdomain plus a joining dot)
     base_domain: constr(min_length = 1, max_length = 47)
+    #: The base domain that Zenith services are proxied under internally
+    internal_base_domain: constr(min_length = 1) = "zenith-services.svc.cluster.local"
     #: A list of subdomains that are reserved and cannot be used for Zenith services
     reserved_subdomains: t.List[str] = Field(default_factory = list)
 

registrar/zenith/registrar/models.py

@@ -98,6 +98,8 @@ class Reservation(BaseModel):
     subdomain: Subdomain
     #: The FQDN for the subdomain that was reserved
     fqdn: constr(min_length = 1)
+    #: The internal FQDN for the subdomain that was reserved
+    internal_fqdn: constr(min_length = 1)
     #: The token to use to associate public keys with the subdomain if no keys were given
     token: t.Optional[str] = None
     #: The fingerprint of the key that was registered, if given