cert-manager fails for long branch names
Some pipelines with long branch names fail to get Let's Encrypt certificates. I investigated this one when it failed:
https://open.greenhost.net/openappstack/openappstack/-/jobs/40222
Several certificate orders failed:
```
root@564-service-cert-manager-webhook-not-found:~# kubectl get cert -A
NAMESPACE   NAME                           READY   SECRET                         AGE
oas-apps    oas-nextcloud-files            False   oas-nextcloud-files            36m
oas-apps    oas-nextcloud-office           False   oas-nextcloud-office           36m
oas-apps    oas-rocketchat                 False   oas-rocketchat                 35m
oas-apps    oas-wordpress                  True    oas-wordpress                  34m
oas         grafana-tls                    False   grafana-tls                    22m
oas         hydra-public.tls               False   hydra-public.tls               36m
oas         single-sign-on-userpanel.tls   False   single-sign-on-userpanel.tls   36m
```
When I described the order, it said:
```
Reason: Failed to finalize Order: 400 urn:ietf:params:acme:error:badCSR: Error finalizing order :: issuing precertificate: CSR doesn't contain a SAN short enough to fit in CN
```
According to this cert-manager issue (closed as won't fix), https://github.com/jetstack/cert-manager/issues/2794, this fails because Let's Encrypt doesn't support domain names over 64 characters.
We probably want to truncate these subdomains, which are currently a whole branch slug. Maybe we can truncate them to the string before the first dash (usually the issue number, unless you manually created a branch).
I tried working with the `$CI_MERGE_REQUEST_ID` variable too, but that works in a very weird way. You need to add `only: merge_requests` to each job that uses the variable, and then GitLab creates 2 pipelines, only 1 of which actually has access to that variable:
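As an added example, not code from this issue or from the OpenAppStack repository, the following POSIX shell helper implements the truncation suggested above. It assumes a hostname layout of `<app>.<label>.<domain>` (the real OpenAppStack layout is not shown in this issue) and takes the `$CI_COMMIT_REF_SLUG`-style branch slug, app name and base domain as arguments. When the full hostname would exceed the 64-character CN limit from the error above, it uses the issue number before the first dash if the branch starts with one; otherwise (a branch that was created by hand) it keeps as much of the slug as fits and appends a short checksum so two different long branches do not collide. The checksum suffix goes beyond what the issue proposes and is an assumption of this example.

```shell
#!/bin/sh
# Added example (not OpenAppStack's own code): derive a subdomain label from a
# GitLab branch slug so that "<app>.<label>.<domain>" fits the 64-character
# limit on the certificate CN that Let's Encrypt enforces via badCSR.
# The "<app>.<label>.<domain>" hostname layout is an assumption of this example.

CN_MAX=64

# 6 lowercase hex chars derived from the slug's CRC; cksum is POSIX, so this
# runs on any CI image.  Used to keep cut-down labels unique per branch.
slug_hash() {
  printf '%s' "$1" | cksum | cut -d' ' -f1 | awk '{printf "%06x", $1 % 16777216}'
}

# short_label SLUG APP DOMAIN
# Prints a DNS label such that "APP.<label>.DOMAIN" is at most CN_MAX chars.
short_label() {
  slug=$1; app=$2; domain=$3
  # Characters left for the label once app, domain and the two dots are counted.
  budget=$(( CN_MAX - ${#app} - ${#domain} - 2 ))
  if [ ${#slug} -le "$budget" ]; then
    printf '%s\n' "$slug"
    return 0
  fi
  # Prefer the issue number before the first dash, as suggested in the issue,
  # but only when the branch really starts with a bare number.
  prefix=${slug%%-*}
  case $prefix in
    ''|*[!0-9]*) ;;   # not a bare issue number: fall through to truncation
    *) if [ ${#prefix} -le "$budget" ]; then printf '%s\n' "$prefix"; return 0; fi ;;
  esac
  # Otherwise keep as much of the slug as fits, reserving 7 chars for "-<hash>".
  hash=$(slug_hash "$slug")
  keep=$(( budget - 7 ))
  if [ "$keep" -lt 1 ]; then
    printf '%s\n' "$hash"
    return 0
  fi
  head=$(printf '%s' "$slug" | cut -c1-"$keep" | sed 's/-*$//')  # no trailing hyphen
  printf '%s-%s\n' "$head" "$hash"
}

# fqdn SLUG APP DOMAIN
# Prints the full hostname built from the shortened label.
fqdn() {
  label=$(short_label "$1" "$2" "$3")
  printf '%s.%s.%s\n' "$2" "$label" "$3"
}

# fits_cn HOSTNAME -> exit 0 when the name fits in a CN, 1 otherwise
fits_cn() {
  [ ${#1} -le "$CN_MAX" ]
}

# Usage with a constructed slug (not a real pipeline):
# fqdn "564-service-cert-manager-webhook-not-found-and-branch-is-long" files example.org
```

The issue-number path is only taken when the prefix is all digits, so a branch like `feature-rework-...` never collapses to an empty or meaningless label; the checksum path guarantees a deterministic label of the same length for every run of that branch.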