Skip to content

[codex] Fix serverless certificate domains#107

Merged
arjunkomath merged 1 commit into
mainfrom
feat/serverless-cert-domains
Jul 7, 2026
Merged

[codex] Fix serverless certificate domains#107
arjunkomath merged 1 commit into
mainfrom
feat/serverless-cert-domains

Conversation

@techulus-agent

Copy link
Copy Markdown
Collaborator

Summary

  • Select Traefik certificates from runtime public HTTP domains instead of only emitted HTTP routes.
  • Keep suppressed serverless HTTP domains in the proxy certificate bundle.
  • Add a regression test for suppressed serverless routes still contributing certificate domains.

Why

Serverless HTTP routes can be intentionally suppressed on non-owner proxies, but certificate selection was derived from the emitted routes. That meant a serverless domain could be omitted from a proxy's TLS config even when the proxy might terminate TLS for that host, leading to certificate errors.

Validation

  • npm run test -- expected-state.test.ts
  • npx tsc --noEmit
  • npx biome check lib/agent/expected-state.ts tests/expected-state.test.ts exits successfully but reports existing as-any warnings in expected-state.test.ts.
  • Reviewed with smart-review/Claude Opus: no correctness bugs found; only non-blocking notes.

@arjunkomath arjunkomath marked this pull request as ready for review July 7, 2026 07:22

@techulus-agent techulus-agent left a comment

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review — Fix serverless certificate domains

Reviewed against main. The fix is correct and the reasoning in the PR description checks out.

Verified

  • The root cause is real: certificate selection was derived from routes.httpRoutes, so a domain whose route is intentionally suppressed on a non-owner proxy (serverless) would be dropped from the TLS bundle even when that proxy may terminate TLS for the host. Deriving from routePorts (all public HTTP ports) instead fixes that.
  • buildTraefikCertificateDomains correctly filters to isPublic && protocol === "http", trims/deduplicates via Set, drops empty domains, and sorts for stable output.
  • Confirmed this is safe: getAllCertificatesForDomains (acme-manager.ts) just selects existing domainCertificates rows and filters by domains.includes(...). It does not issue/provision certs, so passing a superset of domains can only ever include an existing cert — it can never trigger spurious ACME issuance. Extra domains with no matching cert are simply no-ops.
  • Good regression test: asserts the suppressed serverless service produces httpRoutes: [] yet still contributes sleepy.example.com to certificate domains.

Ran vitest run tests/expected-state.test.ts locally — 19/19 pass.

Result: No correctness issues. LGTM 👍

@arjunkomath arjunkomath merged commit 2c88ffd into main Jul 7, 2026
9 checks passed
@arjunkomath arjunkomath deleted the feat/serverless-cert-domains branch July 7, 2026 07:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants