You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(decoredirect): auto-heal failed certs and add retry-cert API route (#19)
* feat(decoredirect): auto-heal failed certs and add retry-cert API route
When a Certificate enters cert-manager's exponential backoff (Issuing=False,
Reason=Failed), the controller now automatically detects it and checks whether
the domain DNS is correctly pointing to Deco's redirect infrastructure. If both
an HTTP check (X-Redirect-By: deco) and an AAAA check (no GCP 2600:1901::/32
range) pass, the Certificate is deleted so cert-manager retries without backoff.
Also adds POST /redirects/{domain}/retry-cert API route that performs the same
DNS checks and forces an immediate retry for operators who don't want to wait
for the next 30s reconcile cycle.
Root cause addressed: domains migrating from Deno Deploy sometimes retain AAAA
records in GCP range (2600:1901::/32). cert-manager's self-check uses IPv4 and
passes, but Let's Encrypt validates via IPv6, hits Deno Deploy, and fails —
leaving the Certificate stuck in multi-hour backoff.
* fix(decoredirect): skip cert mutation while DeletionTimestamp is set
* fix(lint): use _ to discard resp.Body.Close error (errcheck)
* feat(decoredirect): remove retry-cert endpoint — controller auto-heals
* test(decoredirect): add auto-healing scenarios and make DNSReadyFunc injectable
Tests cover:
- cert Failed + DNS ready → cert deleted (healed)
- cert Failed + DNS wrong → cert untouched
- cert Issuing=True → cert untouched (noop)
- cert Ready=True → cert untouched (noop)
- cert doesn't exist → no error
Also skips healing when cert has DeletionTimestamp to avoid
acting on a cert that is already being deleted.
* feat(decoredirect): make blocked IPv6 CIDRs configurable via --redirect-blocked-ipv6
Removes the hardcoded GCP/Deno Deploy IPv6 range (2600:1901::/32) and replaces it
with a configurable list of blocked CIDRs. When empty (default), no AAAA check is
performed. Configure for Deco's deployment with:
--redirect-blocked-ipv6=2600:1901::/32
Also accepts REDIRECT_BLOCKED_IPV6 env var.
* Revert "feat(decoredirect): make blocked IPv6 CIDRs configurable via --redirect-blocked-ipv6"
This reverts commit f626842.
* feat(decoredirect): make blocked IPv6 CIDRs configurable via --redirect-blocked-ipv6
Removes hardcoded GCP range. Configure blocked CIDRs via:
- --redirect-blocked-ipv6=2600:1901::/32 (flag)
- REDIRECT_BLOCKED_IPV6=2600:1901::/32 (env)
- redirect.blockedIPv6CIDRs in Helm values
Default is empty (no AAAA check).
* fix(helm): add blockedIPv6CIDRs arg to helm-generator
0 commit comments