A Kubernetes operator to manage randomly named Ingresses with a maximum duration. When that duration is reached, the ingress is updated with a new random name.
Taking this RandomIngress resource:
apiVersion: networking.backmarket.io/v1alpha1
kind: RandomIngress
metadata:
name: example
spec:
ingressTemplate:
spec:
rules:
# The controller will enforce that a |RANDOM| tag is present in every host, and refuse to create the Ingress otherwise
- host: "|RANDOM|.example.com"
http:
paths:
- backend:
service:
name: example-service
port:
number: 80The operator will create this Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: exampleingress-123456ab12ef
annotations:
networking.backmarket.io/expires-at: 2021-09-02T21:08:08Z
spec:
rules:
- host: "a2e7a42e-3be2-4921-b187-0f067dbd6520.example.com"
http:
paths:
- backend:
serviceName: example-service
port:
number: 80The UUID will be changed periodically (by default every eight hours).
Keeping the ingresses really hidden
If you expose HTTPS endpoints, you should avoid creating one certificate per ingress, and use a wildcard instead. Public certificate creation is recorded in Certificate Transparency Logs nowadays, which can be queried by anyone and can be used by someone to find the names of your random ingresses.
Using a wildcard certificate instead will avoid this exposure.