FR: Wildcard Domains Usage Prevents Deployment with French Government URLs (ANSSI Compliance)
Description:
The current implementation of Onyxia uses wildcard domains (e.g., *.datalab.fr) to expose services. However, this approach conflicts with ANSSI (Agence nationale de la sécurité des systèmes d'information) guidelines, which prohibit government-approved Certificate Authorities (CAs) from issuing wildcard certificates.
As a result, it is not possible to deploy Onyxia with official French government URLs, since those CAs no longer provide wildcard certificates.
See page 15 of anssi-fondamentaux-securisation-acme-v1-0.pdf.
Proposed Solution:
To ensure compatibility with ANSSI-compliant environments, it would be beneficial to introduce a mechanism that proxies the traffic internally. This would remove the need for wildcard certificates and allow services to be exposed under individually named subdomains or paths, in accordance with CA policies.
Hello @YFrendo
If you are talking about the services that Onyxia starts (VS Code, Jupyter or any other), you should be able to make it work with cert-manager. With that you can have one certificate per service. Any problem with that configuration?
We have no plan to make Onyxia a proxy for everything, as Onyxia is agnostic of what it starts. Do not hesitate to reach us on Slack, as we are working for the same government.
Hi !
Having a wildcard certificate is not a requirement although it obviously simplifies the handling.
Here are some supported alternatives to having a wildcard certificate:
- Using cert-manager with a compatible ACME backend
- Customizing your instance schemas to hardcode the TLS secret name or to let the user specify the TLS secret to be used
Onyxia will also support Gateway API at some point, as it appears to be the future of Kubernetes reverse proxies, although adoption still appears to be very low at this time.
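The first alternative above (cert-manager with an ACME backend, one certificate per service) looks like the following, as an added illustration that is not part of this thread or of the Onyxia project's own charts. The issuer is a generic `ClusterIssuer` pointing at an ACME directory; the `Ingress` exposes one service under one fully qualified hostname and asks cert-manager for a certificate covering only that name, which is exactly what a CA that refuses wildcard issuance can sign. The ACME directory URL, the `datalab.example` domain, the namespace, service name, port and issuer name are all assumptions chosen for the example.

```yaml
# Added example, not Onyxia's own configuration. All names below are assumptions.
#
# 1. An ACME issuer. The HTTP-01 solver is used on purpose: a wildcard
#    certificate needs DNS-01, while HTTP-01 can only validate a single
#    concrete hostname, so every certificate cert-manager orders through this
#    issuer is a per-host certificate, in line with a CA that forbids wildcards.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: acme-gov-issuer                  # assumption
spec:
  acme:
    server: https://acme.example.gouv.fr/directory   # assumption: the CA's ACME directory
    email: pki-ops@datalab.example                   # assumption: contact registered with the CA
    privateKeySecretRef:
      name: acme-gov-issuer-account-key  # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx      # assumption: the cluster's ingress class
---
# 2. One Ingress per started service, each with its own hostname and TLS secret.
#    Do NOT write "*.datalab.example" in tls.hosts here: that would make
#    cert-manager order a wildcard, which this CA will reject.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jupyter-alice                    # assumption: one Jupyter instance for user alice
  namespace: user-alice                  # assumption
  annotations:
    cert-manager.io/cluster-issuer: acme-gov-issuer
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - jupyter-alice.datalab.example  # single FQDN, no wildcard
      secretName: jupyter-alice-tls      # cert-manager stores the issued key pair here
  rules:
    - host: jupyter-alice.datalab.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jupyter-alice      # assumption: the service created for this instance
                port:
                  number: 8888
```

Two practical consequences worth checking before adopting this layout: every service start now triggers an ACME order, so issuance latency and the CA's rate limits become part of the service start path, and the name of the user-owned TLS secret must be unique per service (here derived from the instance name) so that one user's certificate can never be mounted by another user's Ingress. The second alternative in the list above, hardcoding or letting the user choose the TLS secret name in the instance schema, simply replaces the `cert-manager.io/cluster-issuer` annotation with a pre-provisioned secret referenced in `tls.secretName`.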