Add API Subdomain: api.upstream-dso.tacc.utexas.edu

[mosoriob]

Summary

Request to add a new subdomain api.upstream-dso.tacc.utexas.edu to provide dedicated API access for the upstream-dso application.

Background

Currently, the API is accessible through the main domain upstream-dso.tacc.utexas.edu. To improve organization and potentially enable different configurations for API vs web traffic, we need to add a dedicated API subdomain.

Requirements

DNS Configuration

• Add A record for api.upstream-dso.tacc.utexas.edu pointing to the same IP as upstream-dso.tacc.utexas.edu
• Verify DNS propagation

SSL Certificate

• Update/expand existing SSL certificate to include api.upstream-dso.tacc.utexas.edu
• Handle CAA record restrictions for tacc.utexas.edu domain

Infrastructure Updates

• Update Traefik configuration to route api.upstream-dso.tacc.utexas.edu to the API container
• Test both domains are accessible and properly routed

Technical Details

Current Configuration:

• Main domain: upstream-dso.tacc.utexas.edu
• API accessible at: upstream-dso.tacc.utexas.edu/docs (FastAPI docs)

Desired Configuration:

• Main domain: upstream-dso.tacc.utexas.edu (unchanged)
• API domain: api.upstream-dso.tacc.utexas.edu
• API docs: api.upstream-dso.tacc.utexas.edu/docs

Docker Compose Changes Needed:

labels:
  - traefik.enable=true
  - traefik.http.routers.app-api.rule=Host(`api.upstream-dso.tacc.utexas.edu`)
  - traefik.http.routers.app-api.tls=true
  - traefik.http.services.app-api.loadbalancer.server.port=8000

Challenges Encountered

CAA Record Issue

When attempting to generate SSL certificates with Let's Encrypt, encountered CAA policy restriction:

CAA record for tacc.utexas.edu prevents issuance

Resolution needed:

• Contact TACC IT to either:
  • Add Let's Encrypt to CAA record for tacc.utexas.edu
  • Provide alternative certificate solution
  • Create CAA exception for upstream-dso.tacc.utexas.edu subdomains

Acceptance Criteria

• api.upstream-dso.tacc.utexas.edu resolves to correct IP address
• HTTPS works without certificate warnings
• API endpoints accessible via new subdomain
• FastAPI documentation available at api.upstream-dso.tacc.utexas.edu/docs
• Original domain upstream-dso.tacc.utexas.edu continues to work
• No service interruption during deployment

Priority

Medium - Improves API organization but doesn't block current functionality

Additional Context

• Server: upstream-dso
• Current IP: [INSERT_SERVER_IP]
• Traefik version: 2.11
• Let's Encrypt integration: Existing setup using /etc/letsencrypt mount

Next Steps

1. IT Request: Submit request to TACC IT for DNS and certificate authority approval
2. DNS Update: Add A record for API subdomain
3. Certificate: Generate/expand SSL certificate
4. Deploy: Update Traefik configuration
5. Test: Verify both domains work correctly

[mosoriob]

Dear TACC IT Support Team,
I hope this email finds you well. I am writing to request assistance with DNS configuration and SSL certificate approval for a research project hosted on TACC infrastructure.

Request Summary
I need to add a new subdomain api.upstream-dso.tacc.utexas.edu to provide dedicated API access for our upstream disaster science observatory application, currently running at upstream-dso.tacc.utexas.edu.

Current Setup
Main domain: upstream-dso.tacc.utexas.edu (currently working)
Server: upstream-dso
Application: DSO API (FastAPI application)
Current SSL: Using Let's Encrypt certificates via Traefik reverse proxy

Requested Actions

1. DNS Configuration
   Please add an A record for:

Subdomain: api.upstream-dso.tacc.utexas.edu
Target IP: [Same as upstream-dso.tacc.utexas.edu]

2. Certificate Authority Authorization
   When attempting to expand our Let's Encrypt SSL certificate to include the new subdomain, we encountered a CAA (Certificate Authority Authorization) policy restriction:
   CAA record for tacc.utexas.edu prevents issuance

We need one of the following solutions:

Add Let's Encrypt (letsencrypt.org) to the CAA record for tacc.utexas.edu
Provide guidance on TACC's approved certificate process for research projects
Create a CAA exception for upstream-dso.tacc.utexas.edu subdomains
Issue certificates through TACC's preferred Certificate Authority