I thought letsencrypt offered wildcard certs?

Yes, they do. But if you use a wildcard cert for your review app, then you are not testing the same cert machinery as your production application. (Unless you want to use wildcard certs for your prod app too, which I'd rather not do.)

What’s a “review app” in this context? Are you talking about instances spun up to preview/review a pull request?

Yep, Review Apps are spinning up a full copy of your application per PR.

https://docs.gitlab.com/ee/ci/review_apps/

As part of my pre-merge pipeline I deploy the application to k8s, create a public IP, DNS entry from the branch slug, TLS-to-the-pod with wildcard cert, and then run the full end-to-end test suite. If you get your docker caching right, it can be as little as a couple minutes to deploy the whole stack

This makes it a lot easier for engineers to iterate on their changes with stakeholders, not to mention it lets you test infra and API changes before actually merging them.

We got to tens of engineers using this, so I didn't optimize utilization heavily; this ends up being a bit expensive, but I think worth it.

How do you incorporate databases and testing data into this?

I take a nightly dump of my dev environment database, and then bake that into a thin docker image based on the MySQL image. I’m not dealing with huge datasets so this isn’t expensive. You can then start up a mysql pod and it comes up with a copy of the dev DB data.

(I also give developers a script to run this fixture DB locally too - it makes the onboarding process a lot easier if you don’t need to run the DB init and migrations, and generally means developers have a more robust set of test data to work with. )