Closed migmartri closed 4 months ago
I think this article can help (I'm trying to get it working): https://www.redhat.com/en/blog/grpc-or-http/2-ingress-connectivity-in-openshift
Thanks @hanygirgis for the pointer.
It seems that with HAProxy we'll have the problem we had with AWS ALB or Google Load Balancer: basically, for the gRPC endpoint we are going to need HTTP/2 and TLS termination in the pod.
TLS encryption is doable today in the control-plane and CAS pods, you can provide them using these options in the Helm Chart https://github.com/chainloop-dev/chainloop/blob/4801f98dba175b5b5038522ac99384436ffcf39c/deployment/chainloop/values.yaml#L112-L115
This will run the gRPC servers with TLS enabled. Next, I'd set the cert in the route and enable re-encryption.
We do support the three kinds of routes: `edge`, `reencrypt` and `passthrough`.
The latter two can be enabled with a combination of a) setting server certs for CAS and Controlplane

```yaml
cas:
  tlsConfig:
    secret:
      name: custom-cert
controlplane:
  tlsConfig:
    secret:
      name: custom-cert
```

and b) adding custom CAs for CP -> CAS communication.

```yaml
auth:
  oidc:
    customCAs:
      - |-
        -----BEGIN CERTIFICATE-----
```

Both of those can be performed via the Helm Chart values.yaml file.
For passthrough, the CLI now supports receiving a custom CA as well, to verify the self-signed cert loaded in the pods: https://github.com/chainloop-dev/chainloop/pull/1017
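Putting the reencrypt variant together end to end, here is an added example (not from the maintainer's comment or from the Chainloop chart) of the OpenShift `Route` object that would sit in front of the CAS gRPC service once the chart values above are set. The Helm values part repeats the keys quoted above; the Route part uses the standard `route.openshift.io/v1` fields. The Service name `chainloop-cas`, the port name `grpc`, the namespace and the hostname are assumptions for illustration, and every PEM body is a placeholder to be replaced with real material.

```yaml
# --- Helm values (keys as quoted in the comment above) ---------------------
# The same server cert secret is mounted into both gRPC servers, so they
# speak TLS in the pod, which is what the router needs for reencrypt.
cas:
  tlsConfig:
    secret:
      name: custom-cert
controlplane:
  tlsConfig:
    secret:
      name: custom-cert
auth:
  oidc:
    customCAs:
      - |-
        -----BEGIN CERTIFICATE-----
        <CA that signed custom-cert, placeholder>
        -----END CERTIFICATE-----
---
# --- OpenShift Route for the CAS gRPC endpoint (assumed names) -------------
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: chainloop-cas-grpc          # assumed
  namespace: chainloop              # assumed
spec:
  host: cas.example.com             # placeholder hostname
  to:
    kind: Service
    name: chainloop-cas             # assumed Service name; check `oc get svc`
  port:
    targetPort: grpc                # assumed port name on that Service
  tls:
    # reencrypt: the router terminates the client's TLS with the cert below,
    # then opens a new TLS connection to the pod and verifies the pod's
    # server cert (custom-cert) against destinationCACertificate.
    termination: reencrypt
    certificate: |-
      -----BEGIN CERTIFICATE-----
      <public cert the router presents for cas.example.com, placeholder>
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN PRIVATE KEY-----
      <matching private key, placeholder; store it in a Secret in practice>
      -----END PRIVATE KEY-----
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      <CA that signed custom-cert, placeholder>
      -----END CERTIFICATE-----
```

Two things to check after applying it: the router must be allowed to use HTTP/2 towards the pod (on OpenShift 4 that is the `ingress.operator.openshift.io/default-enable-http2` annotation on the IngressController, which the Red Hat article linked earlier in the thread walks through), and `destinationCACertificate` must actually chain to `custom-cert`, otherwise the router rejects the backend and gRPC calls fail at the edge rather than in the pod. For the passthrough variant, drop `certificate`/`key`/`destinationCACertificate`, set `termination: passthrough`, and give the CLI the CA as described in the comment above.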
Chainloop can be deployed in Kubernetes through our provided Helm Chart. Our chart supports exposing services through K8s Ingresses, but in the case of OpenShift there is an alternative construct called Route.
This task is about looking into Chainloop's compatibility with routes, documenting it, and potentially adding these k8s primitives to our Chart too.
The biggest unknown is how to configure such route entries to support gRPC, similarly to what we do with the nginx ingress controller or AWS ALBs.
cc/ @hanygirgis