cnoe-io / idpbuilder

Spin up a complete internal developer platform with only Docker required as a dependency.
https://cloud-native.slack.com/archives/C05TN9WFN5S
Apache License 2.0
200 stars 59 forks source link

Feature: Ability to supply own certificate #389

Open nabuskey opened 2 months ago

nabuskey commented 2 months ago

Have you searched for this feature request?

Problem Statement

Currently, idpbuilder generates self-signed certificate on startup. The purposes of the certificate are:

  1. In-cluster service to in-cluster service communication. For example, for ArgoCD to communicate with Gitea without disabling TLS verification all together. We do this by telling these services to trust the CA we created.
  2. Local client to in-cluster services. An example of this would be accessing the ArgoCD UI from a web browser.

In the second use case, end users get certificate warning because the CA that singed it is not trusted. So users need to click through and accept the risk before getting to the service they want to get to, i.e. Gitea / ArgoCD UI. You may also run into certificate issues when cloning Git repository cloning and pushing container images.

In some case, it may be desirable to have the ability to specify a certificate signed by a trusted CA. It could be an internal, company specific CA that the local machine trusts. Because *.localtest.me entries resolve to the loopback, I would imagine this is doable and plausible.

Possible Solution

idpbuilder should be able to take a file that has a certificate that's valid for the end user when creating in-cluster resources.

Alternatives Considered

No response