[Epic] TLS configuration enhancements

cryostatio / cryostat-helm

Helm Chart for Cryostat

Other

4 stars 10 forks source link

[Epic] TLS configuration enhancements #168

Open andrewazores opened 3 months ago

andrewazores commented 3 months ago

Describe the feature

End users should have the following new options for TLS:

If using OpenShift, enable the serving-cert feature. This is implemented now, but only in a way where it is tied to deployment of the openshift-oauth-proxy
Supply their own custom certs
Configure the auth proxy (OpenShift or OAuth2) to use custom certs
Auto-configure the auth proxy (OpenShift or OAuth2) to use OpenShift serving-cert, if serving-cert is enabled and no custom certs are supplied

Anything other information?

No response

andrewazores commented 3 months ago

Some discussion here: https://github.com/cryostatio/cryostat-helm/pull/167#issuecomment-2218643815

tthvo commented 3 months ago

I guess there is one small thing to note is that the oauth proxy seems not to set some X-Forwarded-* header so redirect will likely fail. When ingress or route is available, those headers are set and forwarded correctly.

https://github.com/mwangggg/cryostat3/blob/35f8a9eff8a3080d2c004ac65efab6c2749ac2f3/compose/auth_proxy_alpha_config_https.yaml#L29-L35

andrewazores commented 3 months ago

The proxy seems not to set those headers on its own, but that configuration adds them in so that it does set them. So long as the relevant environment variables get set then it should work out, I think.

andrewazores commented 4 days ago

https://github.com/cryostatio/cryostat-helm/issues/115#issuecomment-2445174467