Network authentication support in Refinery

[VinozzZ]

Is your feature request related to a problem? Please describe.

Managing and maintaining separate clusters for each environment is a significant burden for our customers. Currently, because Refinery lacks TLS support, we cannot expose it directly to the public internet to handle traffic across multiple environments.

Describe the solution you'd like

Enable network authentication support in Refinery, allowing a single cluster to securely manage traffic for all environments.

Describe alternatives you've considered

• Using Collectors to route traffic to a centralized Refinery cluster
• Configuring AWS ALB to direct traffic to different Refinery clusters
• Placing Refinery behind an nginx or similar proxy to manage authentication
• Utilizing VPC for controlled access

[kentquirk]

A few notes as to why we haven't done this already:

• Adding TLS adds a bunch of code and configuration, which adds surface area to the product that needs ongoing maintenance.
• There are many different kinds of TLS configuration and they vary widely; we can't test it all or know what's needed so it adds support load over time. Things like certificate management are complex and requirements vary from place to place.
• Adding TLS requires adding a bunch of security-related dependencies.
• Those dependencies are more volatile (change more often) and when they change, it's often a security fire. Normal deps are managed with Dependabot, but security deps often require a fire drill and immediate release to avoid zero-day issues.

There are other systems -- load balancers and things like nginx -- that are already coping with all of these things and that are well-hardened. They are relatively easy to add to existing clusters to do TLS termination, so up to now, it hasn't felt like the cost has justified the benefit.