nerc-project / operations

Issues related to the operation of the NERC OpenShift environment

RFE: Enable TLS by default for routes #95

Closed larsks closed 1 year ago

larsks commented 1 year ago

Nathan Weeks asks on Slack:

Is there a way to enable TLS termination for Routes created in OpenShift by default? e.g., when instantiating a "Django + PostgreSQL" template from the Developer Catalog, it doesn't seem that the user is presented with an option to enable HTTPS. I can manually enable this after it's deployed via Administrator > Networking > Routes > Edit Route, and modifying the Route spec manually:

spec:
  tls:
    termination: edge

But it seems most users would not be aware of this, and would just, e.g., send their Django admin password (in this case) over unencrypted HTTP. If it's possible for a Route to have spec.tls.termination: edge set by default (unless explicitly set otherwise), or some equivalent mechanism for making TLS "opt-out" instead of "opt-in" for Routes, that could reduce the likelihood of users shooting themselves in the foot.

larsks commented 1 year ago

To which I replied:

There's always a way! :slightly_smiling_face: One option we can investigate is the use of a mutating webhook (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook), which can be used to modify resources when they are submitted to the cluster. We may not even have to write our own; there are some policy enforcement frameworks out there that may provide the necessary capabilities out of the box. I'll have to take a look, and I'll also look to see if there's any static configuration that would simply enable edge encryption by default.

larsks commented 1 year ago

I've been looking into this a bit and it looks like Gatekeeper can do what we want:

Gatekeeper is a validating and mutating webhook that enforces CRD-based policies executed by Open Policy Agent, a policy engine for Cloud Native environments hosted by CNCF as a graduated project.

GateKeeper since version 3.something has support for mutating resources as well as validating them, so we should be able to create a policy that will enable edge encryption for any routes that haven't explicitly configured TLS.

I'll be putting together some pull requests at the beginning of next week to enable this feature.
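The kind of Gatekeeper mutation the comment above describes, as an added example that is not from the NERC operations repository or its gatekeeper pull requests: an Assign resource that sets spec.tls.termination: edge on any OpenShift Route submitted without a spec.tls block, and leaves Routes that already configure TLS alone. The namespace label name is a placeholder assumed for this example; the real label used on the cluster is not stated in this thread.

```yaml
# Added example (not code from the NERC operations repo): a Gatekeeper Assign
# mutation giving every OpenShift Route that omits spec.tls edge TLS
# termination. The namespace label is a placeholder assumed for this example.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: route-default-edge-tls
spec:
  # Which objects the mutating webhook is allowed to rewrite.
  applyTo:
    - groups: ["route.openshift.io"]
      versions: ["v1"]
      kinds: ["Route"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["route.openshift.io"]
        kinds: ["Route"]
    # Placeholder label: only Routes in namespaces carrying it are mutated,
    # which is how individual projects would be opted in.
    namespaceSelector:
      matchLabels:
        example.org/enforce-route-tls: "true"
  # The path inside the Route that the mutation writes.
  location: "spec.tls"
  parameters:
    # Only act when the user left spec.tls out entirely, so a Route that
    # explicitly configured TLS (edge, passthrough or reencrypt) is never
    # overwritten.
    pathTests:
      - subPath: "spec.tls"
        condition: MustNotExist
    assign:
      value:
        termination: edge
        # Optional: redirect plain-HTTP clients to HTTPS instead of refusing
        # them (the Route default, None, refuses traffic on the insecure port).
        insecureEdgeTerminationPolicy: Redirect
```

This assumes the Gatekeeper deployment on the cluster has its mutation webhook enabled. To check it works, label a test namespace with the placeholder label, create a Route there without any tls stanza (for instance by instantiating the Django template the reporter mentions), and confirm that `oc get route <name> -o jsonpath='{.spec.tls.termination}'` prints `edge`; a Route created with an explicit `termination: passthrough` in the same namespace should come back unchanged.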

joachimweyl commented 1 year ago

@larsks with the Noobaa issue that cropped up is this still an issue we plan to resolve this sprint?

larsks commented 1 year ago

@joachimweyl yes, the PR that implements the majority of this has been waiting for reviews for about 5 days. https://github.com/OCP-on-NERC/gatekeeper/pull/2 (previously https://github.com/OCP-on-NERC/gatekeeper/pull/1, which was erroneously closed)

larsks commented 1 year ago

Support for enforcing TLS routes has been added to nerc-ocp-prod. We need to deploy a new release of openshift-acct-mgt for this to be enabled by default for new projects, but we can add enforcement to existing projects by adding the appropriate label.