enable cert auth for default admin

[qrkourier]

https://openziti.discourse.group/t/admin-life-cycle-from-password-to-long-lived-cert/1127/7?u=qrkourier

[qrkourier]

Now that the ziti CLI supports certificate authentication, setting the default admin user's password as an environment variable is no longer necessary. This will improve the security posture of the controller container by reducing exposure of that vital secret.

1. Change the ziti-controller helm chart to mount the Certificate resource {{ include "ziti-controller.fullname" . }}-admin-client-cert's tls.crt and tls.key on the controller container. This client certificate from Ziti Edge CA is managed by cert-manager and is created when the controller chart is installed.
2. Change the zitiLogin script to use the client cert auth feature of ziti CLI

[kevinlmadison]

This looks like it may be completed.

[qrkourier]

I did add the admin client cert via cert manager, but didn't change the login command to use it.

It may be necessary to create an authenticator, which will be simpler to achieve when this feature is completed: https://github.com/openziti/ziti/issues/1730

https://github.com/search?q=repo%3Aopenziti%2Fhelm-charts%20admin-client-cert&type=code

[qrkourier]

An alternative to issuing the admin client cert with cert manager would be to add an init step for the controller. It would use the CLI to create a second admin w/ cert authenticator, enroll, unwrap the JSON to the crypto components the CLI currently requires, and then stuff them into a K8s TLS Secret resource to be mounted later by Job containers that need to do admin stuff. This would give the cluster/ziti admin the option to subsequently delete the username/password Secret from the cluster, thereby reducing exposure and safekeeping elsewhere as a backup auth method.

[qrkourier]

Now that I think about that idea above, however, it's probably simpler to keep the client cert issued by cert manager and just use the new init or life-cycle Job to create an authenticator for the first/default admin for that cert's fingerprint. Same security posture in the end, but fewer steps.