Open akshay196 opened 1 year ago
I have it working with ingress-nginx running the console ingress, and a service type: LoadBalancer for the rest of it. I understand that this might be less advisable than having a proxy in front of the relay though.
I failed to get ssl-passthrough on ingress-nginx working (it requires you to put an enablement flag on the controller, which I did, but despite my attempts it was still proxying).
Would it be possible to get paralus to use the cert-manager generated certificate for .user and .core-connector?
> I have it working with ingress-nginx running the console ingress, and a service type: LoadBalancer for the rest of it. I understand that this might be less advisable than having a proxy in front of the relay though.
True. However, in some cases it would be feasible to use without any third-party proxy, for example, local testing.
> I failed to get ssl-passthrough on ingress-nginx working (it requires you to put an enablement flag on the controller, which I did, but despite my attempts it was still proxying).
Setting the ssl passthrough annotation on the ingress resource and enabling ssl passthrough at the ingress-nginx controller should have worked.
I have seen many folks go for ingress-nginx, so if the above configuration works, let us know so we could document it.
> Would it be possible to get paralus to use the cert-manager generated certificate for .user and .core-connector?
Possibly. Need to check though.
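
The two settings named in the reply above (the controller flag and the Ingress annotation), shown together as an added example that is not taken from this thread or from the Paralus chart. The resource names, namespace, backend service name and port are assumptions; only the flag, the annotation and the `core-connector` host suffix are real or come from the thread.

```yaml
# Added example. Values marked "assumed" are placeholders to replace.
#
# 1) Controller side (fragment of the ingress-nginx controller Deployment).
#    Passthrough stays disabled, and the annotation below is ignored,
#    unless the controller process is started with this flag.
#    Append it to the args your installation already has.
spec:
  template:
    spec:
      containers:
        - name: controller
          args:
            - /nginx-ingress-controller
            - --enable-ssl-passthrough
---
# 2) Ingress side. With passthrough the controller does not terminate TLS:
#    it routes the raw TLS stream by SNI host name to the backend, so the
#    backend presents its own certificate and no `tls:` section is needed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: paralus-relay-passthrough        # assumed
  namespace: paralus                     # assumed
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx                # assumed class name
  rules:
    # Host suffix taken from the relay log in this thread. Confirm that
    # your controller version matches wildcard hosts in passthrough mode.
    - host: "*.core-connector.paralus.some.domain"
      http:
        paths:
          - path: /                      # paths are not inspected in passthrough mode
            pathType: Prefix
            backend:
              service:
                name: relay-server       # assumed service name
                port:
                  number: 443            # assumed port
```

If a client connecting to the relay host name still receives the ingress controller's certificate instead of the relay's own, the connection is being terminated at the controller rather than passed through.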
I would say ingress-nginx is way more popular than contour, and most of the users would prefer it. Installing contour for just one service cannot be justified for security teams.
I decided to try Paralus with ingress-nginx and failed. SSL Passthrough may work, but it requires enabling a flag in the controller, which is a no-go for production environments. And with a cert-manager certificate issued by Let's Encrypt it is not possible to bootstrap a cluster into Paralus - the relay doesn't accept such a certificate:
{"level":"info","ts":"2024-03-28T08:47:54.636Z","caller":"tunnel/client.go:416","msg":"Relay Agent.Client.paralus-core-relay-agent::dial failed network: tcp addr: 0289c6d7-4v33-4b26-672e-b02192e7894b.core-connector.paralus.some.domain:443 err: tls: failed to verify certificate: x509: certificate signed by unknown authority "}
Currently Paralus by default installs the Contour controller and manages routes using HTTPProxy resources. It would be good to document the following: