pomerium / ingress-controller

Pomerium Kubernetes Ingress Controller
https://pomerium.com
Apache License 2.0

databroker client TLS configuration options #45

Closed travisgroth closed 3 years ago

travisgroth commented 3 years ago

Is your feature request related to a problem? Please describe.

We don't currently have flags to support customization of TLS client parameters when connecting to the databroker. This makes it challenging to support databroker certs which are not signed with a public root CA. Though not universally true, most of our users are utilizing an internal CA of some sort for databroker.

Describe the solution you'd like

Flags for the standard pair of client options:

Users should be able to specify a CA certificate as a string or as a file path reference.

Describe alternatives you've considered

n/a

Explain any additional use-cases

n/a

Additional context

n/a

wasaga commented 3 years ago

https://github.com/pomerium/ingress-controller/blob/main/README.md#https-endpoints

  1. tls-skip-verify is supported
  2. TLS options are supported as references to a k8s secret.
  3. we do not support file path references as they make no sense in case of Ingress resource, it would only create a confusion wrt which pod this secret is mounted to.
  4. we do not support plaintext secrets in annotations, as this is against k8s best practices.

travisgroth commented 3 years ago

Sorry; wasn't clear in the initial description. This is for the ingress controller to communicate with databroker's API.
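The thread asks for two client-side TLS options for the controller's connection to the databroker: a CA bundle for an internally issued server certificate, and the existing tls-skip-verify escape hatch. The block below is an added illustration of what those two options do to the client's trust decision; it is not code from pomerium/ingress-controller. The `DatabrokerTLSOptions` struct, the `ClientTLSConfig` and `VerifyServerCert` functions, and the in-memory internal CA produced by `NewInternalCA` are all assumptions made for the example; how the CA bytes are sourced (flag string, file, or Kubernetes secret, as discussed above) is deliberately left outside the example, since by the time they reach `ClientTLSConfig` they are just PEM. Rejecting skip-verify combined with a CA bundle is this example's choice, not documented project behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DatabrokerTLSOptions is a hypothetical option struct (not the project's): the CA
// arrives as PEM bytes regardless of whether it came from a flag value, a file or a
// Kubernetes secret, alongside the skip-verify switch the README already offers.
type DatabrokerTLSOptions struct {
	CAPEM      []byte // PEM-encoded CA certificate(s); empty means system roots
	SkipVerify bool   // disable server verification entirely (testing only)
	ServerName string // expected DNS name of the databroker endpoint
}

// ClientTLSConfig turns the options into the tls.Config a client hands to its
// transport. Combining skip-verify with a pinned CA is refused so that a stray
// skip-verify flag cannot silently neutralize the CA the operator configured.
func ClientTLSConfig(o DatabrokerTLSOptions) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: o.ServerName}
	switch {
	case o.SkipVerify && len(o.CAPEM) > 0:
		return nil, errors.New("tls-skip-verify and a custom CA are mutually exclusive")
	case o.SkipVerify:
		cfg.InsecureSkipVerify = true
	case len(o.CAPEM) > 0:
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(o.CAPEM) {
			return nil, errors.New("databroker CA: no valid PEM certificate found")
		}
		cfg.RootCAs = pool // only this CA is trusted for the databroker connection
	}
	return cfg, nil
}

// VerifyServerCert applies the same chain and hostname check the handshake would,
// so the effect of each option can be observed without opening a socket.
func VerifyServerCert(cfg *tls.Config, leafDER []byte) error {
	if cfg.InsecureSkipVerify {
		return nil // any certificate, any name: this is why skip-verify is testing-only
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	// Roots == nil falls back to the system pool, which will not contain an internal CA.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// NewInternalCA fabricates an in-memory CA and a server certificate issued by it,
// standing in for the internal PKI most deployments use. Returns CA as PEM, leaf as DER.
func NewInternalCA(serverName string) (caPEM, leafDER []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // P-256 keygen with
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand cannot fail
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames:  []string{serverName}, // SAN is what the hostname check matches
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER, nil
}

func main() {
	const name = "databroker.pomerium.svc" // assumed endpoint name, not from the issue
	caPEM, leafDER, err := NewInternalCA(name)
	if err != nil {
		panic(err)
	}
	for _, o := range []DatabrokerTLSOptions{{ServerName: name}, {ServerName: name, CAPEM: caPEM}, {ServerName: name, SkipVerify: true}} {
		cfg, err := ClientTLSConfig(o)
		if err != nil {
			fmt.Println("config error:", err)
			continue
		}
		fmt.Printf("customCA=%v skipVerify=%v -> verify error: %v\n", len(o.CAPEM) > 0, o.SkipVerify, VerifyServerCert(cfg, leafDER))
	}
}
```

Running it shows the three outcomes the thread is really about: with system roots only, the internally signed databroker certificate is rejected; with the CA bundle it verifies, and the hostname is still checked; with skip-verify every certificate is accepted, including one for the wrong name, which is the trade-off an operator makes when using that flag instead of supplying the CA.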