toxuin / mdns-tunneller

Tunnels two (or more) mDNS domains together

added support for https remote #4

Closed shannon closed 3 years ago

shannon commented 3 years ago

I wanted to add support for HTTPS here because I don't have any other ports open on my internal subnet, as I have a reverse proxy set up to accept connections for 80/443 only (80 automatically redirects to 443).

I also added a comment about the Chromecast service because I didn't know what the service name was and it took me a bit to find it. Hopefully it saves someone some time later.

toxuin commented 3 years ago

Could you describe your setup in a bit more detail? Do you use it by passing it through some proxy-server that does https termination?

In its current form, this would definitely work, but feels like a very specific use case that relies on an external component.

Ideally, to implement https we'd pass the certificate and key through the config to the server, and just the root cert to the client as well.

shannon commented 3 years ago

Sure. I am currently running Home Assistant in a local Kubernetes cluster. Because of some unrelated complicated TLS passthrough needed, I am running Istio as the ingress controller. It handles the TLS termination. So I added the mdns-tunneller Docker container as a secondary container to the Home Assistant deployment spec. This allows it to add the appropriate packets to the internal pod network and Home Assistant picks it up fine. I don't have to do hostNetwork: true, which is nice.

However, in order to allow the client (a Raspberry Pi on a separate subnet) to reach it, I needed to allow it to use HTTPS to talk through Istio and eventually the mdns-tunneller service. I could have probably gotten more complicated and allowed it to use port 80, but I have a universal HTTPS redirect to force all services on the Kubernetes cluster to use SSL. I would have had to break this rule here.

In my case, I didn't actually want the mdns-tunneller server to handle certificates. I find it's easier to allow Istio to do this as I can use cert-manager to generate the certs automatically.

toxuin commented 3 years ago

This is a legit use case. I'm going to merge this and work some more on https on the server side of things so the implementation becomes more complete. Thanks for bringing it up! 👍