vinzscam / backstage-chart

Backstage Helm Chart

[requirement] Add a TLS certificate to the ingress resource #12

Open cmoulliard opened 2 years ago

cmoulliard commented 2 years ago

Proposition

Add a TLS certificate to the ingress resource using a generated or provided Secret containing the ca.crt, tls.crt and tls.key files

Why

When we install Backstage on a k8s cluster and expose it as an HTTP endpoint, some exchanges still take place using the HTTPS protocol. If the ingress nginx is deployed, then a Fake Kubernetes Ingress Certificate is generated and will be displayed as invalid by Google Chrome.

Ideally we should generate a 'Backstage' self-signed certificate (or one signed by a CA authority such as letsencrypt) and trust it on the platform of the browser.

What to do

Such a scenario could be achieved easily if we:

Note: Optionally, if the user has created their own TLS secret, then it could be passed as a parameter to the ingress values section.

WDYT? @vinzscam @ChrisJBurns

ChrisJBurns commented 2 years ago

@cmoulliard Yep, this sounds good. At the moment, I use Istio Gateway with Cert Manager and Let's Encrypt, so we don't really use the Ingress resource in the Chart. However, I can see the benefit to this for others who may use it. I imagine using cert-manager is a good way to go also because of its popularity. I would say we should tread carefully with self-signed certs as normally they bring a whole level of complexity a lot of times - that being said, technically in an air-gapped network they may be preferred as otherwise the cert challenge won't be able to complete.
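
For reference, the two options discussed in this thread expressed as plain Kubernetes manifests. This is an added example, not part of the issue and not the chart's own templates or values. The host name, namespace, resource names, issuer name and service port are placeholders, and it assumes ingress-nginx (and, for the annotated variant, cert-manager with a ClusterIssuer) is installed.

```yaml
# Option A: a user-provided certificate in a kubernetes.io/tls Secret.
# Skip this Secret entirely when cert-manager (Option B) creates it.
apiVersion: v1
kind: Secret
metadata:
  name: backstage-tls              # placeholder name
  namespace: backstage             # placeholder namespace
type: kubernetes.io/tls
data:
  tls.crt: "<base64 PEM certificate chain>"   # placeholder value
  tls.key: "<base64 PEM private key>"         # placeholder value
  # ca.crt may be added as an extra key; cert-manager populates it
  # when the issuer supplies a CA certificate.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backstage                  # placeholder name
  namespace: backstage
  annotations:
    # Option B: cert-manager issues and renews the Secret named in
    # spec.tls[].secretName. Remove this annotation for Option A.
    cert-manager.io/cluster-issuer: example-issuer   # placeholder issuer
spec:
  ingressClassName: nginx
  tls:
    # Without a usable tls entry, ingress-nginx serves its built-in
    # default ("fake") certificate, which browsers reject.
    - hosts:
        - backstage.example.com    # must match a SAN in the certificate
      secretName: backstage-tls
  rules:
    - host: backstage.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backstage    # placeholder service name
                port:
                  number: 7007     # assumed Backstage backend port
```

With a self-signed or private-CA certificate, clients still have to trust the issuing certificate explicitly; in an air-gapped cluster that CA is distributed out of band because an ACME challenge cannot complete.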