Open cmoulliard opened 2 years ago
@cmoulliard Yep, this sounds good. At the moment, I use Istio Gateway with Cert Manager and Let's Encrypt, so we don't really use the Ingress resource in the Chart. However, I can see the benefit to this for others who may use it. I imagine using cert-manager is a good way to go also because of its popularity. I would say we should tread carefully with self-signed certs as normally they bring a whole level of complexity a lot of times - that being said, technically in an air-gapped network they may be preferred as otherwise the cert challenge won't be able to complete.
Proposition
Add a TLS certificate to the ingress resource using a generated or provided Secret containing the ca.crt, tls.crt and tls.key files
Why
When we install Backstage on a k8s cluster and expose it as an HTTP endpoint, some exchanges are still taking place using the HTTPS protocol. If the ingress nginx is deployed, then a Fake Kubernetes Ingress Certificate is generated and will be displayed as invalid by Google Chrome. Ideally we should generate a 'Backstage' self-signed certificate (or signed by a CA authority such as Let's Encrypt) and trust it on the platform of the browser.
What to do
Such a scenario could be achieved easily if we:
cert-manager.enabled: true
ca.crt, tls.crt and tls.key files
Note: Optionally, if the user has created its own TLS secret, then it could be passed as a parameter to the ingress values section.
WDYT? @vinzscam @ChrisJBurns
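The setup proposed in this issue, as an added example that is not part of the original issue or of the Backstage chart: a cert-manager self-signed Issuer and Certificate that populate a TLS Secret, which an ingress-nginx Ingress then references. The resource names, the backstage namespace, the host backstage.example.test and the service port 7007 are assumptions.

```yaml
# Added example: every name, the namespace, the host and the port are assumptions.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: backstage-selfsigned
  namespace: backstage
spec:
  selfSigned: {}                   # no external CA or ACME challenge, so it also works air-gapped
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: backstage-tls
  namespace: backstage
spec:
  secretName: backstage-tls        # Secret that cert-manager creates and renews (tls.crt, tls.key)
  commonName: backstage.example.test
  dnsNames:
    - backstage.example.test       # must match the Ingress host or browsers reject the certificate
  issuerRef:
    name: backstage-selfsigned
    kind: Issuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backstage
  namespace: backstage
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - backstage.example.test
      secretName: backstage-tls    # without this, ingress-nginx serves its default fake certificate
  rules:
    - host: backstage.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backstage
                port:
                  number: 7007
```

For the user-provided variant mentioned in the note, drop the Issuer and Certificate and point `secretName` at an existing `kubernetes.io/tls` Secret in the same namespace as the Ingress. A self-signed certificate still has to be added to the browser or OS trust store before Chrome stops flagging it.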