[requirement] Add a TLS certificate to the ingress resource

[cmoulliard]

Proposition

Add a TLS certificate to the ingress resource using a generated or provided Secret containing the ca.crt, tls.crt and tls.key files

Why

When we install backstage on a k8s cluster and that we expose it as a HTTP endpoint, some exchanges are still taking place using the HTTPS protocol. If the ingress nginx is deployed, then a Fake Kubernetes Ingress Certificate is generated and will be displayed as invalid by Google Chrome.

Ideally we should generate a 'Backstage` self signed certificate (or signed by a CA authority as letsencrypt) and trust it on the platform of the browser.

What to do

Such a scenario could be achieved easily if we:

• Install the Cert Manager (prereq) as helm dependency when property cert-manager.enabled: true
• Create an issuer/certificate resources when certmanager is enabled to populate a secret containing the ca.crt, tls.crt and tls.key files
• Configure the TLS section of the ingress resource to mount it

Note: Optionally if the user has created its own TLS secret, then it could be passed as parameter to the ingress values section.

WDYT ? @vinzscam @ChrisJBurns

[ChrisJBurns]

@cmoulliard Yep, this sounds good. At the moment, I use Istio Gateway with Cert Manager and Let's Encrypt, so we don't really use the Ingress resource in the Chart. However I can see the benefit to this for other who may use it, I imagine using cert-manager is a good way to go also because of it's popularity. I would say we should tread carefully with self signed certs as normally they bring a whole level of complexity a lot of times - that being said, technically in an air-gapped network they may be preferred as otherwise the cert challenge won't be able to complete.