zitadel / terraform-provider-zitadel

Official Terraform provider for ZITADEL
https://zitadel.com
Apache License 2.0

Add ability to override issuer #143

Closed vavsab closed 6 months ago

vavsab commented 7 months ago

Hi. Please read the idea. If you agree with it I will make a PR.

I need the ability to override the issuer so that it is not the same as the client domain that we are sending requests to.

My use case

I'm using a Cloudflare tunnel to publish Zitadel to the public Internet. It does not support gRPC today. I'm using kubectl port-forwarding to access Zitadel directly to configure it. So now I need to send queries to http://localhost:<some_port>. I replace the Host header in the Kubernetes network pipeline (I'm using Istio for this) so Zitadel thinks that I'm sending requests to the correct domain. But I have the problem that in this provider I cannot set the issuer to be different from the address.

Solution

Add one more option, issuer, to the provider. If it is set, it overrides the default logic here.

Workaround

Today I'm using a local proxy server, a hosts file override and a self-signed TLS certificate to fake the public domain. It's working, but it eats 1 minute of time on every terraform run to configure it, which is pretty long when we run it 50 times per day.

hifabienne commented 6 months ago

@livio-a @muhlemmer What do you think about this?

muhlemmer commented 6 months ago

The deployment sounds hackish and so does the proposed fix. If using Cloudflare, why not use the regular HTTP proxy instead?

vavsab commented 6 months ago

Do you suggest switching away from Cloudflare altogether?

muhlemmer commented 6 months ago

No, I'm suggesting using a regular reverse proxy product instead of a tunnel.

vavsab commented 6 months ago

For me it means exactly that: switching from Cloudflare to something else (e.g. nginx). OK, I will stay with my workaround until Cloudflare adds support for gRPC.

kervel commented 3 months ago

I think there are actually valid use cases for this feature. I want to use the Zitadel Helm chart, and then provision Zitadel with Terraform.

I would like to route the traffic between the Zitadel Terraform container and the Zitadel server internally, using the Kubernetes Service and not over the public ingress, for several reasons: in some environments it's simply not possible, or the ingress is not in a working state yet for some reason (or doesn't exist at all, because we use some load balancer service).
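
The following is an added example, not code from the provider or from either poster, modelling the behaviour both comments ask for (vavsab's port-forward with a rewritten Host header, kervel's routing through the in-cluster Service): the issuer is derived from the connection address unless an explicit issuer is configured, and a token's `iss` claim is then checked against the effective value, because OIDC requires an exact string match. The field names `Domain`, `Port`, `Insecure` and the `Issuer` override, as well as the host `auth.example.com`, are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ProviderConfig holds the connection address the provider talks to and the
// proposed issuer override. The field names are assumed for this example and
// are not the provider's real schema.
type ProviderConfig struct {
	Domain   string
	Port     string
	Insecure bool   // plain HTTP instead of HTTPS
	Issuer   string // proposed override; empty means "derive from Domain"
}

// DefaultIssuer derives the issuer from the connection address, i.e. the
// "default logic" the issue refers to: scheme from Insecure, host from
// Domain and Port.
func DefaultIssuer(c ProviderConfig) string {
	scheme := "https"
	if c.Insecure {
		scheme = "http"
	}
	host := c.Domain
	if c.Port != "" {
		host = net.JoinHostPort(c.Domain, c.Port)
	}
	return scheme + "://" + host
}

// EffectiveIssuer returns the override when it is set, after checking that
// it is an absolute http(s) URL without query or fragment, and the derived
// default otherwise. A trailing slash is stripped so comparison is exact.
func EffectiveIssuer(c ProviderConfig) (string, error) {
	if c.Issuer == "" {
		return DefaultIssuer(c), nil
	}
	u, err := url.Parse(c.Issuer)
	if err != nil {
		return "", fmt.Errorf("issuer: %w", err)
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return "", errors.New("issuer must be an absolute http(s) URL")
	}
	if u.Scheme == "http" && !c.Insecure {
		return "", errors.New("plain-http issuer requires insecure = true")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("issuer must not carry a query or fragment")
	}
	return strings.TrimRight(u.String(), "/"), nil
}

// CheckIssuerClaim compares a token's "iss" claim with the configured issuer.
// OIDC requires an exact match, so a token minted for the public domain is
// only accepted when the override names that domain, even though the
// provider itself connects to localhost.
func CheckIssuerClaim(c ProviderConfig, iss string) error {
	want, err := EffectiveIssuer(c)
	if err != nil {
		return err
	}
	if iss != want {
		return fmt.Errorf("issuer mismatch: token says %q, provider expects %q", iss, want)
	}
	return nil
}

func main() {
	// Constructed sample: port-forward to localhost, tokens issued for the
	// public domain auth.example.com (placeholder host).
	c := ProviderConfig{Domain: "localhost", Port: "8080", Insecure: true}
	fmt.Println("default issuer:", DefaultIssuer(c))
	fmt.Println("claim check without override:", CheckIssuerClaim(c, "https://auth.example.com"))
	c.Issuer = "https://auth.example.com/"
	eff, _ := EffectiveIssuer(c)
	fmt.Println("effective issuer with override:", eff)
	fmt.Println("claim check with override:", CheckIssuerClaim(c, "https://auth.example.com"))
}
```

The interesting case is the second claim check: without the override the provider would expect `http://localhost:8080` and reject every token the server actually issues; with the override it expects the public issuer while still connecting to localhost, which is the situation both the port-forward and the in-cluster Service produce.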