Evaluate migration of self-signed certificate process to a sidecar
psanders opened this issue
Is your feature request related to a problem? Please describe.
The current process for handling self-signed certificates in Routr operates from within the Docker images. This leads to a situation where services create their own self-signed certificates rather than reusing the same one. For example, if we create two instances of the StatefulSet EdgePort, each would create its own certificate.
Describe the solution you'd like
To facilitate the sharing of a self-signed certificate, we should leverage Kubernetes Secrets. Additionally, we should consider introducing a sidecar that checks if the secret exists and creates a new one if it doesn't.
Describe alternatives you've considered
Keep the existing process since it is not causing any issues at the moment.
Additional context
We should explore making this mechanism reusable for the Let's Encrypt implementation. Also, we might consider removing the self-signed certificate generation from individual services, given that we are shifting operations to a sidecar. This would result in a cleaner Docker image.
An exception would be the fonoster/routr:all-in-one image, which should continue to include certificate generation.
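The "check for the Secret, create it only if missing" logic proposed above, as an added example (not Routr's own code). It assumes a Secret name of routr-selfsigned-tls, a CN of routr.local, and that the init/sidecar container has kubectl and openssl; it also handles the case where two EdgePort replicas start at once and both try to create the Secret.

```shell
#!/bin/sh
# Hypothetical sidecar / init-container logic (added example, not from Routr):
# make sure one shared self-signed TLS Secret exists in the namespace so every
# replica mounts the same certificate instead of generating its own.
set -eu

SECRET_NAME="${SECRET_NAME:-routr-selfsigned-tls}"   # assumed name
NAMESPACE="${NAMESPACE:-default}"
CERT_CN="${CERT_CN:-routr.local}"                      # assumed CN
DAYS="${DAYS:-365}"
KUBECTL="${KUBECTL:-kubectl}"                          # overridable (tests)

# 0 if the Secret is already present (reuse it), non-zero otherwise.
secret_exists() {
    "$KUBECTL" get secret "$SECRET_NAME" -n "$NAMESPACE" >/dev/null 2>&1
}

# Write a fresh RSA key and self-signed cert into the given directory.
generate_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/tls.key" -out "$1/tls.crt" \
        -days "$DAYS" -subj "/CN=$CERT_CN" >/dev/null 2>&1
}

# Create the Secret only when it is missing. `kubectl create` is atomic on the
# API server, so if a sibling replica wins the race our create fails with
# AlreadyExists; re-checking then lets us reuse the winner's certificate.
ensure_secret() {
    if secret_exists; then
        echo "reusing existing secret $SECRET_NAME"
        return 0
    fi
    tmp="$(mktemp -d)"
    generate_selfsigned "$tmp"
    if "$KUBECTL" create secret tls "$SECRET_NAME" -n "$NAMESPACE" \
        --cert="$tmp/tls.crt" --key="$tmp/tls.key" >/dev/null 2>&1; then
        echo "created secret $SECRET_NAME"
    elif secret_exists; then
        echo "secret $SECRET_NAME was created concurrently; reusing it"
    else
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"   # private key never lingers on the container filesystem
}
```

The Pod's ServiceAccount needs a Role granting get and create on Secrets in that namespace, and the key material only ever lives in the Secret, not in the image.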