moriturus / ktra

Your Little Cargo Registry

Home Page: https://book.ktra.dev

Add https for the server

Stargateur opened this issue

Unless I'm missing something, ktra only supports HTTP; thus one could for now just put a proxy that handles HTTPS for ktra. It would be nice to have an HTTPS feature. (I will probably try to add it since it's in my skillset.)

I've been exploring recently exposing websites outside of a VPN, and it seems that it would indeed be simpler to use a reverse proxy to deal with TLS termination. This workaround would also allow keeping down the volume of code to maintain.

Maybe we could just include a docker-compose file that sets up a ktra image and nginx-certbot to give users a quick way to set up HTTPS if they do not already have an RP setup (assuming that users who have an RP already will know how to add HTTPS to ktra in their setup). What do you think?

I think the end goal should be to have an HTTPS feature in ktra, but I agree that's not a priority. I believe that would be nice because a proxy has a cost, and I think we're going for an all-in-one registry with sparse-registry, meaning a registry could need to handle A LOT of requests. This makes a user depend on a third tool.

Handling TLS looks trivial in the warp example doc.

BTW, certbot + docker poses a lot of problems and that's not trivial at all to understand. (Using docker stack and certbot is not easy at all; that works for simple docker use, but with any docker swarm use you run into difficulty.)

Makes sense. I was thinking about the pains of making a valid certificate, but I suppose this is an orthogonal problem to having TLS handled in the server app.

I have a docker-compose that uses caddy as a reverse proxy. Certs are issued automatically and it works fantastic with ktra. I can make a PR if you're all interested.
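
The reverse-proxy approach discussed in this thread, sketched as an added docker-compose example; it is not a file posted by any participant or shipped by the ktra project. Assumptions: the ktra image name is a placeholder, ktra is assumed to listen on port 8000 inside its container, and `registry.example.com` stands in for your own hostname.

```yaml
# Added example: Caddy terminates TLS, ktra speaks plain HTTP only on an
# internal Docker network. All names below are assumptions, not project values.
services:
  ktra:
    image: example/ktra:placeholder   # placeholder: substitute your ktra image
    restart: unless-stopped
    # Deliberately no "ports:" mapping. Publishing ktra's HTTP port on the
    # host would let clients bypass TLS and send registry tokens in cleartext.
    expose:
      - "8000"                        # assumed ktra listen port; adjust to your config
    networks:
      - internal
    # Mounts for ktra's config and data are omitted here; add them as your
    # deployment requires.

  caddy:
    image: caddy:2
    restart: unless-stopped
    # With a hostname in --from, Caddy obtains and renews a certificate
    # automatically and redirects HTTP to HTTPS.
    command: caddy reverse-proxy --from registry.example.com --to ktra:8000
    ports:
      - "80:80"     # ACME HTTP-01 challenge and HTTP-to-HTTPS redirect
      - "443:443"   # the only port clients should use
    volumes:
      - caddy-data:/data   # persists certificates and ACME account keys
    networks:
      - internal
    depends_on:
      - ktra

networks:
  internal:

volumes:
  caddy-data:
```

Persisting `/data` matters: without it every container restart requests a fresh certificate, which can run into the CA's rate limits.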