feature: custom certificates and/or issuers for front-proxy server certificate #24

Open
@embik

Feature Description

Front-proxy servers are the central entrypoint for users of a kcp instance. While #20 adds a server certificate issued by the central server-ca, we should probably make this more configurable. One of the use cases for that would be to use a Let's Encrypt issuer for the front-proxy server certificate.

Proposed Solution

The FrontProxy object should probably gain fields like:

[...]
spec:
  certificate:
    issuerRef: { ... } # a cert-manager (Cluster)Issuer reference
    secretRef: { ... } # a secret ref for a TLS secret. Should be mutually exclusive with the issuerRef

Note that the external-logical-cluster-admin flag for shards will require a CA that works with this certificate (either issued or static). This means that we will likely need another field on the RootShard object that configures a custom CA reference into generation of this kubeconfig.

Alternative Solutions

No response

Want to contribute?

  • I would like to work on this issue.

Additional Context

No response
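The note in the proposal about the kubeconfig needing a CA that works with the custom certificate comes down to a chain and hostname check, sketched here as an added example that is not part of the issue or of the project's code. The function names `newCert` and `verifyFrontProxyCert`, the hostname `kcp.example.com`, and the in-memory test certificates are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed, short-lived test certificate; a nil parent yields a self-signed CA.
func newCert(cn string, dns []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyFrontProxyCert checks serverCert for host against the CA that would go into the kubeconfig.
func verifyFrontProxyCert(serverCert, kubeconfigCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(kubeconfigCA)
	_, err := serverCert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, caKey := newCert("constructed server-ca", nil, nil, nil)
	leaf, _ := newCert("front-proxy", []string{"kcp.example.com"}, ca, caKey)
	fmt.Println("verify against issuing CA:", verifyFrontProxyCert(leaf, ca, "kcp.example.com"))
}
```

A kubeconfig that still carries the old CA after the front-proxy certificate moves to another issuer fails this check with an unknown-authority error, which is the mismatch the extra CA reference field is meant to prevent.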

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
