Hey all! I wonder if you would consider adding a sidecar proxy to the feature list of Autocert.
I was thinking that:
on an annotation (autocert.step.sm/inject: true), the operator could add the sidecar (e.g. envoy) and provide certificates.
The sidecar pod mounts certificates, takes on network and does TLS proxy passthrough
Optionally, the proxy is able to refresh itself when certs are renewed
This is very close to service-mesh I know, but a LOT more simple and could resolve use cases in which the application cannot present certificates or auto-refresh when certificates are renewed.
Both ways (with sidecar/without sidecar) could still work together.
I might be interested to contribute on that if you consider it worth/doable.
Regards,
Hey @etiennejournet, thanks for opening the issue! Discussed this morning with the team so I'll try to do a brain dump of our discussion.
tl;dr We think it's best to implement a sidecar proxy as a separate project. We'd be very willing to add hooks / make modifications to autocert to support such a project.
Autocert is intended to do one thing well - generate cert and place said cert in a pod. If we add even the most simple proxy we'll have to ...
decide on a proxy (nginx, traefik, envoy, etc.), we don't want to get political
(if it becomes popular) increase surface area of proxy configuration as new feature requests come in.
Rather than manage a proxy from within Autocert, we'd much prefer said side-car proxy be a separate project. We'd be happy to expose hooks and configuration in Autocert configuration to make it easy to combine with a sidecar. If you're interested in such a project, we'd be happy to help with spec-ing and any integration questions.