Added tls termination at a pod level for qtodo #149

Merged: mlorenzofr merged 2 commits into validatedpatterns:main from sabre1041:qtodo-tls on Jun 23, 2026

Conversation

@sabre1041

Collaborator

hardened the posture by ensuring TLS to the qtodo app

@mlorenzofr mlorenzofr left a comment

Collaborator

I like it a lot, but I have some doubts about the implementation.

If we're using conditionals for .Values.app.route.termination, then we're considering the possibility of configuring SSL offloading. In that case, we need to avoid hardcoded ports.

If we want to force end-to-end encryption, then we should also remove the references to the previous configuration and add a fail control if the user sets edge as the value for .Values.app.route.termination.

Perhaps it would be good to add a short paragraph in the documentation presenting end-to-end encryption feature. If you'd like, we can merge this implementation you've prepared, and I'll add the documentation in a separate commit.

@sabre1041

Collaborator Author

@mlorenzofr Addressed your concerns (code wise)

@sabre1041

Collaborator Author

For documentation, the following is the type of content that could be added:

The qtodo application uses reencrypt TLS termination on the OpenShift Route, by default, ensuring that traffic is encrypted end-to-end from the client to the pod. Ingress TLS communication is terminated at the OpenShift Router and reencrypted with a certificate generated using the Service Serving Certificate feature.

Options are available within the qtodo Helm chart to dictate how and where TLS communication will be terminated. The app.route.termination specifies how TLS is terminated within the OpenShift Route. A value of reencrypt or passthrough will enable secure communication based upon the value in the app.securePort (8443 by default) property. Otherwise non-HTTPS communication will be enabled as defined by the value in the app.port property (8080 by default).

TLS certificates can alternatively be provided within a secret defined in the app.tls.secret property to terminate TLS traffic at the application level without decrypting communication at the Router (termination type passthrough). When this mode is enabled, it is suggested that app.tls.serviceServing: false should be defined to avoid certificate generation using the Service Serving Certificate feature.
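The termination-dependent port and certificate wiring described above, as an added illustration that is not the chart's own templates: the values keys are those named in this thread, the helper names qtodo.app.tls and qtodo.app.port are assumptions, and the reencrypt route relies on the OpenShift router trusting the service CA when no destinationCACertificate is given.

```yaml
# values.yaml (constructed example; keys follow the names used in the thread)
app:
  port: 8080          # plain HTTP listener, used when the route does no TLS
  securePort: 8443    # TLS listener, used for reencrypt or passthrough
  route:
    termination: reencrypt   # reencrypt | passthrough | "" (plain HTTP)
  tls:
    serviceServing: true     # let OpenShift mint the pod certificate
    secret: ""               # user-supplied TLS secret, mounted by the deployment (not shown)

# templates/_helpers.tpl (assumed helper names)
{{- define "qtodo.app.tls" -}}
{{- if has .Values.app.route.termination (list "reencrypt" "passthrough") }}true{{ end -}}
{{- end }}
{{- define "qtodo.app.port" -}}
{{- if include "qtodo.app.tls" . }}{{ .Values.app.securePort }}{{ else }}{{ .Values.app.port }}{{ end -}}
{{- end }}

# templates/app-service.yaml: port follows the helper, so nothing is hardcoded
apiVersion: v1
kind: Service
metadata:
  name: qtodo
  {{- if and (include "qtodo.app.tls" .) .Values.app.tls.serviceServing }}
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: qtodo-serving-cert
  {{- end }}
spec:
  selector:
    app: qtodo
  ports:
    - name: app
      port: {{ include "qtodo.app.port" . }}
      targetPort: {{ include "qtodo.app.port" . }}

# templates/app-route.yaml: the tls stanza only appears for reencrypt/passthrough
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: qtodo
spec:
  to:
    kind: Service
    name: qtodo
  port:
    targetPort: app
  {{- if include "qtodo.app.tls" . }}
  tls:
    termination: {{ .Values.app.route.termination }}
  {{- end }}
```

With termination set to passthrough the serving-cert annotation is skipped when app.tls.serviceServing is false, matching the recommendation above.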

@mlorenzofr mlorenzofr left a comment

Collaborator

@sabre1041 there's a typo

In the helper qtodo.app.port we use .Values.app.insecurePort. However, we have a couple of references to .Values.app.port. We need to align the names correctly.

Otherwise it works correctly. With these changes I think everything is ready.

Signed-off-by: Andrew Block <andy.block@gmail.com>
@sabre1041

Collaborator Author

@sabre1041 there's a typo

In the helper qtodo.app.port we use .Values.app.insecurePort. However, we have a couple of references to .Values.app.port. We need to align the names correctly.

Otherwise it works correctly. With these changes I think everything is ready.

fixed. thanks for the callout

@mlorenzofr mlorenzofr left a comment

Collaborator

LGTM

Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>
@mlorenzofr mlorenzofr merged commit e73f93c into validatedpatterns:main Jun 23, 2026
3 checks passed