potiuk commented on issue #16010: URL: https://github.com/apache/airflow/issues/16010#issuecomment-846542829
I believe all the deployments in K8S should be done using http (or if istio is enabled they can be additionally protected via mTLS. I think the usual pattern of providing SSL deployment is via external proxy/gateways, especially that they can then provide additional authentication mechanism (Oauth/client certificates etc.) which can be configured outside of Airflow and even provide single authentication/SSL endpoints for multiple services. I think this is common best practice to decouple SSL termination and the service itself. Here is a example of simple nginx-based SSL proxy that you can follow: https://kubernetes.io/blog/2015/07/strong-simple-ssl-for-kubernetes/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
