Investigate usage of TLS for object storage connection(s)

[blancharda]

The gitlab (and other app) configuration(s) currently specify insecure mode, or explicit http connections. Look into adding the domain cert to nutanix Objects and configuring the apps appropriately

[jacobbmay]

2 possible approaches for this.

• Generate and upload certs for Nutanix Objects to use that are signed by a CA that is already trusted or being provided to applications to trust
• Keep using Nutanix Objects generated certs and provide Objects CA to apps so they can trust Objects generated certs

First option requires Objects certs to be managed by something/someone and periodically replaced before they expire. Has potential for the certs to already be trusted if an environment can use certs that are signed by a public CA. Otherwise they could be signed by a private CA that is already being provided to applications.

Second option should enable Objects cert management to be automatic at the expense of the Objects CA needing to be provided to apps that use buckets.

[JoeHCQ1]

Question - could we extend Istio's service mesh to include this? I believe you can include say a random EC2 instance in your service mesh, but I'm not sure that'd be extendable to however Nutanix exposes it's object storage.

[blancharda]

however Nutanix exposes it's object storage

It's not a bad thought, but think you hit the issue on the head.
It miiiight be possible, but I think we would have to figure out how to add the nutanix hosts (and probably some other VMs) in order to accomplish it, which would probably introduce a fair bit of complexity.

[jacobbmay]

Will be resolved as part of #133 currently in progress

[blancharda]

Resolved with the introduction of trust-manager.
Velero is still outsanding, but is tracked in #144