
Add ability to override issuer #143

Closed
vavsab opened this issue Dec 7, 2023 · 6 comments

Comments

@vavsab
Contributor

vavsab commented Dec 7, 2023

Hi.
Please read the idea. If you agree with it, I will make a PR.

I need the ability to override the issuer so that it is not the same as the client domain that we are sending requests to.

My use case

I'm using Cloudflare tunnel to publish Zitadel to the public Internet. It does not support gRPC today. I'm using kubectl port-forwarding to access Zitadel directly to configure it. So now I have the need to send queries to http://localhost:<some_port>. I replace the Host header in the Kubernetes network pipeline (I'm using Istio for this) so Zitadel thinks that I'm sending requests to the correct domain. But I have the problem that in this provider I cannot set the issuer to be different from the address.

Solution

Add one more option, issuer, to the provider. If it is set, it will override the default logic here.

Workaround

Today I'm using a local proxy server, a hosts file override, and a self-signed TLS certificate to fake the public domain. It works, but it eats one minute on every Terraform run to configure, which is pretty long when we run it 50 times per day.
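The "default logic" the request refers to is an issuer check: an OIDC client derives the issuer it trusts from the address it dials and rejects a discovery document whose `issuer` value differs (OpenID Connect Discovery 1.0, section 4.3 requires the two to be identical). With a Host header rewrite, Zitadel answers as the public domain while the client is dialling localhost, so the derived issuer and the advertised issuer can never match. The model below, an added example and not code from the Zitadel Terraform provider or from the issue author, walks through the port-forward case, the in-cluster case raised later in the thread, and an explicit issuer override. `Endpoint`, `FakeZitadel`, `discover`, `outcome` and all hostnames are constructed for illustration; the fake server's behaviour (serve only the instance whose external domain matches the Host header, always advertise that domain as issuer) is an assumption standing in for a real deployment.

```python
"""Issuer-check model for the "dial one address, trust another issuer" problem.

Added example, not code from the Zitadel Terraform provider or the issue author.
The Endpoint/FakeZitadel types, the discovery document and the hostnames are
constructed for illustration; the check itself follows OpenID Connect
Discovery 1.0, section 4.3 (the issuer in the discovery document must equal
the issuer the client used to obtain it).
"""
from dataclasses import dataclass
from typing import Optional


class IssuerMismatch(Exception):
    def __init__(self, expected: str, got: str) -> None:
        super().__init__(f"issuer mismatch: expected {expected!r}, got {got!r}")
        self.expected, self.got = expected, got


@dataclass(frozen=True)
class Endpoint:
    """Where the client actually sends requests, plus the Host header the path
    to the server presents (rewritten by Istio in the issue's setup)."""
    scheme: str
    host: str
    port: int
    host_header: Optional[str] = None  # None: the Host header is the dialled host

    @property
    def base_url(self) -> str:
        """The issuer a client derives from the dialled address (the default logic)."""
        default = 443 if self.scheme == "https" else 80
        netloc = self.host if self.port == default else f"{self.host}:{self.port}"
        return f"{self.scheme}://{netloc}"

    @property
    def effective_host(self) -> str:
        return self.host_header or self.host


class FakeZitadel:
    """Constructed stand-in for the server (assumption, not Zitadel's code):
    it serves only the instance whose external domain matches the Host header,
    and advertises that public domain as issuer whatever address the request
    arrived on."""

    def __init__(self, external_domain: str, external_secure: bool = True) -> None:
        self.external_domain = external_domain
        scheme = "https" if external_secure else "http"
        self.issuer = f"{scheme}://{external_domain}"

    def discovery_document(self, ep: Endpoint) -> dict:
        if ep.effective_host != self.external_domain:
            raise LookupError(f"no instance for Host {ep.effective_host!r}")
        return {
            "issuer": self.issuer,
            "authorization_endpoint": f"{self.issuer}/oauth/v2/authorize",
            "token_endpoint": f"{self.issuer}/oauth/v2/token",
            "jwks_uri": f"{self.issuer}/oauth/v2/keys",
        }


def discover(server: FakeZitadel, ep: Endpoint, issuer: Optional[str] = None) -> dict:
    """Client side. `issuer` models the proposed provider option: unset, the
    expected issuer is derived from the dialled address; set, it replaces that
    derivation. The comparison stays an exact string match: choosing which
    issuer to trust is not the same as disabling the check."""
    expected = issuer if issuer is not None else ep.base_url
    doc = server.discovery_document(ep)
    if doc["issuer"] != expected:
        raise IssuerMismatch(expected, doc["issuer"])
    return doc


def outcome(server: FakeZitadel, ep: Endpoint, issuer: Optional[str] = None) -> str:
    """Summarise one scenario as a short string."""
    try:
        discover(server, ep, issuer)
        return "ok"
    except IssuerMismatch as e:
        return f"issuer-mismatch:{e.got}"
    except LookupError:
        return "instance-not-found"


if __name__ == "__main__":
    zitadel = FakeZitadel("auth.example.com")
    public = Endpoint("https", "auth.example.com", 443)
    forwarded = Endpoint("http", "localhost", 8080, host_header="auth.example.com")
    in_cluster = Endpoint("http", "zitadel.zitadel.svc.cluster.local", 8080,
                          host_header="auth.example.com")
    print("public ingress, default issuer:   ", outcome(zitadel, public))
    print("port-forward, default issuer:     ", outcome(zitadel, forwarded))
    print("port-forward, issuer override:    ", outcome(zitadel, forwarded, "https://auth.example.com"))
    print("in-cluster service, issuer override:", outcome(zitadel, in_cluster, "https://auth.example.com"))
    print("port-forward, no Host rewrite:    ", outcome(zitadel, Endpoint("http", "localhost", 8080)))
    print("override to a wrong issuer:       ", outcome(zitadel, forwarded, "https://evil.example.net"))
```

Two points worth keeping in mind if such an option is added: the override should be compared exactly, as above, rather than turning the check off, because the issuer comparison is what stops a proxy or tunnel on the path from substituting a different identity provider; and the discovery document keeps pointing at the public domain for the token endpoint and JWKS, so a client that dials localhost must keep sending requests to the dialled address while trusting the public issuer string, which is exactly the split the issue asks for.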

@hifabienne
Member

@livio-a @muhlemmer What do you think about this?

@hifabienne hifabienne moved this to 🧐 Investigating in Product Management Dec 11, 2023
@muhlemmer

The deployment sounds hackish, and so does the proposed fix. If using Cloudflare, why not use the regular HTTP proxy instead?

@vavsab
Contributor Author

vavsab commented Jan 5, 2024

Do you suggest switching away from Cloudflare altogether?

@muhlemmer

No, I'm suggesting using a regular reverse proxy product instead of a tunnel.

@vavsab
Contributor Author

vavsab commented Jan 5, 2024

For me that means exactly switching from Cloudflare to something else (e.g., nginx).
OK, I will stay with my workaround until Cloudflare adds support for gRPC.

@vavsab vavsab closed this as completed Jan 5, 2024
@github-project-automation github-project-automation bot moved this from 🧐 Investigating to ✅ Done in Product Management Jan 5, 2024
@kervel

kervel commented Mar 27, 2024

I think there are actually valid use cases for this feature. I want to use the Zitadel Helm chart, and then provision Zitadel with Terraform.

I would like to route the traffic going between the Zitadel Terraform container and the Zitadel server internally, using the Kubernetes Service, and not over the public ingress, for several reasons: in some environments it's simply not possible, or the ingress is not in a working state yet for some reason (or doesn't exist at all, because we use a LoadBalancer Service).
