Currently, there are 2 important unencrypted vectors in a Connections / Component Pack deployment.
a) Customizer traffic from NGINX to the Kubernetes nodes (30301/tcp) / Loadbalancer
b) All Component Pack traffic which is routed via IHS to the Kubernetes Loadbalancer
The connections for b) are sent through Ingress, which could be extended for encryption, but for the customizer (mw-proxy), I only see a running node web server which seems to be configured for unencrypted traffic.
The ingress definition in use is already prepared for SSL (the Service for 32443 is in place); just the ingress rules need adjustments.
The main issue is the ProxyPass from IHS because as far as I know, there is no way to use self-signed certificates (which are used in Ingress at the moment) for ProxyPass rules. Hostname validation seems hard-coded active in IHS.
Currently, clients connect to mw-proxy (customizer) using NodePort, and it is set to listen on 'http' only. The customizer service code would need to be updated to accept HTTPS requests. The other issue is appregistry-service, which is HTTP only as well.
The other services in Component Pack whose requests/responses are sent through Ingress are a mix of HTTP and HTTPS.
Other configuration, such as the process of exchanging SSL certificates between IHS, NGINX/HAProxy and Kubernetes, needs to be documented. This will allow us to enable HTTPS for the NodePort service (mw-proxy) using a self-signed certificate (for example).