bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enable HTTPS by default in development environment

Browse Source 
This commit enables HTTPS in the development environment using self-signed
certificates to further improve dev-prod parity and catch SSL-related issues
early.

Changes made:

1. Created self-signed certificate for localhost
   - File: infrastructure/kubernetes/overlays/dev/dev-certificate.yaml
   - Type: Self-signed via cert-manager
   - Validity: 90 days (auto-renewed)
   - Valid for: localhost, bakery-ia.local, *.bakery-ia.local, 127.0.0.1
   - Issuer: selfsigned-issuer ClusterIssuer

2. Updated dev ingress to enable HTTPS
   - File: infrastructure/kubernetes/overlays/dev/dev-ingress.yaml
   - Enabled SSL redirect: ssl-redirect: false → true
   - Added TLS configuration with certificate
   - Updated CORS origins to prefer HTTPS (HTTPS URLs first, HTTP fallback)
   - Access: https://localhost (instead of http://localhost)

3. Added cert-manager resources to dev overlay
   - File: infrastructure/kubernetes/overlays/dev/kustomization.yaml
   - Added dev-certificate.yaml
   - Added selfsigned-issuer ClusterIssuer

4. Created comprehensive HTTPS setup guide
   - File: docs/DEV-HTTPS-SETUP.md
   - Includes certificate trust instructions for macOS, Linux, Windows
   - Testing procedures with curl and browsers
   - Troubleshooting guide
   - FAQ section

5. Updated dev-prod parity documentation
   - File: docs/DEV-PROD-PARITY-CHANGES.md
   - Added HTTPS as 4th improvement
   - Updated "What Stays Different" table (SSL/TLS → Certificates)
   - Added HTTPS benefits section

Benefits:
✓ Matches production HTTPS-only behavior
✓ Tests SSL/TLS configurations in development
✓ Catches mixed content warnings early
✓ Tests secure cookie handling (Secure, SameSite attributes)
✓ Validates cert-manager integration
✓ Tests certificate auto-renewal
✓ Better security testing capabilities

Impact:
- Browser will show certificate warning (self-signed)
- Users can trust certificate or click "Proceed"
- No additional resource usage
- Access via https://localhost (was http://localhost)

Certificate details:
- Type: Self-signed
- Algorithm: RSA 2048-bit
- Validity: 90 days
- Auto-renewal: 15 days before expiration
- Common Name: localhost
- DNS Names: localhost, bakery-ia.local, *.bakery-ia.local
- IP Addresses: 127.0.0.1, ::1

Setup required:
- Optional: Trust certificate in system/browser (see DEV-HTTPS-SETUP.md)
- Required: cert-manager must be installed in cluster
- Access at: https://localhost

What stays different from production:
- Certificate type: Self-signed (dev) vs Let's Encrypt (prod)
- Trust: Manual (dev) vs Automatic (prod)
- Domain: localhost (dev) vs real domain (prod)

This completes the dev-prod parity improvements, bringing development
environment much closer to production with:
1. 2 replicas for critical services ✓
2. Rate limiting enabled ✓
3. Specific CORS origins ✓
4. HTTPS enabled ✓

See docs/DEV-HTTPS-SETUP.md for complete setup and testing instructions.
This commit is contained in:
Claude
2026-01-02 19:25:45 +00:00
parent efa8984dad
commit 2ee4aa51e4
5 changed files with 464 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
docs/DEV-PROD-PARITY-CHANGES.md
View File

@@ -79,6 +79,57 @@ nginx.ingress.kubernetes.io/cors-allow-origin: "http://localhost,http://localhos
---
### 4. **Enabled HTTPS with Self-Signed Certificates**
**Files**:
- `infrastructure/kubernetes/overlays/dev/dev-ingress.yaml`
- `infrastructure/kubernetes/overlays/dev/dev-certificate.yaml`
- `infrastructure/kubernetes/overlays/dev/kustomization.yaml`
Changed:
```yaml
# Ingress
nginx.ingress.kubernetes.io/ssl-redirect: "false" → "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "false" → "true"
# Added TLS configuration
tls:
- hosts:
- localhost
- bakery-ia.local
secretName: bakery-dev-tls-cert
# Updated CORS to prefer HTTPS
cors-allow-origin: "https://localhost,https://localhost:3000,..." (HTTPS first)
```
**Why**:
- Matches production HTTPS-only behavior
- Tests SSL/TLS configurations in development
- Catches mixed content warnings early
- Tests secure cookie handling
- Validates certificate management
**Benefits**:
- SSL-related issues caught in development
- Tests cert-manager integration
- Secure cookie testing
- Mixed content detection
- Better security testing
**Certificate Details**:
- Type: Self-signed (via cert-manager)
- Validity: 90 days (auto-renewed)
- Common Name: localhost
- Also valid for: bakery-ia.local, *.bakery-ia.local
- Issuer: selfsigned-issuer
**Setup Required**:
- Trust certificate in browser/system (optional but recommended)
- See `docs/DEV-HTTPS-SETUP.md` for full instructions
---
## Resource Impact
### Before Option 1
@@ -107,7 +158,7 @@ These settings intentionally remain different from production:
| DEBUG | true | false | Need verbose debugging |
| LOG_LEVEL | DEBUG | INFO | Need detailed logs |
| PROFILING_ENABLED | true | false | Performance analysis |
| SSL/TLS | HTTP | HTTPS | Simpler local dev |
| Certificates | Self-signed | Let's Encrypt | Local CA for dev |
| Image Pull Policy | Never | Always | Faster iteration |
| Most replicas | 1 | 2-3 | Resource efficiency |
| Monitoring | Disabled | Enabled | Save resources |
@@ -132,6 +183,13 @@ These settings intentionally remain different from production:
- Middleware tested
- High limits prevent friction
### ✅ HTTPS/SSL Testing
- Matches production HTTPS-only behavior
- Tests certificate management
- Catches mixed content warnings
- Validates secure cookie handling
- Tests TLS configurations
### ✅ Resource Efficiency
- Only +30% resource usage
- Maximum benefit for minimal cost