Description
Feature Area
What feature would you like to see?
When pod-to-pod TLS (added in #12082) is enabled on a KFP instance deployed in multiuser mode with multiple namespaces, server connection fails because secrets are namespace-scoped resources. The TLS certs are created and stored as Kubernetes secrets.
Possible solutions include mounting the necessary CA on pipeline components via the SDK, or adding the entire CA bundle (custom CA and system CAs) as an environment variable on the driver and launcher pod specs.
What is the use case or pain point?
Deploying KFP in multiuser mode with multiple namespaces, with TLS enabled.
Is there a workaround currently?
It’s important to note that the cert-manager solution for syncing secrets across namespaces in the following article is not applicable to this issue because the goal is to not depend on cert-manager.
https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces/
Love this idea? Give it a 👍.