Enable TLS termination for Livepatch

Bug #2028166 reported by Márton Kiss
Affects: Canonical Livepatch On-Prem
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

Please add an optional TLS termination feature for the Livepatch server. This way the TLS termination could be configured in the livepatch server (similar to snap-store-proxy: https://docs.ubuntu.com/snap-store-proxy/en/https), and the additional haproxy component can be skipped from the bundle, so that no plain HTTP traffic flows between the haproxy and the canonical-livepatch-server process.

Kian Parvin (kian-parvin) wrote (last edit):

Hi, thanks for the suggestion; we'll add it to our backlog. Just to clarify: are you looking to completely eliminate haproxy from your deployment, or simply to turn haproxy into a more transparent proxy that doesn't handle the TLS termination?

Also, is there any specific timeline you'd like to see this done?

Márton Kiss (marton-kiss) wrote :

Hi Kian, thank you for your response. We are deploying multiple offline-related services in a single bundle, and already have a passthrough haproxy in our architecture. Deploying a second haproxy for the canonical-livepatch-server (which is the current case) causes a lot of confusion amongst users/deployers and adds extra complexity during the design.

We should skip this second haproxy and terminate TLS in the common ingress haproxy (to have a single haproxy deployed in our environment); however, if we do that, we create a non-secure HTTP traffic flow between this external haproxy and the livepatch-canonical-service process.

How it looks now:

->[ingress haproxy]->[haproxy for livepatch]->[canonical-livepatch-server]
                +--->[snap store proxy]
                +--->[simple streams]
                +--->...other services...

And this is how it would look ideally:

->[ingress haproxy]->[canonical-livepatch-server]
                +--->[snap store proxy]
                +--->[simple streams]
                +--->...other services...

Timeline-wise, I don't know how much work that means from your side; however, it would be good to do it as soon as possible, as we have some major customers in the queue waiting for this offline solution we are building.
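
The "ideal" layout above, with one ingress haproxy that never holds a plaintext copy of the Livepatch traffic, is what a SNI-based TCP passthrough looks like in haproxy. The following configuration is an added example written for this report; it is not part of the Livepatch On-Prem bundle or of the reporter's deployment, and it assumes the requested feature exists, i.e. that canonical-livepatch-server terminates TLS itself on the address given in its backend. The hostnames (livepatch.example.internal and friends), the 10.0.0.x backend addresses and the port numbers are placeholders.

```haproxy
# Example ingress haproxy doing TLS passthrough, routed by SNI (added example;
# hostnames, addresses and ports are assumptions, not values from the report).
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ingress_tls
    bind *:443
    mode tcp
    # Wait (up to 5s) for the ClientHello so req.ssl_sni is available, then
    # only continue for real TLS handshakes; anything else is dropped.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Route on the SNI name only; the TLS session is never decrypted here,
    # so the ingress haproxy holds no certificate key and sees no plaintext.
    use_backend livepatch     if { req.ssl_sni -i livepatch.example.internal }
    use_backend snapstore     if { req.ssl_sni -i snapstore.example.internal }
    use_backend simplestreams if { req.ssl_sni -i streams.example.internal }
    default_backend deny

# canonical-livepatch-server terminates TLS itself (the feature requested in
# this bug), so the hop from the ingress haproxy to it stays encrypted.
backend livepatch
    mode tcp
    server livepatch1 10.0.0.11:443 check

backend snapstore
    mode tcp
    server snapstore1 10.0.0.12:443 check

backend simplestreams
    mode tcp
    server streams1 10.0.0.13:443 check

# Unknown SNI names (or no SNI at all) are rejected rather than forwarded
# to some default service.
backend deny
    mode tcp
    tcp-request content reject
```

Two caveats a deployer should keep in mind with this layout: in `mode tcp` haproxy cannot inspect or rewrite HTTP (no path-based routing, no `X-Forwarded-For`, no HTTP-level health checks), and the `check` on each server only confirms the TCP port accepts connections, not that the TLS certificate behind it is valid; clients verify that end to end because the handshake is with the backend, not with the proxy.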
