HPCC-34819 Document SSL/TLS setup for Containerized ESPs

[g-pan]

Please review content carefully - Copilot was used extensively in writing this material
Examples are prone to hallucinations
@asselitx I believe that you maybe most familiar with this content to review,
please add any another reviewer as necessary.
Thank you.

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

see: https://github.com/g-pan/github-action-dev-build/actions/runs/17959821424

[Copilot]

Pull Request Overview

This PR adds comprehensive documentation for SSL/TLS setup in containerized ESP deployments, addressing the gap between bare-metal and Kubernetes-based HPCC Platform installations. The documentation covers multiple SSL/TLS implementation approaches and provides practical configuration examples.

Key changes:

• Consolidates SSL/TLS certificate ownership and permissions documentation in the bare-metal installation guide
• Adds extensive SSL/TLS configuration section for containerized ESP deployments
• Documents ingress controller SSL termination, pod-level SSL, and cert-manager integration approaches

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
ssl-esp.xml	Consolidates certificate ownership documentation and adds section on converting HTTP to HTTPS service bindings
ConfigureValues.xml	Adds comprehensive SSL/TLS configuration documentation for containerized ESP deployments with examples and troubleshooting

[Copilot]

The ingress class annotation kubernetes.io/ingress.class is deprecated. Use spec.ingressClassName field instead or the newer annotation kubernetes.io/ingress.class should be replaced with ingressClassName: nginx in the spec section.

[Copilot]

The configuration references the same secret esp-tls-secret in both certificateSecretName and the volume definition, which creates redundancy. Consider documenting whether both are needed or if one approach is preferred over the other to avoid confusion.

[Copilot]

The command uses HTML entity encoding for angle brackets (< and >) which may not render correctly in all documentation formats. Consider using backticks or code formatting instead: kubectl describe secret <secret-name>.

Suggested change

	<para>Verify the certificate secret exists in the correct namespace and contains both 'tls.crt' and 'tls.key' keys. Use <command>kubectl describe secret &lt;secret-name&gt;</command> to inspect.</para>
	<para>Verify the certificate secret exists in the correct namespace and contains both 'tls.crt' and 'tls.key' keys. Use <command>kubectl describe secret <replaceable>secret-name</replaceable></command> to inspect.</para>

[github-actions]

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-34819

Jirabot Action Result:
Workflow Transition To: Merge Pending
Updated PR

[kenrowland]

I cannot confirm the correctness, However, is there a scenario where the certificates are store in a vault? I ask because the platform supports retrieving secrets both from Kubernetes and from a vault. If certs can be store in a vault, that should be covered here. If not, it should be stated that only certs retrieved as a Kubernetes secret is supported.

[JamesDeFabia]

Looks ok from my POV, but needs approval by a SME

[asselitx]

I cannot confirm the correctness, However, is there a scenario where the certificates are store in a vault? I ask because the platform supports retrieving secrets both from Kubernetes and from a vault. If certs can be store in a vault, that should be covered here. If not, it should be stated that only certs retrieved as a Kubernetes secret is supported.

Yes I think that's true. I'll confirm and add information if so.

[ghalliday]

@g-pan this will need rebasing.