
Offer TLS support by adding a Hitch sidecar #5

Open · ThijsFeryn opened this issue Jun 19, 2024 · 2 comments
Labels: enhancement (New feature or request)

ThijsFeryn commented Jun 19, 2024

Please provide TLS support by adding an extra sidecar in the pod for Hitch.

  • Hitch has an official Docker image and can easily be pulled in
  • The container can expose itself over port 8443 and the service can expose that over 443
  • The --backend parameter can be used to connect to Varnish, possibly over UDS instead of TCP
  • The --frontend parameter can be used to listen on port 8443 and to set the location of the TLS certificate
  • The --write-proxy-v2 flag can be enabled to communicate with Varnish using the PROXY protocol. This only works if there's an interface on Varnish that listens to PROXY traffic
  • The --alpn-protos option can be used to offer HTTP/2 support

Please also make sure the way to enable TLS matches the syntax of the Varnish Enterprise Helm Chart. This means providing the following Helm config overrides:

Thanks for considering.
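The sidecar wiring the bullets above describe, written out as an added example that is not part of the issue or of the helm-varnish-cache chart: a plain Pod with a Varnish container and a Hitch container sharing a Unix domain socket, plus a Service that maps 443 to Hitch's 8443. Image tags, the Secret name `varnish-tls`, the origin Service name `origin`, the socket path, and the UDS form of `--backend` (the issue says "possibly over UDS") are assumptions.

```yaml
# Added example, not from the issue or the helm-varnish-cache chart.
# Assumptions: image tags, Secret name "varnish-tls", the origin Service
# "origin", the socket path, and that this Hitch build accepts a UDS path
# in --backend (the issue only says "possibly over UDS").
apiVersion: v1
kind: Pod
metadata:
  name: varnish-with-hitch
  labels:
    app: varnish-with-hitch
spec:
  volumes:
    - name: varnish-sock          # Unix domain socket shared by the two containers
      emptyDir: {}
    - name: tls-secret            # standard kubernetes.io/tls Secret: tls.crt + tls.key
      secret:
        secretName: varnish-tls
    - name: hitch-pem             # in-memory, pod-private home for the merged PEM
      emptyDir:
        medium: Memory
  initContainers:
    # Hitch takes ONE PEM file holding private key and certificate chain,
    # while a kubernetes.io/tls Secret splits them; merge them before start.
    - name: build-pem
      image: busybox:1.36
      command: ["sh", "-c", "cat /tls/tls.key /tls/tls.crt > /pem/hitch.pem"]
      volumeMounts:
        - { name: tls-secret, mountPath: /tls, readOnly: true }
        - { name: hitch-pem, mountPath: /pem }
  containers:
    - name: varnish
      image: varnish:7.5
      command:
        - varnishd
        - "-F"                                  # stay in the foreground
        - "-a"                                  # PROXY listener, reachable only inside the pod
        - "/var/run/varnish/varnish.sock,PROXY,mode=666"
        - "-a"                                  # plain HTTP for in-cluster callers
        - "http=:6081,HTTP"
        - "-p"                                  # needed so the ALPN "h2" Hitch offers is honoured
        - "feature=+http2"
        - "-b"                                  # origin to cache (assumed Service name)
        - "origin:80"
        - "-s"
        - "malloc,128m"
      ports:
        - { name: http, containerPort: 6081 }
      volumeMounts:
        - { name: varnish-sock, mountPath: /var/run/varnish }
    - name: hitch
      image: hitch/hitch:1.8
      args:
        - "--frontend=[*]:8443"                 # TLS entry point of the pod
        - "--backend=/var/run/varnish/varnish.sock"
        - "--write-proxy-v2"                    # hand the client address to Varnish via PROXY v2
        - "--alpn-protos=h2,http/1.1"           # advertise HTTP/2 first
        - "/pem/hitch.pem"
      ports:
        - { name: https, containerPort: 8443 }
      volumeMounts:
        - { name: varnish-sock, mountPath: /var/run/varnish }
        - { name: hitch-pem, mountPath: /pem, readOnly: true }
---
apiVersion: v1
kind: Service
metadata:
  name: varnish-tls
spec:
  selector:
    app: varnish-with-hitch
  ports:
    - name: https
      port: 443          # what the cluster sees
      targetPort: 8443   # the Hitch container port
```

Two points worth checking in any variant of this. Varnish trusts whatever client address arrives in a PROXY header, so the PROXY listener must be reachable only by Hitch; a socket in a pod-private emptyDir gives that for free, whereas a TCP PROXY listener needs a NetworkPolicy or loopback binding to get the same guarantee. And `--alpn-protos=h2,http/1.1` only yields HTTP/2 end to end when Varnish itself runs with `feature=+http2`; otherwise Hitch negotiates h2 with the client and Varnish rejects the framed requests.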

sirn (Collaborator) commented Jun 19, 2024

This is sorta supported right now with extraContainers, but we're definitely looking into adding native support for it. The bit about certificates needs some thinking, though.

PROXY protocol is already supported via extraListens (also mentioned in the docs: https://github.com/varnish/helm-varnish-cache/tree/main/varnish-cache#extra-listens-and-extra-services).

Due to hitch being quite different from the in-core TLS offering, I'm still not sure if we should match the settings one-to-one, and opt for our standard configuration style for sidecar (server.<component>.*) instead. This way we can backport Hitch support to Enterprise as well.

No ETA on this, but it's planned.

sirn added the enhancement label Jul 30, 2024

sirn (Collaborator) commented Jul 30, 2024

Planned for 1.2.0

sirn modified the milestones: v1.1.0, v1.2.0 Jul 30, 2024