
Controller router charts #16

Merged
merged 74 commits into from
Feb 23, 2023

Conversation

qrkourier
Member

Adopt and adapt Helm charts for controller, router, console from controller-router-charts by @marvkis

@marvkis
Contributor

marvkis commented Jan 28, 2023

Hi @qrkourier, thanks for the comprehensive review & rework - You made the nomenclature / wording more clear for me!

@qrkourier
Member Author

@marvkis Ziti is so flexible with how its PKI can be configured. I'm leaning toward a default configuration with one root of trust like this:

  • selfsigned issuer
    • default root CA
      • default intermediate CA: edge signer
        • default server cert: default identity

Even then, we can leave the additional CA resources in place in case they want discrete PKI (separate root of trust) for the edge signer or XWeb identity or both. I still plan to add template conditional for .identity.alt_server_certs in case they want to supply a Let's Encrypt server cert, but that gets a little complicated because its DNS SAN must be distinct from the edge's advertised address so the controller can present the right server cert selected by SNI.

I removed the StatefulSet resource because it appears superfluous until we implement controller HA. Did you see a particular need for it in the meantime?
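
The hierarchy sketched above, and the SNI caveat that goes with it, as an added example that is not part of this PR or of OpenZiti's own code. It builds the chain with Go's crypto/x509 (self-signed default root, an "edge signer" intermediate, a server cert for the default identity), adds a second self-signed root standing in for Let's Encrypt, and implements the selection rule a server would need: exactly one candidate certificate may carry the SNI name. The names ziti-controller.ziti.svc and ctrl.example.com, the "acme root", and every function here are illustrative assumptions, not chart or controller behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CA struct { // one signer in the hierarchy: a self-signed root or an intermediate
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// template fills the fields shared by every certificate; dns are the SANs of a server cert.
func template(cn string, dns ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // fine for a demo, not for production
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue generates a fresh P-256 key and a certificate for it from tmpl; a nil parent self-signs (a root).
func issue(tmpl *x509.Certificate, parent *CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA creates a CA under parent; parent == nil yields a self-signed root of trust.
func NewCA(name string, parent *CA) *CA {
	tmpl := template(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	cert, key := issue(tmpl, parent)
	return &CA{Cert: cert, Key: key}
}

// IssueServer issues a server certificate carrying the given DNS SANs (its key is dropped here).
func (ca *CA) IssueServer(dnsNames ...string) *x509.Certificate {
	cert, _ := issue(template(dnsNames[0], dnsNames...), ca)
	return cert
}

// SelectBySNI returns the one candidate whose DNS SANs cover serverName; 0 or 2+ matches are errors.
func SelectBySNI(candidates []*x509.Certificate, serverName string) (*x509.Certificate, error) {
	var matches []*x509.Certificate
	for _, c := range candidates {
		if c.VerifyHostname(serverName) == nil {
			matches = append(matches, c)
		}
	}
	if len(matches) != 1 {
		return nil, fmt.Errorf("SNI %q matches %d certificates, need exactly one", serverName, len(matches))
	}
	return matches[0], nil
}

// VerifyChain checks that leaf chains to root, through intermediate if non-nil, and is valid for dnsName.
func VerifyChain(leaf, intermediate, root *x509.Certificate, dnsName string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: dnsName}
	opts.Roots.AddCert(root)
	if intermediate != nil {
		opts.Intermediates.AddCert(intermediate)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	root := NewCA("default root CA", nil)
	edge := NewCA("default intermediate CA: edge signer", root)
	acme := NewCA("acme root, a separate root of trust standing in for Let's Encrypt", nil)
	identity, public := edge.IssueServer("ziti-controller.ziti.svc"), acme.IssueServer("ctrl.example.com")
	fmt.Println("identity chains to default root:", VerifyChain(identity, edge.Cert, root.Cert, "ziti-controller.ziti.svc"))
	chosen, err := SelectBySNI([]*x509.Certificate{identity, public}, "ctrl.example.com")
	fmt.Println("SNI ctrl.example.com selects:", chosen.Subject.CommonName, err)
	_, err = SelectBySNI([]*x509.Certificate{edge.IssueServer("ctrl.example.com"), public}, "ctrl.example.com")
	fmt.Println("advertised address reusing the public name:", err) // SNI can no longer choose
}
```

The last call in main is the caveat from the comment above: once the edge signer issues a cert for the same name the Let's Encrypt cert carries, a client's SNI no longer identifies which cert to present, so the advertised address and the public DNS SAN have to differ. SelectBySNI is written as a plain function over parsed certificates; in a real server the same check sits behind tls.Config.GetCertificate.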

@marvkis
Contributor

marvkis commented Jan 28, 2023

@qrkourier I reproduced the CA structure from the quickstart guide. I also had the idea to strip it down for a minimal deployment. I was just happy it was working ;)

AFAIK I had one point: I tried to use ECDSA key types almost everywhere. But at one point I had to change it to RSA, as the tunneler on OSX refused to enroll with ECDSA... Didn't dig into it, but there might be a comment at the certificate request.

The idea for alt_server_certs is really cool. Currently, when we deploy a controller and a router in a cluster, the router enrolls by communicating via the external name. When there is a way to specify an alternate server name (i.e. during creation of the JWT), we could make the entire communication 'internal'. Same story for an edge tunneler deployed within the cluster.
Regarding the SNI: would it be easier to allow opening multiple 'port bindings' offering APIs using different certs? Like having a client API exposed on port 443 using the Let's Encrypt cert, and an internal client API on 1280 using a private cert?

The StatefulSet was just for future HA usage, drop it!

@qrkourier qrkourier marked this pull request as ready for review February 23, 2023 16:45
@qrkourier qrkourier changed the title work in progress: Controller router charts Controller router charts Feb 23, 2023
@qrkourier qrkourier merged commit d946d51 into main Feb 23, 2023
@qrkourier qrkourier deleted the controller-router-charts branch February 23, 2023 16:45