Document TLS caveats

mangelajo · NickCao · commit b6a0960c6225 · 2025-05-09T12:58:14.000-04:00
(cherry picked from commit 5e6c2f0)
diff --git a/docs/source/getting-started/configuration/authentication.md b/docs/source/getting-started/configuration/authentication.md
@@ -46,13 +46,14 @@ Note, the HTTPS URL is mandatory, and you only need to include certificateAuthor
    prefix usernames with `keycloak:` as configured in the claim mappings:
 
 ```shell
-$ jmp admin create client test-client --oidc-username keycloak:developer-1
+$ jmp admin create client test-client --insecure-tls-config --oidc-username keycloak:developer-1
 ```
 
 4. Instruct users to log in with:
 
 ```shell
 $ jmp login --client <client alias> \
+    --insecure-tls-config \
     --endpoint <jumpstarter controller endpoint> \
     --namespace <namespace> --name <client name> \
     --issuer https://<keycloak domain>/realms/<realm name>
@@ -62,6 +63,7 @@ For non-interactive login, add username and password:
 
 ```shell
 $ jmp login --client <client alias> [other parameters] \
+    --insecure-tls-config \
     --username <username> \
     --password <password>
 ```
@@ -76,6 +78,7 @@ For exporters, use similar login command but with the `--exporter` flag:
 
 ```shell
 $ jmp login --exporter <exporter alias> \
+    --insecure-tls-config \
     --endpoint <jumpstarter controller endpoint> \
     --namespace <namespace> --name <exporter name> \
     --issuer https://<keycloak domain>/realms/<realm name>
@@ -188,6 +191,7 @@ jwt:
 
 ```shell
 $ jmp admin create exporter test-exporter \
+    --insecure-tls-config \
     --oidc-username dex:system:serviceaccount:default:test-service-account
 ```
 
@@ -197,6 +201,7 @@ For clients:
 
 ```shell
 $ jmp login --client <client alias> \
+    --insecure-tls-config \
     --endpoint <jumpstarter controller endpoint> \
     --namespace <namespace> --name <client name> \
     --issuer https://dex.dex.svc.cluster.local:5556 \
@@ -208,6 +213,7 @@ For exporters:
 
 ```shell
 $ jmp login --exporter <exporter alias> \
+    --insecure-tls-config \
     --endpoint <jumpstarter controller endpoint> \
     --namespace <namespace> --name <exporter name> \
     --issuer https://dex.dex.svc.cluster.local:5556 \
diff --git a/docs/source/getting-started/usage/setup-distributed-mode.md b/docs/source/getting-started/usage/setup-distributed-mode.md
@@ -3,6 +3,16 @@
 This guide walks you through the process of creating an exporter using the
 controller service, configuring drivers, and running the exporter.
 
+```{warning}
+The jumpstarter-controller endpoints are secured by TLS. However, in release 0.6.x,
+the certificates are self-signed and rotated on every restart. This means the client
+will not be able to verify the server certificate. To bypass this, you should use the
+`--insecure-tls-config` flag when creating clients and exporters. This issue will be
+resolved in the next release. See [issue #455](https://github.com/jumpstarter-dev/jumpstarter/issues/455)
+for more details.
+Alternatively, you can configure the ingress/route in reencrypt mode with your own key and certificate.
+```
+
 ## Prerequisites
 
 Install [the following packages](../installation/packages.md) in your Python
@@ -30,7 +40,7 @@ Run this command to create an exporter named `example-distributed` and save the
 configuration locally:
 
 ```shell
-$ jmp admin create exporter example-distributed --save
+$ jmp admin create exporter example-distributed --save --insecure-tls-config
 ```
 
 After creating the exporter, find the new configuration file at
@@ -78,7 +88,7 @@ development purposes, and saves the configuration locally in
 `${HOME}/.config/jumpstarter/clients/`:
 
 ```shell
-$ jmp admin create client hello --save --unsafe
+$ jmp admin create client hello --save --unsafe --insecure-tls-config
 ```
 
 ### Spawn an Exporter Shell
