Skip to content

Add support for opt-in TLS #397

Description

@CGodiksen

Currently client-facing and inter-node communication in unencrypted which is a security risk. Many deployments skip it entirely and rely on the assumption that the network is private (on-premise or a cloud VPC) but many also support opt-in TLS or mTLS for public networks.

Systems like InfluxDB and Apache IoTDB both support opt-in TLS for client-facing communication and mTLS is common for inter-node communication since there are no usability concerns.

ModelarDB should have a similar system where a certificate and key can be provided through environment variables. If they are provided, we use TLS for all communication. It should also be possible to use TLS in the command line client and for the client in the Python Library. A self-signed certificate should be sufficient.

When doing this we should also consider if opt-in mTLS is necessary for inter-node communication. It is not viable for client-facing communication due to usability concerns but this is not a problem for communication between ModelarDB nodes in a cluster. It might be necessary to have client-facing and inter-node communication on different ports in this setup.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions