TLS Support? #605
Reference: Deuxfleurs/garage#605
I understand that the cookbook explains that there aren't any plans to support TLS in garage, but I have a use-case that I think needs TLS support baked into garage to function securely.
I am running a k8s cluster where certain services are backed by MinIO (currently) by referencing the internal DNS address of the service (e.g. minio.minio.svc.cluster.local). MinIO here is using a self-signed TLS cert trusted by the cluster (generated using cert-manager) so that this internal traffic is encrypted. I don't see a simple way (without having to install a full-blown service mesh with mutual TLS) to secure this traffic if garage does not support TLS encryption itself, as my reverse proxy (which does mutual TLS between itself and upstream services) sits as an ingress provider and is skipped internally.
Do you think that this use-case is common enough to warrant at least adding TLS support to garage?
You could bundle a simple nginx/haproxy/apache/(insert your reverse proxy here) sidecar with each garage pod, and have that sidecar perform the TLS termination. Said sidecar would then be exposed at the K8s service level. This would however require a custom helm chart.
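The sidecar approach suggested above, worked through as an added example (this is not code from the thread or from the Garage project). It assumes a `garage` namespace, a cert-manager-issued Secret `garage-tls` whose certificate carries the in-cluster DNS name `garage.garage.svc.cluster.local`, Garage's default S3 API port 3900, and the image tags shown; a real deployment would put the pod spec in a StatefulSet with a PersistentVolumeClaim instead of a bare Pod with `emptyDir`. The security-relevant detail is that Garage's plaintext API must bind to `127.0.0.1` inside the pod, otherwise any workload that learns the pod IP can bypass the sidecar and talk to port 3900 in the clear.

```yaml
# Added example: nginx sidecar terminating TLS in front of Garage's plaintext S3 API.
# Assumptions (not from the thread): namespace "garage", Secret "garage-tls" from
# cert-manager (tls.crt/tls.key), image tags, Garage's default S3 API port 3900.
apiVersion: v1
kind: ConfigMap
metadata:
  name: garage-tls-sidecar
  namespace: garage
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 443 ssl;
        ssl_certificate     /etc/tls/tls.crt;
        ssl_certificate_key /etc/tls/tls.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        # Optional mutual TLS: require client certs signed by the cluster CA.
        # ssl_client_certificate /etc/tls/ca.crt;
        # ssl_verify_client on;

        client_max_body_size 0;        # S3 object uploads can be arbitrarily large
        proxy_request_buffering off;   # stream request bodies instead of spooling to disk
        proxy_http_version 1.1;

        location / {
          # The Host header is part of the SigV4 canonical request and selects the
          # bucket in virtual-hosted style, so it must reach Garage unchanged.
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-Proto https;
          proxy_pass http://127.0.0.1:3900;   # plaintext hop stays inside the pod
        }
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: garage-0
  namespace: garage
  labels:
    app: garage
spec:
  containers:
  - name: garage
    image: dxflrs/garage:v1.0.0        # tag assumed; pin to the release you run
    # The mounted garage.toml (ConfigMap "garage-config", assumed, not shown) must set
    #   [s3_api] api_bind_addr = "127.0.0.1:3900"
    # so the unencrypted API is only reachable from this pod's own network namespace.
    volumeMounts:
    - name: garage-config
      mountPath: /etc/garage.toml
      subPath: garage.toml
    - name: garage-data
      mountPath: /var/lib/garage
  - name: tls-sidecar
    image: nginx:1.27-alpine           # tag assumed
    ports:
    - name: https
      containerPort: 443               # the only port the pod advertises
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
    - name: tls
      mountPath: /etc/tls
      readOnly: true
  volumes:
  - name: nginx-conf
    configMap:
      name: garage-tls-sidecar
  - name: tls
    secret:
      secretName: garage-tls           # cert-manager Certificate for garage.garage.svc.cluster.local
  - name: garage-config
    configMap:
      name: garage-config
  - name: garage-data
    emptyDir: {}                       # illustration only; use a PersistentVolumeClaim
---
apiVersion: v1
kind: Service
metadata:
  name: garage
  namespace: garage
spec:
  selector:
    app: garage
  ports:
  - name: https
    port: 443
    targetPort: https                  # 3900 is deliberately not exposed
```

To check the result, point an S3 client at `https://garage.garage.svc.cluster.local` with the cluster CA in its trust store: a request without credentials should come back as an S3 XML error over TLS, which confirms the sidecar is proxying to Garage. Then, from another pod, try `curl http://<garage-pod-ip>:3900/`; it should fail to connect. If it answers, Garage is still bound to all interfaces and the sidecar can be bypassed. Garage's node-to-node RPC is a separate channel and is not handled by this sidecar.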
There was a discussion on the Matrix channel a while ago: we try to keep Garage as lightweight as possible, so ideally we would avoid implementing TLS directly in Garage, but if someone does it in a way such that it can be disabled at compile time (using a feature flag), we would merge that code.