Question: Do we need to have TLS on Core?

Open Callisto13 opened this issue 3 years ago • 3 comments

While doing https://github.com/weaveworks/weave-gitops/issues/1959, it was pointed out to me that:

we expect --insecure to pretty much always be set for security reasons: you'll have a separate ingress to encrypt the data, so you don't need to worry about how to configure allowed ciphers, special-case certificate renewal, and so on. That doesn't mean anything will be transmitted without encryption.

And I asked:

In that case, why do we offer TLS at all?

To which I got a 🤷.

So... why?

Acceptance Criteria

@JamWils will update with inverting the behavior so "certificates" are not required by default. A modern platform would secure this via load balancers and ingress policies.

Callisto13, Apr 26 '22 15:04

If the answer is "Yes", what should it (flags) look like?

Callisto13, Apr 27 '22 09:04

It feels like the k8s dashboard arguments are probably not a terrible place to look for inspiration.

Looks like they have --insecure-port (default 9090) and --insecure-binding (default 127.0.0.1) and then additionally TLS arguments that can be set (e.g. --tls-cert-file etc.).

Their recommended deployment creates some empty secrets for TLS certs and mounts them, but (as far as I can see) doesn't actually configure the deployment to use them (by default it's accessed via HTTP), though it seems they do some cert generation themselves at boot time?

tl;dr I don't think it's unreasonable to do TLS on core, but I think we should default to HTTP as the dashboard does because, certainly for demo/getting started, that's how people will use it.

SamLR, Apr 27 '22 10:04
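As an added example (not weave-gitops code, nor the dashboard's) of the flag shape SamLR describes: a Go server that defaults to plain HTTP on --insecure-binding/--insecure-port and enables TLS only when --tls-cert-file and --tls-key-file are both supplied. The --tls-key-file and --tls-port names are assumptions, and a half-specified cert/key pair is rejected instead of silently falling back to plaintext.

```go
package main

import (
	"crypto/tls"
	"flag"
	"fmt"
	"log"
	"net/http"
)

// ListenConfig follows the flag shape above: plain HTTP on loopback by default, TLS only with a cert/key pair.
type ListenConfig struct {
	InsecureBinding, TLSCertFile, TLSKeyFile string
	InsecurePort, TLSPort                   int // --tls-port is a hypothetical flag
}

// Mode picks the listener; a half-specified pair is an error so a typo in one flag never degrades silently to plaintext.
func (c ListenConfig) Mode() (scheme, addr string, err error) {
	switch {
	case c.TLSCertFile == "" && c.TLSKeyFile == "":
		return "http", fmt.Sprintf("%s:%d", c.InsecureBinding, c.InsecurePort), nil
	case c.TLSCertFile != "" && c.TLSKeyFile != "":
		return "https", fmt.Sprintf(":%d", c.TLSPort), nil
	default:
		return "", "", fmt.Errorf("--tls-cert-file and --tls-key-file must both be set")
	}
}

func main() {
	var cfg ListenConfig
	flag.StringVar(&cfg.InsecureBinding, "insecure-binding", "127.0.0.1", "bind address for plain HTTP")
	flag.IntVar(&cfg.InsecurePort, "insecure-port", 9090, "port for plain HTTP")
	flag.StringVar(&cfg.TLSCertFile, "tls-cert-file", "", "PEM cert; enables TLS together with --tls-key-file")
	flag.StringVar(&cfg.TLSKeyFile, "tls-key-file", "", "PEM private key")
	flag.IntVar(&cfg.TLSPort, "tls-port", 8443, "port for TLS")
	flag.Parse()

	scheme, addr, err := cfg.Mode()
	if err != nil {
		log.Fatal(err)
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	// MinVersion 1.2 is the one TLS knob worth setting; Go's defaults cover cipher choice.
	srv := &http.Server{Addr: addr, Handler: ok, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	log.Printf("listening on %s://%s", scheme, addr)
	if scheme == "https" {
		log.Fatal(srv.ListenAndServeTLS(cfg.TLSCertFile, cfg.TLSKeyFile))
	}
	log.Fatal(srv.ListenAndServe())
}
```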

I think in most cases we don't need TLS (most likely it will be used behind an nginx/traefik/caddy ingress controller with TLS), but enterprise should be able to handle that, as some of the security compliance regimes have a full end-to-end encryption requirement that includes in-cluster communication too (FIPS, HIPAA), so it's not enough to terminate the TLS connection on a load balancer and call the backend without TLS.

Question:

  • Do we want to provide that functionality in core?
  • Is it something enterprise can implement and maintain, or is it easier to manage it in core?

yitsushi, May 02 '22 13:05

Using internal TLS is there, but not documented; and it is not "on" by default, which is correct. Closing for now.

JamWils, Aug 26 '22 13:08