Use TLS for internal messaging between components #910

Open
3 tasks
hardillb opened this issue Aug 23, 2022 · 4 comments
Labels

  • area:infrastructure: Anything related to the FF platform infrastructure
  • size:M - 3: Sizing estimation point
  • story: A user-oriented description of a feature

Comments

@hardillb
Contributor

Epic

No response

Description

As a: System administrator

I want to: all traffic between internal components to be encrypted

So that: I can meet industry best in class practices

Which customers would this be available to

Other (See comments)

Acceptance Criteria

  • flowforge app has https listener
  • flowforge broker has mqtts listener
  • flowforge launcher has https listener
@hardillb hardillb added the story A user-oriented description of a feature label Aug 23, 2022
@sammachin
Contributor

@hardillb Can you provide some more design detail around what's involved here?

Would this apply to all 3 deployment models (localfs, Docker, k8s)?

Would the installer generate self-signed certs or would there be additional work for the person doing the install to obtain and deploy certs?

Would this be something optional that we do on FF Cloud (and managed enterprise installs) but isn't on all installs?

@hardillb
Contributor Author

This is something that will require some design time; I was not thinking before 1.0, but quickly:

  • This should work everywhere, but first targeted at k8s, with Docker as secondary
  • Yes, this would be optional
  • Which certs are used is TBD; it would probably include a script to generate long-lived self-signed certs for localfs and something like smallstep ca with acme mode enabled for docker/k8s

@hardillb
Contributor Author

This should get pushed back to 1.1.0. It's unlikely I'll get the time to think about it properly in this sprint and it's going to be a large, complex bit of design.

Need to look at things like Service Mesh for K8s

@ZJvandeWeg ZJvandeWeg added this to the 1.3 milestone Dec 22, 2022
@knolleary
Member

With the focus on upgrading the k8s cluster in 1.4, I'm going to put this to the Product backlog rather than keep rolling it from release to release.

@knolleary knolleary added the area:infrastructure Anything related to the FF platform infrastructure label Jan 19, 2023
@knolleary knolleary removed this from the 1.3 milestone Jan 19, 2023
Projects
Status: Unplanned
Development

No branches or pull requests

4 participants