tunnel: Expose tunnel service via TLS #101
865b371 to 943c3ef
In order to support the new CLI and balenaCloud deployment schemes for the tunnel service, the service is now exposed via the TLS port 443 on the `tunnel.{domain}` server name.

Change-type: patch
Signed-off-by: Rich Bayliss <rich@balena.io>
943c3ef to b3d184c
Just for my knowledge, what's the impact of this? I'm asking this because I'm running it in Kubernetes, where I have to add these kinds of changes manually. Thanks in advance!
@bartversluijs, good question - thanks for asking. I had added some more details in some comments in a
Before this PR and the respective changes to balena CLI v12.38.5 and later, the balena CLI's
After this PR and starting with CLI v12.38.5, a new hostname and port number are used:
Port 3129 is not used/exposed externally. I gather it is only used by haproxy (backend server) locally (127.0.0.1) for internal server routing / balancing after TLS decryption. Port 3128 also no longer needs to be exposed externally (it's still used internally).

By the way, to be clear, none of this affects how the VPN link to balenaOS devices used encryption. The VPN link to balenaOS devices has always used encryption and this has not changed. Communication between the backend and the devices has always been encrypted.

The old To avoid disruption when using the CLI's
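For deployments where these changes are applied by hand, the exposure described in the reply above can be checked from a host outside the cluster. This is an added example, not part of the thread or of the open-balena code; the function names are hypothetical, and it assumes the checking host trusts the CA that issued the instance's certificate.

```python
import socket
import ssl

# Assumed policy, taken from the thread: only 443 (TLS, server name
# tunnel.<domain>) is reachable externally; 3128 and 3129 stay internal.
INTERNAL_ONLY_PORTS = (3128, 3129)


def probe_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tls(host, port=443, timeout=3.0):
    """Return the TLS version of a verified handshake with SNI=host, else None."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # also covers ssl.SSLError and certificate failures
        return None


def audit(tls_version, open_ports):
    """Turn probe results into findings; an empty list means no deviation."""
    findings = []
    if tls_version is None:
        findings.append("443: no verified TLS handshake for the tunnel server name")
    for port in INTERNAL_ONLY_PORTS:
        if port in open_ports:
            findings.append(f"{port}: reachable externally, expected internal only")
    return findings


def check_tunnel_exposure(domain):
    host = f"tunnel.{domain}"
    open_ports = {p for p in INTERNAL_ONLY_PORTS if probe_tcp(host, p)}
    return audit(probe_tls(host), open_ports)


if __name__ == "__main__":
    import sys
    print("\n".join(check_tunnel_exposure(sys.argv[1])) or "ok")
```

Run it with the instance's base domain as the only argument; a result of `ok` means 443 answered with a verified TLS handshake and neither internal port accepted a connection.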
Thanks for your detailed explanation!
Connects-to: balena-io/open-balena-vpn/issues/149
Connects-to: balena-io/balena-cli/issues/2042
In order to support the new CLI and balenaCloud deployment schemes for the tunnel service, the service is now exposed via the TLS port 443 on the `tunnel.{domain}` server name.

Change-type: minor
Signed-off-by: Rich Bayliss <rich@balena.io>