Enable TLS for transport encryption #581

@lfrancke

Description

As a user of SDP I want the traffic between OpenPolicyAgent (OPA) and its clients to be encrypted.

Value

We want the SDP platform to be as secure as possible by default and by design, and in addition this will be a requirement of the Cyber Resilience Act.
Therefore, as many transport connections as possible should be encrypted.
This will also lead to fewer explanations and exceptions with customers where we have to explain any unencrypted connection.

Dependencies

This requires the Secret Operator to provide the necessary certificates for OPA itself.

Known issue: CA distribution to clients (Trino, NiFi, etc.) is unsolved. We're not tackling this yet - Step 1 is just OPA itself.

Tasks

  • OPA operator supports TLS (disabled by default to be compatible with the current state, explicit opt-in needed to enable TLS)
  • Document TLS settings and configuration
  • Update/create a test that uses OPA TLS
  • Verification (timebox: 3 days): Create/update integration test demonstrating OPA TLS works with at least one client (Trino or NiFi) - this does not have to be production ready, just something we can base a later decision on.

Acceptance Criteria:

  • OPA serves traffic over TLS
  • TLS can be configured/enabled via CRD
  • Docs explain how it works

Important

Decision point:
After this is done, we'll decide how to continue.
Options I can see right now (there might be others)

  • If CA distribution is straightforward: implement it properly
  • If CA distribution requires hacks/podOverrides: document, works-for-now is fine
  • If it's fundamentally broken (cough Discovery 2.0), decide how to continue and if this is the time to tackle Discovery 2.0 or not.

(Information Security) Risk Assessment

This will strictly make our product more secure and help us with regulations such as the Cyber Resilience Act.

Release Notes

TODO: This needs updating
Traffic between OpenPolicyAgent (OPA) and clients is now encrypted using TLS with the support of our secret-operator.
Clients (our authorizers) verify the authenticity of the server certificates.

Remarks

See the OPA docs on this and read them prior to implementing anything.

Status

In Progress
