
All internal Vespa communication protocols should run over TLS only #7219

Closed
vekterli opened this issue Oct 5, 2018 · 1 comment

vekterli commented Oct 5, 2018

High level goal summary: all communication between internal Vespa processes shall be done exclusively over TLS, with mutual peer certificate verification being mandatory.

This is a tracker issue for the work that is planned, in progress and already completed.

Current completed features:

  • TLS may be enabled for all backend RPC protocols except for indexed search (coming as part of ongoing query dispatch rewrite). This currently in practice requires a distinct CA for the application (and any trusted peers it may communicate with), as no CN/SAN matching is done on the client/server certificates, only that they are signed by the shared CA.
  • It's possible to do a rolling upgrade from an insecure setup to a secure setup by explicitly configuring servers to accept both plaintext and TLS clients in a transition period.

In progress:

  • Certificate verification based on per-node configurable CN/SAN matching.

Once the feature is considered complete we'll update the documentation, tutorials, etc. to help ensure that Vespa is set up with TLS by default when doing things the Recommended Way(tm).

@geirst geirst added this to In Progress in Search and content Oct 10, 2018
@frodelu frodelu added this to the soon milestone Oct 17, 2018
@geirst geirst moved this from In Progress to Soon: Large in Search and content Jan 9, 2019
@vekterli vekterli moved this from Soon: Large to Done in Search and content Aug 30, 2021
@vekterli (Member, Author) commented:

Open source Vespa now officially supports mTLS across all internal services and endpoints. If you use Vespa Cloud this is—and always has been—enabled without any setup required.

See our mTLS blogpost for an introduction and our mTLS reference documentation for setup instructions.
