linkedin/venice

[Feature] Router Allow to configure the TLS certificate and the TLS truststore

Closed this issue · 2 comments

Willingness to contribute

Yes. I can contribute a fix for this bug independently.

Feature Request Proposal

Add TLS configuration on the Router

Motivation

What is the use case for this feature?

In order to configure TLS properly, we need a way in the Router Service to fully configure TLS.

This is required in order to properly configure authentication that is based on TLS client mutual auth.

Details

No response

What component(s) does this bug affect?

  • Controller: This is the control-plane for Venice. Used to create/update/query stores and their metadata.
  • Router: This is the stateless query-routing layer for serving read requests.
  • Server: This is the component that persists all the store data.
  • VenicePushJob: This is the component that pushes derived data from Hadoop to Venice backend.
  • Thin Client: This is a stateless client users use to query Venice Router for reading store data.
  • Fast Client: This is a stateful client users use to query Venice Server for reading store data.
  • Da Vinci Client: This is an embedded, stateful client that materializes store data locally.
  • Samza: This is the library users use to make nearline updates to store data.
  • Admin Tool: This is the stand-alone client used for ad-hoc operations on Venice.

Looks like this is "almost" supported today but there was a bit of an oversight. When we deploy the services internally in LinkedIn all the server java objects are wrapped in logic which interfaces with our config system. This then invokes the RouterServer's constructor which has utility for passing in an SSLFactory which would configure everything you need.

Unfortunately, main doesn't seem to be doing that; it's building a generic SSLFactory.

I think the trick to make this work would be to make getVeniceLocalSslProperties in SslUtils take a props argument and then change getVeniceLocalSslProperties to do getOrDefault calls.

Should be a pretty straightforward patch. Let me know if you have any questions (or if you are in a pinch you can reach out on Slack and we can get a patch through quickly).
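As an added Java sketch of the direction suggested in the comment above (not Venice's own code): the SSL settings come from a props object with fallbacks in the getOrDefault spirit, and the resulting context is set up to require a client certificate, which is what TLS mutual auth needs. The property key names, default file paths and default passwords are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

public final class RouterTlsConfig {
  // Assumed property keys and local-dev defaults; Venice's real names may differ.
  static final String KEYSTORE_PATH = "ssl.keystore.location";
  static final String KEYSTORE_PASSWORD = "ssl.keystore.password";
  static final String TRUSTSTORE_PATH = "ssl.truststore.location";
  static final String TRUSTSTORE_PASSWORD = "ssl.truststore.password";
  /** getOrDefault-style lookup: an explicit setting wins, the default only fills a gap. */
  static Properties sslProperties(Properties props) {
    Properties ssl = new Properties();
    ssl.setProperty(KEYSTORE_PATH, props.getProperty(KEYSTORE_PATH, "./localhost.keystore"));
    ssl.setProperty(KEYSTORE_PASSWORD, props.getProperty(KEYSTORE_PASSWORD, "changeit"));
    ssl.setProperty(TRUSTSTORE_PATH, props.getProperty(TRUSTSTORE_PATH, "./localhost.truststore"));
    ssl.setProperty(TRUSTSTORE_PASSWORD, props.getProperty(TRUSTSTORE_PASSWORD, "changeit"));
    return ssl;
  }
  /** Identity (router cert and key) from the keystore, trusted client CAs from the truststore. */
  static SSLContext buildContext(Properties ssl) throws Exception {
    char[] keyPassword = ssl.getProperty(KEYSTORE_PASSWORD).toCharArray();
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(load(ssl.getProperty(KEYSTORE_PATH), keyPassword), keyPassword);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(load(ssl.getProperty(TRUSTSTORE_PATH), ssl.getProperty(TRUSTSTORE_PASSWORD).toCharArray()));
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    return ctx;
  }
  /** Server-side parameters for mutual auth: a client certificate is required, not merely requested. */
  static SSLParameters mutualAuthParameters(SSLContext ctx) {
    SSLParameters params = ctx.getDefaultSSLParameters();
    params.setProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
    params.setNeedClientAuth(true); // handshake fails unless the client cert chains to the truststore
    return params;
  }
  private static KeyStore load(String path, char[] password) throws Exception {
    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = new FileInputStream(path)) { store.load(in, password); }
    return store;
  }
}
```

Wiring it in means passing the context and parameters to whatever listener the router opens; with setWantClientAuth instead of setNeedClientAuth a client with no certificate would still complete the handshake, which defeats the authentication goal of the feature request.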

I 'think' this is now fixed as of a8d10be (committed back in May). I'm going to close this for now for bookkeeping, but feel free to reopen if I've misunderstood.