Closed mfateev closed 1 year ago
What's the ETA on this?
@sagikazarmark we started working on it this sprint. We are able to prototype spinning up the Cadence server with a TLS listener, but unfortunately this requires more support from the underlying RPC stack (TChannel) so clients can pass a TLS Dialer through to connect to Cadence.
At this point we are building TLS support in the TChannel and YARPC stack first, before we can bootstrap it into Cadence. At this point it is hard to provide an ETA on this, but once the TChannel and YARPC support has landed we can provide a better ETA from the Cadence side.
Although our team is doing both changes, we need to go through the review process of the RPC teams for these dependencies to be landed.
@samarabbas Cool, thanks for the update. Are there any PRs in yarpc repos that we can follow? (Maybe reference them from here)
Currently most of the prototype implementation is in my fork, but I will link it from here as soon as I start creating the PR.
Created PR for tchannel-go changes needed for this.
We heavily underestimated the work needed to enable TLS support. Although the work needed for the downstream dependency (tchannel-go) is complete, it still requires significant work to decouple Cadence's dependency on ring-pop (which also uses tchannel-go) to enable TLS for incoming traffic. Unfortunately the same host/port is used for ring-pop communication, and enabling TLS starts causing issues with the membership ring.
At this point, migration to gRPC seems like the right path forward, as we get TLS for free and it is probably less work.
We moved to gRPC which supports TLS. Closing this as it's probably not needed any more.
According to @prashantv, TChannel can be extended to support a custom net.Dialer. It already supports a custom net.Listener.
Cadence could then use tls.Dial and tls.Listen to implement those. See this article for a Go TLS overview.
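As an added example (not code from Cadence, TChannel or YARPC, and not part of the thread above), this is the listener/dialer split that both the first status update and the last comment describe, in Go: `tls.Listen` gives the server side a plain `net.Listener` to hand to the transport, and a `tls.Dialer` gives the client side a `DialContext`-shaped function in place of `net.Dialer.DialContext`. The configs are mutual TLS, so a plaintext client or a client without a certificate fails at the handshake rather than in application code. The names `selfSigned`, `mtlsConfigs`, `serveTLS`, `tlsDialer` and `roundTrip` are hypothetical, the echo loop stands in for the RPC server, and the self-signed certificates pinned on each side are constructed in memory for the example only.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a self-signed P-256 cert for cn as both an *x509.Certificate (to pin) and a
// tls.Certificate (to present). Hypothetical helper so the example runs offline; use a real PKI in production.
func selfSigned(cn string) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails without a working crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN checked against the dialed address
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // cannot fail for this template
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// mtlsConfigs builds the server and client tls.Config for mutual TLS. Each side pins the other's
// self-signed cert in its pool, so neither the system roots nor any other issuer is trusted.
func mtlsConfigs() (*tls.Config, *tls.Config) {
	srvCert, srvID := selfSigned("cadence-frontend")
	cliCert, cliID := selfSigned("cadence-client")
	trustSrv, trustCli := x509.NewCertPool(), x509.NewCertPool()
	trustSrv.AddCert(srvCert)
	trustCli.AddCert(cliCert)
	server := &tls.Config{
		Certificates: []tls.Certificate{srvID},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a client without a pinned cert fails the handshake
		ClientCAs:    trustCli,
		MinVersion:   tls.VersionTLS12,
	}
	client := &tls.Config{Certificates: []tls.Certificate{cliID}, RootCAs: trustSrv, MinVersion: tls.VersionTLS12}
	return server, client
}

// serveTLS plays the "custom net.Listener" role from the thread: tls.Listen returns an ordinary
// net.Listener, so a transport that accepts one needs no TLS-specific code. The echo loop stands in for the RPC server.
func serveTLS(cfg *tls.Config) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			io.Copy(c, c) // the first Read inside Copy runs the handshake; it fails for plaintext or unauthenticated clients
			c.Close()
		}
	}()
	return ln, nil
}

// tlsDialer plays the "custom net.Dialer" role: a DialContext-shaped function that wraps the TCP
// dial in a TLS handshake, usable wherever a transport accepts net.Dialer.DialContext.
func tlsDialer(cfg *tls.Config) func(context.Context, string, string) (net.Conn, error) {
	return (&tls.Dialer{NetDialer: &net.Dialer{}, Config: cfg}).DialContext
}

// roundTrip dials addr with dial, sends msg and returns whatever comes back, or the first error.
func roundTrip(dial func(context.Context, string, string) (net.Conn, error), addr, msg string) (string, error) {
	c, err := dial(context.Background(), "tcp", addr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	c.Write([]byte(msg)) // a write failure surfaces on the Read below
	buf := make([]byte, 64)
	n, err := c.Read(buf)
	return string(buf[:n]), err
}

func main() {
	srvCfg, cliCfg := mtlsConfigs()
	ln, err := serveTLS(srvCfg)
	if err != nil {
		panic(err)
	}
	echo, err := roundTrip(tlsDialer(cliCfg), ln.Addr().String(), "ping")
	fmt.Printf("mTLS echo=%q err=%v\n", echo, err)
}
```

Run it with `go run`. Swapping `tlsDialer(cliCfg)` for a plain `(&net.Dialer{}).DialContext`, or cloning the client config with `Certificates` set to nil, makes `roundTrip` return an error instead of the echo, which is the same effect the thread's ring-pop caveat is about: anything sharing the port that does not speak TLS stops being accepted the moment the listener is wrapped.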