vitabaks / postgresql_cluster

PostgreSQL High-Availability Cluster (based on "Patroni" and DCS "etcd" or "consul"). Automating with Ansible.
MIT License
1.27k stars 339 forks

TLS between the components #361

Open ppaslan opened 10 months ago

ppaslan commented 10 months ago

Hi, first of all, thanks for all your hard work on this Ansible playbook, as it makes deployment much easier for a lot of reasons, but there is something that I am very curious about.

Are the components communicating through TLS or plaintext? I cannot see any settings for TLS/Certification setup.

vitabaks commented 10 months ago

At the moment, TLS is not configured automatically. I think it's worth adding such an option.

Feel free to create a PR.

ppaslan commented 10 months ago

> At the moment, TLS is not configured automatically. I think it's worth adding such an option.
>
> Feel free to create a PR.

Thank you for the fast response.

Assuming the Type B configuration, where etcd and PostgreSQL reside on the same host, which components communicate with each other? Basically, to achieve full TLS between every pair of components that talk to each other outside of localhost, which components do we have to activate TLS for?

We are planning to initially adjust the playbook to work with TLS with the configuration above but are also planning to make it work for all the types and setups and provide a PR later on in order to contribute to the project.

vitabaks commented 10 months ago

> Assuming the Type B configuration, where etcd and PostgreSQL reside on the same host, which components communicate with each other? Basically, to achieve full TLS between every pair of components that talk to each other outside of localhost, which components do we have to activate TLS for?

This is a good recommendation, but it is not a strict requirement, even for a production environment, if your cluster is located in your own data center with a secure network. In addition, sensitive information is not stored in DCS.

To begin with, TLS between the client and the database will be enough. Then it is already possible to implement TLS for the rest of the components (e.g. Patroni, etcd, consul).
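The practical follow-up to the question above is finding out which listeners in a deployed cluster actually negotiate TLS today. The script below is an added example, not part of this thread or of the postgresql_cluster playbook. It speaks the PostgreSQL startup protocol (an SSLRequest message, answered by a single 'S' or 'N' byte) to check the database port without logging in, and attempts a plain TLS handshake against the HTTP ports that Patroni's REST API and etcd use. The host name `pgnode01` is a placeholder, and the ports (5432, 8008, 2379, 2380) are the usual defaults assumed for a Type B node; adjust `ENDPOINTS` to your inventory.

```python
"""Probe which endpoints of a Patroni/etcd/PostgreSQL node negotiate TLS.

Added example; not code from vitabaks/postgresql_cluster.  Host names and
ports in ENDPOINTS are assumptions for a Type B layout (all services on
each node) and must be adjusted to the real inventory.
"""
import socket
import ssl
import struct

# PostgreSQL startup protocol: a client that wants TLS first sends an
# SSLRequest (int32 length = 8, int32 code = 80877103, i.e. 1234 << 16 | 5679).
# The server replies with one byte: 'S' (proceed with TLS) or 'N' (plaintext only).
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Wire form of the PostgreSQL SSLRequest message."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def interpret_ssl_response(first_byte: bytes) -> str:
    """Classify the server's one-byte reply to an SSLRequest."""
    if first_byte == b"S":
        return "tls"
    if first_byte == b"N":
        return "plaintext"
    if first_byte == b"":
        return "closed"          # server hung up without answering
    return "error"               # anything else, e.g. an ErrorResponse ('E')


def probe_postgres(host: str, port: int = 5432, timeout: float = 3.0) -> str:
    """Ask a PostgreSQL listener whether it offers TLS, without authenticating."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_ssl_request())
            return interpret_ssl_response(sock.recv(1))
    except OSError as exc:
        return "unreachable:" + exc.__class__.__name__


def probe_tls_endpoint(host: str, port: int, timeout: float = 3.0) -> str:
    """Try a TLS handshake against an HTTP port (Patroni REST API, etcd, consul).

    Certificate verification is disabled on purpose: the question here is
    whether the port speaks TLS at all, not whether its certificate is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + str(tls.version())
    except ssl.SSLError:
        return "plaintext"       # our ClientHello was answered with non-TLS bytes
    except OSError as exc:
        return "unreachable:" + exc.__class__.__name__


# Assumed Type B layout: Patroni + PostgreSQL + etcd on every node.
# "pgnode01" is a placeholder host name; the ports are the usual defaults.
ENDPOINTS = [
    ("pgnode01", 5432, "postgresql"),
    ("pgnode01", 8008, "patroni-rest"),
    ("pgnode01", 2379, "etcd-client"),
    ("pgnode01", 2380, "etcd-peer"),
]


def audit(endpoints=ENDPOINTS, pg_probe=probe_postgres, tls_probe=probe_tls_endpoint):
    """Return {(host, port, role): verdict}; the probes are injectable for testing."""
    results = {}
    for host, port, role in endpoints:
        probe = pg_probe if role == "postgresql" else tls_probe
        results[(host, port, role)] = probe(host, port)
    return results


def plaintext_endpoints(results) -> list:
    """Endpoints still talking in the clear: the ones to fix first."""
    return sorted(key for key, verdict in results.items() if verdict == "plaintext")


if __name__ == "__main__":
    for (host, port, role), verdict in audit().items():
        print(f"{host}:{port:<5} {role:<13} {verdict}")
```

An 'S' from PostgreSQL only means the server is willing to do TLS; it does not prove clients are forced to use it. Enforcement on the database side comes from `hostssl` (and, where needed, `hostnossl ... reject`) entries in `pg_hba.conf`, and on the client side from `sslmode=verify-full` with a trusted CA. For the Patroni REST API and etcd, a "plaintext" verdict means those components need their own certificate settings before the inter-node traffic is protected.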