Split TLS options for gRPC and HTTP #1709
Labels
enhancement
New feature or request
Comments
|
I see no issues if we split the configuration, as long it is a non breaking change. |
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Why
Currently for a remote CLI you have no choice but to setup TLS. As a result, the public HTTP endpoints also end up encrypted, and in some configurations this sacrifices significant observability (currently my linkerd2 sidecar containers are unable to inspect traffic, monitor endpoint performance, and enforce per-route ACLs). While workarounds are possible (for example running headscale without TLS, and a proxy terminating TLS for gRPC), they would be far from ideal.
Description
One solution is adding split TLS options - to allow a user to enable TLS for gRPC, while not enabling it for other endpoints.
I'm happy to work on this if it's an acceptable change.
The text was updated successfully, but these errors were encountered: