TLS support

[samirkut]

I am exploring the framework and it looks pretty nice. I had a question about the network stack. I want to use mutual TLS for all communication between different nodes. I cant seem to figure out how that would be injected in this case. Any pointers?

[Tochemey]

Hello @samirkut, I have not added any implementation or extension for TLS. I have been thinking about it, but I have not received any feature requests. Now, I think I have a valid use case for it.

[Tochemey]

I have created an issue #500 to tackle it. Hopefully to be done before the week ends :)

[Tochemey]

@samirkut I have started some work here. I hope to wrap it up before the week ends and QA it properly before releasing a new release.

[Tochemey]

@samirkut Even though I have started some work on the TLS support. I will need some time to read a bit around its performance. There are only two places where TLS may be needed:

• Remote calls: here it is easy to add TLS because we just need to know the CA of the remote node and we are done.
• Redistribution: where when a node dies its actors are recreated on the remaining nodes of the cluster as long as there is valid quorum to get going. In this scenario all nodes will need to know each other CA.

[samirkut]

So typically what I do is, I assume that all nodes share a CA. That is probably very likely and helps simplify the config quite a bit.

[Tochemey]

Sure we can go with that hypothesis. The other thing is to look into the handshake part for performance because we don't want to in any way hinder the current throughput (which need already some enhancement) when sending messages over the wire.

[Tochemey]

@samirkut I think I have a better to add the TLS. My only concern is the handshake part which will double the TCP connection time. That can be a performance hinderance. In any way I will document it once I wrap up the implementation.

[Tochemey]

@samirkut I have the PR ready #504. I will run some QA before merging it. However if you like to have it a go that will also be great. Thanks

[samirkut]

Awesome. Thanks so much. I plan to give it a go sometime today.

[Tochemey]

just use this commit hash a505db1

[Tochemey]

@samirkut I have closed the branch because the tests did not produce the expected results and need more work to be done. I will revisit this feature in the Christmas break or another time. Thanks for bringing up though. Valid feature.

[Tochemey]

One a second thought I think you can establish secure connection with the following:

• Use a service mesh like istio or linkerd to establish secure communication in the cluster or amongst the various services or
• Put the cluster behind a VPC

Making using of TLS is great but I don't think it is necessary for the framework to support it looking at the various alternatives out there. However if there is anything that can help in the framework to support the alternatives, I am open to a suggestion.

[Tochemey]

@samirkut The elephant in the room with this implementation is that the underlying cluster engine library I am using does not support TLS from the first reading I did in the code base. So I will have to cater of that before we can really have a fully fledged mTLS in the whole system. This is the cluster engine I am using https://github.com/buraksezer/olric.

I can fork it and refactor it to the need of GoAkt to support mTLS. However this will take me some time and probably some sponsorship :)

[Tochemey]

At the moment this feature is not available and can be supported in the future.

[Tochemey]

@samirkut I have fully implemented the TLS support now. The same CA root is required for all nodes in the cluster for the TLS feature to work well. You can use the latest commit hash of https://github.com/Tochemey/goakt

[samirkut]

Awesome. I will give it a go hopefully this weekend