[Feature]: Add Internal TLS Support for Milvus Components under cluster mode #36864
Comments
|
assign @nish112022 |
|
/assign @nish112022 |
issue : #36864 I have a few questions regarding my approach.I will consolidate them here for feedback and review.Thanks --------- Signed-off-by: Nischay Yadav <[email protected]> Signed-off-by: Nischay <[email protected]>
|
/assign |
|
TODO:
|
|
@haorenfsa Can we have a meeting tomorrow?Let me know how and when.We can meet on Discord as well. |
|
@nish112022 Yes. I'm available around 2-4 a.m. UTC. But I'm not sure what you want to discuss about in particular |
|
Thank you for letting me know your availability @haorenfsa . Since it’s quite early for me, I’d prefer to discuss the approach asynchronously before making any changes. I’ll raise a PR or share a draft plan for your feedback afterward. Thanks! |
|
I think we just need to add fields to enable user adding volumes & volumeMounts in Milvus components, so that one could mount custom certificates & keys for Milvus to use. |
issue : milvus-io#36864 I have a few questions regarding my approach.I will consolidate them here for feedback and review.Thanks --------- Signed-off-by: Nischay Yadav <[email protected]> Signed-off-by: Nischay <[email protected]>
|
One more thing, Seems only server-side TLS is supported for internal. Can we also support it mutual like we did for external TLS ? @nish112022 |
|
Yes, @haorenfsa, I can take this up when I have some bandwidth. |
|
@haorenfsa, I have created the documentation for the official Milvus docs here: #2895. I am planning to wait until your PR above gets merged so that I can update the link in the docs accordingly. Please let me know if any changes are required in my PR. For the rest, I see that you have already made the changes—Thank you! |
|
@nish112022 I checked your patch, it works only when all components run on the same host. So I just realized one more things we've missed. Internally, milvus components uses IP to connect to each other, while TLS needs an server name indicator ( SNI ) for certificate verification. So we need another patch to make all internal gRPC clients to use a specific SNI when establishing tls connection. |
|
@haorenfsa Yes, for standalone milvus it will work but for other deployments let's say Kubernetes, each pod has it's own hostname in some pattern(***.cluster.local.pod).So, I thought it will be done from the operator side to provide the hostname in the IP field under each component. |
/cc @xiaofan-luan @jaime0815 @nish112022 part of #36864 Signed-off-by: haorenfsa <[email protected]>
Is there an existing issue for this?
Is your feature request related to a problem? Please describe.
Currently, internal communication between Milvus components (such as DataCoord, QueryCoord, etc.) is not secured. In environments where enhanced security is required, having communication encrypted with TLS is crucial to protect data and credentials in transit.
Describe the solution you'd like.
I would like to see internal TLS support added to Milvus, allowing all internal gRPC calls between Milvus components to be encrypted.This would involve:
Describe an alternate solution.
No response
Anything else? (Additional Context)
No response
The text was updated successfully, but these errors were encountered: