Hello everyone! I have a question about Flyte security. I'm trying to create an mTLS certificate setup to protect the gRPC port of flyteadmin. Is there a doc where I can point gRPC on both the client and the server to the correct certificate pair and encrypt that part at the protocol level?
12/12/2023, 5:43 PM
Hey @Michal Jastrzebski, within a cluster (or between clusters), we typically run Linkerd/Envoy and enable mTLS there. This ensures traffic from/to flyteadmin is encrypted.
However, from a "public" client (i.e. a client running on an end user's machine), we rely on SSL on the cluster ingress to encrypt traffic to the cluster. And on Auth (SSO comes out of the box) to authenticate the caller.
There isn't a doc on enabling mTLS; support would need to be added to the gRPC server to load/roll/fetch/refresh client certificates, etc. From a separation-of-concerns perspective, I would delegate this responsibility to a proxy, and to a reverse proxy on the client side.
12/12/2023, 5:44 PM
OK, that makes sense, thanks for confirming this. I just wanted to make sure that there isn't a config option I could use.