Hi,

*Update:*
I have implemented SSL connections for nginx <---> users[1]. I've added a new container named openwisp-orchestration; this container does the job of creating new certs, asking Let's Encrypt if DEBUG mode is off, otherwise making self-signed certificates. This container will also update the certs as per the certbot renew policy. The renew process runs from a cron job at 3 AM on Sundays. The nginx server reloads at 3:30 AM on Sundays.

However, I have not implemented the SSL connections within the cluster. I think it wouldn't help. If a person has access to the cluster API, they can already access the keys and containers; SSL will not help anyway. If they don't have access to the API, they can't even reach the cluster connections. The only reason to encrypt the connection would be if someone tries to implement a connection to outside the cluster, like a separate postgres instance on a different system outside the cluster.

For the postgres connection, I have added the options:

    DB_SSLMODE=disable
    DB_SSLROOTCERT=''

If someone decides to have the instance outside the cluster, they can set these options.

What are your views on this? Is there any case where making secure connections within the cluster helps?

Ajay

---
Ref:
[1]: https://github.com/atb00ker/dockerize-openwisp/tree/sslmode
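
The two options in the message above map onto the libpq connection parameters `sslmode` and `sslrootcert`. The sketch below is an added example, not part of the email or of the dockerize-openwisp code: it turns those variables into the SSL part of a Django database `OPTIONS` dict and warns when a database outside the cluster is configured with a mode that leaves the link unprotected. `DB_HOST`, the in-cluster service name `postgres`, and the rule that a verifying mode must name its CA file are assumptions of this example.

```python
# libpq sslmode values, weakest to strongest.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")


def db_ssl_options(env, in_cluster_hosts=("postgres",)):
    """Build the SSL part of a Django DATABASES[...]['OPTIONS'] dict.

    env holds DB_SSLMODE and DB_SSLROOTCERT (names from the email) plus
    DB_HOST (assumed name). in_cluster_hosts is an assumed list of service
    names that are only reachable inside the cluster.
    Returns (options, warnings).
    """
    mode = env.get("DB_SSLMODE", "").strip() or "disable"
    rootcert = env.get("DB_SSLROOTCERT", "").strip()
    host = env.get("DB_HOST", "").strip() or "postgres"
    if mode not in SSLMODES:
        raise ValueError(f"DB_SSLMODE must be one of {SSLMODES}, got {mode!r}")
    # Policy of this example: a verifying mode must name its CA file explicitly.
    if mode in ("verify-ca", "verify-full") and not rootcert:
        raise ValueError(f"DB_SSLMODE={mode} needs DB_SSLROOTCERT")

    options = {"sslmode": mode}
    if rootcert:
        options["sslrootcert"] = rootcert

    warnings = []
    if host not in in_cluster_hosts:  # database lives outside the cluster
        if mode in ("disable", "allow", "prefer"):
            warnings.append(f"{host}: sslmode={mode} does not guarantee encryption")
        elif mode == "require" and not rootcert:
            warnings.append(f"{host}: sslmode=require encrypts but does not "
                            "by itself verify the server certificate")
        elif mode == "verify-ca":
            warnings.append(f"{host}: sslmode=verify-ca does not check the host name")
    return options, warnings


if __name__ == "__main__":
    # Constructed sample environments, not taken from the project.
    samples = [
        {"DB_SSLMODE": "disable", "DB_SSLROOTCERT": ""},
        {"DB_SSLMODE": "disable", "DB_HOST": "db.example.org"},
        {"DB_SSLMODE": "verify-full", "DB_SSLROOTCERT": "/certs/ca.pem",
         "DB_HOST": "db.example.org"},
    ]
    for env in samples:
        print(env, "->", db_ssl_options(env))
```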
