Enable TLS between Render Queue and clients by default #490

Closed
2 tasks done
horsmand opened this issue Jun 29, 2021 · 0 comments · Fixed by #491
Labels
feature-request A feature should be added or improved.

Comments

@horsmand
Contributor

Switch the default behaviour in the Render Queue so that TLS between the ALB and clients is enabled by default.

Use Case

This will make using TLS require minimal effort and cost for anyone creating an RFDK render farm, while giving them increased security.

Proposed Solution

To prevent breaking changes for anyone already using TLS in the Render Queue, we will leave the interface as-is, and only add one new enabled field in the RenderQueueExternalTLSProps interface. You can see the interface and where it fits into the Render Queue's construct props here:

export interface RenderQueueProps {
  readonly trafficEncryption?: RenderQueueTrafficEncryptionProps;
  ...
}
export interface RenderQueueTrafficEncryptionProps {
  readonly externalTLS?: RenderQueueExternalTLSProps;
  ...
}
export interface RenderQueueExternalTLSProps {
  readonly enabled?: boolean;
  readonly acmCertificate?: ICertificate;
  readonly acmCertificateChain?: ISecret;
  readonly rfdkCertificate?: IX509CertificatePem;
}

If no certificate or hostname are provided, they will be created by default as follows:

const hostname = 'renderqueue';
const zoneName = 'rfdk.internal';

const domainZone = new PrivateHostedZone(this, 'DnsZone', {
  vpc,
  zoneName,
});
const fullyQualifiedDomainName = `${hostname}.${domainZone.zoneName}`;

const rootCa = new X509CertificatePem(this, 'RootCA', {
  subject: {
    cn: 'RenderQueueRootCA',
  },
});
const rfdkCert = new X509CertificatePem(this, 'RenderQueueCA', {
  subject: {
    cn: fullyQualifiedDomainName,
  },
  signingCertificate: rootCa,
});

Other

This is a breaking change that will enable TLS on farms without it, unless they are modified to set the enabled flag to false.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
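The defaulting behaviour proposed above (an absent `enabled` flag now means TLS is on, an explicit `false` keeps it off, a supplied certificate is used as given, and otherwise a default certificate and hosted zone are created) can be modelled without any CDK dependency. The block below is an added example, not aws-rfdk code: the stand-in `ICertificate`, `ISecret` and `IX509CertificatePem` types, the `resolveExternalTls` function, the `ExternalTlsDecision` shape, and the two validation rules (ACM and RFDK certificates are mutually exclusive; `acmCertificateChain` requires `acmCertificate`) are assumptions made for illustration, not behaviour the issue specifies.

```typescript
// Added example (not aws-rfdk code): models the proposed defaulting of
// RenderQueueExternalTLSProps so the backwards-compatibility semantics can be
// exercised without deploying anything.

// Minimal stand-ins for the CDK/RFDK types the real props reference (assumption).
interface ICertificate { readonly certificateArn: string; }
interface ISecret { readonly secretArn: string; }
interface IX509CertificatePem { readonly cert: string; readonly key: string; }

export interface RenderQueueExternalTLSProps {
  readonly enabled?: boolean;
  readonly acmCertificate?: ICertificate;
  readonly acmCertificateChain?: ISecret;
  readonly rfdkCertificate?: IX509CertificatePem;
}

// Defaults named in the issue's proposed solution.
export const DEFAULT_HOSTNAME = 'renderqueue';
export const DEFAULT_ZONE_NAME = 'rfdk.internal';
export const DEFAULT_ROOT_CA_CN = 'RenderQueueRootCA';

export type ExternalTlsDecision =
  | { kind: 'disabled' }
  | { kind: 'acm'; certificateArn: string; chainSecretArn?: string }
  | { kind: 'rfdk'; cert: string }
  | { kind: 'generated-default'; fqdn: string; rootCaCn: string };

export function resolveExternalTls(props?: RenderQueueExternalTLSProps): ExternalTlsDecision {
  // The breaking change: a farm that never configured `trafficEncryption`
  // (props undefined) or never set `enabled` now gets TLS. Only an explicit
  // `enabled: false` opts out.
  const enabled = props?.enabled ?? true;
  if (!enabled) {
    return { kind: 'disabled' };
  }

  // Validation rules below are assumptions for this example, not from the issue.
  if (props?.acmCertificate && props?.rfdkCertificate) {
    throw new Error('Supply either acmCertificate or rfdkCertificate, not both');
  }
  if (props?.acmCertificateChain && !props?.acmCertificate) {
    throw new Error('acmCertificateChain requires acmCertificate');
  }

  // A caller-supplied certificate is used as given.
  if (props?.acmCertificate) {
    return {
      kind: 'acm',
      certificateArn: props.acmCertificate.certificateArn,
      chainSecretArn: props.acmCertificateChain?.secretArn,
    };
  }
  if (props?.rfdkCertificate) {
    return { kind: 'rfdk', cert: props.rfdkCertificate.cert };
  }

  // Nothing supplied: fall back to the default private zone and RFDK-signed
  // certificate chain described in the issue.
  return {
    kind: 'generated-default',
    fqdn: `${DEFAULT_HOSTNAME}.${DEFAULT_ZONE_NAME}`,
    rootCaCn: DEFAULT_ROOT_CA_CN,
  };
}
```

The useful comparison is `props?.enabled ?? true` against the pre-change reading, where TLS was only on when a certificate was explicitly configured: with the new default, an unconfigured farm resolves to `generated-default` rather than `disabled`, which is exactly the migration the BREAKING CHANGE note warns about.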

@horsmand horsmand added needs-triage This issue or PR still needs to be triaged. feature-request A feature should be added or improved. labels Jun 29, 2021
horsmand referenced this issue in horsmand/aws-rfdk Jun 29, 2021
fixes #490

BREAKING CHANGE: Farms currently not configured to use external TLS on
the Render Queue will be modified to have it enabled and using the
default certificate and hosted zone. To continue to keep external TLS
disabled, the `enabled` flag on the `RenderQueueExternalTLSProps` can be
set to false; however, we strongly encourage you to enable TLS.
@horsmand horsmand removed the needs-triage This issue or PR still needs to be triaged. label Jun 29, 2021
jusiskin pushed a commit that referenced this issue Jul 23, 2021