Jesús Daniel Colmenares Oviedo edited this page Mar 26, 2025 · 1 revision

Configuring TLS

Securing connections is critical, especially between geographically distributed servers, and TLS is the most widespread technology for doing so, which is why Overlord supports it.

Explaining TLS itself is outside the scope of this article, and, sadly, it is a bit complex, so consider something like Tailscale if you want an easier way to secure your connections. This article covers configuring TLS in Overlord and nothing else, so we'll use trustme to generate the certificates for demonstration purposes.

# pkg install -y py311-trustme
# python -m trustme
Generated a certificate for 'localhost', '127.0.0.1', '::1'
Configure your server to use the following files:
  cert=/tmp/test/server.pem
  key=/tmp/test/server.key
Configure your client to use the following files:
  cert=/tmp/test/client.pem

server.pem is the certificate and server.key is the private key used by the server; client.pem is the CA certificate the client uses to verify the server.

/usr/local/etc/overlord.yml:

tls:
  certfile: '/tmp/test/server.pem'
  keyfile: '/tmp/test/server.key'

After configuring TLS in the configuration file, we need to restart the API server for the changes to take effect.

supervisorctl restart overlord:*

Overlord listens for encrypted connections on an alternate port which defaults to 9331. Plain text connections arrive on the default port, which is 8888.

If our API server is part of a chain, we can update the configuration of that server to use TLS. Two things change in the entrypoint, the scheme (http to https) and the port (8888 to 9331), and cacert must point at the certificate used to verify the server.

before:

chains:
  charlie:
    entrypoint: 'http://192.168.2.152:8888'
    access_token: '<access token>'
    cacert: '/tmp/test/client.pem'

after:

chains:
  charlie:
    entrypoint: 'https://192.168.2.152:9331'
    access_token: '<access token>'
    cacert: '/tmp/test/client.pem'

From the client's point of view it is very simple: add the cacert parameter to the data center and make the same scheme and port changes as above:

kind: readOnly
datacenters:
  main:
    entrypoint: 'https://127.0.0.1:9331'
    access_token: '<access token>'
    cacert: '/tmp/test/client.pem'
deployIn:
  labels:
    - all
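The chain and data center changes above are easy to get half right (https with the old port, or the new port with the old scheme, or a cacert that is never set). The following script is an added example, not part of this wiki or of Overlord itself: it applies the scheme and port rewrite from the article to a chain entry, lints chain, data center and server `tls:` sections for those mismatches (plus a private key that is readable by group or others), and, given a running server, verifies the certificate at the TLS port against client.pem using only the Python standard library. The `CHAINS_BEFORE` and `SERVER_CONFIG` dicts are constructed from the snippets above; the port numbers come from the article. Assumes the YAML has already been loaded into dicts (the script does not depend on a YAML library).

```python
import os
import socket
import ssl
import stat
from urllib.parse import urlsplit

# Overlord's default ports as stated in the article.
PLAIN_PORT = 8888
TLS_PORT = 9331


def to_tls_entrypoint(entrypoint: str) -> str:
    """Apply the two changes the article lists: http -> https and 8888 -> 9331.

    A non-default port is left alone; an entrypoint that is already https is returned unchanged.
    """
    u = urlsplit(entrypoint)
    if u.scheme == "https":
        return entrypoint
    if u.scheme != "http":
        raise ValueError(f"unsupported scheme in {entrypoint!r}")
    port = TLS_PORT if u.port in (None, PLAIN_PORT) else u.port
    host = f"[{u.hostname}]" if ":" in u.hostname else u.hostname  # re-bracket IPv6 literals
    return u._replace(scheme="https", netloc=f"{host}:{port}").geturl()


def check_endpoint(name: str, entry: dict, check_files: bool = True) -> list:
    """Return the problems found in a chain or datacenter entry (empty list means OK)."""
    issues = []
    u = urlsplit(entry.get("entrypoint", ""))
    cacert = entry.get("cacert")
    if u.scheme == "http":
        issues.append(f"{name}: plain-text entrypoint, the access token is sent unencrypted")
        if u.port == TLS_PORT:
            issues.append(f"{name}: http scheme but TLS port {TLS_PORT}")
    elif u.scheme == "https":
        if u.port == PLAIN_PORT:
            issues.append(f"{name}: https scheme but plain-text port {PLAIN_PORT}")
        if not cacert:
            issues.append(f"{name}: https entrypoint without cacert, point it at client.pem")
        elif check_files and not os.path.isfile(cacert):
            issues.append(f"{name}: cacert {cacert} not found")
    else:
        issues.append(f"{name}: unsupported scheme {u.scheme!r}")
    return issues


def check_server_tls(config: dict, check_files: bool = True) -> list:
    """Check the server-side `tls:` section: both files present, key not group/world readable."""
    issues = []
    tls = config.get("tls") or {}
    for key in ("certfile", "keyfile"):
        path = tls.get(key)
        if not path:
            issues.append(f"tls.{key} is missing")
        elif check_files and not os.path.isfile(path):
            issues.append(f"tls.{key}: {path} not found")
    keyfile = tls.get("keyfile")
    if check_files and keyfile and os.path.isfile(keyfile):
        mode = os.stat(keyfile).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append(f"tls.keyfile: {keyfile} is readable by group or others "
                          f"(mode {stat.S_IMODE(mode):o})")
    return issues


def probe_tls(entrypoint: str, cacert: str, timeout: float = 5.0) -> dict:
    """Connect to a running Overlord TLS port and verify its certificate against cacert.

    Needs a live server, so it is not exercised offline. Raises ssl.SSLCertVerificationError
    when the certificate does not chain to cacert or does not match the host in the entrypoint.
    """
    u = urlsplit(entrypoint)
    ctx = ssl.create_default_context(cafile=cacert)  # check_hostname and CERT_REQUIRED are on
    with socket.create_connection((u.hostname, u.port or 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=u.hostname) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "subjectAltName": cert.get("subjectAltName", ())}


def upgrade_chains(chains: dict) -> dict:
    """Return a copy of a `chains:` mapping with every entrypoint switched to TLS."""
    return {name: {**entry, "entrypoint": to_tls_entrypoint(entry["entrypoint"])}
            for name, entry in chains.items()}


# Constructed samples mirroring the article's server `tls:` section and "before" chain entry.
SERVER_CONFIG = {"tls": {"certfile": "/tmp/test/server.pem", "keyfile": "/tmp/test/server.key"}}
CHAINS_BEFORE = {"charlie": {"entrypoint": "http://192.168.2.152:8888",
                             "access_token": "<access token>",
                             "cacert": "/tmp/test/client.pem"}}

if __name__ == "__main__":
    for name, entry in CHAINS_BEFORE.items():
        for issue in check_endpoint(name, entry, check_files=False):
            print("before:", issue)
    for name, entry in upgrade_chains(CHAINS_BEFORE).items():
        print("after:", name, entry["entrypoint"],
              check_endpoint(name, entry, check_files=False) or "ok")
    for issue in check_server_tls(SERVER_CONFIG):
        print("server:", issue)
```

Run it on the host with the real paths and `check_files=True` (the default) to confirm that certfile, keyfile and cacert exist and that server.key is not readable by other users; once the API server has been restarted, `probe_tls("https://127.0.0.1:9331", "/tmp/test/client.pem")` performs the same verification a client with that cacert will do and fails loudly if the certificate does not chain to client.pem.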
