Description
With 7.1 we can begin to use intermediate certificates and CAs that apply to a single node:
https://docs.couchbase.com/server/current/learn/security/using-multiple-cas.html
While we currently support multiple CAs, the server does not get the full benefit of this because the same node certificate, signed by a single CA, is installed cluster-wide. We also cannot allow intermediates with an FQDN as a subject alternative name, since the certificate would not be valid on other hosts with different hostnames.
What I propose is that we include the TLS structure in the server configuration as a means to provide granular TLS for a specific set of nodes:
servers:
- size: 2
  name: data_services
  services:
  - data
  tls:
    secretSource:
      serverSecretName: "data-service-tls"
- size: 2
  name: index_services
  services:
  - index
  tls:
    secretSource:
      serverSecretName: "index-service-tls"
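To show why per-server-class secrets matter, here is an added example (not operator code and not part of the proposal) that checks whether the certificate referenced by each server class actually carries a DNS SAN for every node in that class. It assumes a pod naming scheme of `<cluster>-<NNNN>.<cluster>.<namespace>.svc` with ordinals assigned sequentially across classes, and the SAN lists per secret are constructed stand-ins for what the real certificates would contain; both are assumptions, not something the proposal specifies.

```python
"""Check that each server class's TLS secret covers the hostnames of the nodes
it will be installed on. Added example; not Couchbase Operator code.

Assumptions (not from the proposal): node FQDNs follow the pattern
<cluster>-<NNNN>.<cluster>.<namespace>.svc with ordinals assigned in order
across server classes, and SECRET_SANS holds constructed stand-in SAN lists.
"""

# Proposed server-class layout, mirroring the config in the proposal.
SERVERS = [
    {"size": 2, "name": "data_services", "services": ["data"],
     "tls": {"secretSource": {"serverSecretName": "data-service-tls"}}},
    {"size": 2, "name": "index_services", "services": ["index"],
     "tls": {"secretSource": {"serverSecretName": "index-service-tls"}}},
]

# Constructed DNS SAN entries per secret (stand-ins for real certificates):
# the data certificate names its two nodes explicitly, the index certificate
# uses a wildcard for the cluster's service domain.
SECRET_SANS = {
    "data-service-tls": ["cb-example-0000.cb-example.default.svc",
                         "cb-example-0001.cb-example.default.svc"],
    "index-service-tls": ["*.cb-example.default.svc"],
}

# The situation the proposal wants to move away from: one secret cluster-wide.
CLUSTER_WIDE = [
    dict(sc, tls={"secretSource": {"serverSecretName": "data-service-tls"}})
    for sc in SERVERS
]


def san_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive, a single '*' allowed only
    as the whole left-most label, and the wildcard never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject '*' anywhere but the whole first label, and bare '*.tld' patterns.
    if labels[0] != "*" or "*" in pattern[1:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def node_fqdns(cluster, namespace, servers):
    """Return {class_name: [fqdn, ...]} under the assumed pod naming scheme."""
    result, ordinal = {}, 0
    for sc in servers:
        fqdns = []
        for _ in range(sc["size"]):
            fqdns.append(f"{cluster}-{ordinal:04d}.{cluster}.{namespace}.svc")
            ordinal += 1
        result[sc["name"]] = fqdns
    return result


def uncovered_nodes(cluster, namespace, servers, secret_sans):
    """Return {class_name: [fqdn, ...]} for nodes whose class certificate has no
    matching DNS SAN. An empty dict means every node is covered."""
    by_name = {sc["name"]: sc for sc in servers}
    problems = {}
    for name, fqdns in node_fqdns(cluster, namespace, servers).items():
        secret = by_name[name]["tls"]["secretSource"]["serverSecretName"]
        sans = secret_sans.get(secret, [])
        missing = [h for h in fqdns if not any(san_matches(s, h) for s in sans)]
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    print("per-class secrets:", uncovered_nodes("cb-example", "default", SERVERS, SECRET_SANS))
    print("single secret:    ", uncovered_nodes("cb-example", "default", CLUSTER_WIDE, SECRET_SANS))
```

With per-class secrets every node is covered; with the single cluster-wide secret the index nodes (ordinals 0002 and 0003) have no matching SAN, which is exactly the hostname-mismatch problem described above. The wildcard handling also shows the trade-off: a `*.cb-example.default.svc` SAN covers any node in the cluster, so it buys no per-class isolation, whereas explicit per-node SANs only work when the secret is scoped to the nodes it names.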