Add ability to configure Encryption in Transit
We are working towards FedRAMP: https://internal-handbook.gitlab.io/engineering/fedramp-compliance/. As part of this effort, we will need to support encryption in transit for both internal and external connections. The environment to be used is the Hybrid RA, deployed on AWS, as done by Horse.
There are a few areas to think about.
Inbound communication
Inbound traffic is generally TLS today at the edge, but we also need to ensure it stays encrypted all the way back to the final service inside k8s, with no plaintext hop after the load balancer or ingress terminates TLS.
Communication between VM / EKS
Gitaly and other resources are outside of the cluster. We will need a way to ensure encryption between the VM-based and EKS-based resources.
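As an added example of what the VM/EKS piece could look like (this is not configuration from the issue or from the GitLab project), here are Helm values for the GitLab chart that point the in-cluster components at an external Gitaly node over TLS. The hostname, port, and secret name are placeholders, and the value keys (global.gitaly.tls.enabled, global.gitaly.external, global.certificates.customCAs) are assumed to exist in the chart version in use; verify them against the chart docs for that version. The Gitaly VM itself still has to be configured to listen on its TLS address with a certificate whose CA the cluster trusts.

```yaml
# Added example, not from the issue: GitLab Helm values for an external Gitaly over TLS.
# All hostnames, ports and secret names are placeholders.
global:
  gitaly:
    enabled: false            # Gitaly runs on a VM outside EKS, not in the cluster
    tls:
      enabled: true           # assumed key: clients use tls:// for the external nodes
    external:
      - name: default
        hostname: gitaly-1.example.internal   # placeholder: Gitaly VM hostname
        port: 8076                            # placeholder: must match the VM's tls_listen_addr
  certificates:
    customCAs:
      - secret: gitaly-ca     # assumed key: secret holding the CA that signed the Gitaly cert
```

With this in place the only path from the cluster to Gitaly is the TLS listener, so a plaintext Gitaly port can be closed on the VM and the security group for that port can be dropped, which is also the easiest way to verify from outside that nothing still depends on the unencrypted path.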
Inter-pod communication
Assuming we have inter-pod communication, we need to explore a way to secure it. Here is a good resource: https://aws.github.io/aws-eks-best-practices/security/docs/network/#encryption-in-transit_1, which details a few ways AWS suggests doing this, ranging from using a service mesh to swapping out the CNI plugin.
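As an added example of the service-mesh option (not configuration from the issue or from AWS), the following Istio resource makes the sidecars in one namespace refuse any pod-to-pod connection that is not encrypted. The namespace name is a placeholder and it assumes sidecar injection is already enabled there. Note that Istio's encryption is mutual TLS, so it also authenticates both ends; that exceeds what the partner said we need, which is fine, but it means a pod without a sidecar can no longer reach services in this namespace.

```yaml
# Added example, not from the issue: Istio PeerAuthentication enforcing encrypted
# inter-pod traffic. Namespace is a placeholder; sidecar injection is assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: gitlab          # placeholder: the namespace running the GitLab workloads
spec:
  mtls:
    # STRICT: sidecars accept only mTLS connections, so plaintext pod-to-pod
    # traffic is rejected rather than silently allowed. PERMISSIVE would accept
    # both and is only useful while migrating workloads into the mesh.
    mode: STRICT
```

Applying the same resource named `default` in the `istio-system` namespace instead makes it mesh-wide. A practical check after rollout is to exec into a pod without a sidecar and attempt a plain HTTP request to a meshed service: with STRICT in effect the connection is reset, which confirms the policy is actually enforced rather than just configured.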
Communication between services on the same Pod
We are still confirming, but it seems we will need to ensure that anything routed over a network connection (versus, say, a Unix socket) is encrypted, even between services in the same Pod. Stay tuned to: https://internal-handbook.gitlab.io/engineering/fedramp-compliance/
Mutual authentication (Unnecessary)
We do NOT need mutual authentication. We confirmed this on the call with our partner.