Server configuration and encryption pages #977
base: 3.x-development
Conversation
maintenance_operation/modules/ROOT/pages/typedb-configuration.adoc
certificate-key: /path/to/private-key | ||
# Optional: | ||
ca-certificate: /path/to/ca-certificate |
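Review bot: the hunk marks `ca-certificate` as optional but does not say what the server does with the file, and the thread on this line disagrees on whether the server uses it at all. State explicitly in the docs what the server-side `ca-certificate` setting is for, and make clear that a client still has to be given the root CA itself (the console's `--tls-root-ca` in the test shown in this thread) or the connection fails with `UnknownIssuer`; otherwise readers may assume the server-side setting alone turns on certificate verification.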
This is unused at the moment, isn't it?
Why do you think so? It is.
Server:
./typedb server ... --server.encryption.ca-certificate=/Users/georgii/work/typedb-driver/tool/test/resources/encryption/ext-grpc-root-ca.pem ...
Console:
./typedb console --address https://127.0.0.1:1729 --username admin --password password --tls-root-ca /Users/georgii/work/typedb-driver/tool/test/resources/encryption/ext-grpc-root-ca.pem
Welcome to TypeDB Console!
>> exit
λ ~/Downloads/typedb-all-mac-arm64-3.4.4/ ./typedb console --address https://127.0.0.1:1729 --username admin --password password
Failed to create driver connection to server. invalid peer certificate: UnknownIssuer
Verify that the server is also configured with TLS encryption.
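The trust failure in that console run, reproduced with plain openssl as an added example (not code from the PR or from TypeDB): a private root CA signs a server certificate, and verification succeeds only when the client is handed that root, exactly like `--tls-root-ca` above. It assumes `openssl` and `mktemp` are on PATH; all file names are constructed here.

```shell
#!/bin/sh
# Added example: why a client without the root CA reports "UnknownIssuer".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private root CA (stands in for the ext-grpc-root-ca.pem used in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Server key and certificate signed by that CA (the server's certificate /
#    certificate-key pair); the SAN matches the address the console dials.
openssl req -newkey rsa:2048 -nodes -subj "/CN=127.0.0.1" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
printf 'subjectAltName=IP:127.0.0.1\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1

# verify_server_cert CA_FILE  -> prints "trusted" or "untrusted".
# An empty CA_FILE means "use only the system trust store", which is what a
# client does when no --tls-root-ca is given; our private CA is not in it.
verify_server_cert() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify "$WORK/server.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

echo "with root CA:    $(verify_server_cert "$WORK/ca.pem")"   # trusted
echo "without root CA: $(verify_server_cert "")"               # untrusted
```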
What does it do? Conceptually, it can't do anything until we've got multiple nodes.
Huh? It gives you a custom CA authority
Yes, but the CA is unused on the server side in TLS.
Good overall, left comments
You can configure a TypeDB server via two means: a YAML config file, or command line options. |
You can configure a TypeDB server via two means: a YAML config file, or command line options. | |
You can configure a TypeDB server via two means: a YAML config file or command line options. |
|
||
See xref:{page-version}@typedb-in-flight-encryption.adoc[] for more information on encryption, | ||
and the encryption section of <<_command_line_arguments>> below for the fields. |
and the encryption section of <<_command_line_arguments>> below for the fields. | |
and the encryption section of <<_command_line_arguments>> below for the configuration fields. |
or available
or configurable
=== Logging | ||
|
||
You can configure the directory that TypeDB uses for server logs - see the Logging section of <<_command_line_arguments>> below. |
These empty fragments "Logging... uhhh logging just go see the section below" look weird, but I also understand that we kinda want to cover all the upper-level categories of the configuration. Just a comment, idk what to do with it
I agree. I just copy pasted it. I think I might split / flatten the table at the end into each section.
Updated to copy over the subtable into the relevant section. Please check again
|
||
[#_machine_requirements] | ||
== Host machine configuration |
Let's comment this header out if it's not ready and we don't really plan to fill it up in the coming days
The ulimit should still be relevant
| HTTP endpoint host and port. Cannot be the same as `server.address`. Default value: `0.0.0.0:8000`. + | ||
|
||
| `server.authentication.token_ttl_seconds` |
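Review bot: `server.authentication.token_ttl_seconds` breaks the kebab-case convention the encryption fields use (`certificate-key`, `ca-certificate`), and the thread on this line reports the actual option is `token-expiration-seconds`; verify the name against the shipped config file and the CLI flags before this merges. On the HTTP endpoint line, spell out that the `0.0.0.0:8000` default binds every interface, so operators know to restrict the bind address or front it with TLS.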
This should really use the same naming convention as encryption
fields. Both in the docs and in the actual config. Can we reverify that everything is in sync?
I thought I had fixed it the last time, but I might've missed this one.
lol, it's called token-expiration-seconds
Is it called the same way in CLI args? I just see it uses _ in my outdated branch, but I thought I pulled my latest config changes. Just ensure it's actually this everywhere.
7e3593a to 89dd7f0
@farost, another round please
Goal
Document in-flight encryption and server configuration.