Summary
Add TLS support for both apex's outbound connections (to celestia-node) and its inbound RPC server.
Motivation
- Production deployments often require encrypted transport
- celestia-node is also tracking TLS support (celestiaorg/celestia-node#4346)
- Without TLS, auth tokens transit in plaintext
Requirements
Upstream fetcher (outbound)
- Support `wss://` endpoints for celestia-node WebSocket connections
- Support TLS for gRPC connections to upstream nodes
- Configurable CA certificate for self-signed certs
- Skip-verify option for development (with warning log)
RPC server (inbound)
- Optional TLS termination on the JSON-RPC server
- Optional TLS on the gRPC server
- Certificate and key file paths in config
Configuration
```yaml
data_source:
  endpoint: wss://celestia-node.example.com:26658
  tls:
    ca_cert: ""        # custom CA for self-signed
    skip_verify: false # dev only
rpc:
  address: 0.0.0.0:26659
  tls:
    cert_file: ""
    key_file: ""
grpc:
  address: 0.0.0.0:26660
  tls:
    cert_file: ""
    key_file: ""
```
Non-goals
- mTLS (mutual TLS) — add later if needed
- Automatic cert provisioning (Let's Encrypt) — use a reverse proxy for that
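As an added illustration (not code from apex or from this issue), here is one way the `data_source.tls` settings above could become a `tls.Config` for the `wss://` and gRPC dials: a custom `ca_cert` is trusted for self-signed upstreams, and `skip_verify` only ever takes effect together with a warning in the log. The struct and function names are assumed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"os"
)

// TLSClientConfig mirrors the proposed data_source.tls section (field names assumed).
type TLSClientConfig struct {
	CACert     string `yaml:"ca_cert"`
	SkipVerify bool   `yaml:"skip_verify"`
}

// clientTLSFromPEM builds the dial config from an already-read CA bundle (nil = system roots).
func clientTLSFromPEM(cfg TLSClientConfig, caPEM []byte) (*tls.Config, error) {
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if cfg.SkipVerify {
		// Dev only: verification is disabled, so say so in the log on every start.
		log.Printf("WARNING: tls.skip_verify=true, upstream certificate is not verified")
		tc.InsecureSkipVerify = true
		return tc, nil
	}
	if caPEM == nil {
		return tc, nil
	}
	// Self-signed upstream: trust only the configured CA, not the system roots.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("ca_cert contains no valid PEM certificates")
	}
	tc.RootCAs = pool
	return tc, nil
}

// BuildClientTLS reads ca_cert from disk when set and delegates to clientTLSFromPEM.
func BuildClientTLS(cfg TLSClientConfig) (*tls.Config, error) {
	var caPEM []byte
	if cfg.CACert != "" {
		b, err := os.ReadFile(cfg.CACert)
		if err != nil {
			return nil, fmt.Errorf("read ca_cert %q: %w", cfg.CACert, err)
		}
		caPEM = b
	}
	return clientTLSFromPEM(cfg, caPEM)
}
```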
Related
- Implement Celestia node JSON-RPC compatibility layer #2 — JSON-RPC server
- Add gRPC API alongside JSON-RPC #3 — gRPC server
- CelestiaNodeFetcher: upstream RPC client #12 — CelestiaNodeFetcher (upstream client)
- Configuration system: YAML loading and validation #13 — Configuration system