mirror of
https://github.com/dolthub/dolt.git
synced 2026-03-07 00:58:26 -06:00
A remotesapi server running on a cluster replica publishes a JWKS. Every outbound gRPC call the cluster replica makes includes a JWT signed with a private key. remotesapi servers running on cluster replicas require and validate incoming JWTs for cluster traffic. The set of valid signing keys is taken from the JWKSes which are published at /.well-known/jwks.json on the standby replica hosts. It is possible to configure tls_ca on cluster remotesapi to configure the set of trusted roots for outbound TLS connections. Because the JWKSes are served over the same connection, and because signed JWTs are not replay resistant, TLS is recommended for all deployment topologies.
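The publish, sign and validate flow described in this commit message, as an added Go sketch that is not dolt's code: one side issues a JWKS and a signed JWT, the other validates the token against that JWKS. Because validation is stateless, the same token is accepted a second time, which is the replay property the message gives as the reason for TLS. Assumptions not taken from the page: Ed25519/EdDSA keys, a token carrying only an `exp` claim, the kid `replica-1`, and the function names `Issue` and `Verify`.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments and JWK fields are unpadded base64url

// Issue plays the calling replica (assumed: Ed25519 key, exp-only claims): returns its JWKS and a signed JWT.
func Issue(kid string, exp time.Time) (jwks, token string) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key; nil selects crypto/rand
	jwks = fmt.Sprintf(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":%q,"x":%q}]}`, kid, b64.EncodeToString(pub))
	h := b64.EncodeToString([]byte(fmt.Sprintf(`{"alg":"EdDSA","kid":%q}`, kid)))
	c := b64.EncodeToString([]byte(fmt.Sprintf(`{"exp":%d}`, exp.Unix())))
	return jwks, h + "." + c + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(h+"."+c)))
}

// Verify plays the receiving replica: a key from the caller's JWKS must have signed the unexpired token.
func Verify(jwks, token string, now time.Time) error {
	var set struct{ Keys []struct{ Kid, X string } }
	var hdr struct{ Alg, Kid string }
	var claims struct{ Exp int64 }
	p := strings.Split(token, ".")
	if len(p) != 3 || json.Unmarshal([]byte(jwks), &set) != nil {
		return fmt.Errorf("malformed token or JWKS")
	}
	hb, e1 := b64.DecodeString(p[0])
	cb, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return fmt.Errorf("undecodable token")
	}
	for _, k := range set.Keys {
		pub, err := b64.DecodeString(k.X)
		ok := err == nil && len(pub) == ed25519.PublicKeySize && k.Kid == hdr.Kid && hdr.Alg == "EdDSA"
		if ok && ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) && now.Unix() < claims.Exp {
			return nil // stateless check: a captured token passes again until exp
		}
	}
	return fmt.Errorf("no published key validates this token, or it has expired")
}
func main() {
	jwks, tok := Issue("replica-1", time.Now().Add(time.Minute)) // constructed kid and lifetime
	fmt.Println(Verify(jwks, tok, time.Now()), Verify(jwks, tok, time.Now())) // both nil: the replay is accepted
}
```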