SSL/TLS encryption for master <-> minion traffic: Is 'transport: tcp' necessary?

magz

Apr 27, 2020, 3:36:22 PM
to Salt-users
I am hoping for some clarification here, since the official SaltStack docs are a bit unclear.

In order to set the ssl configuration options in the master and minion config files, is it mandatory to also set 'transport: tcp' in the configs to force TLS encryption? Or will setting only the 'ssl' options in the master and minion configs enable TLS encryption in the default ZeroMQ transport facility?

The reason I ask is that I enabled 'transport: tcp' as well as the 'ssl' options yesterday on our deployment of ~1K minions, and the performance impact is substantial. The master went from using ~2-4GB of RAM to using up to 30GB of RAM with no other change. I also had to double the CPU count from 4 to 8 to handle working through the backlog when restarting the master.

Some clarification here would be much appreciated. If I can simply set the 'ssl' options and remove the 'transport: tcp' option (to use ZeroMQ) to enforce encrypted traffic, that would be fantastic.

Thanks.


Phipps, Thomas

Apr 27, 2020, 5:19:41 PM
to salt-...@googlegroups.com
Yes, `transport: tcp` is mandatory for SSL support in the transport. ZeroMQ does not support SSL. Also, https://docs.saltstack.com/en/master/topics/transports/tcp.html#tls-support has more about that setting.
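The practical consequence of the answer above is that an `ssl` block without `transport: tcp` is silently ignored. The following is an added example, not code from the thread or from Salt itself: a small lint over an already-parsed master or minion config (a dict such as `yaml.safe_load` would return), plus a live probe that reports whether a Salt port actually answers a TLS handshake. The sample configs are constructed for illustration; `ssl_version` string values follow the Salt docs' `PROTOCOL_TLSv1_2` convention.

```python
import socket
import ssl

# TLS/SSL protocol names a defender would flag if pinned in the ssl block.
WEAK_SSL_VERSIONS = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}


def check_tls_config(cfg):
    """Return a list of findings for a parsed Salt master/minion config dict."""
    transport = cfg.get("transport", "zeromq")  # Salt defaults to ZeroMQ
    ssl_opts = cfg.get("ssl")
    findings = []
    if ssl_opts and transport != "tcp":
        findings.append("ssl options are set but transport is %r; the ZeroMQ transport "
                        "ignores them, so master/minion traffic is not TLS-wrapped" % transport)
    if transport == "tcp" and not ssl_opts:
        findings.append("transport is tcp but no ssl options are set; traffic is plain TCP")
    if isinstance(ssl_opts, dict) and ssl_opts.get("ssl_version") in WEAK_SSL_VERSIONS:
        findings.append("ssl_version %r is deprecated; pin PROTOCOL_TLSv1_2 or newer"
                        % ssl_opts["ssl_version"])
    return findings


def probe_tls(host, port=4506, timeout=3.0):
    """True if the peer completes a TLS handshake on the given port, False otherwise.

    Certificate verification is deliberately off here: the question answered is
    only "is TLS spoken at all?", which is what distinguishes an effective ssl
    block from one ignored by ZeroMQ (whose ZMTP greeting makes the handshake fail).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


# Constructed sample configs (paths are placeholders, not from the thread).
SAMPLE_CONFIGS = {
    "zeromq_with_ssl": {"ssl": {"keyfile": "/path/to/key.pem", "certfile": "/path/to/cert.pem"}},
    "tcp_with_ssl": {"transport": "tcp", "ssl": {"keyfile": "/path/to/key.pem",
                     "certfile": "/path/to/cert.pem", "ssl_version": "PROTOCOL_TLSv1_2"}},
    "tcp_plain": {"transport": "tcp"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(name, check_tls_config(cfg) or "OK")
```

Run `probe_tls("salt-master.example", 4506)` (hypothetical hostname) before and after the change to confirm the ret port really switched to TLS rather than trusting the config edit alone.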
