
priv/dist/inet_tls.config

%% SSL options for TLS distribution (-proto_dist inet_tls).
%%
%% Mutual TLS between BEAM nodes: each node presents a cert and verifies the
%% peer's cert against our distribution CA. With this in place, a stolen Erlang
%% cookie is NOT enough to join the cluster — a peer must also hold a key/cert
%% signed by dist-ca.pem. The cookie challenge still runs inside the TLS
%% session, so it remains a second check rather than the only one. Because
%% anything dist-ca.pem signs can join, that CA must be dedicated to
%% distribution and sign nothing else (do not reuse a general service CA).
%%
%% Cert paths point at a Secret mounted read-only at /app/dist-certs (see the
%% k8s manifest). Same cert/key is fine for all pods (they're peers of one
%% service); verify_peer + the shared CA is what provides authentication.
%% Trade-off: a shared key means the cluster credential lives in every pod, so
%% one compromised pod can join as any node and there is no per-node
%% revocation — rotation means reissuing the Secret for all pods at once.
%%
%% Docs: https://www.erlang.org/doc/apps/ssl/ssl_distribution.html
[
  %% Accepting side: options used when this node listens for incoming
  %% distribution connections.
  {server, [
    {certfile, "/app/dist-certs/dist-cert.pem"},
    {keyfile,  "/app/dist-certs/dist-key.pem"},
    %% Trust anchor. Any chain that ends at this CA is accepted, so the CA
    %% must be dedicated to distribution and sign nothing else.
    {cacertfile, "/app/dist-certs/dist-ca.pem"},
    %% verify_peer alone still admits a client that presents no certificate;
    %% fail_if_no_peer_cert is what turns this into true mutual TLS.
    {verify, verify_peer},
    {fail_if_no_peer_cert, true},
    %% Only relevant to TLS 1.2 (1.3 has no renegotiation): refuse peers that
    %% lack RFC 5746 secure renegotiation.
    {secure_renegotiate, true},
    %% Explicit allow-list; nothing older than TLS 1.2 can be negotiated.
    %% NOTE(review): no {depth, N} is set, so the ssl default chain depth
    %% applies. If dist-ca.pem signs leaf certs directly, {depth, 1} would
    %% reject unexpected intermediates — confirm the issuing layout first.
    {versions, ['tlsv1.3', 'tlsv1.2']}
  ]},
  %% Connecting side: options used when this node dials out to a peer.
  %% The server's certificate is always required on the client side, so no
  %% fail_if_no_peer_cert is needed here.
  {client, [
    {certfile, "/app/dist-certs/dist-cert.pem"},
    {keyfile,  "/app/dist-certs/dist-key.pem"},
    {cacertfile, "/app/dist-certs/dist-ca.pem"},
    %% Verifies the server's chain against dist-ca.pem.
    %% NOTE(review): hostname matching is not configured explicitly here.
    %% Since one cert is shared by all pods, confirm for this OTP version how
    %% inet_tls handles server_name_indication / hostname checks, and that the
    %% cert's SANs cover the peer hostnames (or that the check is knowingly
    %% relaxed) — otherwise connects may fail, or a weaker check may be relied
    %% upon without anyone noticing.
    {verify, verify_peer},
    %% Same TLS 1.2-only renegotiation hardening as on the server side.
    {secure_renegotiate, true},
    %% Keep in sync with the server list so peers always share a version.
    {versions, ['tlsv1.3', 'tlsv1.2']}
  ]}
].