- Is there an assumption that all clusters that you could connect at the same time use certs emitted by the same CA ?
I’m not an expert in the internals of the bindings but theoretically with the multi-threaded client having a dedicated certificate configuration should be possible, but I believe this feature is not exposed via the bindings.
- Apart from the TLS configuration, would FDB library support simultaneous active connections to multiple clusters and interacting with them? We are trying to make sure we would be using a supported feature and not something that just happens to work / unintentional.
This is supported and works fine with the FDB client library, we use this setup e.g. in the fdb-kubernetes-operator. If you use a recent FDB version (6.3+) you might want to look at the multi-threaded client (Using FoundationDB Clients — FoundationDB 7.1) for FDB, depending on your workload this might help to improve performance.
- For those of you that work with multiple FDB clusters, do you usually assign/create one client-certificate per client node? Do you have the same root CA generate certificates for all clusters?
For the operator the current assumption is that only one client certificate is provided, so all clusters that are managed by the same FDB Kubernetes operator instance must have the same root CA. The idea is to separate the access for the different clusters by using the peer verification (Transport Layer Security — FoundationDB 7.1), assuming that your certs for the different clusters have a field that can be used to distinguish those clusters.
- For certain applications, we like to limit FDB access to matching application nodes (different tenants, for example). I understand there is an upcoming feature described in this “Authorization in FDB”. thread . Are there any techniques to achieve that before 7.2? Is this usually done at the network/firewall level?
If you only want to control who can connect to the FDB cluster you can use the peer verification, but this only allows or denies access to the whole cluster (not specific key spaces).