71 changes: 71 additions & 0 deletions .changeset/tls_support.md
@@ -0,0 +1,71 @@
---
hive-router-config: minor
hive-router-plan-executor: minor
hive-router: minor
---

# TLS Support

Adds TLS support to Hive Router for both client and subgraph connections, including mutual TLS (mTLS) authentication. This allows secure communication between clients, the router, and subgraphs by encrypting data in transit and optionally verifying identities.

## TLS Directions

TLS Support has implementations for the following 4 directions:

### Router -> Client - Regular TLS
Router has an `identity` (`cert`, `key`), and client has `cert`, then Client validates the router's `identity`

### Client -> Router - mTLS
Router has the `cert`, client has the `identity`, mTLS/Client Auth then the router validates the client's `identity`

### Subgraph -> Router - Regular TLS
Subgraph has the `identity` (`cert`, `key`), and router has `cert`, then Router validates the subgraph's `identity`.

### Router -> Subgraph - mTLS
Subgraph has the `cert`, router(which is the client this time) has the `identity`, then subgraph validates the router's `identity`.

## TLS Directions Diagram

```mermaid
flowchart LR
Client["Client"]
Router["Router"]
Subgraph["Subgraph"]

%% Router -> Client: Regular TLS
Router -- "TLS\n(cert_file + key_file)" --> Client
Client -. "validates router identity\n(cert_file)" .-> Router

%% Client -> Router: mTLS / Client Auth
Client -- "mTLS\n(client identity)" --> Router
Router -. "validates client identity\n(client_auth.cert_file)" .-> Client

%% Subgraph -> Router: Regular TLS
Subgraph -- "TLS\n(cert_file)" --> Router
Router -. "validates subgraph identity\n(all/subgraphs.cert_file)" .-> Subgraph

%% Router -> Subgraph: mTLS
Router -- "mTLS\n(client_auth.cert_file + key_file)" --> Subgraph
Subgraph -. "validates router identity\n(cert_file)" .-> Router
```

## Configuration Structure
```yaml
traffic_shaping:
router:
key_file: # Router server private key
cert_file: # Router server certificate(s)
client_auth: # mTLS: Client -> Router
cert_file: # Trusted client CA certificate(s)
all: # Default TLS for all subgraph connections
cert_file: # Trusted subgraph CA certificate(s)
client_auth: # mTLS: Router -> Subgraph
cert_file: # Router client certificate(s)
key_file: # Router client private key
subgraphs:
SUBGRAPH_NAME: # Per-subgraph TLS override
cert_file: # Trusted subgraph CA certificate(s)
client_auth: # mTLS: Router -> Subgraph
cert_file: # Router client certificate(s)
key_file: # Router client private key
```
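Review bot: in the "Configuration Structure" block the single key name `cert_file` carries three different meanings, and the changeset should say which is which (or the keys should be renamed) before users wire up mTLS. Under `router:` the line `cert_file: # Router server certificate(s)` is the router's own identity; under `router.client_auth:` and under `all:`/`subgraphs.<name>:` the line `cert_file: # Trusted client CA certificate(s)` / `cert_file: # Trusted subgraph CA certificate(s)` is a trust anchor; and under `all.client_auth:` the line `cert_file: # Router client certificate(s)` is again an identity. A reader who confuses the two roles can end up trusting an end-entity certificate as a CA or presenting a CA bundle as a client certificate, and nothing in the text distinguishes them apart from the comments. Consider naming the trust-anchor fields `ca_file` (or similar) or adding one sentence per field stating "identity (cert + key)" versus "trust store used to verify the peer". Two further gaps worth closing in the same section: (1) whether a `subgraphs.SUBGRAPH_NAME` entry replaces the `all` block wholesale or merges field by field (in particular whether `all.client_auth` still applies when a subgraph override sets only `cert_file`), and (2) whether configuring `router.client_auth` makes a client certificate mandatory for every connection or merely verifies one when presented, since the security guarantee of "Client -> Router - mTLS" depends on the former. Finally, the YAML as rendered here shows every key at the same indentation, so please double-check that the committed file nests `router`, `all` and `subgraphs` under `traffic_shaping` as the prose implies.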