Problem
The health server (POST /config, GET /health) runs over plain HTTP. For SaaS deployments where the control plane communicates over the internet, TLS is required.
Requirements
- Add optional TLS support to the hyper health server
- Configured via env vars: TLS_CERT_PATH, TLS_KEY_PATH
- When cert/key are provided, server binds with TLS
- When not provided, falls back to plain HTTP (backwards compatible)
Notes
- In Nomad/K8s internal deployments, TLS termination is often handled by the service mesh (Consul Connect, Istio). This is lower priority than auth.
- Consider using rustls instead of OpenSSL for easier cross-compilation
Acceptance Criteria
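The selection rule in the Requirements above, as an added example that is not code from this issue or the project: a std-only sketch of the startup decision, without the hyper/rustls wiring. `TlsMode`, `resolve_tls_mode` and `check_pem` are hypothetical names, and refusing to start when only one of the two variables is set is an assumption the issue does not state.

```rust
use std::{fs, path::PathBuf};

/// Listener mode chosen at startup (hypothetical type, not from the project).
#[derive(Debug, PartialEq)]
pub enum TlsMode {
    Plain,
    Tls { cert: PathBuf, key: PathBuf },
}

/// Decide the mode from an env-style lookup. `get` is injected so the logic
/// can be exercised without touching the process environment.
pub fn resolve_tls_mode(get: impl Fn(&str) -> Option<String>) -> Result<TlsMode, String> {
    // Treat empty values as unset: `TLS_CERT_PATH=` is a common templating slip.
    let var = |k: &str| get(k).filter(|v| !v.trim().is_empty());
    match (var("TLS_CERT_PATH"), var("TLS_KEY_PATH")) {
        (None, None) => Ok(TlsMode::Plain), // backwards-compatible default
        (Some(cert), Some(key)) => {
            // Also catches the two paths being swapped.
            check_pem(&cert, "CERTIFICATE-----")?;
            check_pem(&key, "PRIVATE KEY-----")?;
            Ok(TlsMode::Tls { cert: cert.into(), key: key.into() })
        }
        // Assumption: a half-set pair is an operator error. Refuse to start
        // rather than silently serving POST /config over plain HTTP.
        (Some(_), None) => Err("TLS_CERT_PATH set but TLS_KEY_PATH missing".into()),
        (None, Some(_)) => Err("TLS_KEY_PATH set but TLS_CERT_PATH missing".into()),
    }
}

/// Cheap sanity check: the file is readable and holds the expected PEM header.
fn check_pem(path: &str, marker: &str) -> Result<(), String> {
    let text = fs::read_to_string(path).map_err(|e| format!("{path}: {e}"))?;
    let found = text.lines().map(str::trim)
        .any(|l| l.starts_with("-----BEGIN ") && l.ends_with(marker));
    if found { Ok(()) } else { Err(format!("{path}: no PEM block ending in {marker}")) }
}

fn main() {
    match resolve_tls_mode(|k| std::env::var(k).ok()) {
        Ok(TlsMode::Plain) => println!("binding plain HTTP"),
        Ok(TlsMode::Tls { cert, key }) => println!("binding TLS with {cert:?} / {key:?}"),
        Err(e) => { eprintln!("refusing to start: {e}"); std::process::exit(1); }
    }
}
```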