Keycloak in EKS with CloudFront - keycloak

I have configured Keycloak in EKS and the application is exposed using CloudFront. When I browse the application and enter the credentials, the credentials are sent using HTTP instead of HTTPS. Here is my configuration on CloudFront:
Configuration in the nginx ingress controller:
After the credentials are entered on the Keycloak login page it tries to send them over HTTP.
Require SSL is set to none in the realm and Keycloak is running with PROXY_ADDRESS_FORWARDING set to true. In the nginx ingress I have other services running on HTTP, so Keycloak can't be kept on HTTPS.
Can someone please suggest how this can be solved?
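With PROXY_ADDRESS_FORWARDING=true, Keycloak builds its redirect and form-action URLs from the scheme the proxy reports in the X-Forwarded-Proto header. ingress-nginx fills that header from the scheme the request arrived on, so when CloudFront connects to the origin over plain HTTP, Keycloak is told "http" and emits http links; the credentials also travel from CloudFront to the cluster unencrypted on that hop. The manifest below is an added example, not configuration from the question: it terminates TLS for the Keycloak host only. A tls entry in an Ingress is per host, so other hosts served by the same controller keep their plain-HTTP rules. Assumed names: namespace keycloak, host sso.example.com, Service keycloak on port 8080, and a kubernetes.io/tls Secret keycloak-tls holding a certificate for that host.

```yaml
# Added example (not from the question). Assumed names: namespace "keycloak",
# host "sso.example.com", Service "keycloak" on 8080, Secret "keycloak-tls"
# created with:
#   kubectl -n keycloak create secret tls keycloak-tls --cert=fullchain.pem --key=privkey.pem
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
spec:
  ingressClassName: nginx
  tls:
  # TLS is per host: only sso.example.com is terminated here. Ingress objects
  # for other hosts on the same controller are unaffected and stay on HTTP.
  - hosts:
    - sso.example.com
    secretName: keycloak-tls
  rules:
  - host: sso.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
```

On the CloudFront side, point the origin at sso.example.com with the origin protocol policy set to HTTPS only and use an origin request policy that forwards the Host header (Keycloak uses Host as well as X-Forwarded-Proto to build its URLs). CloudFront validates the origin certificate, so the one in keycloak-tls has to be issued by a publicly trusted CA for that name. Once the controller receives the request over TLS it sends X-Forwarded-Proto: https on its own; do not enable use-forwarded-headers on the controller to work around the problem unless the ingress is reachable only through CloudFront, because that setting makes nginx trust whatever X-Forwarded-* headers a client sends.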

Related

How to access a backend microservice (HTTP) from a frontend microservice (HTTPS via AWS ALB) in Kubernetes (EKS)?

Here's the context about the resources in my EKS cluster:
Backend microservice exposed via a Service running on port 80
Frontend microservice exposed via a Service running on port 80
The frontend service calls the backend service using the FQDN http://backend-service.backend.svc.cluster.local for REST API calls.
Additionally, I also have an Ingress object that created an Application Load Balancer for the frontend microservice.
The load balancer has an ACM SSL certificate attached.
https://my-website.com sends the traffic to the frontend service, which in turn calls the HTTP backend microservice for REST API calls.
But I'm getting the following error:
The page at https://my-website.com was loaded over HTTPS but requested an insecure XMLHttpRequest endpoint http://backend-service.backend.svc.cluster.local
How do I fix this error? I don't want to expose my backend service to the outside world with a load balancer or anything.
Edit:
My frontend is written in React.js
My backend is a Node.js Express app
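The message is a browser mixed-content block: the React bundle executes in the user's browser, not in the frontend pod, so the cluster-internal name backend-service.backend.svc.cluster.local is neither resolvable from there nor permitted as a plain-HTTP request from an HTTPS page. The way to keep the backend off the Internet as its own endpoint is to serve the API from the same HTTPS origin as the page and let the ALB route /api to the backend Service by path. The two manifests below are an added example, not from the question. They assume the AWS Load Balancer Controller v2 (ingress class alb), the namespaces frontend and backend (the latter taken from the FQDN in the question), Services frontend-service and backend-service on port 80, and a placeholder ACM certificate ARN; the group.name annotation makes both Ingresses share one ALB.

```yaml
# Added example (not from the question). Assumed: AWS Load Balancer Controller v2,
# namespaces "frontend" and "backend", Services on port 80, placeholder ACM ARN.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
  namespace: frontend
  annotations:
    alb.ingress.kubernetes.io/group.name: my-website
    # Higher order is evaluated later, so this catch-all "/" rule comes after "/api".
    alb.ingress.kubernetes.io/group.order: "10"
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Redirect plain HTTP viewers to HTTPS instead of serving the page over HTTP.
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID   # placeholder
spec:
  ingressClassName: alb
  rules:
  - host: my-website.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend
  namespace: backend
  annotations:
    alb.ingress.kubernetes.io/group.name: my-website
    # Lowest order in the group: evaluated first, and also the Ingress whose
    # load-balancer-level annotations (scheme, target-type) the controller uses.
    alb.ingress.kubernetes.io/group.order: "1"
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID   # placeholder
spec:
  ingressClassName: alb
  rules:
  - host: my-website.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: backend-service
            port:
              number: 80
```

The React code then calls relative URLs (fetch('/api/...')), so the request goes to https://my-website.com/api/... and the ALB forwards it to the Express app over HTTP inside the VPC; the Express app keeps listening on port 80 and is reachable from the Internet only through that /api rule. An Ingress cannot reference a Service in another namespace, which is why the backend gets its own Ingress in the backend namespace instead of an extra path in the frontend one.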

Is it possible to disable the Kubernetes dashboard TLS check

I am logging in to the Kubernetes dashboard on my local machine (http://kubernetes.dolphin.com:8443/#/login), and I defined a virtual domain name in /etc/hosts:
192.168.31.30 kubernetes.dolphin.com
and now I am logging in to the Kubernetes dashboard using this domain, but it gives me this tip:
Insecure access detected. Sign in will not be available. Access Dashboard securely over HTTPS or using localhost.
Is it possible to disable the Kubernetes dashboard (kubernetesui/dashboard:v2.0.3) TLS security check in the Kubernetes dashboard YAML? Because my Kubernetes is on a localhost machine and does not need TLS security. Now my dashboard login looks like this.
Enable Kubernetes dashboard HTTP access:
containers:
- name: kubernetes-dashboard
  image: 'kubernetesui/dashboard:v2.0.3'
  args:
  - '--namespace=default'
  - '--insecure-port=5443'
so you could use port 5443 to forward Kubernetes dashboard access data, and do not need to log in. But you should not do this in a production environment.

How to configure nginx ingress in kubernetes for HTTPS backends with custom CA?

I want to expose an HTTPS K8s service that uses a certificate derived from a custom root CA outside the cluster using the nginx ingress controller. Are the following configurations supported and if yes, how?
client -- (HTTP) -- ingress -- (HTTPS) -- k8s service
client -- (HTTPS) -- ingress -- (HTTPS) -- k8s service
Is it possible to configure the nginx ingress controller such that it can do TLS and mutual TLS with the HTTPS backend service?
How do I provision a root certificate to nginx ingress for backend server certificate validation?
Is it possible to do SSL termination on the ingress and do mutual-TLS with the backend?
I was able to provision the backend server certificates using the nginx.ingress.kubernetes.io/proxy-ssl-secret annotation.

Getting error "http: TLS handshake error from EOF" in Kubernetes Go program

I have a Kubernetes pod configured as a web server supporting HTTPS. This pod is giving the TLS handshake error logs. When we try to access the LoadBalancer service IP in the browser, it gives the error "the connection is not secure, proceed to unsafe". For a secure connection we have a self-signed certificate mounted as a secret in the pod volume. If we remove HTTPS support everything works fine. Can somebody suggest what could be the possible reason for such behaviour?
By default an HTTPS connection exists only between the browser and the loadbalancer. The loadbalancer communicates with pods using plain HTTP.
browser ---- https ---->|loadbalancer|---- http ----> POD
In that case, the certificate needs to be present on the loadbalancer, not on the POD, and you should disable HTTPS on the pod.
The loadbalancer can be configured to communicate with PODs using HTTPS, but it will be a different HTTPS connection:
browser ---- https ---->|loadbalancer|---- https ---> POD
Here two certificates are needed, one on the loadbalancer and one on the pod itself.
The last option is pass-through SSL, but it's not enabled by default:
                         loadbalancer
browser ---- https -----|------------|-------------> POD
Here the certificate should be placed on the pod.
The way of configuring HTTPS depends on the loadbalancer used, the cloud provider, etc. If you are using Ingress, this page might help: Kubernetes: Using Ingress with SSL/TLS termination and HTTP/2
Sidenote: browsers always complain about an insecure connection when using a self-signed certificate (unless you configure them not to).
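The three topologies in the answer above (terminate at the proxy, terminate and re-encrypt, pass through) are also exactly what the earlier question about HTTPS backends with a custom CA asks for. The manifests below are an added example, not configuration from either post, showing how ingress-nginx expresses them. Assumed: namespace apps, a Service app whose pods serve HTTPS on 8443 with a certificate issued by a private CA, hosts app.example.com and app-direct.example.com, a generic Secret backend-ca holding ca.crt plus a client certificate tls.crt/tls.key, and a kubernetes.io/tls Secret app-edge-tls for the client-facing hostname.

```yaml
# Added example (not from either post). Assumed secrets:
#   backend-ca   kubectl -n apps create secret generic backend-ca \
#                  --from-file=ca.crt --from-file=tls.crt --from-file=tls.key
#                (ca.crt = private root that signed the backend cert;
#                 tls.crt/tls.key = client cert nginx presents for mutual TLS)
#   app-edge-tls kubectl -n apps create secret tls app-edge-tls --cert=... --key=...
---
# Re-encryption: client -> ingress (HTTPS here; drop the tls: block for plain
# HTTP on the client side), ingress -> backend over HTTPS with the backend
# certificate verified against the private CA and a client certificate sent.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-reencrypt
  namespace: apps
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Secret must contain tls.crt, tls.key (client cert) and ca.crt.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "apps/backend-ca"
    # Default is "off": without this line ca.crt is never consulted and any
    # backend certificate, self-signed included, is accepted.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-verify-depth: "2"
    # Name checked against the backend certificate and sent as SNI; it must
    # appear as a SAN in the certificate the pod serves.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "app.apps.svc.cluster.local"
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-protocols: "TLSv1.2 TLSv1.3"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    secretName: app-edge-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              number: 8443
---
# Passthrough: the controller routes on the TLS SNI and forwards the raw TLS
# stream. The browser sees the pod's own certificate, so no client-facing
# secret is involved and path rules do not apply. The controller must run
# with the --enable-ssl-passthrough flag, otherwise the annotation is ignored.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-passthrough
  namespace: apps
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: app-direct.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              number: 8443
```

Two checks worth doing after applying the first Ingress: confirm that proxy-ssl-verify is actually "on" by replacing the backend certificate with one from a different CA and watching the controller return 502 rather than silently serving, and confirm the SAN by reading the controller's error log, which names the mismatch when proxy-ssl-name does not match. If only server verification is wanted and no client certificate, the backend-ca Secret still needs all three keys in the ingress-nginx version this annotation set was documented for; the tls.crt/tls.key pair is then simply not requested by a backend that does not ask for client certificates.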

Certificates for services

Moving from VMs to Kubernetes.
We are running our services on multiple VMs and have a VIP in front of them. Clients access the VIP and the VIP routes traffic to the services. Here, we use an SSL cert for the VIP, and VIP to VM also uses HTTPS.
The service is deployed to the VM with a JKS file. This JKS file holds a cert for exposing HTTPS and also for communicating with an SSL-enabled database.
How do I achieve the same thing in a Kubernetes cluster? I need HTTPS for the VIP and the services, and also for communication from the service to the SSL-enabled database.
Depending on the platform where you are running Kubernetes (on-premises, AWS, GKE, GCE etc.) you have several ways to do it, but I will describe a solution which will work on all platforms: Ingress with HTTPS termination on it.
So, in Kubernetes you can provide access to your application inside a cluster using an Ingress object. It can provide load balancing, HTTPS termination, routing by path etc. In most cases you can use the Ingress controller based on Nginx. It also provides TCP load balancing and SSL passthrough if you need them.
For providing routing from users to your services, you need:
Deploy your application as a combination of Pods and Service for them.
Deploy Ingress controller, which will manage your Ingress objects.
Create a secret for your certificate.
Create an Ingress object which points to your service, with TLS settings asking Ingress to use the secret with your certificate, like this:
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: foo-secret
Now, when you call the foo.bar.com address, Ingress will use FQDN-based routing and provide an HTTPS connection between your client and the pods in the cluster via a Service object, which knows where exactly your pod is. You can read how it works here and here.
As for encrypted communication between your services inside a cluster: you can use the same scheme with secrets to provide SSL keys to all your services, and set up the Service to use the HTTPS endpoint of an application instead of HTTP. Technically it is the same as using an HTTPS upstream in installations without Kubernetes, but all the configuration for Nginx will be generated automatically from your Service and Ingress objects.
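The steps above end at the Ingress with its tls block; the last paragraph adds that each service can get its own key material through a Secret. As an added example that is not part of the answer, the manifest below shows the pod side of that for the JKS case raised in the question: the keystore is mounted read-only from a Secret and its password is injected from the same Secret, so the container serves HTTPS the way it did on the VM, and the same file can hold the database CA for the JDBC connection. Names are assumed: Deployment and Service app, image registry.example.com/app:1.0 listening on 8443, Secret app-keystore.

```yaml
# Added example (not from the answer). Assumed: image "registry.example.com/app:1.0"
# reads /etc/app/keystore.jks, unlocking it with $KEYSTORE_PASSWORD, and listens
# on 8443. Create the Secret from the existing JKS once:
#   kubectl create secret generic app-keystore \
#     --from-file=keystore.jks=./keystore.jks \
#     --from-literal=password='<keystore password>'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: registry.example.com/app:1.0
        ports:
        - name: https
          containerPort: 8443
        env:
        # Password comes from the Secret, never from the image or a ConfigMap.
        - name: KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-keystore
              key: password
        volumeMounts:
        - name: keystore
          mountPath: /etc/app
          readOnly: true
      volumes:
      - name: keystore
        secret:
          secretName: app-keystore
          # Only the keystore file is projected; the password key stays out of the filesystem.
          items:
          - key: keystore.jks
            path: keystore.jks
          defaultMode: 0440
---
apiVersion: v1
kind: Service
metadata:
  name: app
spec:
  selector:
    app: app
  ports:
  - name: https
    port: 443
    targetPort: https
```

The Ingress in front of it is the spec.tls fragment shown in the answer plus the annotation nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" and a backend port of 443, so the controller re-encrypts to the pod instead of sending plain HTTP. Rotating the certificate is then a matter of updating the Secret and rolling the Deployment; nothing is baked into the image.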