I have 2 services deployed in Kubernetes
Application A (asp.net core 5 gRPC service)
Application B (asp.net core 5 api)
Application B is accessible via ingress-nginx-controller over https from out side of my cluster.
Application A is expose via Service and only accessible inside my cluster.
My question is how can I connect from Application B to Application A over SSL/TLS?
For HTTPS communication, you can setup certificate with "dotnet dev-certs https". Each pod will need setup self-signed certificate on port 443, for development purpose, but not recommended.
However, GRPC actually can be use with HTTP based, with service mesh support for http2/grpc for service-to-service communication. These steps can be
Call GRPC use HTTP
https://learn.microsoft.com/en-us/aspnet/core/grpc/troubleshoot?view=aspnetcore-3.0#call-insecure-grpc-services-with-net-core-client-2
Setup Linkerd
https://techcommunity.microsoft.com/t5/azure-developer-community-blog/meshing-with-linkerd2-using-grpc-enabled-net-core-services/ba-p/1377867
Hope this helps
Related
We have a cluster that runs a number of dotnet apps, one of which runs the identity server. All the other apps need to authenticate with the identity server. If the identity server was external this wouldn't be an issue as it would have an HTTPS endpoint, but internally they are all running HTTP.
With istio adding MTLS security to all the comms, do all the apps just get set with RequireHttpsMetadata = false?
Is this the correct way to setup the network with internal requests being sent as http://auth-server.default.svc.cluster.local/...?
or should they be sent as https://auth-server.default.svc.cluster.local/..., if so how?
I am using ISTIO for service mesh in Azure kubernetes. I have configured private DNS to setup the FQDN. Currently the application is accessible over http protocol(eg: http://myapp.contoso.com) and I would like to be secured with https protocol(eg: https://myapp.contoso.com).
I know I have to change the service port to 443 to support https protocol however how/where do I install the SSL certificate for the application (eg: https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where do you want the SSL termination to happen, if you want that to happen inside the Azure kubernetes network, then you can do SSL termination at ingress layer.
Or otherwise you can also do the termination at application gateway layer of Azure ( if you want to avail this service from azure, the redirection from http to https, basic firewall features and adding the pfx certificates at the listeners can be done), ingress can also take care of these things although.
You can install the let's encrypt certificates by using this helm chart and for further steps you can follow this stack overflow link, it shall help you in creating configurations for Istio, ppl have used this solution for Istio as well before
I found the answer here Securing Your Istio Ingress Gateway with HTTPS
There is istio documentation about that.
I have multiple Service Fabric APIs. Both services are hosted in the same cluster using Kestrel. Currently each service is assigned to a specific port so they show up as
http://service1:123 and
http://service2:456
I would like to access the services using default port 80 for both. Is there a way to do this without having to use Azure API Management?
Sure, Kestrel doesn't support port sharing, but you can:
run on IIS, inside containers.
use the built in reverse proxy
use a (containerized) reverse proxy like Traefik
I want to deploy Identity Server 4 on Kubernetes 1.8, and use this as a Federation Gateway between my web application and Azure Active Directory (to begin with).
If I call Identity Server from my web application using the local k8s service name, my users are redirected to the wrong Identity Server URL (containing the local k8s service name) during Sign in which clearly won't work. We are using an implicit flow.
I therefore setup a Azure Load balancer with dns name and configured Identity Server to be externally accessible with the domain name as the PublicOrigin URL.
However, my web application which runs in the same cluster cannot access Identity Server using the external URL of the Identity Server (discovery fails).
If I run Identity Server on another Kubernetes cluster then everything works fine.
My question is:
How do you properly deploy Identity Server in Kubernetes? Do I really need another Kubernetes cluster?
Note: I am using Kubernetes on Azure created with ACS engine (because we have mixed windows and linux containers).
I'm using AKS (Azure managed kubernetes) and have a single client asp.net core 2 web app in the same cluster as my IS4 service with no issues. Both webapps are fronted by Nginx with kube-lego for LetsEncrpyt TLS support, and DNS is provided by Azure DNS.
I'm not using the PublicOrigin but instead the client app's Authority (in the openidconnect setup) uses the full (external Azure) DNS name of the IS4 service. You can use PublicOrigin if you want to use the cluster service naming from your clients
I created a secure service fabric and have full control. Only services developed by me will be deployed and all public facing apis are using https. The question is for communication between service to service in cluster, is it safe to use http instead of https?
Thanks,
This is related to how do you set up your cluster with your network. Public facing services and internal services should be in a different NSG networks. You should control very strict communication between public and internal. If you can do that then http or any protocol between services is not a problem
Personally, i prefer http over remoting because there will be less dependency between services. Communication between services can be defined using Open API and therefore become vendor neutral.
There is a very good course on MVA for how to set up Service fabric class and best practice
https://mva.microsoft.com/en-US/training-courses/16925?l=E5B3nJSGD_805167344
I recommend using service fabric remoting (instead of http). This can be secured using certificates, with little effort.
More info here: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-reliable-services-secure-communication