How to enable https for Keycloak in a Jhipster generated project? - jboss

I am trying to enable https for keycloak in a Jhipster-generated project. In the Jhipster doc (https://www.jhipster.tech/security/), it says "In production, it is required by Keycloak that you use HTTPS. There are several ways to achieve this, including using a reverse proxy or load balancer that will manage HTTPS. We recommend that you read the Keycloak HTTPS documentation to learn more about this topic." And in the Keycloak doc, there is a step that says "First, you must edit the standalone.xml, standalone-ha.xml, or host.xml file".
Sounds reasonable, right? But, if installing and running the Keycloak server on a Mac, the configuration file is in /opt/jboss/keycloak..., but when running this Keycloak within the Jhipster-generated project (using the nice and easy command 'docker-compose -f src/main/docker/keycloak.yml up'), I find that there is no such folder /opt/jboss/... Either I did something wrong, or it was in some other space like the Docker container, or the Jhipster container, or somewhere else. So the question is, how should we enable https on this Keycloak shipped with the Jhipster-generated project?
Would appreciate it very much for any help from the community. Thanks!

Expose the https port 8443 of your Keycloak container and you will have self-signed https, e.g.:

    ports:
      - 443:8443

Plus, use volumes if you have your own TLS certificate, e.g.:

    volumes:
      - /path/my-cert.crt:/etc/x509/https/tls.crt
      - /path/my-cert.key:/etc/x509/https/tls.key

Related

Can Bridge To Kubernetes support HTTPS for local service?

I am using Bridge To Kubernetes to develop an Asp.Net Core API application locally.
The service uses Swagger that has a Login button to get an OAuth2 token. The OAuth flow requires the HTTPS protocol.
When running the service locally with Bridge to Kubernetes, I noticed that the service only listens on HTTP not HTTPS.
Searched documentation on Microsoft but no mentions of HTTPS.
Searched source code in GitHub and seems Bridge To Kubernetes only supports HTTP.
Just want to see if there is a workaround or it does not support HTTPS at all.
Finally, I figured out a way to do it by overwriting the environment variable URLS.
In the KubernetesLocalProcessConfig.yaml file:

    - name: URLS
      value: https://localhost:5001

This will make the local service listen on HTTPS and port 5001.
This code helps me see all the environment variables:

    // Dump every configuration key/value the app sees, environment variables included
    foreach (var c in builder.Configuration.AsEnumerable())
    {
        Console.WriteLine(c.Key + " = " + c.Value);
    }

Redirection from Apache Superset to other services on the same VM

I have a docker image running an instance of Apache Superset and some other services on the same VM. The other services are set up and deployed independently from the Superset app. What I would like to do is to be able to redirect via url from the Superset app into the other apps. Obviously simply passing a url will redirect me inside the container.
The optimal solution would not require me to include the other services into docker container and also allow for some cross service authentication.
I'm not sure how to approach this.
Please help.

Azure kubernetes - Istio certificate installation?

I am using ISTIO for service mesh in Azure kubernetes. I have configured private DNS to set up the FQDN. Currently the application is accessible over the http protocol (e.g. http://myapp.contoso.com) and I would like it to be secured with the https protocol (e.g. https://myapp.contoso.com).
I know I have to change the service port to 443 to support https protocol however how/where do I install the SSL certificate for the application (eg: https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where you want the SSL termination to happen. If you want that to happen inside the Azure kubernetes network, then you can do SSL termination at the ingress layer.
Otherwise you can also do the termination at the application gateway layer of Azure (if you want to avail of this service from Azure, the redirection from http to https, basic firewall features and adding the pfx certificates at the listeners can be done), although ingress can also take care of these things.
You can install the Let's Encrypt certificates by using this helm chart, and for further steps you can follow this stack overflow link. It shall help you in creating configurations for Istio; people have used this solution for Istio as well before.
I found the answer here: Securing Your Istio Ingress Gateway with HTTPS
There is istio documentation about that.

Keycloak Admin Console requires HTTPS when connected remotely (Should I disable SSL)

I am connecting to Keycloak remotely. And when I try to open the Admin Console, I get an error saying HTTPS required.
In one of the websites, it says that I should do this: "update REALM set ssl_required='NONE' where id = 'master';"
But I do not know the consequences of doing this. Will this make it unsecure? Or can I reverse this?
Thank you
(And if I would run Keycloak within a docker image would this problem be solved?)
The Admin console uses the OpenID Connect protocol, which needs HTTPS to be secure. So it isn't a good idea to disable ssl in the prod environment.
Keycloak in the container doesn't solve your problem. But it provides a user-friendly approach to generating a self-signed cert: Keycloak Docker HTTPS required
The secure option is to generate a valid TLS certificate and use it in your Keycloak instance, so you have a valid secure TLS/HTTPS connection.

Secure traffic between kubernetes ingress and service

I'm pretty new to kubernetes, I hope to explain myself in a good way, and if anyone has any resources/suggestions to read for my problem it would be really much appreciated.
Let's get straight to the point.
The web app I'm trying to expose accepts only https connection on the service. So basically I would like to ask the ingress to communicate with my service through https
Following some tutorial I tried to expose a simple web app (that accepts http connections) through https, creating a certificate and a secret and adding the following lines to the ingress.yml:

    tls:
      - secretName: testexample.com
        hosts:
          - testexample.com

and executing a curl -k https://testexample.com or through the browser I can see my webpage.
The trouble pops up when my webapp accepts only https connections, and the webapp we are moving to kubernetes does.
I always receive "404 default backend" message.
I tried to look for some resources/tutorial/previous questions,
Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes
Securing connections from ingress to services in Kubernetes with TLS
but I didn't figure out how to get out of the problem.
Any suggestions as mentioned before would be much appreciated.
The error source is probably your Ingress rule. It is either not pointing to the correct service & port, or it is not in the same namespace as the service.
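
The checks this answer names (correct service and port, same namespace), as an added example that is not part of the original answer: it runs over manifests in the JSON shape that `kubectl get ingress,svc -o json` returns. The `apps` namespace, the `webapp` Service and the helper names are constructed for illustration, and the backend-protocol check assumes the ingress-nginx controller, which the page does not name.

```python
# Added example; manifests are constructed, shaped like `kubectl get ... -o json`.
# Assumption: ingress-nginx controller (the page does not name the controller).
BACKEND_PROTO = "nginx.ingress.kubernetes.io/backend-protocol"

def check_ingress(ingress, services):
    """Return findings for backends the Ingress cannot reach as written."""
    meta = ingress["metadata"]
    ns = meta.get("namespace", "default")
    proto = (meta.get("annotations") or {}).get(BACKEND_PROTO, "HTTP").upper()
    by_key = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
              for s in services}
    findings = []
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            name, want = backend["name"], backend["port"]
            svc = by_key.get((ns, name))
            if svc is None:  # an Ingress can only reference Services in its own namespace
                others = sorted(n for (n, sn) in by_key if sn == name)
                hint = f" (found in namespace {others[0]})" if others else ""
                findings.append(f"{name}: no Service in namespace {ns}{hint}")
                continue
            match = [p for p in svc["spec"]["ports"]
                     if p["port"] == want.get("number")
                     or (want.get("name") and p.get("name") == want["name"])]
            if not match:
                findings.append(f"{name}: Service has no port matching {want}")
            elif match[0].get("name") == "https" and proto != "HTTPS":
                # TLS-only backend, but the controller would speak plain HTTP to it
                findings.append(f"{name}: https port but {BACKEND_PROTO} is {proto}")
    return findings

SERVICES = [{"metadata": {"name": "webapp", "namespace": "apps"},
             "spec": {"ports": [{"name": "https", "port": 8443}]}}]

def make_ingress(namespace, port, annotations=None):
    """Constructed Ingress for testexample.com pointing at Service webapp."""
    backend = {"service": {"name": "webapp", "port": {"number": port}}}
    return {"metadata": {"name": "webapp", "namespace": namespace,
                         "annotations": annotations or {}},
            "spec": {"tls": [{"secretName": "testexample.com",
                              "hosts": ["testexample.com"]}],
                     "rules": [{"host": "testexample.com", "http": {"paths": [
                         {"path": "/", "pathType": "Prefix", "backend": backend}]}}]}}

if __name__ == "__main__":
    for finding in check_ingress(make_ingress("default", 8443), SERVICES):
        print(finding)
```

An empty result means every backend resolves to a Service port in the Ingress's own namespace and, for a port named `https`, that the controller is told to use TLS toward it.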