We were discussing the sidecar model for logging, and also the service broker model for logging. Keycloak deployments can also be facilitated with service brokers. The vanilla Keycloak deployment uses plain HTTP. Usually the Keycloak pod is hosted within the cluster, and since the traffic is internal to the cluster, there is no security issue.
However, the traffic may need to be secured with TLS when Keycloak is hosted outside the cluster, or when the service broker implementation uses services outside the cluster.
Let us take a quick look at how to do this:
1) First we create a PKCS12 keystore.
2) Then we import it into a JKS keystore (keycloak.jks).
3) Then we define the security realm in the standalone.xml config:
<security-realm name="ProductRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="password" />
        </ssl>
    </server-identities>
</security-realm>
4) Then we replace the security-realm of the https-listener (and of the host's http-invoker) with the new realm, as below:
<https-listener name="https" socket-binding="https" security-realm="ProductRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
    <location name="/" handler="welcome-content"/>
    <http-invoker security-realm="ProductRealm"/>
</host>
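As an added example (not code from the original post), here is a small Python script that applies steps 3 and 4 to a standalone.xml and then checks that the https-listener really points at a realm backed by an ssl keystore. The namespace URIs and the cut-down sample standalone.xml are assumptions; real files differ by WildFly/Keycloak version.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumed for illustration; version suffixes vary by WildFly/Keycloak release.
NS = {"d": "urn:jboss:domain:4.0", "u": "urn:jboss:domain:undertow:3.1"}
ET.register_namespace("", NS["d"])  # keep the default namespace when writing the file back
D = "{%s}" % NS["d"]

# Constructed, stripped-down standalone.xml: only the parts the procedure touches.
SAMPLE = """<server xmlns="urn:jboss:domain:4.0">
  <management><security-realms/></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:3.1"><server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
    <host name="default-host" alias="localhost"><http-invoker security-realm="ApplicationRealm"/></host>
  </server></subsystem></profile>
</server>"""

def add_security_realm(root, name, keystore, password):
    """Step 3: add a <security-realm> whose server identity is the JKS keystore."""
    realms = root.find("d:management/d:security-realms", NS)
    realm = ET.SubElement(realms, D + "security-realm", name=name)
    ssl = ET.SubElement(ET.SubElement(realm, D + "server-identities"), D + "ssl")
    # keystore-password is stored in clear text in standalone.xml; WildFly's vault can mask it.
    ET.SubElement(ssl, D + "keystore", path=keystore,
                  **{"relative-to": "jboss.server.config.dir", "keystore-password": password})
    return realm

def bind_https_listener(root, realm):
    """Step 4: point the https-listener and the host's http-invoker at the new realm."""
    listener = root.find(".//u:https-listener[@name='https']", NS)
    listener.set("security-realm", realm)
    listener.set("enable-http2", "true")
    for invoker in root.iterfind(".//u:http-invoker", NS):
        invoker.set("security-realm", realm)
    return listener

def tls_realm_ok(root):
    """Check: the https-listener names a realm that actually carries an <ssl><keystore>."""
    listener = root.find(".//u:https-listener", NS)
    realm = listener.get("security-realm") if listener is not None else None
    ks = root.find("d:management/d:security-realms/d:security-realm[@name='%s']"
                   "/d:server-identities/d:ssl/d:keystore" % realm, NS)
    return ks is not None and bool(ks.get("path"))

def configure(xml_text, realm="ProductRealm", keystore="keycloak.jks", password="password"):
    """Apply steps 3 and 4 to a standalone.xml string; returns the patched tree."""
    root = ET.fromstring(xml_text)
    add_security_realm(root, realm, keystore, password)
    bind_https_listener(root, realm)
    return root
```

Write the result back with `ET.ElementTree(configure(open("standalone.xml").read())).write(...)`; the check catches the common slip of renaming the listener's realm without actually defining it.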
If the deployments were all within the cluster, another option to secure the services would be to use a service mesh.