I looked around IdentityServer4 official GitHub for configuring signing credential (certificate) for production, but i can't find any example. Specific thing for my environment is that it runs on Docker, so i need a cert to be generated in runtime for Linux machine, and then used for validating tokens.
In development mode i use AddDeveloperSigninCertificate helper in Startup.cs and it does the job, but i need a cert for production.
Did anyone have same issue?
Thanks!
I have an application that is internal and exposed only to other application on the cluster by a service with cluster IP. Other services are accessing this application via it's DNS (serviceName-namespace.svc.cluster.local). This application handles sensitive data, so although all the communication is inside the cluster I would like to use TLS to secure the communications to this application.
My question is - how can I enable TLS on a service? Is there something already exist or should I handle it on the application code? Also, is there already a CA I can use on the cluster that can sign certificates for .svc.cluster.local?
To clarify, I know I can use ingress for this purpose. The only problem is keeping this service internal only - so only services inside the cluster will be able to access it.
Thanks,
Omer
I just found that Kubernetes API can be used to generate a certificate that will be trusted by all the pods running on the cluster. This option might be simpler than the alternatives. You can find the documentation here, including full flow of generating a certificate and using it.
Following #vonc comments from bellow, I think I have a solution:
Purchase a public valid domain for this service (e.g. something.mycompany.com).
Use CoreDNS to add override rule so all requests to something.mycompany.com will go to something-namesapce.svc.cluster.local, as the service is not exposed externally (this can be done also with normal A record for my use case).
Use Nginx or something else to handle TLS with the certificate for something.mycompany.com.
This sounds pretty complicated but might work. What do you think?
Check if the tutorial "Secure Kubernetes Services with Ingress, TLS and LetsEncrypt" could apply to you:
Ingress can be backed by different implementations through the use of different Ingress Controllers. The most popular of these is the Nginx Ingress Controller, however there are other options available such as Traefik, Rancher, HAProxy, etc. Each controller should support a basic configuration, but can even expose other features (e.g. rewrite rules, auth modes) via annotations.
Give it a domain name and enable TLS. LetsEncrypt is a free TLS certificate authority, and using the kube-lego controller we can automatically request and renew LetsEncrypt certificates for public domain names, simply by adding a few lines to our Ingress definition!
In order for this to work correctly, a public domain name is required and should have an A record pointing to the external IP of the Nginx service.
For limiting to inside the cluster domain though (svc.cluster.local), you might need CoreDNS.
On Google Cloud you can make load balancer service internal, like this:
annotations = {
"cloud.google.com/load-balancer-type" = "Internal"
}
In my organization we are used jira for project management, we want to secure it from http to https, we were tried a lot. please give me the proper solution
Do you have tried with Certbot from let's encrypt?
My site on openshift works with http and https prefix. Does it mean that https is allready set up properly so I do not need any additional steps to configure it there? Do I need any ssl sertificate for https?
As you mentioned in comments, you are using openshift v2.
Here you can use either custom rhcloud.com subdomain or use your own domain name.
All applications URL under rhcloud.com (say, example-username.rhcloud.com) use a shared SSL certificate. So, If you use rhcloud.com subdomain, you don't need to configure anything. They automatically provide *.rhcloud.com wildcard certificate.
To use HTTPS for your custom domain name (say, www.example.com) or alias, you need to upload your own certificate. To upload custom SSL certificate, You need to subscribe to a Premium plan. Free plan does not allow custom SSL certificate.
You can read more about how to set up custom domain, alias or SSL certificate, here. The previous documentation link is valid only for openshift v2.
I'm trying to set a telegram bot up. My favourite language is Java. In the past, I had experience with Grizzly lightweight webserver so I'd like to use it. The problem is that I don't know how to configure the whole environment in order to make it works with SSL.
I configured Apache2 on my Debian machine and it works with an autosigned SSL certificate. So if I browse https://10.0.0.1/ I can see the Apache welcome page.
The plan is to receive HTTPS POST requests containing a JSON and forward them to a Grizzly.
How could I achieve it?
Easy! With ProxyPass in Apache2!
Guide followed here