

```yaml
extraEnvVars:
  - name: JAVA_OPTS
    value: "=keycloak-headless.keycloak "
  - name: KC_HOSTNAME_STRICT
    value: "true "

# Required if the -cache-stack=kubernetes
"/opt/bitnami/scripts/keycloak/setup.sh & /opt/bitnami/keycloak/bin/kc.sh build -cache=ispn -cache-stack=kubernetes & /opt/bitnami/keycloak/bin/kc.sh -cf /opt/bitnami/keycloak/conf/nf start "
```

If using TLS inside Keycloak, I'd be looking at `proxy: reencrypt` at the very least. I can see this piece here:

but it feels optional, rather than enforced. I'll keep digging into the upstream Keycloak documentation to see if I can find the hard requirement to use TLS, but so far it feels like it has been imposed by Bitnami themselves rather than by Keycloak as the underlying app. Adding additional certs to Keycloak to ensure traffic is wrapped before being wrapped again doesn't add much in terms of security, only complexity, as all original traffic is encrypted with my edge certificate in the first instance regardless. I have edge certificates to encrypt traffic from outside to my LB, which then strips the cert and onboards the traffic into the mesh, which wraps things with TLS.

One of the main reasons I use a service mesh is to avoid having to manage certificates in multiple places, but this upgrade to 17, using the `KEYCLOAK_PRODUCTION` env var imposed by the scripts, forces me to create TLS certificates for Keycloak specifically. I've been able to get Keycloak running in production mode without passing the TLS flags to point to any known PEM files or Java keystores. The TLS requirement feels like something imposed by Bitnami rather than Keycloak itself. I'm having to read the Keycloak docs and marry them up with the chart; no docs around upgrades from the current chart version I am on to the one I desire to be on exist, so it is a bit of guesswork, but I don't believe my override values cause this issue.

```
DO NOT use this configuration in production.
10:42:47,041 WARN (main) Running the server in development mode.
```

To not see a warning of "DO NOT use in production", this is pretty concerning.

```yaml
  - name: KEYCLOAK_EXTRA_ARGS
    value: "ontendUrl= "
```

# What is the expected behavior?

```yaml
# Without needing to force backend request through the frontend
# Need to look into /auth being removed in keycloak 17
# required as KUBE_PING is used as the discovery mechanism
automountServiceAccountToken: true
rbac:
OwnersCount: 2
authOwnersCount: 2
# TLS is terminated by NGINX, NGINX -> keycloak HTTP (wrapped in TLS by service-mesh)
# ref:
proxy: edge # no longer a thing (was in older versions)
proxyAddressForwarding: true
replicaCount: 2
# ServiceDiscovery, serviceAccount and rbac required when more than 1 replica exists
serviceDiscovery:
```
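The setup the post describes, TLS terminated at the LB and mesh with Keycloak 17 in production mode on plain HTTP, as an added values override. This is example configuration written for this page, not the issue author's values and not the chart's own `values.yaml`; the chart keys (`production`, `tls.enabled`, `cache.*`, `serviceAccount`, `rbac`, `extraEnvVars`), the hostname `sso.example.org`, and the headless service name are assumptions to be checked against the chart version in use, and the `KC_*` variables against `kc.sh start --help` for the deployed Keycloak version.

```yaml
# Added example for this page (not the issue's values, not the bitnami chart defaults).
# Keycloak 17 in production mode behind a TLS-terminating proxy, no certificate handed
# to Keycloak itself. Every chart key below is an assumption against the chart version.
replicaCount: 2

production: true        # run `kc.sh start`, not start-dev, so the "development mode" WARN goes away
tls:
  enabled: false        # no PEM files or keystores; the LB and the mesh carry TLS

# Discovery for the Infinispan cluster (only matters with replicaCount > 1)
cache:
  enabled: true
  stackName: kubernetes # assumed chart key; same effect as `--cache-stack=kubernetes`
serviceAccount:
  create: true
rbac:
  create: true          # pod/endpoint listing that the kubernetes/DNS ping stack relies on

extraEnvVars:
  # Without this, production mode refuses to serve plain HTTP at all.
  - name: KC_HTTP_ENABLED
    value: "true"
  # edge = TLS ends before Keycloak; Keycloak then TRUSTS X-Forwarded-Proto/Host/For.
  # Security caveat: port 8080 must be reachable only through the proxy/mesh. Anyone
  # who can hit the pod directly can spoof those headers and the issuer URL with them.
  - name: KC_PROXY
    value: "edge"
  # Pin the public hostname and keep strict mode on, so a forged Host header cannot
  # change the issuer or redirect targets. "sso.example.org" is an assumed value.
  - name: KC_HOSTNAME
    value: "sso.example.org"
  - name: KC_HOSTNAME_STRICT
    value: "true"
  # JGroups DNS query for the headless service; service name/namespace are assumed.
  - name: JAVA_OPTS
    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local"
```

To confirm the proxy headers are honoured rather than ignored, call the pod on plain HTTP from inside the mesh with the headers the LB would set, e.g. `curl -sS -H 'X-Forwarded-Proto: https' -H 'X-Forwarded-Host: sso.example.org' http://<pod-ip>:8080/realms/master/.well-known/openid-configuration`, and check that the returned `issuer` is `https://sso.example.org/realms/master` (note the `/realms` path without `/auth` in 17). Repeat the call without the headers: with `KC_HOSTNAME` and strict mode set the issuer should still name the configured host, which is the point of pinning it.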
