KEYCLOAK-12307 TLS Termination configuration #186
@andymunro @pb82 @davidffrench You might be interested in this PR.
Thanks @slaskawi . @pb82 this means we should be able to remove our additional route for keycloak in the integreatly-operator 🥳 cc @philbrookes
@davidffrench Yes, it took @stianst and myself a loooong time to decide on this.
@slaskawi @davidffrench looks like it only can be We currently create a custom edge route.
@pb82 Why do you use an edge-terminated route? If that's the Let's Encrypt case, the re-encrypt should do the job and it's much safer (as the traffic between HAProxy and the Pod is encrypted).
@slaskawi I was wrong, we actually use re-encrypt. So this should be fine.
@pb82 Ok, that's great! Thanks Peter!
@stianst Comments addressed and re-pushed.
After fixing the issue @stianst mentioned, this looks good to me. I was able to test it with both passthrough and re-encrypt and both worked as expected.
@mhajas Should be fine now.
LGTM. Thanks, @slaskawi.
JIRA ID
KEYCLOAK-14095
KEYCLOAK-12307
Additional Information
This Pull Request changes the TLS configuration from Passthrough to Re-encrypt. In addition to that, it introduces a new `tlsTermination` parameter (in the `Keycloak` CR) that can be set to `passthrough` to fall back to the previous behavior.

This change improves user experience and sacrifices a bit of security. As we agreed with @stianst, the safest way of running Keycloak is a Passthrough Route that sends all encrypted traffic to Keycloak. However, this option is quite hard to configure, as the Signing Operator would need to create a valid, publicly accepted certificate for Keycloak. A much easier option is to configure this on an Ingress or Route. Moreover, the OpenShift Installer has an option to install OpenShift with Let's Encrypt support out of the box. However, it's worth mentioning that the OpenShift Router (HAProxy) will be performing re-encryption and, if some malicious code gets there, all secret codes might be dumped somewhere. This is a security concern every administrator needs to consider.

Finally, this Pull Request doesn't touch Ingress. The Ingress Controller uses so-called backside re-encryption (basically, it is configured to use an HTTPS backend) (see link1 link2). The frontend TLS configuration is up to the user; the Operator doesn't reconcile it.
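As an added illustration of the two modes described above (example manifests, not code from this PR or from the operator's own sources): the Keycloak CR with the new tlsTermination parameter, next to the Route the operator would reconcile for it. The field is assumed to live under spec.externalAccess and the default value is assumed to be spelled `reencrypt`, since the page states neither; names, namespaces and hostnames are constructed placeholders.

```yaml
# Added example, not from this PR. Assumptions (the page does not state them):
# the field sits under spec.externalAccess, the default value is spelled
# "reencrypt", the CRD group is keycloak.org/v1alpha1; names/hosts are made up.
---
# Default after this PR: re-encrypt. HAProxy terminates the client's TLS and
# opens a second TLS session to the Pod, so a publicly trusted certificate is
# only needed on the Router, but the Router handles plaintext in between.
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: kc-reencrypt
  namespace: keycloak-demo
spec:
  instances: 1
  externalAccess:
    enabled: true
    tlsTermination: reencrypt    # assumed spelling; the default when omitted
---
# Route the operator reconciles for the CR above.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: kc-reencrypt
  namespace: keycloak-demo
spec:
  host: kc.apps.example.com      # constructed
  to:
    kind: Service
    name: kc-reencrypt
  tls:
    termination: reencrypt
    # The Router must trust the Pod certificate: automatic with OpenShift
    # service-serving certificates, otherwise set destinationCACertificate.
---
# Previous behaviour, now opt-in: passthrough. The encrypted stream is handed
# to Keycloak untouched, so Keycloak itself must present a certificate the
# clients trust, and the Router can neither read nor alter the traffic.
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: kc-passthrough
  namespace: keycloak-demo
spec:
  instances: 1
  externalAccess:
    enabled: true
    tlsTermination: passthrough  # value introduced by this PR
# The resulting Route is identical to the one above except for
#   spec.tls.termination: passthrough
```

To confirm which mode the operator actually applied, `oc get route kc-reencrypt -n keycloak-demo -o jsonpath='{.spec.tls.termination}'` prints the termination type of the reconciled Route.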