External-Mirrors/keycloak
2
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-01-10 15:32:05 -03:30
Code Issues Packages Projects Releases Wiki Activity

Document how to configure Istio to allow for JGroups mTLS (#39421)

Browse Source 
Closes #39065

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
This commit is contained in:
Alexander Schwartz 2025-05-05 08:45:24 +02:00 committed by GitHub
parent 1c1a814035
commit 3dd1389927
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/documentation/upgrading/topics/changes/changes-26_2_0.adoc
View File

@ -69,6 +69,8 @@ If you provided your own keystore and truststore to secure the TCP transport sta
If you are using a custom transport stack, this default behavior can be disabled by setting the option `cache-embedded-mtls-enabled` to `false`.
If you are using a service mesh, configure it to allow direct mTLS communication between the {project_name} Pods.
For more information, check the link:https://www.keycloak.org/server/caching#_securing_transport_stacks[Securing Transport Stacks] in the distributed caches guide.
=== Operator creates NetworkPolicies to restrict traffic

33
docs/guides/server/caching.adoc
View File

@ -280,6 +280,39 @@ The keys and the certificate are stored in the database so they are available to
By default, the certificate is valid for 60 days and is rotated at runtime every 30 days.
Use the option `cache-embedded-mtls-rotation-interval-days` to change this.
=== Running inside a service mesh
When using a service mesh like Istio, you might need to allow a direct mTLS communication between the {project_name} Pods to allow for the mutual authentication to work.
Otherwise, you might see error messages like `JGRP000006: failed accepting connection from peer SSLSocket` that indicate that a wrong certificate was presented, and the cluster will not form correctly.
You then have the option to allow direct mTLS communication between the {project_name} Pods, or rely on the service mesh transport security to encrypt the communication and to authenticate peers.
To allow direct mTLS communication for {project_name} when using Istio:
* Apply the following configuration to allow direct communication.
+
[source,yaml]
----
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: infinispan-allow-nomtls
spec:
selector:
matchLabels:
app: keycloak # <1>
portLevelMtls:
"7800": # <2>
mode: PERMISSIVE
----
<.> Update the labels to match your {project_name} deployment.
<.> Port 7800 is the default. Adjust it if you change the data transmission port.
As an alternative, to disable the mTLS communication, and rely on the service mesh to encrypt the traffic:
* Set the option `cache-embedded-mtls-enabled` to `false`.
* Configure your service mesh to authorize only traffic from other {project_name} Pods for the data transmission port (default: 7800).
=== Proving your own keys and certificates
Although not recommended for standard setups, if it is essential in a specific setup, you can configure the keystore with the certificate for the transport stack manually. `cache-embedded-mtls-key-store-file` sets the path to the keystore, and `cache-embedded-mtls-key-store-password` sets the password to decrypt it.