Integrating IdentityServer4 with CertManager on Kubernetes
I'm developing an app using microservices' approach. We have a bunch of microservices running behind an Ocelot Gateway, one of those microservices being IdentityServer4. Initially the application was running using HTTP as i didn't know how to handle HTTPS at that point.
When using Docker for windows, everything was running as expected. At this point inside my startup class of identity server microservice i have something like this:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30;
})
.AddAspNetIdentity<User>();
Now we want to handle HTTPS and certificates and i don't really know how to do it. I figure i need to get rid of AddDeveloperSigningCredential() first.
I've found this post online to use certificates on IdentityServer's part. Apparently the easiest way to handle secure connections on Kubernets is to create a reverse proxy controller (ingress) with Cert-Manager & Let's Encrypt to handle certificates - an example here.
On one side i have certificates handled by Cert-Manager. On the other hand i have certificates generated manually for IdentityServer4 purposes. I don't know what's the most optimal approach to handle IdentityServer certificates on kubernetes.
authentication ssl kubernetes identityserver4 cert-manager
add a comment |
I'm developing an app using microservices' approach. We have a bunch of microservices running behind an Ocelot Gateway, one of those microservices being IdentityServer4. Initially the application was running using HTTP as i didn't know how to handle HTTPS at that point.
When using Docker for windows, everything was running as expected. At this point inside my startup class of identity server microservice i have something like this:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30;
})
.AddAspNetIdentity<User>();
Now we want to handle HTTPS and certificates and i don't really know how to do it. I figure i need to get rid of AddDeveloperSigningCredential() first.
I've found this post online to use certificates on IdentityServer's part. Apparently the easiest way to handle secure connections on Kubernets is to create a reverse proxy controller (ingress) with Cert-Manager & Let's Encrypt to handle certificates - an example here.
On one side i have certificates handled by Cert-Manager. On the other hand i have certificates generated manually for IdentityServer4 purposes. I don't know what's the most optimal approach to handle IdentityServer certificates on kubernetes.
authentication ssl kubernetes identityserver4 cert-manager
Handling HTTPS and token signing and verification are two separate concerns and the only one you'd need to worry about from an application development PoV is how to load your token signing certificate/key pair. Does Kubernetes offer some kind of secret store that you can use to store a certificate file and load into IDS4 during startup?
– mackie
Nov 22 at 11:11
add a comment |
I'm developing an app using microservices' approach. We have a bunch of microservices running behind an Ocelot Gateway, one of those microservices being IdentityServer4. Initially the application was running using HTTP as i didn't know how to handle HTTPS at that point.
When using Docker for windows, everything was running as expected. At this point inside my startup class of identity server microservice i have something like this:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30;
})
.AddAspNetIdentity<User>();
Now we want to handle HTTPS and certificates and i don't really know how to do it. I figure i need to get rid of AddDeveloperSigningCredential() first.
I've found this post online to use certificates on IdentityServer's part. Apparently the easiest way to handle secure connections on Kubernets is to create a reverse proxy controller (ingress) with Cert-Manager & Let's Encrypt to handle certificates - an example here.
On one side i have certificates handled by Cert-Manager. On the other hand i have certificates generated manually for IdentityServer4 purposes. I don't know what's the most optimal approach to handle IdentityServer certificates on kubernetes.
authentication ssl kubernetes identityserver4 cert-manager
I'm developing an app using microservices' approach. We have a bunch of microservices running behind an Ocelot Gateway, one of those microservices being IdentityServer4. Initially the application was running using HTTP as i didn't know how to handle HTTPS at that point.
When using Docker for windows, everything was running as expected. At this point inside my startup class of identity server microservice i have something like this:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration[IDENTITYSERVERDB_CONNECTIONSTRING],
sql => sql.MigrationsAssembly(migrationsAssembly));
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30;
})
.AddAspNetIdentity<User>();
Now we want to handle HTTPS and certificates and i don't really know how to do it. I figure i need to get rid of AddDeveloperSigningCredential() first.
I've found this post online to use certificates on IdentityServer's part. Apparently the easiest way to handle secure connections on Kubernets is to create a reverse proxy controller (ingress) with Cert-Manager & Let's Encrypt to handle certificates - an example here.
On one side i have certificates handled by Cert-Manager. On the other hand i have certificates generated manually for IdentityServer4 purposes. I don't know what's the most optimal approach to handle IdentityServer certificates on kubernetes.
authentication ssl kubernetes identityserver4 cert-manager
authentication ssl kubernetes identityserver4 cert-manager
asked Nov 22 at 9:42
skyrunner
145
145
Handling HTTPS and token signing and verification are two separate concerns and the only one you'd need to worry about from an application development PoV is how to load your token signing certificate/key pair. Does Kubernetes offer some kind of secret store that you can use to store a certificate file and load into IDS4 during startup?
– mackie
Nov 22 at 11:11
add a comment |
Handling HTTPS and token signing and verification are two separate concerns and the only one you'd need to worry about from an application development PoV is how to load your token signing certificate/key pair. Does Kubernetes offer some kind of secret store that you can use to store a certificate file and load into IDS4 during startup?
– mackie
Nov 22 at 11:11
Handling HTTPS and token signing and verification are two separate concerns and the only one you'd need to worry about from an application development PoV is how to load your token signing certificate/key pair. Does Kubernetes offer some kind of secret store that you can use to store a certificate file and load into IDS4 during startup?
– mackie
Nov 22 at 11:11
Handling HTTPS and token signing and verification are two separate concerns and the only one you'd need to worry about from an application development PoV is how to load your token signing certificate/key pair. Does Kubernetes offer some kind of secret store that you can use to store a certificate file and load into IDS4 during startup?
– mackie
Nov 22 at 11:11
add a comment |
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53427940%2fintegrating-identityserver4-with-certmanager-on-kubernetes%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53427940%2fintegrating-identityserver4-with-certmanager-on-kubernetes%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Handling HTTPS and token signing and verification are two separate concerns and the only one you'd need to worry about from an application development PoV is how to load your token signing certificate/key pair. Does Kubernetes offer some kind of secret store that you can use to store a certificate file and load into IDS4 during startup?
– mackie
Nov 22 at 11:11