Overview (Eureka)

Installation process

DNS Configuration

Required DNS records

Examples

TLS/SSL Certificates

Obtaining certificates

Configuring certificates

Common Issues (Kitfox/FSE)

Troubleshooting hostname resolution

...

DNS configuration can be divided into two parts: public and private.

Public DNS names are used for communication with clients outside the deployment, while private DNS is used mostly for communication between services.


Public DNS should contain the following:

  • Kong URL.

  • Keycloak URL.

  • Tenant URL (one for each tenant).


Private zones contain the following:

  • Manager components.

  • DB endpoint.

  • OpenSearch endpoint.

  • Kafka endpoint.

  • Kong endpoint (private endpoint for service communication).

  • Keycloak endpoint (private endpoint for service communication).

  • A DNS entry for each module.
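The following script is an added example (not part of this page or of the Eureka project) that checks the two zones described above: every required public and private name must resolve from the right side, and no private name should be answered by the public resolver, since a leaked private record exposes internal topology for no benefit. The domains example.org and eureka.internal, the naming scheme (kong.<domain>, keycloak.<domain>, <tenant>.<domain>, db/opensearch/kafka labels), the tenant diku, the module mod-users and the sample resolver answers are all constructed for illustration; a real deployment's names come from its own installation values.

```python
"""Added example: resolution check for Eureka public and private DNS zones.
Hostnames, labels and sample answers are constructed, not taken from a deployment."""
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], list[str]]  # hostname -> addresses ([] if it does not resolve)

# Assumed labels for the private infrastructure endpoints listed above.
PRIVATE_INFRA = ("db", "opensearch", "kafka", "kong", "keycloak")


def required_public_names(domain: str, tenants: Iterable[str]) -> list[str]:
    """Public zone: Kong URL, Keycloak URL and one URL per tenant."""
    return [f"kong.{domain}", f"keycloak.{domain}"] + [f"{t}.{domain}" for t in tenants]


def required_private_names(domain: str, managers: Iterable[str], modules: Iterable[str]) -> list[str]:
    """Private zone: DB/OpenSearch/Kafka endpoints, private Kong and Keycloak
    endpoints, the manager components and one entry per module."""
    names = [f"{label}.{domain}" for label in PRIVATE_INFRA]
    names += [f"{m}.{domain}" for m in managers]
    names += [f"{m}.{domain}" for m in modules]
    return names


def system_resolver(name: str) -> list[str]:
    """Resolve with the host's configured resolver (what a running service sees)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def audit_dns(public_names: Iterable[str], private_names: Iterable[str],
              public_resolve: Resolver, private_resolve: Resolver) -> list[str]:
    """Return a list of problems; an empty list means both zones look complete.

    public_resolve should answer as an outside client would (e.g. a public
    recursive resolver); private_resolve as a service inside the deployment would.
    A private name that the public resolver also answers is reported as a
    split-horizon leak."""
    problems = []
    for name in public_names:
        if not public_resolve(name):
            problems.append(f"public zone: {name} does not resolve")
    for name in private_names:
        if not private_resolve(name):
            problems.append(f"private zone: {name} does not resolve from inside the deployment")
        if public_resolve(name):
            problems.append(f"private zone: {name} is also visible in public DNS (split-horizon leak)")
    return problems


# Constructed sample answers so the check can be dry-run without a network.
SAMPLE_PUBLIC = {
    "kong.example.org": ["203.0.113.10"],
    "keycloak.example.org": ["203.0.113.11"],
    "diku.example.org": ["203.0.113.10"],
    "db.eureka.internal": ["203.0.113.50"],  # a private record leaked into the public zone
}
SAMPLE_PRIVATE = {
    "db.eureka.internal": ["10.0.1.5"],
    "opensearch.eureka.internal": ["10.0.1.6"],
    "kafka.eureka.internal": ["10.0.1.7"],
    "kong.eureka.internal": ["10.0.2.10"],
    "keycloak.eureka.internal": ["10.0.2.11"],
    "mgr-tenants.eureka.internal": ["10.0.3.1"],
    # mod-users.eureka.internal is deliberately missing
}


def dry_run() -> list[str]:
    """Audit the constructed sample and return the problem list."""
    return audit_dns(
        required_public_names("example.org", tenants=["diku"]),
        required_private_names("eureka.internal", managers=["mgr-tenants"], modules=["mod-users"]),
        public_resolve=lambda n: SAMPLE_PUBLIC.get(n, []),
        private_resolve=lambda n: SAMPLE_PRIVATE.get(n, []),
    )


if __name__ == "__main__":
    for line in dry_run() or ["no problems found"]:
        print(line)
```

To run it against a real deployment, pass system_resolver as private_resolve from inside the cluster and a resolver that queries a public recursive server as public_resolve; the dry run above reports the leaked db record and the missing mod-users entry.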

TLS/SSL Certificates

Eureka components can work with encryption in transit. Once a connection is established and authenticated, encryption in transit defends your data against potential attackers by:

  • Removing the need to trust the lower layers of the network, which are commonly provided by third parties.

  • Reducing the potential attack surface.

  • Preventing attackers from accessing data if communications are intercepted.

Connections to components such as Kong, Keycloak, the manager components and the sidecars require additional configuration. To run a module in TLS mode, update the module's configuration and its environment values.
For example, mgr-tenants needs its own server-side TLS configuration, and because it communicates with the Keycloak service it also needs the Keycloak truststore information (the KC_CLIENT_TLS_* variables below).

SSL Configuration environment variables

Name                            Default   Required   Description
SERVER_PORT                     8081      false      Server HTTP port. Must be set explicitly when SSL is enabled.
SERVER_SSL_ENABLED              false     false      Server mode. If true, SSL is enabled.
SERVER_SSL_KEY_STORE            -         false      Path to the keystore. Mandatory if SERVER_SSL_ENABLED is true.
SERVER_SSL_KEY_STORE_TYPE       BCFKS     false      Type of the keystore. BCFKS (the Bouncy Castle FIPS keystore format) is used by default.
SERVER_SSL_KEY_STORE_PROVIDER   BCFIPS    false      Provider of the keystore.
SERVER_SSL_KEY_STORE_PASSWORD   -         false      Password for the keystore.
SERVER_SSL_KEY_PASSWORD         -         false      Password for the key in the keystore.

Keycloak specific environment variables

Name                               Default   Required   Description
KC_CLIENT_TLS_ENABLED              -         false      Enables TLS for Keycloak clients.
KC_CLIENT_TLS_TRUSTSTORE_PATH      -         false      Truststore file path for Keycloak clients.
KC_CLIENT_TLS_TRUSTSTORE_PASSWORD  -         false      Truststore password for Keycloak clients.
KC_CLIENT_TLS_TRUSTSTORE_TYPE      -         false      Truststore file type for Keycloak clients.

More detailed information can be found on the GitHub page of each component (for example, mgr-tenants).
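The following preflight check is an added example (not part of this page or of the Eureka project) for the mgr-tenants case described above: server-side TLS through the SERVER_SSL_* variables plus a truststore for its outbound Keycloak calls through KC_CLIENT_TLS_*. It catches the configurations that the tables make easy to get wrong: SSL enabled without a keystore or without an explicit port, a BCFKS keystore paired with a provider other than BCFIPS, keystore files that are not mounted, a keystore configured while SSL is still off (the module then serves plaintext), and empty or placeholder passwords. The sample environment, the file paths and the placeholder-password list are constructed for illustration, and treating placeholder passwords as a finding is this example's own assumption, not a rule from the page.

```python
"""Added example: preflight validation of a module's TLS environment
(SERVER_SSL_* and KC_CLIENT_TLS_* variables). Sample values are constructed."""
import os
from typing import Callable

# Assumption of this example: these values are placeholders, not secrets.
PLACEHOLDER_PASSWORDS = {"", "changeit", "password", "secret"}


def _is_true(value) -> bool:
    return str(value or "").strip().lower() == "true"


def validate_tls_env(env: dict, file_exists: Callable[[str], bool] = os.path.isfile) -> list[str]:
    """Return a list of problems with the TLS settings (empty list = OK).

    file_exists is injectable so a planned environment can be checked before
    the keystore files are actually mounted into the container."""
    problems = []

    if _is_true(env.get("SERVER_SSL_ENABLED")):
        # The page requires the port to be set manually once SSL is enabled.
        if not env.get("SERVER_PORT"):
            problems.append("SERVER_PORT must be set explicitly when SERVER_SSL_ENABLED=true")
        keystore = env.get("SERVER_SSL_KEY_STORE")
        if not keystore:
            problems.append("SERVER_SSL_KEY_STORE is mandatory when SERVER_SSL_ENABLED=true")
        elif not file_exists(keystore):
            problems.append(f"SERVER_SSL_KEY_STORE points to a missing file: {keystore}")
        ks_type = env.get("SERVER_SSL_KEY_STORE_TYPE", "BCFKS")
        provider = env.get("SERVER_SSL_KEY_STORE_PROVIDER", "BCFIPS")
        if ks_type.upper() == "BCFKS" and provider.upper() != "BCFIPS":
            problems.append(f"BCFKS keystores need the BCFIPS provider, got SERVER_SSL_KEY_STORE_PROVIDER={provider}")
        if (env.get("SERVER_SSL_KEY_STORE_PASSWORD") or "") in PLACEHOLDER_PASSWORDS:
            problems.append("SERVER_SSL_KEY_STORE_PASSWORD is empty or a placeholder value")
    elif any(k.startswith("SERVER_SSL_KEY") for k in env):
        # Keystore configured but SSL not enabled: the module will serve plaintext.
        problems.append("SERVER_SSL_KEY_* is set but SERVER_SSL_ENABLED is not true (TLS is off)")

    if _is_true(env.get("KC_CLIENT_TLS_ENABLED")):
        truststore = env.get("KC_CLIENT_TLS_TRUSTSTORE_PATH")
        if not truststore:
            problems.append("KC_CLIENT_TLS_TRUSTSTORE_PATH is required when KC_CLIENT_TLS_ENABLED=true")
        elif not file_exists(truststore):
            problems.append(f"KC_CLIENT_TLS_TRUSTSTORE_PATH points to a missing file: {truststore}")
        if (env.get("KC_CLIENT_TLS_TRUSTSTORE_PASSWORD") or "") in PLACEHOLDER_PASSWORDS:
            problems.append("KC_CLIENT_TLS_TRUSTSTORE_PASSWORD is empty or a placeholder value")

    return problems


def mgr_tenants_tls_env() -> dict:
    """Constructed environment for mgr-tenants in TLS mode: server-side keystore
    plus a truststore for its Keycloak client. Paths and passwords are illustrative."""
    return {
        "SERVER_PORT": "8443",
        "SERVER_SSL_ENABLED": "true",
        "SERVER_SSL_KEY_STORE": "/etc/mgr-tenants/keystore.bcfks",
        "SERVER_SSL_KEY_STORE_TYPE": "BCFKS",
        "SERVER_SSL_KEY_STORE_PROVIDER": "BCFIPS",
        "SERVER_SSL_KEY_STORE_PASSWORD": "ks-pass-9f2e4c7b",
        "SERVER_SSL_KEY_PASSWORD": "key-pass-31d8a0e5",
        "KC_CLIENT_TLS_ENABLED": "true",
        "KC_CLIENT_TLS_TRUSTSTORE_PATH": "/etc/mgr-tenants/truststore.bcfks",
        "KC_CLIENT_TLS_TRUSTSTORE_PASSWORD": "ts-pass-6c1b9d42",
        "KC_CLIENT_TLS_TRUSTSTORE_TYPE": "BCFKS",
    }


if __name__ == "__main__":
    # Run inside the module's container before starting it.
    for problem in validate_tls_env(dict(os.environ)) or ["TLS environment looks consistent"]:
        print(problem)
```

Running the script with the module's real environment (dict(os.environ)) before start-up turns a silent misconfiguration, such as a module that is still listening on plain HTTP because SERVER_SSL_ENABLED was never set, into an explicit failure.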

Common Issues:

  • Token expiration. Fix: update the token lifespan.

  • GraphQL