# talk-hydra

green-diamond-76998

03/07/2022, 6:40 PM
Hello! We are rolling out Hydra on Kubernetes using the Ory Hydra Helm Chart. On our cluster we are using Istio. Istio is handling the TLS. How should Hydra be set up in this case? The problem we have is there are 2 domains for each service, the external one and internal, for example:
<https://hydra-admin.k8s.eu-west-1.non-prod.example.net> <- available in our VPN, used for setting up clients
<http://hydra-admin.ory.svc.cluster.local:4445> <- available only within k8s, called by login and consent frontend
The full domain works, because it is https, but the internal one doesn’t, because it is http. When talking to my platform team they said we should just enable `dangerousForceHttp=true` since Istio is handling the TLS. We tried this and everything works as expected. However there are warnings all over the docs saying this is a bad idea like:
Please note that SSL is disabled using --set hydra.dangerousForceHttp=true which should never be done when working outside of localhost and only for testing and demonstration purposes. Install the ORY Hydra Helm Chart
How do other people using Istio have this set up? (Sorry if this is a noob question, I am not a k8s expert and especially not an Istio one! 😅 )

damp-sunset-69236

03/08/2022, 6:06 AM
Hello. You can use `dangerousForceHttp` only if your internal network is secured. I mean you have configured firewalls and your security policy allows that. However, I would recommend setting up Split-horizon DNS for your case: https://jensd.be/160/linux/split-horizon-dns-masterslave-with-bind