green-diamond-7699803/07/2022, 6:40 PM
The full domain works, because it is https, but the internal one doesn’t, because it is http.
When talking to my platform team they said we should just enable
<https://hydra-admin.k8s.eu-west-1.non-prod.example.net> <- available in our VPN, used for setting up clients
<http://hydra-admin.ory.svc.cluster.local:4445> <- available only within k8s, called by login and consent frontend
since Istio is handling the TLS. We tried this an everything works as expected.
However there are warnings all over the docs saying this is a bad idea like:
How have other people using Istio have this set up?
(Sorry if this is a noob question, I am not a k8s expert and especially not an Istio one! 😅 )
Please note that SSL is disabled using --set hydra.dangerousForceHttp=true which should never be done when working outside of localhost and only for testing and demonstration purposes. Install the ORY Hydra Helm Chart
damp-sunset-6923603/08/2022, 6:06 AM
only if your internal network is secured. I mean you have configured firewalls and your security policy allows that.
However I would recommend to setup Split-horizon DNS for your case https://jensd.be/160/linux/split-horizon-dns-masterslave-with-bind