Hello! We are rolling our Hydra on Kubernetes using the Ory Hydra Helm Chart. On our cluster we are using Istio. Istio is handling the TLS. How should Hydra be set up in this case? The problem we have is there are 2 domains for each service, the external one and internal, for example:

<https://hydra-admin.k8s.eu-west-1.non-prod.example.net> <- available in our VPN, used for setting up clients
<http://hydra-admin.ory.svc.cluster.local:4445> <- available only within k8s, called by login and consent frontend

The full domain works, because it is https, but the internal one doesn’t, because it is http. When talking to my platform team they said we should just enable

dangerousForceHttp=true

since Istio is handling the TLS. We tried this an everything works as expected. However there are warnings all over the docs saying this is a bad idea like:

Please note that SSL is disabled using --set hydra.dangerousForceHttp=true which should never be done when working outside of localhost and only for testing and demonstration purposes. Install the ORY Hydra Helm Chart

How have other people using Istio have this set up? (Sorry if this is a noob question, I am not a k8s expert and especially not an Istio one! 😅 )

Hello. You can use

dangerousForceHttp

only if your internal network is secured. I mean you have configured firewalls and your security policy allows that. However I would recommend to setup Split-horizon DNS for your case https://jensd.be/160/linux/split-horizon-dns-masterslave-with-bind