CONFIGURE TLS FOR INFINISPAN
When deploying bitnami/keycloak in Kubernetes, it utilizes the default cache type of Infinispan within the pods. Although deploying multiple pods of bitnami keycloak ensures secure communication between them via SSL certificates internally, the communication between Infinispan instances within keycloak pods remains unsecured.
Is there a method to establish secure SSL communication among these Infinispan instances as they inevitably need to communicate with each other?
Disclaimer: I didn't check bitnami/keycloak so my answer would be generic.
The latest version of Keycloak supports TLS encryption for Infinispan communication. Check the GitHub Issue #25702 and Keycloak Documentation.
If the feature is not available, you can manually configure JGroups to encrypt the data. For that, you need to change the Infinispan configuration XML file to add a custom stack. See the Infinispan documentation page about it.
In JGroups, this documentation page describes the way to encrypt the data. Please check section 6.17.1 for TLS, where JGroups uses SSLSocket with TCP, or section 6.17.2, in which JGroups encrypts the payload before sending.
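A sketch of the custom-stack approach mentioned in the answer, using payload encryption with a shared secret key. This is an added example, not part of the original answer and not taken from the Bitnami chart. The stack name, keystore path, alias, password placeholder, base stack (`tcp`), cache-container name and insert position are assumptions to check against the Infinispan and JGroups versions your Keycloak image ships.

```xml
<infinispan>
  <jgroups>
    <!-- Hypothetical stack name. Inherits every protocol from the built-in
         "tcp" stack; on Kubernetes, extend whichever stack you already use. -->
    <stack name="encrypt-tcp" extends="tcp">
      <!-- SYM_ENCRYPT encrypts each message with a secret key that every pod
           reads from the same keystore. A pod without the key cannot read
           cluster traffic and its own messages are rejected.
           stack.position names the protocol to insert after; older JGroups
           releases call it VERIFY_SUSPECT rather than VERIFY_SUSPECT2. -->
      <SYM_ENCRYPT keystore_name="/opt/keycloak/conf/jgroups-secret.p12"
                   keystore_type="PKCS12"
                   store_password="CHANGE_ME"
                   key_password="CHANGE_ME"
                   alias="jgroups-secret"
                   stack.combine="INSERT_AFTER"
                   stack.position="VERIFY_SUSPECT2"/>
    </stack>
  </jgroups>

  <!-- Assumed container name; keep the name and cache definitions from the
       cache configuration file your Keycloak version already provides. -->
  <cache-container name="keycloak">
    <!-- Point the transport at the encrypted stack defined above. -->
    <transport lock-timeout="60000" stack="encrypt-tcp"/>
    <!-- existing cache definitions stay unchanged -->
  </cache-container>
</infinispan>
```

Mount the keystore into every pod from a Kubernetes Secret rather than baking it into the image, and keep the store password out of the XML checked into version control.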