5. Deploy with TLS
5.1. Configure a Reverse Proxy or Kubernetes Ingress Controller
To support HTTPS connections, C-PAT components should be situated behind a reverse proxy or in a Kubernetes cluster. Configure the reverse proxy (such as nginx) or the Kubernetes Ingress Controller in accordance with publisher documentation, local security requirements, and Keycloak documentation. In either case, you must set the Keycloak environment variable PROXY_ADDRESS_FORWARDING=true and make sure the appropriate headers are forwarded.
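As an illustration of the header forwarding described above, the following nginx fragment is an added example and is not taken from the C-PAT repositories. The host name, upstream names and ports, the /auth/ path, and the certificate paths are placeholders chosen for the example; it assumes nginx is the only proxy in front of Keycloak, which runs with PROXY_ADDRESS_FORWARDING=true.

```nginx
# Added example: TLS termination in front of C-PAT and Keycloak.
# All names, ports and paths below are placeholders (assumptions).

# Plain HTTP is used only to redirect clients to HTTPS.
server {
    listen 80;
    server_name cpat.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cpat.example.com;

    ssl_certificate     /etc/nginx/certs/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Forwarded headers that Keycloak trusts when
    # PROXY_ADDRESS_FORWARDING=true. They are set here from nginx's own
    # view of the connection, replacing any value the client supplied,
    # so a client cannot spoof its address or the request scheme.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port  $server_port;
    proxy_set_header X-Forwarded-For   $remote_addr;

    # Assumed Keycloak service and context path.
    location /auth/ {
        proxy_pass http://keycloak:8080;
    }

    # Assumed C-PAT service.
    location / {
        proxy_pass http://cpat:8080;
    }
}
```

Because Keycloak trusts these headers once PROXY_ADDRESS_FORWARDING is enabled, the Keycloak port should be reachable only through the proxy.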
5.2. Nginx for TLS
C-PAT provides two branches on GitHub containing sample RMF Tools nginx deployments, including a configuration file that may be useful to those setting up a production deployment of C-PAT and STIG Manager:
5.2.1. With CAC Authentication
https://github.com/NSWC-Crane/C-PAT-RMF-ORCHESTRATION/tree/rmftools-orchestration-cac
5.2.2. Without CAC Authentication
https://github.com/NSWC-Crane/C-PAT-RMF-ORCHESTRATION/tree/demo-auth-no-cac