Security Hardening

This guide outlines best practices for securing a Citadel deployment in production.

Network Security

TLS Termination

Citadel services communicate over HTTP by default. TLS termination must be handled at the Ingress layer or API Gateway.

  • Recommendation: Use cert-manager with Let's Encrypt to automatically provision certificates for your Ingress resources.
  • Traefik: If using the bundled Traefik gateway, configure the websecure entrypoint so that Citadel is only exposed over TLS.

Service Mesh (mTLS)

For zero-trust environments, we recommend deploying Citadel within a Service Mesh (like Istio or Linkerd) to enforce mTLS between microservices without modifying application code.
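As an added example of enforcing that mTLS (not taken from the Citadel documentation), the manifests below opt a namespace into Istio sidecar injection and then require mutual TLS for every workload in it. The namespace name is an assumption; the resource kinds and fields are Istio's own.

```yaml
# Added example (not from the Citadel docs): strict mTLS for all Citadel
# pods with Istio. Pods must be (re)started after the label is applied so
# that the sidecar is injected.
apiVersion: v1
kind: Namespace
metadata:
  name: citadel                 # assumption
  labels:
    istio-injection: enabled    # inject the Envoy sidecar into every pod here
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: citadel
spec:
  mtls:
    mode: STRICT                # plaintext connections to these pods are rejected
```

STRICT mode also rejects clients that are not in the mesh, so anything that reaches Citadel pods directly (an ingress controller running outside the mesh, a metrics scraper, a debugging port-forward) must either join the mesh or be given a port-level exception. Roll out with `mode: PERMISSIVE` first, confirm in the proxy metrics that all traffic is already mTLS, and only then switch to STRICT.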

Secret Management

Never commit .env files or raw secrets to version control.

  1. Kubernetes Secrets: Basic protection.
  2. SealedSecrets: Encrypt secrets into git-safe format that can only be decrypted by the controller in the cluster.
  3. External Secrets Operator: Sync secrets from external vaults (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) directly into Kubernetes Secrets.
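An added example of option 3 (not from the Citadel documentation): the External Secrets Operator reads the database connection string from HashiCorp Vault and materialises it as a regular Kubernetes Secret that the Citadel pods consume. The Vault address, KV path, Kubernetes auth role and service account name are assumptions; the resource kinds and fields are the operator's own.

```yaml
# Added example (not from the Citadel docs): sync a secret from Vault into
# the cluster so that only a reference, never the value, lives in git.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault
  namespace: citadel                       # assumption
spec:
  provider:
    vault:
      server: https://vault.example.com:8200   # assumption: your Vault address
      path: secret                         # KV v2 mount
      version: v2
      auth:
        kubernetes:                        # pods authenticate with their SA token
          mountPath: kubernetes
          role: citadel                    # assumption: Vault role bound to the SA
          serviceAccountRef:
            name: citadel                  # assumption
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: citadel-db
  namespace: citadel
spec:
  refreshInterval: 1h                      # re-read Vault hourly; rotations propagate
  secretStoreRef:
    name: vault
    kind: SecretStore
  target:
    name: citadel-db                       # Kubernetes Secret that gets created
    creationPolicy: Owner
  data:
    - secretKey: DATABASE_URL              # key inside the Kubernetes Secret
      remoteRef:
        key: citadel/db                    # assumption: path under the KV mount
        property: url                      # field of that KV entry
```

Only the SecretStore and ExternalSecret objects are committed; the generated Secret named citadel-db never needs to be. If you prefer option 2 instead, the equivalent workflow is to create the Secret locally, run `kubeseal --format yaml < secret.yaml > sealed-secret.yaml`, and commit only the SealedSecret, which the in-cluster controller decrypts.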

Container Security

  • Non-Root Users: All Citadel images are built to run as non-root users (USER 1000 or similar). Do not override this in your deployment manifests.
  • Read-Only Root Filesystem: Services are designed to be stateless. You can enforce readOnlyRootFilesystem: true in your security context, provided you mount a writable volume at /tmp.

Database Connections

  • SSL Mode: In production, always set the sslmode parameter of DATABASE_URL to verify-full (or at least require) so that traffic between services and PostgreSQL is encrypted.
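The Deployment below is an added example that combines the Container Security and Database Connections sections; it is not a manifest from the Citadel project. It keeps the image's non-root user, enforces a read-only root filesystem with an emptyDir mounted at /tmp, and injects a DATABASE_URL whose sslmode=verify-full points at a CA bundle mounted from a ConfigMap. The image reference, namespace, ConfigMap name (postgres-ca), mount paths and the connection string are assumptions; the Secret is shown only so the URL form is visible and in production should come from SealedSecrets or the External Secrets Operator rather than a committed file.

```yaml
# Added example (not from the Citadel docs): hardened pod spec plus a
# verify-full PostgreSQL connection string.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: citadel-api
  namespace: citadel                          # assumption
spec:
  replicas: 2
  selector:
    matchLabels:
      app: citadel-api
  template:
    metadata:
      labels:
        app: citadel-api
    spec:
      securityContext:
        runAsNonRoot: true                    # kubelet refuses to start a root process
        runAsUser: 1000                       # matches the USER baked into the image
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          image: ghcr.io/example/citadel-api:1.0.0   # assumption
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true      # only /tmp is writable, see volumes
            capabilities:
              drop: ["ALL"]
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: citadel-db
                  key: DATABASE_URL
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: pg-ca
              mountPath: /etc/ssl/postgres    # assumption: where sslrootcert looks
              readOnly: true
      volumes:
        - name: tmp
          emptyDir: {}                        # scratch space; discarded with the pod
        - name: pg-ca
          configMap:
            name: postgres-ca                 # assumption: holds ca.crt for the DB server
---
apiVersion: v1
kind: Secret
metadata:
  name: citadel-db
  namespace: citadel
type: Opaque
stringData:
  # Constructed value: verify-full encrypts the session, checks the server
  # certificate against sslrootcert AND checks the hostname matches it.
  DATABASE_URL: "postgresql://citadel:REPLACE_WITH_PASSWORD@postgres.db.svc.cluster.local:5432/citadel?sslmode=verify-full&sslrootcert=/etc/ssl/postgres/ca.crt"
```

verify-full fails closed if the hostname in the URL is not one the server certificate was issued for, so use the DNS name on the certificate rather than a pod IP. If the image tries to write anywhere other than /tmp at startup, the readOnlyRootFilesystem setting will surface it immediately in the container logs; add a further emptyDir mount for that path rather than relaxing the setting.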