I learn about sidecar pattern from Kubernetes documentation and later from blog post by Brendan Burns The distributed system toolkit. Sidecar is very useful pattern and work nice with Kubernetes.
In the tutorial I want to demonstrate how “legacy” application can be extend with https support by using sidecar pattern based on Kubernetes.
Problem
We have legacy application which doesn’t have HTTPS support. We also don’t want to send plain text traffic over network. We don’t want to make any changes to legacy application, but good thing that it is containerised.
Solution
We will use sidecar pattern to add HTTPS support to “legacy” application.
Overview
Main application
For our example main application I will use Nodejs Hello World service (beh01der/web-service-dockerized-example)
Sidecar container
To add https support I will use Nginx ssl proxy (ployst/nginx-ssl-proxy) container
Deployment
TLS/SSL keys
First we need to generate TLS certificate keys and add them to Kubernetes secrets. For that I am using script from nginx ssl proxy repository which combine all steps in one:
git clone https://github.com/ployst/docker-nginx-ssl-proxy.git cd docker-nginx-ssl-proxy ./setup-certs.sh /path/to/certs/folder
Adding TLS files to Kubernetes secrets
cd /path/to/certs/folder kubectl create secret generic ssl-key-secret --from-file=proxykey=proxykey --from-file=proxycert=proxycert --from-file=dhparam=dhparam
Kubernetes sidecar deployment
In following configuration I have defined main application container “nodejs-hello” and nginx container “nginx”. Both containers run in the same pod and share pod resources, so in that way implementing sidecar pattern. One thing you want to modify is hostname, I am using not existing hostname appname.example.com for this example.
apiVersion: apps/v1beta2 kind: Deployment metadata: name: nodejs-hello labels: app: nodejs proxy: nginx spec: replicas: 1 selector: matchLabels: app: nodejs-hello template: metadata: labels: app: nodejs-hello spec: containers: - name: nodejs-hello image: beh01der/web-service-dockerized-example ports: - containerPort: 3000 - name: nginx image: ployst/nginx-ssl-proxy env: - name: SERVER_NAME value: "appname.example.com" - name: ENABLE_SSL value: "true" - name: TARGET_SERVICE value: "localhost:3000" volumeMounts: - name: ssl-keys readOnly: true mountPath: "/etc/secrets" ports: - containerPort: 80 containerPort: 443 volumes: - name: ssl-keys secret: secretName: ssl-key-secret
Save this file to deployment.yaml and create deployment Kubernetes object:
kubectl create -f deployment.yaml
Wait for pods to be Read:
kubectl get pods NAME READY STATUS RESTARTS AGE nodejs-hello-686bbff8d7-42mcn 2/2 Running 0 1m
Testing
For testing I setup two port forwarding rules. First is for application port and second for nginx HTTPS port:
kubectl -n test port-forward <pod> 8043:443 #and in new terminal window run kubectl -n test port-forward <pod> 8030:3000
First lets validate that application respond on http and doesn’t respond on https requests
#using http curl -k -H "Host: appname.example.com" http://127.0.0.1:8030/ Hello World! I am undefined! #now using https curl -k -H "Host: appname.example.com" https://127.0.0.1:8030/ curl: (35) Server aborted the SSL handshake
Note: SSL handshake issue is expected as our “legacy” application doesn’t support https and even if it would it must serve https connection on different port than http. The test goal was to demonstrate the response.
Time to test connection through sidecar nginx ssl proxy
curl -k -H "Host: appname.example.com" https://127.0.0.1:8043/ Hello World! I am undefined!
Great! We have got expected output through https connection.
Conclusions
- Nginx extended nodejs app with https support with zero changes to any of containers
- Sidecar pattern modular structure provide great re-use of containers, so teams can be focused on application development
- Ownership of containers can be split between teams as there is no dependency between containers
- Scaling might not be very efficient, because sidecar container have to scale with main container