One image worth 1000 words!
Read full article by Daniel Weibel on how authentication and authorization works on amazon EKS.
Amazon EKS IAM based authentication explained
Tag: Kubernetes
One image worth 1000 words!
Kubernetes sidecar pattern: nginx ssl proxy for nodejs
I learn about sidecar pattern from Kubernetes documentation and later from blog post by Brendan Burns The distributed system toolkit. Sidecar is very useful pattern and work nice with Kubernetes.
In the tutorial I want to demonstrate how “legacy” application can be extend with https support by using sidecar pattern based on Kubernetes.
Problem
We have legacy application which doesn’t have HTTPS support. We also don’t want to send plain text traffic over network. We don’t want to make any changes to legacy application, but good thing that it is containerised.
Solution
We will use sidecar pattern to add HTTPS support to “legacy” application.
Overview
Main application
For our example main application I will use Nodejs Hello World service (beh01der/web-service-dockerized-example)
Sidecar container
To add https support I will use Nginx ssl proxy (ployst/nginx-ssl-proxy) container
Deployment
TLS/SSL keys
First we need to generate TLS certificate keys and add them to Kubernetes secrets. For that I am using script from nginx ssl proxy repository which combine all steps in one:
git clone https://github.com/ployst/docker-nginx-ssl-proxy.git cd docker-nginx-ssl-proxy ./setup-certs.sh /path/to/certs/folder
Adding TLS files to Kubernetes secrets
cd /path/to/certs/folder kubectl create secret generic ssl-key-secret --from-file=proxykey=proxykey --from-file=proxycert=proxycert --from-file=dhparam=dhparam
Kubernetes sidecar deployment
In following configuration I have defined main application container “nodejs-hello” and nginx container “nginx”. Both containers run in the same pod and share pod resources, so in that way implementing sidecar pattern. One thing you want to modify is hostname, I am using not existing hostname appname.example.com for this example.
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: nodejs-hello
labels:
app: nodejs
proxy: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-hello
template:
metadata:
labels:
app: nodejs-hello
spec:
containers:
- name: nodejs-hello
image: beh01der/web-service-dockerized-example
ports:
- containerPort: 3000
- name: nginx
image: ployst/nginx-ssl-proxy
env:
- name: SERVER_NAME
value: "appname.example.com"
- name: ENABLE_SSL
value: "true"
- name: TARGET_SERVICE
value: "localhost:3000"
volumeMounts:
- name: ssl-keys
readOnly: true
mountPath: "/etc/secrets"
ports:
- containerPort: 80
containerPort: 443
volumes:
- name: ssl-keys
secret:
secretName: ssl-key-secret
Save this file to deployment.yaml and create deployment Kubernetes object:
kubectl create -f deployment.yaml
Wait for pods to be Read:
kubectl get pods NAME READY STATUS RESTARTS AGE nodejs-hello-686bbff8d7-42mcn 2/2 Running 0 1m
Testing
For testing I setup two port forwarding rules. First is for application port and second for nginx HTTPS port:
kubectl -n test port-forward <pod> 8043:443 #and in new terminal window run kubectl -n test port-forward <pod> 8030:3000
First lets validate that application respond on http and doesn’t respond on https requests
#using http curl -k -H "Host: appname.example.com" http://127.0.0.1:8030/ Hello World! I am undefined! #now using https curl -k -H "Host: appname.example.com" https://127.0.0.1:8030/ curl: (35) Server aborted the SSL handshake
Note: SSL handshake issue is expected as our “legacy” application doesn’t support https and even if it would it must serve https connection on different port than http. The test goal was to demonstrate the response.
Time to test connection through sidecar nginx ssl proxy
curl -k -H "Host: appname.example.com" https://127.0.0.1:8043/ Hello World! I am undefined!
Great! We have got expected output through https connection.
Conclusions
- Nginx extended nodejs app with https support with zero changes to any of containers
- Sidecar pattern modular structure provide great re-use of containers, so teams can be focused on application development
- Ownership of containers can be split between teams as there is no dependency between containers
- Scaling might not be very efficient, because sidecar container have to scale with main container