git clone https://github.com/ployst/docker-nginx-ssl-proxy.git cd docker-nginx-ssl-proxy ./setup-certs.sh /path/to/certs/folder
Adding TLS files to Kubernetes secrets
cd /path/to/certs/folder kubectl create secret generic ssl-key-secret --from-file=proxykey=proxykey --from-file=proxycert=proxycert --from-file=dhparam=dhparam
Kubernetes sidecar deployment
apiVersion: apps/v1beta2 kind: Deployment metadata: name: nodejs-hello labels: app: nodejs proxy: nginx spec: replicas: 1 selector: matchLabels: app: nodejs-hello template: metadata: labels: app: nodejs-hello spec: containers: - name: nodejs-hello image: beh01der/web-service-dockerized-example ports: - containerPort: 3000 - name: nginx image: ployst/nginx-ssl-proxy env: - name: SERVER_NAME value: "appname.example.com" - name: ENABLE_SSL value: "true" - name: TARGET_SERVICE value: "localhost:3000" volumeMounts: - name: ssl-keys readOnly: true mountPath: "/etc/secrets" ports: - containerPort: 80 containerPort: 443 volumes: - name: ssl-keys secret: secretName: ssl-key-secret
Save this file to deployment.yaml and create deployment Kubernetes object:
kubectl create -f deployment.yaml
Wait for pods to be Read:
kubectl get pods NAME READY STATUS RESTARTS AGE nodejs-hello-686bbff8d7-42mcn 2/2 Running 0 1m
For testing I setup two port forwarding rules. First is for application port and second for nginx HTTPS port:
kubectl -n test port-forward <pod> 8043:443 #and in new terminal window run kubectl -n test port-forward <pod> 8030:3000
First lets validate that application respond on http and doesn’t respond on https requests
#using http curl -k -H "Host: appname.example.com" http://127.0.0.1:8030/ Hello World! I am undefined! #now using https curl -k -H "Host: appname.example.com" https://127.0.0.1:8030/ curl: (35) Server aborted the SSL handshake
Note: SSL handshake issue is expected as our “legacy” application doesn’t support https and even if it would it must serve https connection on different port than http. The test goal was to demonstrate the response.
Time to test connection through sidecar nginx ssl proxy
curl -k -H "Host: appname.example.com" https://127.0.0.1:8043/ Hello World! I am undefined!
Great! We have got expected output through https connection.
- Nginx extended nodejs app with https support with zero changes to any of containers
- Sidecar pattern modular structure provide great re-use of containers, so teams can be focused on application development
- Ownership of containers can be split between teams as there is no dependency between containers
- Scaling might not be very efficient, because sidecar container have to scale with main container