Recipe for an HTTPS Sidecar

Create K8s deployment

The full deployment file is listed below:

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: hello
  labels:
    app: hello
spec:
  type: NodePort
  ports:
  - port: 443
    targetPort: 443
    protocol: TCP
    name: https
  selector:
    app: hello
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  labels:
    app: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: zhiminwen/hello:v1
        imagePullPolicy: IfNotPresent
        env:
        - name: LISTENING_PORT
          value: "8080"
      - name: tls-sidecar
        image: nginx
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: secret-volume
          mountPath: /app/cert
        - name: config-volume
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
      volumes:
      - name: secret-volume
        secret:
          secretName: hello-sidecar-nginx-certs
          items:
          - key: hello-server-cert
            path: hello-server.pem
          - key: hello-server-key
            path: hello-server-key.pem
      - name: config-volume
        configMap:
          name: hello-sidecar-nginx-conf
```

- The main app is nothing special. It behaves as it normally does.
- Define the configMap volume and the secret volume. For the key "hello-server-cert", we specify the path with the file name, so the pod mounts it under the file name "hello-server.pem". The same goes for the other key.
- Name the nginx container "tls-sidecar". Mount the config-volume with both mountPath and subPath so that only the file "nginx.conf" is presented in the target directory, which avoids overwriting the whole default Nginx directory.
- Mount the secret at the directory "/app/cert" so the file names match exactly those referenced in nginx.conf.
- Lastly, create a service that exposes the Nginx HTTPS server port 443 as a NodePort.

Apply the yaml file to deploy it.

Testing

Once the pods are running, find out the NodePort. Make an HTTPS connection to the NodePort: HTTPS is working. Check the certificate.

See the second paper of the sidecar series, where I explored the client certificate authentication and the Prometheus in IBM Cloud Private.
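The deployment above references two objects it does not show: the ConfigMap holding nginx.conf and the Secret holding the certificate pair. The following is an added example, not code from the original post, that renders an nginx.conf matching the mount paths in the Deployment (/app/cert/hello-server.pem, /app/cert/hello-server-key.pem, upstream on 127.0.0.1:8080), creates the two objects with kubectl, and checks the published NodePort the way the Testing section describes. The TLS settings, the self-signed certificate and the function names are this example's own choices; the object names and paths come from the Deployment.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the sidecar's nginx.conf,
# creates the Secret and ConfigMap referenced by the Deployment, and verifies the
# exposed NodePort. Object names and mount paths mirror the Deployment above;
# the TLS policy and self-signed cert are assumptions of this example.

CERT_DIR="${CERT_DIR:-./sidecar-certs}"

# Print the nginx.conf that the sidecar mounts at /etc/nginx/nginx.conf.
render_nginx_conf() {
  cat <<'EOF'
worker_processes 1;
events { worker_connections 1024; }
http {
  server {
    listen 443 ssl;
    server_name hello;

    # Same paths as the secret-volume mountPath plus the item paths in the Deployment
    ssl_certificate     /app/cert/hello-server.pem;
    ssl_certificate_key /app/cert/hello-server-key.pem;

    # Legacy protocol versions are refused at the sidecar, not left to the app
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
      # The app container shares the pod's network namespace, so the plaintext
      # hop to LISTENING_PORT=8080 stays on loopback inside the pod
      proxy_pass http://127.0.0.1:8080;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-For $remote_addr;
    }
  }
}
EOF
}

# Create the Secret and ConfigMap the Deployment expects. Needs openssl and kubectl.
create_sidecar_objects() {
  mkdir -p "$CERT_DIR"
  # Self-signed pair for a test cluster; use a CA-issued pair for anything real
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=hello" \
    -keyout "$CERT_DIR/hello-server-key.pem" -out "$CERT_DIR/hello-server.pem"
  # Key names must equal the "items[].key" entries in the Deployment's secret volume
  kubectl create secret generic hello-sidecar-nginx-certs \
    --from-file=hello-server-cert="$CERT_DIR/hello-server.pem" \
    --from-file=hello-server-key="$CERT_DIR/hello-server-key.pem"
  render_nginx_conf > "$CERT_DIR/nginx.conf"
  kubectl create configmap hello-sidecar-nginx-conf \
    --from-file=nginx.conf="$CERT_DIR/nginx.conf"
}

# Verify HTTPS on the NodePort. $1 is a node IP. The request is validated against
# the server certificate we generated rather than with verification disabled.
check_sidecar() {
  node_ip="$1"
  node_port=$(kubectl get svc hello -o jsonpath='{.spec.ports[0].nodePort}')
  curl --cacert "$CERT_DIR/hello-server.pem" \
    --resolve "hello:${node_port}:${node_ip}" "https://hello:${node_port}/"
  # Show what certificate the sidecar actually presents
  openssl s_client -connect "${node_ip}:${node_port}" -servername hello </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# Usage:
#   create_sidecar_objects && kubectl apply -f hello-sidecar.yaml
#   check_sidecar <node-ip>
```

Keeping the plaintext upstream on 127.0.0.1 matters: the Service publishes only port 443, but any listener the app binds on 0.0.0.0:8080 is still reachable from other pods on the pod IP, so a network policy (or binding the app to loopback) is the piece that makes the sidecar the only way in.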