
Add TLS support to UI docker container #377

Closed
d2lam opened this Issue Dec 1, 2016 · 2 comments

d2lam commented Dec 1, 2016

SUMMARY

What we tried

First attempt

  • Edit nginx.conf to include:
server {
    listen 443 ssl;     # "ssl on;" was the older directive; it was removed in nginx 1.25
    ssl_certificate     /etc/ssl/cacert.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
}
  • Build another UI image: testtls
  • Edit deployment to use this new image. This doesn't work since the cert files were not available. Makes sense.

Second attempt

  • Change nginx.conf to read certs from ENV. For example: ssl_certificate os.getenv("UICERT"); (UICERT is read from a secret)
  • Build another UI image: testtls2
  • Edit deployment to use this new image. This doesn't work either. Looks like the os.getenv doesn't work.

What worked - sorta

Third attempt

  • Pull an older UI image: v1.0.90
  • Go inside the pod
kubectl exec -it sdui-pod --namespace=screwdriver -- /bin/sh
  • Put the cert and key files inside the pod
  • Modify nginx.conf(/etc/nginx/nginx.conf) directly like attempt 1
  • Outside the pod: kubectl port-forward to listen to localhost:4443 and forward to sd-ui pod port 443
kubectl port-forward sdui-pod 4443:443
  • Try on browser: https://127.0.0.1:4443 --> works!

[screenshot, 2016-12-01 6:13 pm]

TODO

  • Figure out how to make it read from ENV, since right now we manually go inside the pod and put the files there.
  • Figure out why routing doesn't work. Why does it only work on localhost, not the CNAME?

Resources:
http://nginx.org/en/docs/http/configuring_https_servers.html

Where we are (12/5/16)

We tried to make nginx.conf read from environment variables:

  • In Dockerfile, add:
ARG MYENV
RUN echo $MYENV > testenv
  • Build a new UI image. When building, use docker build --build-arg=MYENV=somevalue . (Similar to https://github.com/screwdriver-cd/screwdriver/blob/master/hooks/build)
  • In the UI deployment, use this image
  • Going inside the pods, we see that testenv is there. So that means it worked.
  • We need to make it like the screwdriver repo: put the build command inside /hooks/build, and then put the secrets in the screwdriver.yaml. This seems a bit weird, but that's what we got so far.
bdangit commented Dec 12, 2016

If you terminate SSL at the Pod level, you should take advantage of the K8s Secrets API. You get to volume-mount those files to where you will need them. It will be a whole lot better than feeding in a very "return line" (aka \n) sensitive string via environment vars.

stjohnjohnson commented Mar 12, 2018

Closing in favor of using an SSL-terminated ingress like NGINX.
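The ingress-terminated layout the issue was closed in favor of, as an added example that is not part of the Screwdriver project: the UI pod stays plain HTTP on port 80 behind a Service, and the NGINX ingress controller holds the certificate and answers on 443 for the public hostname. The host rule is also what makes the CNAME route correctly, which the original attempt with a bare port-forward never addressed. The namespace "screwdriver", the Service name "sd-ui", the hostname "cd.example.com" and a pre-existing kubernetes.io/tls Secret named "sd-ui-tls" are assumptions; the ssl-redirect annotation is the ingress-nginx controller's own.

```yaml
# Added example, not part of the Screwdriver project. Assumes the ingress-nginx
# controller is installed and a kubernetes.io/tls Secret "sd-ui-tls" exists in the
# "screwdriver" namespace (e.g. created with `kubectl create secret tls`).
---
apiVersion: v1
kind: Service
metadata:
  name: sd-ui              # assumed name
  namespace: screwdriver
spec:
  selector:
    app: sd-ui
  ports:
    - name: http
      port: 80
      targetPort: 80       # the UI container serves plain HTTP; TLS ends at the ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sd-ui
  namespace: screwdriver
  annotations:
    # Send any plaintext request for this host to the HTTPS listener.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - cd.example.com   # assumed hostname; point the CNAME at the ingress controller's address
      secretName: sd-ui-tls
  rules:
    - host: cd.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sd-ui
                port:
                  number: 80
```

With this split the private key is mounted only into the ingress controller's pods, the UI image needs no TLS configuration at all, and a certificate rotation touches one Secret rather than every application deployment.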
