
Add TLS support to UI docker container #377

d2lam opened this Issue Dec 1, 2016 · 2 comments



d2lam commented Dec 1, 2016


What we tried

First attempt

  • Edit nginx.conf to include:
server {
    listen 443;
    ssl on;
    # nginx only reads these at startup; the files must already exist at these paths
    ssl_certificate     /etc/ssl/cacert.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
}
  • Build another UI image: testtls
  • Edit deployment to use this new image. This doesn't work since the cert files were not available. Makes sense.

Second attempt

  • Change nginx.conf to read certs from ENV. For example: ssl_certificate os.getenv("UICERT"); (UICERT is reading from a secret)
  • Build another UI image: testtls2
  • Edit deployment to use this new image. This doesn't work either. Looks like the os.getenv doesn't work.

What worked - sorta

Third attempt

  • Pull an older UI image: v1.0.90
  • Go inside the pod
kubectl exec sdui-pod -it /bin/sh --namespace=screwdriver
  • Put the cert and key files inside the pod
  • Modify nginx.conf(/etc/nginx/nginx.conf) directly like attempt 1
  • Outside the pod: kubectl port-forward to listen to localhost:4443 and forward to sd-ui pod port 443
kubectl port-forward sdui-pod 4443:443
  • Try on browser: --> works!

[screenshot: 2016-12-01 at 6:13:53 pm]


  • Figured out how to make it read from ENV, since right now we manually go inside the pod & put the files there.
  • Figured out why routing doesn't work? Why does it only work on localhost, not on the cname?


Where we are (12/5/16)

We tried to make nginx.conf read from environment variables:

  • In Dockerfile, add:
ARG MYENV
RUN echo $MYENV > testenv
  • Build a new UI image. When building, use docker build --build-arg=MYENV=somevalue . (Similar to
  • In the UI deployment, use this image
  • Go inside the pods, we see that testenv is there. So that means it worked.
  • We need to make it like the screwdriver repo: put the build command inside /hooks/build, and then put the secrets in the screwdriver.yaml. This seems a bit weird, but that's what we got so far.


bdangit commented Dec 12, 2016

If you terminate SSL at the Pod level, you should take advantage of K8s Secrets API. You get to volume mount those files to where you will need them. It will be a whole lot better instead of feeding in a very "return line" (aka \n) sensitive string via environment vars.
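The manifests below are an added example and are not code from the issue or from the screwdriver-cd project. They put together what the thread arrives at: the first attempt's nginx directives work once the cert and key are real files in the pod, and bdangit's suggestion of a Secret volume is how those files get there without `os.getenv` (which is not nginx configuration syntax; nginx.conf does not expand environment variables) and without passing a newline-sensitive PEM string through an environment variable. The names `sd-ui`, `sd-ui-tls`, `sd-ui-nginx`, the namespace `screwdriver` (taken from the `kubectl` commands in the issue), the image tag and the mount path `/etc/ssl/sd-ui` are assumptions; the Secret data fields are placeholders.

```yaml
# Added example (not from the screwdriver-cd/ui project): TLS material delivered
# to the UI pod as a mounted Secret instead of env vars or docker build args.
apiVersion: v1
kind: Secret
metadata:
  name: sd-ui-tls          # assumed name
  namespace: screwdriver
type: kubernetes.io/tls
data:
  # Placeholders for base64-encoded PEM. Normally create the Secret from the
  # files rather than hand-writing it:
  #   kubectl create secret tls sd-ui-tls --cert=cacert.pem --key=privkey.pem -n screwdriver
  tls.crt: BASE64_PEM_CERT_PLACEHOLDER
  tls.key: BASE64_PEM_KEY_PLACEHOLDER
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sd-ui-nginx        # assumed name
  namespace: screwdriver
data:
  # A complete nginx.conf that replaces /etc/nginx/nginx.conf in the pod.
  # Plain directives, as in the first attempt: the files simply have to exist
  # at these paths when nginx starts.
  nginx.conf: |
    events {}
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
        server {
            listen 443 ssl;
            server_name _;
            ssl_certificate     /etc/ssl/sd-ui/tls.crt;
            ssl_certificate_key /etc/ssl/sd-ui/tls.key;
            ssl_protocols       TLSv1.2 TLSv1.3;
            root  /usr/share/nginx/html;
            index index.html;
        }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sd-ui
  namespace: screwdriver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sd-ui
  template:
    metadata:
      labels:
        app: sd-ui
    spec:
      containers:
        - name: ui
          image: screwdrivercd/ui:latest   # assumption: the UI image being deployed
          ports:
            - containerPort: 443
          volumeMounts:
            - name: tls
              mountPath: /etc/ssl/sd-ui     # assumed path, matches the ConfigMap above
              readOnly: true
            - name: nginx-conf
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: sd-ui-tls
            defaultMode: 0400             # private key readable only by the file owner
        - name: nginx-conf
          configMap:
            name: sd-ui-nginx
---
# Exposes 443 by the Service name; kubectl port-forward bypasses the Service
# entirely, which is why a port-forward test says nothing about cname routing.
apiVersion: v1
kind: Service
metadata:
  name: sd-ui
  namespace: screwdriver
spec:
  selector:
    app: sd-ui
  ports:
    - name: https
      port: 443
      targetPort: 443
```

Two things this layout avoids that the thread's other routes do not: a value passed with `docker build --build-arg` is recorded in the image's layer history, so a key fed that way ships with every copy of the image, and a PEM blob in an environment variable has to survive `\n` handling in every layer that touches it. A Secret volume writes the files into a tmpfs in the pod, and rotating the certificate means updating the Secret and restarting the pod rather than rebuilding an image.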



stjohnjohnson commented Mar 12, 2018

Closing in favor of using SSL terminated ingress like NGinx.
