72 lines
2.0 KiB
ReStructuredText
72 lines
2.0 KiB
ReStructuredText
![]() |
=============
|
||
|
Nginx Sidecar
|
||
|
=============
|
||
|
|
||
|
Blueprint: https://blueprints.launchpad.net/openstack-helm/+spec/nginx-sidecar
|
||
|
|
||
|
Problem Description
|
||
|
===================
|
||
|
|
||
|
In a secured deployment, TLS certificates are used to protect the transports
|
||
|
amongst the various components. In some cases, this requires additional
|
||
|
mechanism to handle TLS offloading and to terminate the connection gracefully:
|
||
|
|
||
|
* services do not handle TLS offloading and termination,
|
||
|
* services whose native handling of TLS offloading and termination cause major
|
||
|
performance impact, for example, eventlet.
|
||
|
|
||
|
Proposed Change
|
||
|
===============
|
||
|
|
||
|
This specification proposes to add a nginx sidecar container to the
|
||
|
pod for service that requires the tls offloading. The nginx can be used
|
||
|
to handle the TLS offoading and terminate the TLS connection, and routes
|
||
|
the traffic to the service via localhost (127.0.0.1).
|
||
|
|
||
|
Security Impact
|
||
|
---------------
|
||
|
|
||
|
This enhances the system's security design by allowing pods with services that
|
||
|
cannot natively manage TLS to secure the traffic to the service pod.
|
||
|
|
||
|
Performance Impact
|
||
|
------------------
|
||
|
|
||
|
There is no significant performance impact as the traffic will be locally
|
||
|
routed (via 127.0.0.1) and may potentially improve performance for services
|
||
|
whose native TLS handling is inefficient.
|
||
|
|
||
|
Alternatives
|
||
|
------------
|
||
|
|
||
|
* Instead of using nginx, haproxy can be used instead.
|
||
|
|
||
|
Implementation
|
||
|
==============
|
||
|
|
||
|
Assignee(s)
|
||
|
-----------
|
||
|
|
||
|
Primary assignee:
|
||
|
Pete Birley <pete@port.direct>
|
||
|
|
||
|
Work Items
|
||
|
----------
|
||
|
|
||
|
* Update ``helm toolkit`` to provide snippet to create the nginx sidecar
|
||
|
container for the services that require it.
|
||
|
* Update service charts to use the updated ``helm toolkit``.
|
||
|
* Update relevant Documentation.
|
||
|
|
||
|
Testing
|
||
|
=======
|
||
|
|
||
|
The testing will be performed by the OpenStack-Helm gate to demonstrate
|
||
|
the sidecar container correctly routes traffic to the correct services.
|
||
|
|
||
|
Documentation Impact
|
||
|
====================
|
||
|
|
||
|
OpenStack-Helm documentation will be updated to indicate the usage of the
|
||
|
nginx sidecar.
|