In a secured deployment, TLS certificates are used to protect the transports amongst the various components. In some cases, this requires additional mechanism to handle TLS offloading and to terminate the connection gracefully:
services do not handle TLS offloading and termination,
services whose native handling of TLS offloading and termination cause major performance impact, for example, eventlet.
This specification proposes to add a nginx sidecar container to the pod for service that requires the tls offloading. The nginx can be used to handle the TLS offoading and terminate the TLS connection, and routes the traffic to the service via localhost (127.0.0.1).
This enhances the system’s security design by allowing pods with services that cannot natively manage TLS to secure the traffic to the service pod.
There is no significant performance impact as the traffic will be locally routed (via 127.0.0.1) and may potentially improve performance for services whose native TLS handling is inefficient.
Instead of using nginx, haproxy can be used instead.
- Primary assignee:
Pete Birley <email@example.com>
helm toolkitto provide snippet to create the nginx sidecar container for the services that require it.
Update service charts to use the updated
Update relevant Documentation.
The testing will be performed by the OpenStack-Helm gate to demonstrate the sidecar container correctly routes traffic to the correct services.
OpenStack-Helm documentation will be updated to indicate the usage of the nginx sidecar.