0685f75d97
This specification proposes to add an nginx sidecar container to support TLS offloading and termination.

Change-Id: I6d7e19539b5411d8ab15dc2d39e2051da1cce126
External-tracking: F#47
72 lines
2.0 KiB
ReStructuredText
=============
Nginx Sidecar
=============

Blueprint: https://blueprints.launchpad.net/openstack-helm/+spec/nginx-sidecar

Problem Description
===================

In a secured deployment, TLS certificates are used to protect the transports
amongst the various components. In some cases, this requires an additional
mechanism to handle TLS offloading and to terminate the connection gracefully:

* services that do not handle TLS offloading and termination,
* services whose native handling of TLS offloading and termination causes a
  major performance impact, for example, eventlet.

Proposed Change
===============

This specification proposes to add an nginx sidecar container to the pod of
any service that requires TLS offloading. nginx handles the TLS offloading,
terminates the TLS connection, and routes the decrypted traffic to the
service via localhost (127.0.0.1).

Security Impact
---------------

This enhances the system's security design by allowing pods with services that
cannot natively manage TLS to secure the traffic to the service pod.

Performance Impact
------------------

There is no significant performance impact, as the traffic will be locally
routed (via 127.0.0.1), and it may potentially improve performance for services
whose native TLS handling is inefficient.

Alternatives
------------

* Instead of nginx, haproxy can be used.

Implementation
==============

Assignee(s)
-----------

Primary assignee:
  Pete Birley <pete@port.direct>

Work Items
----------

* Update ``helm toolkit`` to provide a snippet that creates the nginx sidecar
  container for the services that require it.
* Update service charts to use the updated ``helm toolkit``.
* Update the relevant documentation.

Testing
=======

The testing will be performed by the OpenStack-Helm gate to demonstrate that
the sidecar container correctly routes traffic to the correct services.

Documentation Impact
====================

OpenStack-Helm documentation will be updated to indicate the usage of the
nginx sidecar.