Use TLS_CERTIFICATE in Nginx app. (GoogleCloudPlatform#520)
wgrzelak authored May 7, 2019
1 parent 4d9b651 commit 676d65b
Showing 5 changed files with 49 additions and 13 deletions.
39 changes: 32 additions & 7 deletions k8s/nginx/README.md
Expand Up @@ -180,6 +180,28 @@ for i in "IMAGE_NGINX" "IMAGE_NGINX_INIT" "IMAGE_METRICS_EXPORTER"; do
done
```

#### Create TLS certificate for Nginx

1. If you already have a certificate that you want to use, copy your
certificate and key pair to the `/tmp/tls.crt`, and `/tmp/tls.key` files,
then skip to the next step.

To create a new certificate, run the following command:

```shell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /tmp/tls.key \
-out /tmp/tls.crt \
-subj "/CN=nginx/O=nginx"
```

1. Set `TLS_CERTIFICATE_KEY` and `TLS_CERTIFICATE_CRT` variables:

```shell
export TLS_CERTIFICATE_KEY="$(cat /tmp/tls.key | base64)"
export TLS_CERTIFICATE_CRT="$(cat /tmp/tls.crt | base64)"
```

#### Create a namespace in your Kubernetes cluster

If you use a different namespace than `default`, run the command below to create
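Review bot: `cat /tmp/tls.key | base64` in the second step produces line-wrapped output on GNU coreutils (76 columns by default), so for a 2048-bit key TLS_CERTIFICATE_KEY and TLS_CERTIFICATE_CRT will contain embedded newlines that are then passed through `--set`; emit a single line with `base64 -w 0 /tmp/tls.key`, or `base64 < /tmp/tls.key | tr -d '\n'` where `-w` is not available. The first step should also carry two caveats: the generated certificate is self-signed with `/CN=nginx`, so no client will validate it against a real hostname and it is only suitable for testing; and `-nodes` writes an unencrypted private key to `/tmp`, so the README should tell the user to delete `/tmp/tls.key` once the variables are exported.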
Expand All @@ -196,13 +218,16 @@ expanded manifest file for future updates to the application.

```shell
helm template chart/nginx \
--name $APP_INSTANCE_NAME \
--namespace $NAMESPACE \
--set nginx.replicas=$REPLICAS \
--set nginx.initImage=$IMAGE_NGINX_INIT \
--set nginx.image=$IMAGE_NGINX \
--set metrics.image=$IMAGE_METRICS_EXPORTER \
--set metrics.enabled=$METRICS_EXPORTER_ENABLED > "${APP_INSTANCE_NAME}_manifest.yaml"
--name "$APP_INSTANCE_NAME" \
--namespace "$NAMESPACE" \
--set "nginx.replicas=$REPLICAS" \
--set "nginx.initImage=$IMAGE_NGINX_INIT" \
--set "nginx.image=$IMAGE_NGINX" \
--set "metrics.image=$IMAGE_METRICS_EXPORTER" \
--set "metrics.enabled=$METRICS_EXPORTER_ENABLED" \
--set "tls.base64EncodedPrivateKey=$TLS_CERTIFICATE_KEY" \
--set "tls.base64EncodedCertificate=$TLS_CERTIFICATE_CRT" \
> "${APP_INSTANCE_NAME}_manifest.yaml"
```

#### Apply the manifest to your Kubernetes cluster
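Review bot: the two new `--set` lines put the base64-encoded private key on the helm command line, where it ends up in shell history and is visible in `ps` output to other local users while helm runs; pass the TLS values through a values file instead, e.g. `-f tls-values.yaml` containing `tls.base64EncodedPrivateKey` and `tls.base64EncodedCertificate`. Separately, the rendered `${APP_INSTANCE_NAME}_manifest.yaml` now embeds the private key, and the surrounding text tells the user to keep that file for future updates, so the README should say to store it with restricted permissions and never commit it.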
2 changes: 1 addition & 1 deletion k8s/nginx/chart/nginx/templates/application.yaml
Expand Up @@ -43,7 +43,7 @@ spec:
url: https://www.nginx.com/resources/wiki/start/
notes: |-
# Configuring the web content of NGINX server
Follow this instructions to upload web content to your Web Server:
1. Navigate to a folder where directory containing your website is located
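Review bot: the only change in this hunk is whitespace, but the touched notes text has grammar problems that should be fixed while the lines are being edited: `Follow this instructions` should read `Follow these instructions`, and `Navigate to a folder where directory containing your website is located` reads more clearly as `Navigate to the directory that contains your website`.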
10 changes: 5 additions & 5 deletions k8s/nginx/chart/nginx/templates/nginx-secrets.yaml
Expand Up @@ -2,11 +2,11 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-nginx-secret
labels:
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/component: nginx-server
data:
# this certificate was created on 7/16/2018 and will be valid for the next 365 days; it's a self-signed certificate for temporary use only
https1.cert: 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
# this is a private key for the certificate that was created on 7/16/2018 and will be valid for the next 365 days;
https1.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRG1WWlNjVFpkQUZyS2cKU05OZkF4OGNTaDc4SU9wbjE0RDU3blZxVlJiSFNyekpIdUpCblhONVljeTM2WXc1WTZRWmtyTlQwNHBUM3MzNQo1Yk5SMjAveXk1eGUyTTVyTnZGZHdIem5qZ3JPcXBmNllkaDVWWHhKVVU4anJlVkdOQjI2RXErQ1VDNUxiY1ZICnE1am9uUW1jSDNaR3hOVHlGVVFkOXhqa3NjSVk5cDgyQ3EyQW9TeGUzTnlCVTE2RWNwNkdZODBZOEtvU2dxMTQKRWM1SndOSFpHeUNaWGNrUEhLZ1pMUlk0MUxXWHN2em9LS21tL0pMbEF0Y2o0ZE9qUWw1NDkwQmMrd212Nk05TQpVVi96NllaMUVCc2dxOUtuemg2TUN5eUl4aHhrNmE3TWdqNTRHN3BLdXRNK213NTJKQlRMZnlGQjdjd2llRXZkCnBkVzBST1dKQWdNQkFBRUNnZ0VBT2NoMGJMWEdZT3lReVVjYng3VW53OWdRWjkzMkVERHZDVVE2TG4vRUpDRHEKdFdYTEN2enQ4Q0NKMUFXQ0NRK25Ka2M0TjZwVkJHOWJxdnBsL3Y0TzAzRWkvR1JWZkc0ZkpRN2FCdGtLZXdndQo4a0JEcDBTNzFrVFFucm5NVDgxWk84bmVQOG5QbzFxWmFENXpNTC9jbms4Q1JBU3pDendzaDN2cXdjeWFUZHB1CjVWL3REd0NkdEQ4b3dHZi94anc2M2hkRitMZkZmYnd4NG11cXppV2oyYnJrdWJHZmU0NUxsU2w1ckxrdE14L28KYTd5blZOckVJZ05IQm1JczZmWEJJVWs1dEdTaG1tQkd0dXNnYm9BUXBQNDF6bjNOTnZHQlR6VU5BQlgvL2hrVgp4bXRkdGFBSWpULzFPeG5MZll4TG1GeUx3S1hFZFhpajdGM293Nll2SlFLQmdRRCtRZlZldFJHRm1XUHJNQk5iClhCN0xaOXlwSXJrc0JNRkVYbDhxbExGSWdkN3lvQU1OQmVxc081UmNoMkdsMWJtTHJGZ2FqOHJkOWU2U0U5L0QKUnFmNzdiZHk3MmZBOVRSOThJK2hVTTR6eTcrQXVGUGxxS3dkRkQ3NzFMM1JtUEtXNys5eVA1a0IrSzgydUI0bgpHTTNzWkd0MVJPTHNrZnV6bDBTbGRRL1pTd0tCZ1FEbjZhZFBCNk55VUwxMFRsT2MrbVMzcWJLZyt1aFh0ZUR1CmpHSktYVi9aMGhQTUhpaVFBNi9IUnByNFdOcVA0cWZucThDUkQyaEFaNzhvdHB6aFNmeEsvQkhtV09oWS9ESjQKby80TGlCMWdRUG9jUGVkS2ZPTWdkVmp1aG16bzNzb0VnOGxQSis2RG05dlZKOUVkLzA3Q2EwZGRmaTNJREhuRgpObFFuVk9ucit3S0JnRXVZRnJqU3d1UGl5Q2Rid3RXTjNRWUMya05iTkl6VzJSTlhyNW04WGIwK0I2aEJWTWJoCmRIVkN2WWlKSThvbmNpUUoyS1FGRG43UnFOMjdsUEs5SmlLcitiZnRYLzZwcUxLcy9EY3REREd3S1Q2L0R3cWcKREpRVXVla3J4a2Z6M21Scjc5Z2Erb1h3aHorUW5ENXBqSWYxRDFIdGFqNkY1THp2ZzVSaDZwVmpBb0dCQUtrcAphZnpmbVgxOUgzU0MzY0tYY25mMXRISndFcUpIN0xhVWQrMitobmdnSUlpM1J1Y2xpVVpXWGh2ZzFDdzRMRGwwCnNwWWRJdkkzdXR3N3Q5c3RXSFpwdjdUQ0RWazdQS1Y3R1lmWDFYV3NiOFBCODhBRnNMYXdZaG82dTU1eFEvSmYKSHF3NmVHUlBmOTdQbUYzRktQSHZ4cktQbzExVW5FNFov
dkJobysrWkFvR0FOWXh3a0JYaUg0T2RQSUswZ1hBNQp0amNxVkRXSEdvRHV4cUxaNVVsUUVoQk9PSUx0ODNxZ1o1RzJaekNvWkhUNHZaQU82MUJJZ0p5MUhkZTF5U1pvCndXUXB6dCs2RDVxemgySE9WcWpFcjFyL1VnNlhoRzFWaDZWOG0xZkNFNWhKVWR2TVh4WXVwdlA3YVJxbDVGbjIKMTdiR0E3MmhVZHVzS0hpU3dqQjYzWGc9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
https1.cert: |
{{ .Values.tls.base64EncodedCertificate | indent 4 }}
https1.key: |
{{ .Values.tls.base64EncodedPrivateKey | indent 4 }}
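Review bot: removing the hard-coded key pair is the right fix, but the removed `https1.key` value remains in git history (parent 4d9b651 and earlier), so that key must be treated as public: anyone who deployed the chart with the shipped default should rotate it, and the README should say so. Also, `values.yaml` defaults both `tls.*` values to null, so rendering without them yields a Secret whose `https1.cert`/`https1.key` entries are empty or fail to render without a clear message; wrap each value in `required` so the failure is explicit, e.g. `{{ required "tls.base64EncodedCertificate must be set" .Values.tls.base64EncodedCertificate | indent 4 }}`.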
3 changes: 3 additions & 0 deletions k8s/nginx/chart/nginx/values.yaml
Expand Up @@ -2,6 +2,9 @@ nginx:
image: null
initImage: null
replicas: null
tls:
base64EncodedPrivateKey: null
base64EncodedCertificate: null
metrics:
image: null
enabled: false
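Review bot: the new `tls` block defaults both keys to null, which is fine as a placeholder, but a one-line comment above it stating that both values are base64-encoded PEM and are set by the Marketplace `TLS_CERTIFICATE` property or by `--set` (per the README) would save chart users from guessing the expected encoding.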
8 changes: 8 additions & 0 deletions k8s/nginx/schema.yaml
Expand Up @@ -24,6 +24,14 @@ properties:
description: The number of Pods run within NGINX solution
default: 3
minimum: 1
certificate:
type: string
x-google-marketplace:
type: TLS_CERTIFICATE
tlsCertificate:
generatedProperties:
base64EncodedPrivateKey: tls.base64EncodedPrivateKey
base64EncodedCertificate: tls.base64EncodedCertificate
metrics.image:
type: string
default: $REGISTRY/prometheus-to-sd:$TAG
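Review bot: the new `certificate` property has no `description`, unlike the `replicas` property just above it; add one in the same style so the Marketplace form explains what the user is providing. The `generatedProperties` names do match the `--set tls.base64EncodedPrivateKey` / `tls.base64EncodedCertificate` flags in the README and the `.Values.tls.*` references in `nginx-secrets.yaml`, so the manual and Marketplace paths populate the same values; keep the three in sync if either name changes.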