Add TLS support to UI docker container

[d2lam]

SUMMARY

What we tried

First attempt

• Edit nginx.conf to include:

  server {
  listen 443;
  ssl on;
  ssl_certificate     /etc/ssl/cacert.pem;
  ssl_certificate_key /etc/ssl/privkey.pem;
  }

• Build another UI image: testtls
• Edit deployment to use this new image. This doesn't work since the cert files were not available. Makes sense.

Second attempt

• Change nginx.conf to read certs from ENV. For example: ssl_certificate os.getenv("UICERT"); (UICERT is reading from a secret)
• Build another UI image: testtls2
• Edit deployment to use this new image. This doesn't work either. Looks like the os.getenv doesn't work.

What worked - sorta

Third attempt

• Pull an older UI image: v1.0.90
• Go inside the pod

  kubectl exec sdui-pod -it /bin/sh --namespace=screwdriver

• Put the cert and key files inside the pod
• Modify nginx.conf(/etc/nginx/nginx.conf) directly like attempt 1
• Outside the pod: kubectl port-forward to listen to localhost:4443 and forward to sd-ui pod port 443

  kubectl port-forward sdui-pod 4443:443

• Try on browser: https://127.0.0.1:4443 --> works!

TODO

• Figured out how to make it read from ENV, since right now we manually go inside the pod & put the files there.
• Figured out why routing doesn't work? Why only work on localhost, not the cname?

Resources: http://nginx.org/en/docs/http/configuring_https_servers.html

Where we are (12/5/16)

We tried to make nginx.conf read from environment variables:

• In Dockerfile, add:

  ARG MYENV
  RUN echo $MYENV > testenv

• Build a new UI image. When building, use docker build --build-arg=MYENV=somevalue . (Similar to https://github.com/screwdriver-cd/screwdriver/blob/master/hooks/build)
• In the UI deployment, use this image
• Go inside the pods, we see that testenv is there. So that means it worked.
• We need to make it like the screwdriver repo: put the build command inside /hooks/build, and then put the secrets in the screwdriver.yaml. This seems a bit weird, but that's what we got so far.

[bdangit]

If you terminate SSL at the Pod level, you should take advantage of K8s Secrets API. You get to volume mount those files to where you will need them. It will be a whole lot better instead of feeding in a very "return line" (aka \n) sensitive string via environment vars.

[stjohnjohnson]

Closing in favor of using SSL terminated ingress like NGinx.