Nginx Sidecar

Blueprint: https://blueprints.launchpad.net/openstack-helm/+spec/nginx-sidecar

Problem Description

In a secured deployment, TLS certificates are used to protect the transports amongst the various components. In some cases, this requires additional mechanisms to handle TLS offloading and to terminate the connection gracefully:

  • services that do not handle TLS offloading and termination,

  • services whose native handling of TLS offloading and termination causes a major performance impact, for example, eventlet.

Proposed Change

This specification proposes to add an nginx sidecar container to the pod of each service that requires TLS offloading. The nginx container handles the TLS offloading, terminates the TLS connection, and routes the decrypted traffic to the service via localhost (127.0.0.1).
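As an added illustration of the layout this proposes (example manifests written for this page, not the helm-toolkit snippet or any chart from the OpenStack-Helm project), the following ConfigMap and Pod place an nginx sidecar beside a service container. The service name, image, the `--bind`/`--port` arguments, the port numbers and the secret name `example-api-tls` are all assumptions; the secret is assumed to be a standard Kubernetes `kubernetes.io/tls` secret carrying `tls.crt` and `tls.key`.

```yaml
# Added example, not from the openstack-helm project. Names, images, ports,
# the service's command-line flags and the secret name are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: example-api-nginx-sidecar
data:
  nginx.conf: |
    events {}
    http {
      server {
        # TLS is terminated here; this is the only port exposed on the pod IP.
        listen 8443 ssl;
        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        location / {
          # Plaintext hop stays inside the pod's network namespace.
          proxy_pass http://127.0.0.1:8080;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header X-Forwarded-For $remote_addr;
        }
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: example-api
spec:
  containers:
  - name: example-api
    image: example.invalid/example-api:latest   # assumed image
    # Bind the service to loopback only, so the unencrypted listener is
    # not reachable from other pods via the pod IP.
    args: ["--bind", "127.0.0.1", "--port", "8080"]   # assumed flags
  - name: nginx-tls
    image: nginx:1.25
    ports:
    - containerPort: 8443
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
    - name: tls
      mountPath: /etc/nginx/tls
      readOnly: true
  volumes:
  - name: nginx-conf
    configMap:
      name: example-api-nginx-sidecar
  - name: tls
    secret:
      secretName: example-api-tls   # assumed kubernetes.io/tls secret
```

The check a practitioner would want here is the service container's bind address: all containers in a pod share one network namespace, so a service that listens on 0.0.0.0:8080 remains reachable in plaintext from any pod that can reach the pod IP, regardless of the sidecar. Binding the service to 127.0.0.1 (or restricting the port with a NetworkPolicy) is what makes the sidecar the only entry point.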

Security Impact

This enhances the system’s security design by allowing pods with services that cannot natively manage TLS to secure the traffic to the service pod.

Performance Impact

There is no significant performance impact as the traffic will be locally routed (via 127.0.0.1) and may potentially improve performance for services whose native TLS handling is inefficient.

Alternatives

  • haproxy could be used in place of nginx as the TLS-terminating sidecar.

Implementation

Assignee(s)

Primary assignee:

Pete Birley <pete@port.direct>

Work Items

  • Update helm toolkit to provide snippet to create the nginx sidecar container for the services that require it.

  • Update service charts to use the updated helm toolkit.

  • Update relevant Documentation.

Testing

The testing will be performed by the OpenStack-Helm gate to demonstrate that the sidecar container correctly routes traffic to the intended services.

Documentation Impact

OpenStack-Helm documentation will be updated to indicate the usage of the nginx sidecar.