Last active
August 27, 2022 04:37
-
-
Save welshstew/536e6b77f40e890c01a52b9172e84c11 to your computer and use it in GitHub Desktop.
Generating and using ssl client certificates for use in an nginx sidecar image
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [user@localhost certs]$ oc get builds | |
| NAME TYPE FROM STATUS STARTED DURATION | |
| nodejs-mongo-persistent-1 Source Git@e59fe75 Complete About an hour ago 2m37s | |
| simple-nginx-ssl-reverseproxy-1 Source Git@552932f Complete 16 minutes ago 47s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [user@localhost certs]$ mkdir nginx-certs | |
| [user@localhost certs]$ cp server.crt server.key ca.crt nginx-certs/ | |
| [user@localhost certs]$ oc create secret generic nginx-certs --from-file=nginx-certs/ | |
| secret/nginx-certs created |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [user@localhost certs]$ oc new-build nginx:1.12~https://github.com/welshstew/simple-nginx-ssl-reverseproxy.git | |
| --> Found image e6192d2 (3 weeks old) in image stream "openshift/nginx" under tag "1.12" for "nginx:1.12" | |
| Nginx 1.12 | |
| ---------- | |
| Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. The container image provides a containerized packaging of the nginx 1.12 daemon. The image can be used as a base image for other applications based on nginx 1.12 web server. Nginx server image can be extended using source-to-image tool. | |
| ... | |
| (abbreviated) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [user@localhost ~]$ oc new-project nginx-sidecar | |
| Now using project "nginx-sidecar" on server "https://api.crc.testing:6443". | |
| ... | |
| [user@localhost ~]$ oc new-app --template=nodejs-mongo-persistent | |
| --> Deploying template "openshift/nodejs-mongo-persistent" to project nginx-sidecar | |
| Node.js + MongoDB | |
| --------- | |
| An example Node.js application with a MongoDB database. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/nodejs-ex/blob/master/README.md. | |
| The following service(s) have been created in your project: nodejs-mongo-persistent, mongodb. | |
| ... | |
| (abbreviated) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generate the Root CA certificate | |
| openssl genrsa -aes256 -passout pass:password -out ca.pass.key 4096 | |
| openssl rsa -passin pass:password -in ca.pass.key -out ca.key | |
| openssl req -new -x509 -days 365 -key ca.key -out ca.crt | |
| #rm ca.pass.key | |
| # Create the Server Key, CSR, and Certificate - This will be used by the NGINX sidecar container (the Server) | |
| openssl genrsa -aes256 -passout pass:password -out server.pass.key 4096 | |
| openssl rsa -passin pass:password -in server.pass.key -out server.key | |
| openssl req -new -key server.key -out server.csr | |
| # We're self signing our own server cert here. This is a no-no in production. | |
| openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt | |
| # Create the Client Key and CSR - All of this is required for the client (the web browser client) | |
| openssl genrsa -aes256 -passout pass:password -out client.pass.key 4096 | |
| openssl rsa -passin pass:password -in client.pass.key -out client.key | |
| openssl req -new -key client.key -out client.csr | |
| # Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do. | |
| openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt | |
| # Bundle the private key & cert for end-user client use | |
| cat client.key client.crt ca.crt > client.full.pem | |
| # Bundle client key into a PFX file - this is what will be imported to the browser to use as a client certifcate | |
| openssl pkcs12 -export -out client.full.pfx -inkey client.key -in client.full.pem -certfile ca.crt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [user@localhost certs]$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt | |
| You are about to be asked to enter information that will be incorporated | |
| into your certificate request. | |
| What you are about to enter is what is called a Distinguished Name or a DN. | |
| There are quite a few fields but you can leave some blank | |
| For some fields there will be a default value, | |
| If you enter '.', the field will be left blank. | |
| ----- | |
| Country Name (2 letter code) [XX]:UK | |
| State or Province Name (full name) []:AA | |
| Locality Name (eg, city) [Default City]:AA | |
| Organization Name (eg, company) [Default Company Ltd]:AA | |
| Organizational Unit Name (eg, section) []:AA | |
| Common Name (eg, your name or your server's hostname) []:Root | |
| Email Address []:[email protected] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssl on; | |
| ssl_certificate /etc/nginx/certs/server.crt; | |
| ssl_certificate_key /etc/nginx/certs/server.key; | |
| ssl_client_certificate /etc/nginx/certs/ca.crt; | |
| ssl_verify_client optional; | |
| server { | |
| listen 8443 ssl; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # For more information on configuration, see: | |
| # * Official English Documentation: http://nginx.org/en/docs/ | |
| # * Official Russian Documentation: http://nginx.org/ru/docs/ | |
| worker_processes auto; | |
| error_log /var/opt/rh/rh-nginx112/log/nginx/error.log; | |
| pid /var/opt/rh/rh-nginx112/run/nginx/nginx.pid; | |
| # Load dynamic modules. See /opt/rh/rh-nginx112/root/usr/share/doc/README.dynamic. | |
| include /opt/rh/rh-nginx112/root/usr/share/nginx/modules/*.conf; | |
| events { | |
| worker_connections 1024; | |
| } | |
| http { | |
| log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
| '$status $body_bytes_sent "$http_referer" ' | |
| '"$http_user_agent" "$http_x_forwarded_for"'; | |
| access_log /var/opt/rh/rh-nginx112/log/nginx/access.log main; | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 65; | |
| types_hash_max_size 2048; | |
| include /etc/opt/rh/rh-nginx112/nginx/mime.types; | |
| default_type application/octet-stream; | |
| # Load modular configuration files from the /etc/nginx/conf.d directory. | |
| # See http://nginx.org/en/docs/ngx_core_module.html#include | |
| # for more information. | |
| include /opt/app-root/etc/nginx.d/*.conf; | |
| ssl on; | |
| ssl_certificate /etc/nginx/certs/server.crt; | |
| ssl_certificate_key /etc/nginx/certs/server.key; | |
| ssl_client_certificate /etc/nginx/certs/ca.crt; | |
| ssl_verify_client optional; | |
| server { | |
| listen 8443 ssl; | |
| server_name _; | |
| location / { | |
| proxy_pass http://localhost:8080/; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| } | |
| } | |
| } | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps.openshift.io/v1 | |
| kind: DeploymentConfig | |
| metadata: | |
| annotations: | |
| description: Defines how to deploy the application server | |
| openshift.io/generated-by: OpenShiftNewApp | |
| template.alpha.openshift.io/wait-for-ready: "true" | |
| creationTimestamp: null | |
| generation: 1 | |
| labels: | |
| app: nodejs-mongo-persistent | |
| template: nodejs-mongo-persistent | |
| name: nodejs-mongo-persistent | |
| selfLink: /apis/apps.openshift.io/v1/namespaces/nginx-sidecar/deploymentconfigs/nodejs-mongo-persistent | |
| spec: | |
| replicas: 1 | |
| revisionHistoryLimit: 10 | |
| selector: | |
| name: nodejs-mongo-persistent | |
| strategy: | |
| activeDeadlineSeconds: 21600 | |
| recreateParams: | |
| timeoutSeconds: 600 | |
| resources: {} | |
| type: Recreate | |
| template: | |
| metadata: | |
| annotations: | |
| openshift.io/generated-by: OpenShiftNewApp | |
| creationTimestamp: null | |
| labels: | |
| app: nodejs-mongo-persistent | |
| name: nodejs-mongo-persistent | |
| name: nodejs-mongo-persistent | |
| spec: | |
| containers: | |
| - image: image-registry.openshift-image-registry.svc:5000/nginx-sidecar/simple-nginx-ssl-reverseproxy:latest | |
| imagePullPolicy: IfNotPresent | |
| name: nginx-sidecar | |
| ports: | |
| - containerPort: 8443 | |
| protocol: TCP | |
| resources: {} | |
| terminationMessagePath: /dev/termination-log | |
| terminationMessagePolicy: File | |
| volumeMounts: | |
| - mountPath: /etc/nginx/certs | |
| name: nginx-certs | |
| - env: | |
| - name: DATABASE_SERVICE_NAME | |
| value: mongodb | |
| - name: MONGODB_USER | |
| valueFrom: | |
| secretKeyRef: | |
| key: database-user | |
| name: nodejs-mongo-persistent | |
| - name: MONGODB_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| key: database-password | |
| name: nodejs-mongo-persistent | |
| - name: MONGODB_DATABASE | |
| value: sampledb | |
| - name: MONGODB_ADMIN_PASSWORD | |
| valueFrom: | |
| secretKeyRef: | |
| key: database-admin-password | |
| name: nodejs-mongo-persistent | |
| image: image-registry.openshift-image-registry.svc:5000/nginx-sidecar/nodejs-mongo-persistent@sha256:036c0cd556dca427f7e723db4b14bb18452214601570a1339ec057bb60b779b5 | |
| imagePullPolicy: IfNotPresent | |
| livenessProbe: | |
| failureThreshold: 3 | |
| httpGet: | |
| path: / | |
| port: 8080 | |
| scheme: HTTP | |
| initialDelaySeconds: 30 | |
| periodSeconds: 10 | |
| successThreshold: 1 | |
| timeoutSeconds: 3 | |
| name: nodejs-mongo-persistent | |
| ports: | |
| - containerPort: 8080 | |
| protocol: TCP | |
| readinessProbe: | |
| failureThreshold: 3 | |
| httpGet: | |
| path: / | |
| port: 8080 | |
| scheme: HTTP | |
| initialDelaySeconds: 3 | |
| periodSeconds: 10 | |
| successThreshold: 1 | |
| timeoutSeconds: 3 | |
| resources: | |
| limits: | |
| memory: 512Mi | |
| terminationMessagePath: /dev/termination-log | |
| terminationMessagePolicy: File | |
| dnsPolicy: ClusterFirst | |
| restartPolicy: Always | |
| schedulerName: default-scheduler | |
| securityContext: {} | |
| terminationGracePeriodSeconds: 30 | |
| volumes: | |
| - name: nginx-certs | |
| secret: | |
| defaultMode: 420 | |
| secretName: nginx-certs | |
| test: false | |
| triggers: | |
| - imageChangeParams: | |
| automatic: true | |
| containerNames: | |
| - nodejs-mongo-persistent | |
| from: | |
| kind: ImageStreamTag | |
| name: nodejs-mongo-persistent:latest | |
| namespace: nginx-sidecar | |
| type: ImageChange | |
| - type: ConfigChange |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: route.openshift.io/v1 | |
| kind: Route | |
| metadata: | |
| annotations: | |
| openshift.io/generated-by: OpenShiftNewApp | |
| openshift.io/host.generated: "true" | |
| creationTimestamp: "2019-09-19T10:41:26Z" | |
| labels: | |
| app: nodejs-mongo-persistent | |
| template: nodejs-mongo-persistent | |
| name: nodejs-mongo-persistent | |
| namespace: nginx-sidecar | |
| resourceVersion: "254150" | |
| selfLink: /apis/route.openshift.io/v1/namespaces/nginx-sidecar/routes/nodejs-mongo-persistent | |
| uid: 07fc9110-daca-11e9-af34-0a580a800098 | |
| spec: | |
| host: nodejs-mongo-persistent-nginx-sidecar.apps-crc.testing | |
| subdomain: "" | |
| tls: | |
| termination: passthrough | |
| to: | |
| kind: Service | |
| name: nodejs-mongo-persistent | |
| weight: 100 | |
| wildcardPolicy: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| annotations: | |
| description: Exposes and load balances the application pods | |
| openshift.io/generated-by: OpenShiftNewApp | |
| service.alpha.openshift.io/dependencies: '[{"name": "mongodb", "kind": "Service"}]' | |
| creationTimestamp: "2019-09-19T10:41:26Z" | |
| labels: | |
| app: nodejs-mongo-persistent | |
| template: nodejs-mongo-persistent | |
| name: nodejs-mongo-persistent | |
| namespace: nginx-sidecar | |
| resourceVersion: "253714" | |
| selfLink: /api/v1/namespaces/nginx-sidecar/services/nodejs-mongo-persistent | |
| uid: 07f90f53-daca-11e9-ba93-52fdfc072182 | |
| spec: | |
| clusterIP: 172.30.51.37 | |
| ports: | |
| - name: web | |
| port: 8443 | |
| protocol: TCP | |
| targetPort: 8443 | |
| selector: | |
| name: nodejs-mongo-persistent | |
| sessionAffinity: None | |
| type: ClusterIP | |
| status: | |
| loadBalancer: {} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment