Stunnel and OpenShift (or any other virtual hosting)

In a previous post I outlined the standard techniques used with OpenShift to connect TCP clients outside of OpenShift with TCP servers running inside OpenShift's SDN. Both NodePort and External IPs require some amount of configuration of routing, load balancing, and firewalls to work. Ideally, we could use standard Routes for all traffic, including TCP. In order for TCP connections to use the router, they need to be encrypted with TLS and the client needs to support Server Name Indication (SNI), because the router uses the SNI hostname to decide which passthrough Route a connection belongs to. If those conditions aren't met, an alternative is to tunnel the traffic over TLS ourselves.

We run two instances of stunnel: a server instance inside our OpenShift pod that terminates the tunnel and hands plaintext to the application, and a client instance running outside of OpenShift, next to our client, that initiates the tunnel.

Quick Aside: Although we're talking about a specific use case here (tunneling TCP traffic into OpenShift), the exact same technique works any time we need to take an insecure TCP protocol and tunnel it over an insecure network.

A shell script runs in the container. If a certificate isn't injected at runtime, this script generates a self-signed certificate. It also modifies the stunnel configuration if environment variables are defined.
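To make the two-instance layout and the container startup script concrete, here is an added example of such an entrypoint. It is not the post's own script and not code from the stunnel project: it renders the server-side stunnel configuration from environment variables, falls back to a self-signed certificate when none has been injected, and also shows the matching client-side configuration that runs outside OpenShift. Every variable name, path, port, hostname and default below is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not the original post's script. All names, paths and defaults
# here are assumptions for illustration.
set -eu

# Where an injected certificate would be mounted (for example from an OpenShift secret).
STUNNEL_CERT="${STUNNEL_CERT:-/etc/stunnel/tls.crt}"
STUNNEL_KEY="${STUNNEL_KEY:-/etc/stunnel/tls.key}"
STUNNEL_CONF="${STUNNEL_CONF:-/etc/stunnel/stunnel.conf}"

# Port the TLS tunnel terminates on, and the plaintext TCP service it forwards to.
STUNNEL_ACCEPT_PORT="${STUNNEL_ACCEPT_PORT:-8443}"
STUNNEL_CONNECT="${STUNNEL_CONNECT:-127.0.0.1:5432}"

# Generate a throwaway self-signed certificate only when none was injected.
# A self-signed certificate gives clients nothing trusted to verify against,
# so an injected, CA-issued certificate is the production path.
ensure_cert() {
  cert="$1"; key="$2"; cn="$3"
  if [ -s "$cert" ] && [ -s "$key" ]; then
    return 0
  fi
  mkdir -p "$(dirname "$cert")"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${cn}" -keyout "$key" -out "$cert" >/dev/null 2>&1
}

# Server side (inside the pod): accept TLS, forward plaintext to the application.
render_server_conf() {
  cert="$1"; key="$2"; accept_port="$3"; connect="$4"; out="$5"
  cat > "$out" <<EOF
; stunnel server: terminates the TLS tunnel inside the pod
foreground = yes
pid =
cert = ${cert}
key = ${key}
; sslVersionMin needs stunnel 5.50 or later
sslVersionMin = TLSv1.2

[tunnel]
accept = ${accept_port}
connect = ${connect}
EOF
}

# Client side (outside OpenShift): listen locally, open TLS to the router.
# sni must equal the Route hostname so the router can select the passthrough Route.
render_client_conf() {
  route_host="$1"; local_port="$2"; out="$3"
  cat > "$out" <<EOF
; stunnel client: initiates the TLS tunnel to the OpenShift router
foreground = yes
pid =
client = yes
sslVersionMin = TLSv1.2

[tunnel]
accept = 127.0.0.1:${local_port}
connect = ${route_host}:443
sni = ${route_host}
; verify the served certificate against the system CA bundle (path is an assumption)
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = ${route_host}
EOF
}

main() {
  ensure_cert "$STUNNEL_CERT" "$STUNNEL_KEY" "${STUNNEL_CN:-stunnel.local}"
  render_server_conf "$STUNNEL_CERT" "$STUNNEL_KEY" \
    "$STUNNEL_ACCEPT_PORT" "$STUNNEL_CONNECT" "$STUNNEL_CONF"
  exec stunnel "$STUNNEL_CONF"
}

# Run main only when executed under the assumed entrypoint name, so the
# functions can also be sourced on their own.
case "${0##*/}" in
  stunnel-entrypoint.sh) main ;;
esac
```

The client config enables certificate verification, so it only works against a certificate the client trusts; with the self-signed fallback you would have to point CAfile at that exact certificate (or accept that the client config cannot verify the server), which is why injecting a real certificate matters for anything beyond a test.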