Getting encryption from your end-user to your load balancer with SSL Termination is usually a piece of cake, and for most applications, it's good enough. But how much more effort is it to get complete end-to-end encryption all the way down to the container?

I assume, for simplicity's sake, that either the load balancer or some other mechanism is forcing the HTTP -> HTTPS upgrades, so all inbound connections to the container are already HTTPS.

NGINX Configuration

First things first, we need to update the NGINX configuration to listen on port 443 and have an SSL Certificate configured.

For this example, I am assuming that you have a PHP-FPM container downstream, but the same concepts can be applied to anything.

server {
    listen 443 ssl;
    index index.php index.html;
    root /var/www/public;
    ssl_certificate /etc/ssl/certs/certificate.pem;
    ssl_certificate_key /etc/ssl/private/privatekey.pem;

    location / {
        try_files $uri /index.php?$args;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_buffers 16 16k; 
        fastcgi_buffer_size 32k;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;

SSL Certificates

Now that your web server is expecting a certificate, we have to get it one. I'll walk through two methods of doing this: within the Dockerfile (as an entrypoint) and via Kubernetes ConfigMaps.

SSL Certificates via Dockerfile

While not recommended for production use, this is an ideal option for more ephemeral environments (e.g. local or CI/CD) as every container spun up creates its certificate. The downside, however, is that the container boot-up time increases.

Your new Dockerfile will look something like this:

FROM nginx:alpine

WORKDIR /etc/nginx
RUN apk add openssl

ADD /etc/nginx/
RUN chmod +x /etc/nginx/
ADD vhost.conf /etc/nginx/conf.d/default.conf

CMD /bin/sh -c /etc/nginx/ && nginx -g 'daemon off;'

We need to install openssl and then call the file which will generate the private key and certificate:


openssl \
  req -out /etc/ssl/private/certificate.csr \
  -new -newkey rsa:2048 -nodes -keyout /etc/ssl/private/privatekey.pem \
  -subj "/C=US/ST=OR/L=Portland/O=Docker/"
openssl \
  req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
   -keyout /etc/ssl/private/privatekey.pem \
   -out /etc/ssl/private/certificate.crt \
  -subj "/C=US/ST=OR/L=Portland/O=Docker/"

SSL Certificates via Kubernetes ConfigMaps

If you prefer to have the same certificate across all containers or otherwise centrally manage where the certificate comes from, you can use a ConfigMap created from files and mount it to the container

kubectl -n charts create configmap nginx-ssl --from-file=/folder/containing/cert-and-privatekey
apiVersion: apps/v1beta1
kind: Deployment
  name: web
  replicas: 3
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
        app: web
        - name: nginx
          image: ##CONTAINER_IMAGE##
          imagePullPolicy: Always
            - containerPort: 443
            - name: nginx-ssl
              mountPath: /etc/ssl/private/certificate.pem
              readOnly: true
              subPath: certificate.pem
            - name: nginx-ssl
              mountPath: /etc/ssl/private/privatekey.pem
              readOnly: true
              subPath: privatekey.pem
              cpu: 250m
              cpu: 500m
        - name: nginx-ssl
            name: nginx-ssl

Complete, functional examples can be found here: