In the previous post we created a certificate for a subdomain and now we want to use it in our .NET Core project and create it as a container image. Later it will be used for an Ingress with SSL-Pass-Through.

Creating the projects

The source code is hosted on GitHub and consists two simple API services. The use of SSL and Docker was directly activated during creation. Only the Kestrel configuration in the Program.cs has to be changed to use SSL. Make sure to use “Any” (and not “Loopback”) for the IP address. The created certificate is not in GitHub and must be added to the project before. Please make sure that the certificate is always copied with the settings in VS. Otherwise it will not be copied into the build container and from there not into the runtime container.

Creating Docker Images

Next, the Docker Images will be built. The docker file generated by the VS can be used directly.

docker build -t sslservice1 -f ./Service1/Dockerfile .
docker build -t sslservice2 -f ./Service2/Dockerfile .
docker rmi $(docker images -a -f "dangling=true" -q)

The generated <none>-images are created from the multi-stage build of the VS docker file. These can be removed with line 3.

Test the Docker Images

We can now test the resulting images locally and see whether our certificates are used and correctly stored in the container.

$ docker run -p 443:443 sslservice1
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
      No XML encryptor configured. Key {2076d931-91d6-47a7-9799-c5c0376f5add} may be persisted to storage in unencrypted form.
warn: Microsoft.AspNetCore.Server.Kestrel[0]
      Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
Hosting environment: Production
Content root path: /app
Now listening on: https://0.0.0.0:443
Application started. Press Ctrl+C to shut down.

Disclaimer ^^: It is not a good idea to store a certificate in an image! On the one hand it is much more difficult to exchange a certificate in the images/pods and on the other hand the certificate is stored in the image and can be stolen from there. Therefore, an ingress is used for SSL offloading with K8s clusters. In this special example, however, the SSL offloading will be executed explicitly by the pods and passed through the ingress.