IBM Cloud Docs
Satellite Connector end-to-end example

Satellite Connector end-to-end example

After the tunnel has been established, you can run an application container on your machine and access its endpoints from IBM Cloud.

To configure Satellite Connectors, you must have Administrator access to the Satellite service in IAM access policies.

In this example, use a simple Nginx container.

Creating a Docker container

  1. Create the following directories.
    ~/agent/nginx/etc/nginx
    ~/agent/nginx/www/data
    
  2. Create a file called index.html in ~/agent/nginx/www/data with the following value.
    Hello from ngnix running at my location.
    
  3. Create a file called nginx.conf in ~/agent/nginx/etc/nginx with the following value.
    events {
    worker_connections  1024;
    }
    
    http {
    server {
        listen 80;
        root /www/data;
    
        location / {
        }
      }
    }
    
  4. Run the Nginx container.
    docker run -d -p 80:80 -v ~/agent/nginx/etc/nginx:/etc/nginx:ro -v ~/agent/nginx/www/data:/www/data:ro nginx
    
    You now have a running Nginx container.

Adding TLS support

This section modifies the previous example to add support for TLS to Nginx.

  1. Create the following directories.

    ~/agent/nginx/etc/nginx/ssl/certs
    ~/agent/nginx/etc/nginx/ssl/private
    
  2. Create a self-signed certificate. When you are prompted for your DN, enter a value for the first field and leave the rest at the default values.

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/agent/nginx/etc/nginx/ssl/private/nginx-selfsigned.key -out ~/agent/nginx/etc/nginx/ssl/certs/nginx-selfsigned.crt
    
  3. Edit the nginx.conf file at ~/agent/nginx/etc/nginx to add the SSL settings. The file looks similar to the following example.

    events {
    worker_connections  1024;
    }
    
    http {
    server {
        listen 80;
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/nginx/ssl/private/nginx-selfsigned.key;
        root /www/data;
    
        location / {
        }
      }
    }
    
  4. Restart the Nginx container and include the expose option. If there is an instance currently running, stop it first and then restart.

    docker stop <nginx container id> 
    docker run -d --expose=443 -v ~/agent/nginx/etc/nginx:/etc/nginx:ro -v ~/agent/nginx/www/data:/www/data:ro nginx
    
  5. Create another Location type link endpoint as you did in the previous section that uses the following settings.

    • Use a different name such as MyNginx-ssl.
    • For destination port specify 443.
    • Keep the Source protocol as TCP as SSL termination is done at the nginx server.
  6. Now if you select this endpoint, you see an Endpoint Address that refers to a CSE endpoint that is accessible from within the IBM Cloud network. So if you run a VSI instance or use the VPC VPN, you can curl your Nginx endpoint. As the target endpoint is using SSL, make sure to specify https in the curl command. Also, because a self-signed certificate is used, specify the -k option. For example:

    curl -k https://c-02.private.us-east.link.satellite.cloud.ibm.com:<port>
    Hello from ngnix running at my location.
    

The Nginx container IP address might change when the Nginx container is restarted. If that happens, you must update the Link endpoint destination address.