Satellite Connector end-to-end example

After the tunnel has been established, you can run an application container on your machine and access its endpoints from IBM Cloud.

To configure Satellite Connectors, you must have Administrator access to the Satellite service in IAM access policies.

In this example, use a simple Nginx container.

Creating a Docker container

Create the following directories.

~/agent/nginx/etc/nginx
~/agent/nginx/www/data

Create a file called index.html in ~/agent/nginx/www/data with the following value.
```
Hello from ngnix running at my location.
```

Create a file called nginx.conf in ~/agent/nginx/etc/nginx with the following value.

events {
worker_connections  1024;
}

http {
server {
    listen 80;
    root /www/data;

    location / {
    }
  }
}

Run the Nginx container.

docker run -d -p 80:80 -v ~/agent/nginx/etc/nginx:/etc/nginx:ro -v ~/agent/nginx/www/data:/www/data:ro nginx

You now have a running Nginx container.

Creating your Link endpoint

Create a Location link endpoint in your Satellite Connector on IBM Cloud.
1. From the Satellite console, select your connector.
2. From the User Endpoints tab, click Create endpoint.
3. In the Endpoint name field, enter MyNginx.
4. In the Destination FQDN or IP field, enter the IP address of the Nginx container, for example, 172.17.0.3. To find the Nginx IP address, run docker inspect <nginx container id> | grep IPAddress.
5. In the Destination port field, enter 80.
6. Click Next.
7. In the Source protocol field, select TCP.
8. Leave the rest of fields blank.
9. Click Next.
10. Optionally, select an ACL rule or create a new ACL rule to control which clients can access location endpoint resources. If no ACL rule is selected, any client that is connected to the IBM Cloud private network can use the endpoint to connect to the destination resource that runs in your location.
11. Click Next.
12. Leave the connection settings at their default values.
13. Click Create endpoint.
In the Endpoint details, you can see an Endpoint Address that refers to a CSE endpoint that is accessible from within the IBM Cloud network. If you run a VSI instance or use the VPC VPN, you can curl your Nginx endpoint. For example:
```
curl http://c-02.private.us-east.link.satellite.cloud.ibm.com:<port>
Hello from ngnix running at my location.
```

Adding TLS support

This section modifies the previous example to add support for TLS to Nginx.

Create the following directories.

~/agent/nginx/etc/nginx/ssl/certs
~/agent/nginx/etc/nginx/ssl/private

Create a self-signed certificate. When you are prompted for your DN, enter a value for the first field and leave the rest at the default values.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/agent/nginx/etc/nginx/ssl/private/nginx-selfsigned.key -out ~/agent/nginx/etc/nginx/ssl/certs/nginx-selfsigned.crt

Edit the nginx.conf file at ~/agent/nginx/etc/nginx to add the SSL settings. The file looks similar to the following example.

events {
worker_connections  1024;
}

http {
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/private/nginx-selfsigned.key;
    root /www/data;

    location / {
    }
  }
}

Restart the Nginx container and include the expose option. If there is an instance currently running, stop it first and then restart.

docker stop <nginx container id> 
docker run -d --expose=443 -v ~/agent/nginx/etc/nginx:/etc/nginx:ro -v ~/agent/nginx/www/data:/www/data:ro nginx

Create another Location type link endpoint as you did in the previous section that uses the following settings.
- Use a different name such as MyNginx-ssl.
- For destination port specify 443.
- Keep the Source protocol as TCP as we are expecting SSL termination to be done at the nginx server.
Now if you select this endpoint, you see an Endpoint Address that refers to a CSE endpoint that is accessible from within the IBM Cloud network. So if you run a VSI instance or use the VPC VPN, you can curl your Nginx endpoint. As the target endpoint is using SSL, make sure to specify https in the curl command. Also, because a self-signed certificate is used, specify the -k option. For example:
```
curl -k https://c-02.private.us-east.link.satellite.cloud.ibm.com:<port>
Hello from ngnix running at my location.
```

The Nginx container IP address might change when the Nginx container is restarted. If that happens, you must update the Link endpoint destination address.