CertWrapper (SSL Sidecar)

Overview

CertWrapper provides SSL termination as a sidecar container that runs alongside your application processes. Unlike SecureProxy which runs as a separate service, CertWrapper shares the same ECS task resources (CPU/RAM) with your application, providing cost-effective SSL termination with automatic Let’s Encrypt certificate management using Traefik.

Purpose and Benefits

• Cost-Effective SSL: No additional compute costs - shares resources with your application
• Sidecar Architecture: Runs as a sidecar container within your existing ECS tasks
• Zero-Downtime Deployments: Application deployments don’t affect SSL termination
• Automatic Certificates: Let’s Encrypt certificate provisioning and renewal with Traefik
• Localhost Proxy: Proxies HTTPS traffic to your application on localhost
• Shared Resources: Uses existing CPU and memory allocation efficiently

How CertWrapper Works

Sidecar Container Architecture

CertWrapper runs as:

• Sidecar Container: Additional container in your application’s ECS task definition
• Shared Resources: Uses the same CPU and memory allocation as your main application
• Localhost Communication: Proxies traffic from HTTPS (port 443) to your app (typically port 8080)
• Traefik Integration: Uses Traefik for reverse proxy and certificate management
• Let’s Encrypt: Automatic SSL certificate provisioning and renewal

vs. SecureProxy Comparison

CLI Usage

Create CertWrapper

tapit  create certwrapper [acme_email=my@email.com]

Optional Parameters

• acme_email: Email address for Let’s Encrypt certificate registration (default: app owner email)

List and Show CertWrapper

# List all addons (including CertWrapper)
tapit list addons

# Show specific CertWrapper details
tapit show addon name=certwrapper

Delete CertWrapper

tapit delete addon name=certwrapper

Resource Sharing

• CPU: Sidecar uses units from your task allocation
• Memory: Sidecar uses ~64-128 MB from your task allocation