Our company is setting up a DICOM data integration between a clinic's on-premise PACS system and a cloud provider (working on HIPAA-compliant environments w/ GCP).
We've set up a test environment with the following implementation that GCP recommends:
https://cloud.google.com/healthcare/docs/how-tos/dicom-connect-pacs
The clinic PACS leverages the IP, Port, and Application Entity Title of the adapter to forward data via TCP.
The flow of data looks like this:
Clinic (on prem) -> dicom adapter (runs on GKE) -> GCP Dicom storage
Here is the github repo of the adapter:
https://github.com/GoogleCloudPlatform/healthcare-dicom-dicomweb-adapter

Question:
One thing that's not clear is how to implement TLS encryption between the clinic PACS system and the DICOM adapter. We were thinking about setting up a sidecar proxy on the adapter's container that would handle TLS encryption, since the protocol between the clinic and the adapter is TCP/IP (not HTTPS). Note that we don't plan on setting up a VPN between the server and the DICOM adapter but want to encrypt using TLS over the public network.
Ideally, if there were a way to configure TLS directly on the dicom-adapter, or if there is some baked-in feature in GKE/GCP that we're missing, we'd rather go that route instead of configuring a sidecar proxy to manage TLS encryption.
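
The sidecar idea described in the question, as an added example that is not part of the original post or of the adapter project: a TLS-terminating TCP relay that requires a client certificate (mutual TLS) and forwards the decrypted DIMSE byte stream to the adapter on localhost. The certificate paths, listen port 2762 and adapter port 2575 are assumptions chosen for illustration.

```python
import asyncio
import ssl

def tls_policy() -> ssl.SSLContext:
    """Server-side policy: TLS 1.2 or newer, client certificate mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject peers without a cert from our CA
    return ctx

def load_identity(ctx, cert, key, clinic_ca):
    """Attach the proxy's own certificate and the CA that signs the clinic's."""
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(cafile=clinic_ca)
    return ctx

async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except (ConnectionError, ssl.SSLError):
        pass
    finally:
        writer.close()

async def serve(listen_host, listen_port, backend_host, backend_port, tls_ctx):
    """Accept (TLS) connections and relay them to the plaintext backend."""
    async def handle(client_r, client_w):
        try:
            backend_r, backend_w = await asyncio.open_connection(backend_host, backend_port)
        except OSError:
            client_w.close()  # adapter unreachable: drop the client
            return
        await asyncio.gather(pipe(client_r, backend_w), pipe(backend_r, client_w))
    return await asyncio.start_server(handle, listen_host, listen_port, ssl=tls_ctx)

async def main():
    # Assumed paths and ports. The backend is 127.0.0.1 because a sidecar shares
    # the pod's network namespace with the adapter container.
    ctx = load_identity(tls_policy(), "/tls/server.crt", "/tls/server.key", "/tls/clinic-ca.crt")
    server = await serve("0.0.0.0", 2762, "127.0.0.1", 2575, ctx)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

This only helps if the clinic side originates TLS, either natively in the PACS or through an equivalent wrapper in front of it, and only the TLS port should be exposed outside the pod.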