Installing a security certificate into Google Cloud Kubernetes Engine so that a Java application can find a valid certification path

Posted 2025-01-10 16:41:52 · 1070 characters · 0 views · 0 comments

I am using Google's Kubernetes Engine to deploy a few Spring Boot apps. I have set ingress up with HTTPS which is working great, but when one of the apps tries to access my authorization server, which is on HTTPS, Java gives me the following error:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException

I know how to fix this locally, but how do I fix this so my Java apps deployed on GKE are able to find the valid .cer file?

I tried including the .cer file directly in the Docker image from my Dockerfile, but that is not really intuitive if my certificates expire, and I was unable to get it to work.

I currently have the crt file and key file mounted as a secret, and the ingress is using it just fine. Previously, I was using Google Cloud's self-managed certificate, which worked perfectly as well, but I wanted to test using Kubernetes secrets.

I figure the best option is to mount the .cer onto my cluster and point the deployments to use it through environment variables. That way I can easily update when they expire, and I won't have to redeploy each image.

Update:

I mounted the keystore.jks as a secret volume onto my deployment.yaml and configured Spring Boot to look at that path, but it was to no avail.

Spring Boot Properties

server.ssl.key-store: /mnt/secret/keystore.jks
# other configuration removed for SSL
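One way to give the pod the CA certificate it needs for the outbound call, as an added example that is not part of the original post or answer: mount a Java truststore from a Kubernetes Secret and point the JVM at it through JAVA_TOOL_OPTIONS. The names auth-ca-truststore, spring-app, /mnt/truststore and the image are placeholders. The property that governs which CAs a Java client trusts is javax.net.ssl.trustStore; Spring Boot's server.ssl.key-store only configures the key the app's own inbound listener presents, so it does not affect the PKIX error above.

```yaml
# Added example, not the original poster's manifest. Assumes a Secret created
# out of band from a truststore that holds only the CA chain that issued the
# authorization server's certificate (never the server's private key):
#   kubectl create secret generic auth-ca-truststore \
#     --from-file=truststore.p12=truststore.p12 \
#     --from-literal=password=<placeholder>
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-app            # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spring-app
  template:
    metadata:
      labels:
        app: spring-app
    spec:
      containers:
      - name: app
        image: example.com/spring-app:latest   # placeholder image
        env:
        # Must be listed BEFORE JAVA_TOOL_OPTIONS: Kubernetes only expands
        # $(VAR) references to variables defined earlier in this list.
        - name: TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: auth-ca-truststore
              key: password
        # The JVM reads JAVA_TOOL_OPTIONS at startup, so neither the Dockerfile
        # nor application.properties has to change when the CA is rotated.
        - name: JAVA_TOOL_OPTIONS
          value: >-
            -Djavax.net.ssl.trustStore=/mnt/truststore/truststore.p12
            -Djavax.net.ssl.trustStoreType=PKCS12
            -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)
        volumeMounts:
        - name: truststore
          mountPath: /mnt/truststore
          readOnly: true
      volumes:
      - name: truststore
        secret:
          secretName: auth-ca-truststore
          items:
          - key: truststore.p12
            path: truststore.p12
```

Two caveats a practitioner should keep in mind. Setting javax.net.ssl.trustStore replaces the JDK's default cacerts entirely, so if the app also calls public HTTPS endpoints, build the truststore by copying the JDK's cacerts and importing the private CA into it (keytool -importcert -trustcacerts -keystore copy-of-cacerts -file ca.cer -alias auth-ca) rather than creating a store that contains only the private CA. And although Kubernetes refreshes mounted Secret files in place, the JVM loads the truststore once during TLS initialisation and does not re-read it, so after updating the Secret the pods still need a restart (for example kubectl rollout restart deployment/spring-app) before the new CA takes effect; that is a rollout, not a rebuild of the image.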


Comments (1)

少钕鈤記 2025-01-17 16:41:52

To solve this issue in GCP’s GKE, sometimes replacing cacerts files helps to solve it, but following these steps is the correct way to do it:

a) Use a Service Account. For more reference about GCP's Service Accounts, take a look at this Official Documentation.

b) Add storage-rw scope to the cluster’s scopes when creating the cluster. As this documentation indicates, you can do it with the command:

gcloud container clusters create example-cluster --scopes=bigquery,storage-rw,compute-ro

Use this GCP GKE official documentation for more reference regarding GCP's IAM Access Scopes.

c) Review in detail how you are creating your Kubernetes Secret. For more guidance, use this Official GKE’s Secrets Documentation.

Plus, you can use these threads as a reference too: Why is cacerts update needed in Kubernetes?, How to Fix javax.net.ssl.SSLHandshakeException, and KubernetesAPIJavaClient.
