Not able to enable TLS in a Java Spring Boot app on OpenShift 4.3
- I added JAVA_KEYSTORE_PASSWORD as a secret in my namespace.
- In my deployment I use an initContainer to build the keystore from the TLS key, and the certificate is generated through the service annotation service.beta.openshift.io/serving-cert-secret-name. The initContainer uses the Docker image docker.io/abc/cert:latest, which is built from jre-alpine with openssl installed on top.
- name: pem-to-keystore
  image: docker.io/abc/cert:latest
  env:
  - name: keyfile
    value: /var/run/secrets/openshift.io/services_serving_certs/tls.key
  - name: crtfile
    value: /var/run/secrets/openshift.io/services_serving_certs/tls.crt
  - name: keystore_pkcs12
    value: /var/run/secrets/java.io/keystores/keystore.pkcs12
  - name: keystore_jks
    value: /var/run/secrets/java.io/keystores/keystore.jks
  command: ['/bin/sh']
  args: ['-c', "openssl pkcs12 -export -inkey $keyfile -in $crtfile -out $keystore_pkcs12 -password pass:$JAVA_KEYSTORE_PASSWORD && keytool -importkeystore -noprompt -srckeystore $keystore_pkcs12 -srcstoretype pkcs12 -destkeystore $keystore_jks -storepass $JAVA_KEYSTORE_PASSWORD -srcstorepass $JAVA_KEYSTORE_PASSWORD"]
  volumeMounts:
  - mountPath: /var/run/secrets/java.io/keystores
    name: keystore-volume
  - mountPath: /var/run/secrets/openshift.io/services_serving_certs
    name: service-certs
volumes:
- name: keystore-volume
  emptyDir: {}
- name: service-certs
  secret:
    secretName: ${APP_NAME}-${NAMESPACE}-service-serving-cert-secret
- Updated application.properties
server.ssl.key-store-type=JKS
server.ssl.key-store=/var/run/secrets/java.io/keystores/keystore.jks
# Spring placeholder syntax is ${NAME}; the extra "$" inside the braces would not resolve
server.ssl.key-store-password=${JAVA_KEYSTORE_PASSWORD}
server.ssl.enabled=true
- Updated the Dockerfile
ENTRYPOINT keytool -importcert -file /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt -keystore "$JAVA_HOME/lib/security/cacerts" -noprompt -storepass $JAVA_KEYSTORE_PASSWORD ; \
    java $JAVA_OPTS -Dcom.jsse2.overrideDefaultTLS=true -Djava.security.egd=file:/dev/./urandom -jar app.jar
But I get this error in the pod:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
The password works in application.properties and in the openssl command I set up myself. But it does not work in the following command in my Dockerfile:
keytool -importcert -file /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt -keystore "$JAVA_HOME/lib/security/cacerts" -noprompt -storepass $JAVA_KEYSTORE_PASSWORD
This works when I use keytool's default password changeit; after that the error message goes away and I can see Certificate was added to keystore.
The other option is to change the keytool default password and use that.
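Added example, not part of the question or of any project it mentions: the error above is the JKS integrity check, which Java's JavaKeyStore computes as SHA-1 over the password (UTF-16BE), the constant string "Mighty Aphrodite" and the store bytes. This Python re-implements that check on a constructed empty store, so you can see why JAVA_KEYSTORE_PASSWORD opens the keystore the initContainer built but not the JDK's cacerts, which ships sealed under changeit. The function names and the sample stores are my own.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant mixed into the digest by sun.security.provider.JavaKeyStore


def _keyed_digest(password, body):
    """SHA-1(password as UTF-16BE || salt || store bytes), exactly as JavaKeyStore computes it."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()


def build_empty_jks(password):
    """Constructed sample store: magic, version 2, zero entries, sealed under `password`."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _keyed_digest(password, body)


def jks_password_matches(store, password):
    """The integrity check keytool runs when opening a JKS; False is the
    'Keystore was tampered with, or password was incorrect' case."""
    if len(store) < 12 + 20:
        raise ValueError("too short to be a JKS store")
    magic, version = struct.unpack(">II", store[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS store (JDK 18+ ships cacerts as password-less PKCS12)")
    body, stored = store[:-20], store[-20:]
    return hmac.compare_digest(_keyed_digest(password, body), stored)


def find_store_password(store, candidates):
    """First candidate that opens `store`, or None: the app password opens the
    initContainer's keystore, while cacerts only opens with keytool's default."""
    for pw in candidates:
        if jks_password_matches(store, pw):
            return pw
    return None


if __name__ == "__main__":
    app_store = build_empty_jks("app-secret")  # stand-in for keystore.jks from the initContainer
    cacerts = build_empty_jks("changeit")      # stand-in for $JAVA_HOME/lib/security/cacerts
    print(find_store_password(app_store, ["app-secret", "changeit"]))  # app-secret
    print(find_store_password(cacerts, ["app-secret", "changeit"]))    # changeit
```

Running `keytool -list -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit` in the image performs the same check from the JDK side, which is a quick way to confirm which password a given store expects before baking a keytool call into ENTRYPOINT.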