
Mount Security Certificate into Google Cloud Kubernetes Engine so Java Apps can find valid cert path

I am using Google's Kubernetes Engine to deploy a few Spring Boot apps. I have set ingress up with HTTPS which is working great, but when one of the apps tries to access my authorization server, which is on HTTPS, Java gives me the following error:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException

I know how to fix this locally, but how do I fix this so my Java apps deployed on GKE are able to find the valid .cer file?

I tried including the .cer file directly in the Docker image from my Dockerfile, but that is not really intuitive if my certificates expire, and I was unable to get it to work.

I currently have the crt file and key file mounted as a secret, and the ingress is using it just fine. Previously, I was using Google Cloud's self-managed certificate which worked perfectly as well, but I wanted to test using Kubernetes secrets.

I figure the best option is to mount the .cer onto my cluster and point the deployments to use it through environment variables. That way I can easily update when they expire, and I won't have to redeploy each image.

Update:

I mounted the keystore.jks as a secret volume onto my deployment.yaml and configured Spring Boot to look at that path, but it was to no avail.

Spring Boot Properties

server.ssl.key-store: /mnt/secret/keystore.jks
# other configuration removed for SSL
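One way to do what the question describes, as an added example that is not code from the question or the answer: keep the CA .cer in a Secret, let an initContainer import it into a copy of the JDK's cacerts in an emptyDir, and point the JVM at that file through JAVA_TOOL_OPTIONS, so the app image is untouched when the certificate rotates. The Secret name `authserver-ca`, its key `ca.cer`, the image names and the default cacerts password `changeit` are assumptions; note that the PKIX error concerns the trust store, which is a different setting from `server.ssl.key-store`.

```yaml
# Added example, not code from the question or the answer. Assumed names:
# Secret "authserver-ca" holding the authorization server's CA as "ca.cer",
# app image "example/spring-app:1.0"; "changeit" is the JDK's default cacerts password.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-app
spec:
  replicas: 1
  selector:
    matchLabels: { app: spring-app }
  template:
    metadata:
      labels: { app: spring-app }
    spec:
      volumes:
        - name: ca-cert
          secret:
            secretName: authserver-ca   # kubectl create secret generic authserver-ca --from-file=ca.cer
        - name: truststore
          emptyDir: {}                  # rebuilt on every pod start, so a rotated Secret is picked up on restart
      initContainers:
        # Copy the JDK's own cacerts so public CAs stay trusted, then add the private CA to the copy.
        - name: build-truststore
          image: eclipse-temurin:17-jdk  # assumed: any JDK image that ships keytool and sets JAVA_HOME
          command: ["sh", "-c"]
          args:
            - >-
              cp "$JAVA_HOME/lib/security/cacerts" /mnt/truststore/cacerts &&
              keytool -importcert -noprompt -alias authserver-ca
              -file /mnt/ca/ca.cer -keystore /mnt/truststore/cacerts -storepass changeit
          volumeMounts:
            - { name: ca-cert, mountPath: /mnt/ca, readOnly: true }
            - { name: truststore, mountPath: /mnt/truststore }
      containers:
        - name: app
          image: example/spring-app:1.0  # assumed
          env:
            # Read by every JVM at start-up; this sets the *trust* store that PKIX path building
            # consults (server.ssl.key-store is the server's own identity, not its trust anchors).
            - name: JAVA_TOOL_OPTIONS
              value: >-
                -Djavax.net.ssl.trustStore=/mnt/truststore/cacerts
                -Djavax.net.ssl.trustStorePassword=changeit
          volumeMounts:
            - { name: truststore, mountPath: /mnt/truststore, readOnly: true }
```

After updating the Secret with the renewed .cer, a rolling restart of the Deployment rebuilds the truststore without building or pushing a new image.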

To solve this issue in GCP's GKE, sometimes replacing cacerts files helps to solve it, but following these steps is the correct way to do it:

a) Use a Service Account. In order to have more reference about GCP's Service Accounts, take a look into this Official Documentation.

b) Add storage-rw scope to the cluster's scopes when creating the cluster. As this documentation indicates, you can do it with the command:

gcloud container clusters create example-cluster --scopes=bigquery,storage-rw,compute-ro

Use this GCP GKE official documentation for more reference regarding GCP's IAM Access Scopes.

c) Review in detail how you are creating your Kubernetes Secret. For more guidance, use this Official GKE Secrets Documentation.

Plus, you can use these threads as a reference too: Why is cacerts update needed in Kubernetes?, How to Fix javax.net.ssl.SSLHandshakeException and KubernetesAPIJavaClient.
