有没有办法在不使用 Java 密钥库的情况下使用 WebFlux 在 Azure Kubernetes 服务中配置 SSL 证书？

Question

我在 AKS 平台中有一个微服务部署，这个微服务必须连接一个使用 SSL 证书的外部 API。 我怀疑是否有一种方法可以在不使用 java Keystore 的情况下配置 SSL 证书，我的项目是使用带有 WebFlux 的 Spring Boot 以 Java 语言开发的。 我找到了一个例子，说明如何使用 jks 文件和 Webflux 但不起作用。

我使用下一个代码来生成一个 SslContext：

public  SslContext getSslContext(){
 SslContext sslContext;  
 try {  
   KeyStore ks = KeyStore.getInstance("JKS");
   try (InputStream is = getClass().getResourceAsStream("/my- 
   truststore.jks")) 
  {
     ks.load(is, "truststore-password".toCharArray());
  }
  X509Certificate[] trusted = 
  Collections.list(ks.aliases()).stream().map(alias -> {
     try {
         return (X509Certificate) ks.getCertificate(alias);
     } catch (KeyStoreException e) {
         throw new RuntimeException(e);
     }
  }).toArray(X509Certificate[]::new);
  sslContext = SslContextBuilder.forClient().trustManager(trusted).build();
 } catch (GeneralSecurityException | IOException e) {
  throw new RuntimeException(e);
 }
}

我使用 next 来生成一个 WebClient：

public  WebClient getSslWebClient (){

    try {

        sslContext = getSslContext();

    } catch (Exception e) {

        e.printStackTrace();
    }
    SslContext finalSslContext = sslContext;
    TcpClient tcpClient = TcpClient.create().secure(sslContextSpec -> 
                          sslContextSpec.sslContext(finalSslContext));
    HttpClient httpClient = HttpClient.from(tcpClient);
    ClientHttpConnector httpConnector = new 
                                      ReactorClientHttpConnector(httpClient);   
    return WebClient.builder().clientConnector(httpConnector).build();
}

我提前感谢您的支持。 问候。

Answer 1

好吧，经过几天的研究，我找到了一种无需使用 Java KeyStore (JKS) 即可使用证书的方法。 为此，我需要 PEM 格式的证书，然后将此证书作为属性复制到参数文件中，然后直接调用它：

public class SslConfig {

@Value("${ocp.http-client.certificate}")
private  String certificate;

private final static String certificateType = "X.509";
private final static String alias = "root";

private static SslContext sslContext;

public  WebClient getSslWebClient (){

    try {

        sslContext = getSslContext();

    } catch (Exception e) {

        e.printStackTrace();
    }
    SslContext finalSslContext = sslContext;
    TcpClient tcpClient = TcpClient.create().secure(sslContextSpec -> sslContextSpec.sslContext(finalSslContext));
    HttpClient httpClient = HttpClient.from(tcpClient);
    ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);

    return WebClient.builder().clientConnector(httpConnector).build();
}

//Se configura el contexto sobre el cual se trabajara la comunicacion SSL
public  SslContext getSslContext(){

    try {
        ByteArrayInputStream is = new ByteArrayInputStream(certificate.getBytes());
        final KeyStore keyStore = readKeyStore(is);

        X509Certificate[] trusted = Collections.list(keyStore.aliases()).stream().map(alias -> {
            try {
                return (X509Certificate) keyStore.getCertificate(alias);
            } catch (KeyStoreException e) {
                System.out.println(e.getMessage());
                throw new RuntimeException(e);

            }
        }).toArray(X509Certificate[]::new);
        sslContext = SslContextBuilder.forClient().trustManager(trusted).build();
    }catch (GeneralSecurityException | SSLException e ){
        System.out.println(e.getMessage());
        throw new RuntimeException(e);
    } catch (IOException e) {
        e.printStackTrace();
    }
    return sslContext;
}

private static KeyStore readKeyStore(InputStream is) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {

    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);
    CertificateFactory cf = CertificateFactory.getInstance(certificateType);
    Certificate cert = null;
    while (is.available() > 0) {
        cert = cf.generateCertificate(is);
    }
    ks.setCertificateEntry(alias, cert);
    return ks;
}
}

在此之后，我可以提出请求并获得我需要的响应。