Kubernetes Secret TLS 证书 P12 和 Spring 引导部署不起作用
Kubernetes Secret TLS Certificate P12 and Spring Boot Deployment doesn't work
我目前卡住了,不知道如何继续。
这是我的Spring引导application.properties
...
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://${POSTGRES_HOST}:5432/postgres
spring.datasource.username=${POSTGRES_USER}
spring.datasource.password=${POSTGRES_PASSWORD}
spring.datasource.testWhileIdle=true
spring.datasource.validationQuery=SELECT 1
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.hibernate.naming-strategy=org.hibernate.cfg.ImprovedNamingStrategy
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
#Setup SSL
server.port: 8443
server.ssl.key-store: ${TLS_CERTIFICATE}
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr
...
我的 Spring 启动应用程序的部署 yaml:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: f-app
namespace: default
spec:
replicas: 1
template:
metadata:
name: f-app
labels:
app: f-app
spec:
containers:
- name: f-app
image: eu.gcr.io/..../...
env:
- name: POSTGRES_USER
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_user
- name: POSTGRES_PASSWORD
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_password
- name: POSTGRES_HOST
valueFrom:
configMapKeyRef:
name: hostname-config
key: postgres_host
- name: TLS-CERTIFICATE
valueFrom:
secretKeyRef:
name: f-tls
key: Certificate.p12
- name: TLS-PASSWORD
valueFrom:
secretKeyRef:
name: f-tls
key: password
这是我在 Kubernetes 中创建秘密的方式:
kubectl create secret generic f-tls --from-file=Certificate.p12 --from-literal=password=changeit
部署后我得到
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: ContainerCannotRun
Message: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/13895/oom_score_adj: invalid argument\""
当我从 Deployment yaml 中删除 Secrets 时,它工作正常,但我无法理解此问题的根本原因。我正在使用 Google Cloud Platform Container Engine。
这是我的 deployment.yaml,它使用存储在 Kubernetes 机密中的 p12 密钥和密码,就像在您的示例中一样创建。可以正常进行 SSL curl 调用。我获取作为只读卷安装的 p12 密钥和密码文件的内容。希望对你有帮助。
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment-name
spec:
replicas: 3
selector:
matchLabels:
app: app-name
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
app: app-name
spec:
volumes:
- name: application
emptyDir: {}
- name: secrets
secret:
secretName: key.p12
containers:
- name: php-fpm
image: index.docker.io/docker_account/docker_image:image_tag
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9000
volumeMounts:
- name: application
mountPath: /app
- name: secrets
mountPath: /api-p12-keys
readOnly: true
imagePullSecrets:
- name: docker-auth
这个答案特定于 Springboot 应用程序,这就是问题所在。
第 1 步:从您的密钥库或 p12 文件创建通用机密
kubectl create secret generic f-tls-secret --from-file=Certificate.p12 --from-literal=password=changeit
第 2 步:使用部署对象将机密装载到您的 pod
spec:
containers:
- image: eu.gcr.io/..../...
volumeMounts:
- name: tls
mountPath: /workspace/resources/
volumes:
- name: tls
secret:
secretName: f-tls-secret
- 在 application.properties 文件中配置 SSL
#Setup SSL
server.port: 8443
server.ssl.key-store: classpath:resources/Certificate.p12
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr
我目前卡住了,不知道如何继续。
这是我的Spring引导application.properties
...
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://${POSTGRES_HOST}:5432/postgres
spring.datasource.username=${POSTGRES_USER}
spring.datasource.password=${POSTGRES_PASSWORD}
spring.datasource.testWhileIdle=true
spring.datasource.validationQuery=SELECT 1
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.hibernate.naming-strategy=org.hibernate.cfg.ImprovedNamingStrategy
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
#Setup SSL
server.port: 8443
server.ssl.key-store: ${TLS_CERTIFICATE}
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr
...
我的 Spring 启动应用程序的部署 yaml:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: f-app
namespace: default
spec:
replicas: 1
template:
metadata:
name: f-app
labels:
app: f-app
spec:
containers:
- name: f-app
image: eu.gcr.io/..../...
env:
- name: POSTGRES_USER
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_user
- name: POSTGRES_PASSWORD
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_password
- name: POSTGRES_HOST
valueFrom:
configMapKeyRef:
name: hostname-config
key: postgres_host
- name: TLS-CERTIFICATE
valueFrom:
secretKeyRef:
name: f-tls
key: Certificate.p12
- name: TLS-PASSWORD
valueFrom:
secretKeyRef:
name: f-tls
key: password
这是我在 Kubernetes 中创建秘密的方式:
kubectl create secret generic f-tls --from-file=Certificate.p12 --from-literal=password=changeit
部署后我得到
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: ContainerCannotRun
Message: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/13895/oom_score_adj: invalid argument\""
当我从 Deployment yaml 中删除 Secrets 时,它工作正常,但我无法理解此问题的根本原因。我正在使用 Google Cloud Platform Container Engine。
这是我的 deployment.yaml,它使用存储在 Kubernetes 机密中的 p12 密钥和密码,就像在您的示例中一样创建。可以正常进行 SSL curl 调用。我获取作为只读卷安装的 p12 密钥和密码文件的内容。希望对你有帮助。
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment-name
spec:
replicas: 3
selector:
matchLabels:
app: app-name
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
app: app-name
spec:
volumes:
- name: application
emptyDir: {}
- name: secrets
secret:
secretName: key.p12
containers:
- name: php-fpm
image: index.docker.io/docker_account/docker_image:image_tag
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9000
volumeMounts:
- name: application
mountPath: /app
- name: secrets
mountPath: /api-p12-keys
readOnly: true
imagePullSecrets:
- name: docker-auth
这个答案特定于 Springboot 应用程序,这就是问题所在。
第 1 步:从您的密钥库或 p12 文件创建通用机密
kubectl create secret generic f-tls-secret --from-file=Certificate.p12 --from-literal=password=changeit
第 2 步:使用部署对象将机密装载到您的 pod
spec:
containers:
- image: eu.gcr.io/..../...
volumeMounts:
- name: tls
mountPath: /workspace/resources/
volumes:
- name: tls
secret:
secretName: f-tls-secret
- 在 application.properties 文件中配置 SSL
#Setup SSL server.port: 8443 server.ssl.key-store: classpath:resources/Certificate.p12 server.ssl.key-store-password: ${TLS_PASSWORD} server.ssl.keyStoreType: PKCS12 server.ssl.keyAlias fundtr