使用Google Jib和Kubernetes时添加SSL证书 [英] Adding SSL certificate when using Google Jib and Kubernetes
问题描述
因此,我试图为我的项目添加ssl证书,在本地计算机上,我只需遵循keytool命令就可以添加它,然后它就可以了.但是,当我尝试在装有k8s集群的计算机上执行相同操作时,它似乎根本无法工作.
我看到几个人在docker文件的cacerts中添加了cer,但是由于我正在使用Google的Jib而没有一个cer,所以我不确定它应该从这里去还是我应该添加到我的k8s部署文件中的配置?
背景
这里,我假设您的应用程序已部署到Kubernetes,并且正在连接到受Kubernetes外部服务器证书保护的外部服务器.例如,例如不使用操作系统中的系统CA证书存储,而是使用其自己的信任库:
代替使用Windows证书存储,它使用自己的实现.Java证书存储在名为
cacerts
的文件中,该文件位于C:\ Program Files(x86)\ Java \ jre1.x.x_xxx \ lib \ security \
因为您说过在本地成功使用了keytool,所以我假设您已经了解了此Java行为,并且应该将服务器证书导入到该位置,即,将其导入到JRE的默认 cacerts
文件中.JRE目录(除非您使用某些系统属性来告诉JVM在不同位置查找CA信任库).既然您说过让它在本地运行,那么从理论上讲您可以照做,它也应该在Kubernetes上也可以运行.
在构建时嵌入证书
一种直接的方法是在映像构建时将证书烘烤到映像中(如您所暗示的 Dockerfile
方法).为此,您可以使用Jib的< extraDirectories>
功能将任意文件复制到图像中.只需准备一个新的 cacerts
文件并将其放置在图像中JRE的默认位置即可.
在运行时提供证书
如果您不喜欢将证书放入映像中,而是想在运行时提供它,我相信您基本上可以遵循我上面链接的文章中介绍的最后一种方法(尽管对于Java,您应该当然,请放 cacerts
代替).我不是Kubernetes领域的专家,并且不确定Kubrenetes是否提供另一种专用解决方案,但是本文中的方法似乎是合理的,应该可以使用.
对于Kubernetes以外的其他容器运行时,它们都将具有自己的在运行时提供文件或附加卷的方式,因此您应该能够实现相同的目标.
更新:在许多Linux发行版中,通常< JRE>/lib/security/cacerts
是指向/etc/ssl/certs/java的符号链接/cacerts
,因此您可以选择更新后者而不是前者.
#ls -l/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacertslrwxrwxrwx 1 root root 1970年1月27日/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts->/etc/ssl/certs/java/cacerts
So I'm trying to add an ssl certificate for my project, on my local machine I was able to add it by simply following a keytool command and then it worked. But when I try to do the same on the machine that has my k8s cluster, it doesn't seem to work whatsoever.
I saw a couple of people adding the cer to cacerts in their docker file but I don't have one as i'm using google's Jib so I'm not sure how it's supposed to go from here, or is it a configuration I should add to my k8s deployment file?
Background
Here I assume that your application being deployed to Kubernetes is connecting to an external server protected by its server certificate outside Kubernetes. For example, like the case in this article.
Inasmuch as can be seen in the link above, there are really multiple ways to resolve this. However, note the methods explained in the article are not really applicable to Java as-is, because Java doesn't make use of the system CA cert store from the OS but uses its own truststore:
Instead of using the windows certificate store it uses its own implementation. Java certificates are stored in a file called
cacerts
located atC:\Program Files (x86)\Java\jre1.x.x_xxx\lib\security\
Because you said you successfully used keytool locally, I assume you are already aware of this Java behavior and where your server certificate should be imported into–that is, into the JRE's default cacerts
file under the JRE directory (unless you use some system property to tell the JVM to find a CA truststore at a different location). Since you said you made it work locally, theoretically you can follow the same and it should work on Kubernetes too.
Embedding cacerts
at build time
One straightforward way is to bake your cert into your image at image build time (as you hinted with the Dockerfile
approach). For this purpose, you can use Jib's <extraDirectories>
feature to copy arbitrary files into an image. Just prepare a new cacerts
file and place it into the JRE's default location in the image.
Supplying cacerts
at runtime
If you don't like the idea of baking a cert into the image but rather want to supply it at runtime, I believe you can basically follow the last method described in the article I linked above (although for Java, you should put cacerts
instead, of course). I am not a Kubernetes expert in this domain and unsure if Kubrenetes provides another dedicated solution, but the method in the article seems reasonable and should work.
For container runtimes other than Kubernetes, all of them will have their own way of supplying files or attaching volumes at runtime, so you should be able to achieve the same goal.
UPDATE: on many Linux distros, often <JRE>/lib/security/cacerts
is a symlink to /etc/ssl/certs/java/cacerts
, so you may opt to update the latter instead of the former.
# ls -l /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
lrwxrwxrwx 1 root root 27 Jan 1 1970 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
这篇关于使用Google Jib和Kubernetes时添加SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!