Adding an SSL certificate when using Google Jib and Kubernetes


Problem description

So I'm trying to add an SSL certificate for my project; on my local machine I was able to add it simply by following a keytool command, and then it worked. But when I try to do the same on the machine that has my k8s cluster, it doesn't seem to work at all.

I saw a couple of people adding the cer to cacerts in their Dockerfile, but I don't have one because I'm using Google's Jib, so I'm not sure how it's supposed to go from here, or is it a configuration I should add to my k8s deployment file?

Solution

Background

Here I assume that your application deployed to Kubernetes is connecting to an external server, outside Kubernetes, that is protected by its own server certificate. For example, like the case in this article. One straightforward way is to bake your cert into the image at build time, using Jib's extraDirectories feature to copy arbitrary files into the image. Just prepare a new cacerts file and place it in the JRE's default location in the image.

Supplying the certificate at runtime

If you don't like the idea of putting the cert into the image and would rather supply it at runtime, I believe you can basically follow the last method described in the article I linked above (although for Java you should, of course, put cacerts instead). I am not an expert in the Kubernetes domain and am unsure whether Kubernetes provides another dedicated solution, but the method in the article seems reasonable and should work.

For container runtimes other than Kubernetes, all of them have their own way of supplying files or attaching volumes at runtime, so you should be able to achieve the same goal.


UPDATE: on many Linux distributions, <JRE>/lib/security/cacerts is often a symlink to /etc/ssl/certs/java/cacerts, so you may choose to update the latter instead of the former.

# ls -l /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
lrwxrwxrwx    1 root     root            27 Jan  1  1970 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts

So I'm trying to add an ssl certificate for my project, on my local machine I was able to add it by simply following a keytool command and then it worked. But when I try to do the same on the machine that has my k8s cluster, it doesn't seem to work whatsoever.

I saw a couple of people adding the cer to cacerts in their Dockerfile, but I don't have one as I'm using Google's Jib, so I'm not sure how it's supposed to go from here, or is it a configuration I should add to my k8s deployment file?

Solution

Background

Here I assume that your application being deployed to Kubernetes is connecting to an external server protected by its server certificate outside Kubernetes. For example, like the case in this article.

Inasmuch as can be seen in the link above, there are really multiple ways to resolve this. However, note the methods explained in the article are not really applicable to Java as-is, because Java doesn't make use of the system CA cert store from the OS but uses its own truststore:

Instead of using the windows certificate store it uses its own implementation. Java certificates are stored in a file called cacerts located at C:\Program Files (x86)\Java\jre1.x.x_xxx\lib\security\

Because you said you successfully used keytool locally, I assume you are already aware of this Java behavior and where your server certificate should be imported into, that is, into the JRE's default cacerts file under the JRE directory (unless you use some system property to tell the JVM to find a CA truststore at a different location). Since you said you made it work locally, theoretically you can follow the same and it should work on Kubernetes too.


Embedding cacerts at build time

One straightforward way is to bake your cert into your image at image build time (as you hinted with the Dockerfile approach). For this purpose, you can use Jib's <extraDirectories> feature to copy arbitrary files into an image. Just prepare a new cacerts file and place it into the JRE's default location in the image.

Supplying cacerts at runtime

If you don't like the idea of baking a cert into the image but rather want to supply it at runtime, I believe you can basically follow the last method described in the article I linked above (although for Java, you should put cacerts instead, of course). I am not a Kubernetes expert in this domain and unsure if Kubernetes provides another dedicated solution, but the method in the article seems reasonable and should work.

For container runtimes other than Kubernetes, all of them will have their own way of supplying files or attaching volumes at runtime, so you should be able to achieve the same goal.


UPDATE: on many Linux distros, often <JRE>/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts, so you may opt to update the latter instead of the former.

# ls -l /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
lrwxrwxrwx    1 root     root            27 Jan  1  1970 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
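The two routes described in the answer (baking cacerts into the image via Jib's extra directory, and supplying it at runtime), worked through as one added script. This is example code written for this page, not the answerer's or the Jib project's own code. It assumes: the image keeps its truststore at `/etc/ssl/certs/java/cacerts` (the symlink target shown in the UPDATE; check your base image with the same `ls -l`), Jib's default extra directory `src/main/jib` is in use (Jib copies its contents to the image root), the bundled cacerts still has the default password `changeit`, and the names `ca-truststore`, `myapp` and `registry.example/myapp:latest` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: build a cacerts that trusts one extra
# certificate, then either (a) stage it for Jib to bake into the image, or (b) ship it
# as a Kubernetes Secret mounted over the JRE's truststore path at runtime.
# Assumptions (not from the page): the image's cacerts lives at IMAGE_CACERTS_PATH,
# Jib's default extra directory src/main/jib is in use, names below are placeholders.
set -eu

IMAGE_CACERTS_PATH="${IMAGE_CACERTS_PATH:-/etc/ssl/certs/java/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # default password of the JRE-bundled cacerts

# Map a path inside the image to its staging path under Jib's default extra
# directory, which Jib copies to the image root.
jib_stage_path() {
  printf 'src/main/jib%s\n' "$1"
}

# Find the local JRE's default truststore (Java 8 layout, Java 9+ layout, Debian symlink target).
find_local_cacerts() {
  for p in "${JAVA_HOME:-}/jre/lib/security/cacerts" "${JAVA_HOME:-}/lib/security/cacerts" \
           /etc/ssl/certs/java/cacerts; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  echo "no cacerts found; set JAVA_HOME" >&2
  return 1
}

# build_cacerts <cert.pem> <alias> <out>: copy the default truststore, import the cert,
# then verify the alias really is present (keytool -list -alias exits non-zero if not).
build_cacerts() {
  cert="$1"; alias="$2"; out="$3"
  mkdir -p "$(dirname "$out")"
  cp "$(find_local_cacerts)" "$out"
  keytool -importcert -noprompt -trustcacerts -keystore "$out" -storepass "$STOREPASS" \
          -alias "$alias" -file "$cert"
  keytool -list -keystore "$out" -storepass "$STOREPASS" -alias "$alias" >/dev/null
}

# (b) Create or update a Secret whose single key "cacerts" holds the prepared file.
create_truststore_secret() {
  kubectl create secret generic "$1" --from-file=cacerts="$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# (b) Render a Deployment that mounts that Secret over the JRE's default truststore path.
# subPath mounts the single file so the rest of the directory is untouched; JAVA_TOOL_OPTIONS
# points the JVM at the same file so it also works if the base image keeps cacerts elsewhere.
render_deployment() {
  app="$1"; image="$2"; secret="$3"
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${app}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${app}
  template:
    metadata:
      labels:
        app: ${app}
    spec:
      containers:
      - name: ${app}
        image: ${image}
        env:
        - name: JAVA_TOOL_OPTIONS
          value: "-Djavax.net.ssl.trustStore=${IMAGE_CACERTS_PATH}"
        volumeMounts:
        - name: truststore
          mountPath: ${IMAGE_CACERTS_PATH}
          subPath: cacerts
          readOnly: true
      volumes:
      - name: truststore
        secret:
          secretName: ${secret}
          defaultMode: 0444
EOF
}

# Usage:
#   sh cacerts.sh jib     server.pem my-server   # stage for Jib, then run: mvn compile jib:build
#   sh cacerts.sh runtime server.pem my-server   # build ./cacerts, create Secret, apply Deployment
if [ $# -eq 3 ]; then
  case "$1" in
    jib)     build_cacerts "$2" "$3" "$(jib_stage_path "$IMAGE_CACERTS_PATH")" ;;
    runtime) build_cacerts "$2" "$3" ./cacerts
             create_truststore_secret ca-truststore ./cacerts
             render_deployment myapp registry.example/myapp:latest ca-truststore | kubectl apply -f - ;;
  esac
fi
```

Two practical points for the runtime route: a Secret mounted through `subPath` is not updated in a running container when the Secret changes, so rotating the truststore means rolling the pods; and keeping the mount `readOnly` plus a file mode of `0444` stops the application from rewriting its own trust anchors. For the Jib route, the `keytool -list` step is the check that matters: a cacerts that silently lacks the alias ships an image that fails the TLS handshake only at runtime.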
