Adding SSL certificate when using Google Jib and Kubernetes


Problem description

So I'm trying to add an SSL certificate for my project. On my local machine I was able to add it by simply following a keytool command and then it worked. But when I try to do the same on the machine that has my k8s cluster, it doesn't seem to work whatsoever.

I saw a couple of people adding the .cer to cacerts in their Dockerfile, but I don't have one as I'm using Google's Jib, so I'm not sure how it's supposed to go from here. Or is it a configuration I should add to my k8s deployment file?

Recommended answer

Background

Here I assume that the application you deploy to Kubernetes connects to an external server outside Kubernetes that is protected by a server certificate. For example, like in this article.

As can be seen in the link above, there are really multiple ways to resolve this. However, note that the methods explained in the article are not really applicable to Java as-is, because Java doesn't make use of the system CA cert store from the OS but uses its own truststore:

Instead of using the Windows certificate store, it uses its own implementation. Java certificates are stored in a file called cacerts located at C:\Program Files (x86)\Java\jre1.x.x_xxx\lib\security

Because you said you successfully used keytool locally, I assume you are already aware of this Java behavior and where your server certificate should be imported into, that is, into the JRE's default cacerts file under the JRE directory (unless you use some system property to tell the JVM to find a CA truststore at a different location). Since you said you made it work locally, theoretically you can follow the same and it should work on Kubernetes too.

One straightforward way is to bake your cert into your image at image build time (as you hinted with the Dockerfile approach). For this purpose, you can use Jib's <extraDirectories> feature to copy arbitrary files into an image (usage: Maven / Gradle). Just prepare a new cacerts file and place it into the JRE's default location in the image.

If you don't like the idea of baking a cert into the image but rather want to supply it at runtime, I believe you can basically follow the last method described in the article I linked above (although for Java, you should put cacerts instead, of course). I am not a Kubernetes expert in this domain and unsure if Kubernetes provides another dedicated solution, but the method in the article seems reasonable and should work.

For container runtimes other than Kubernetes, all of them will have their own way of supplying files or attaching volumes at runtime, so you should be able to achieve the same goal.

UPDATE: on many Linux distros, often <JRE>/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts, so you may opt to update the latter instead of the former.

# ls -l /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
lrwxrwxrwx    1 root     root            27 Jan  1  1970 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
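To make the bake-it-into-the-image approach concrete, here is an added example of a Jib Maven plugin configuration; it is not code from the original answer or from the Jib project, and the base image, Jib version, directory layout, certificate file name and key alias are assumptions. The keytool steps in the comment build a full replacement truststore (the stock CAs plus the extra server certificate) so the application keeps trusting public CAs.

```xml
<!-- pom.xml fragment (added example). Assumptions, all hypothetical:
     the project keeps extra image files under src/main/jib (Jib's default
     extra directory), the server certificate is internal-server.cer, and the
     truststore is shipped at /etc/ssl/certs/java/cacerts, the symlink target
     shown in the answer's UPDATE.
     Step 1, run once before the build: start from a copy of a known-good
     cacerts so the public CA set is kept, then import the extra certificate:
       mkdir -p src/main/jib/etc/ssl/certs/java
       cp "$JAVA_HOME/lib/security/cacerts" src/main/jib/etc/ssl/certs/java/cacerts
       keytool -importcert -noprompt -trustcacerts -alias internal-server \
         -file internal-server.cer \
         -keystore src/main/jib/etc/ssl/certs/java/cacerts -storepass changeit
       keytool -list -keystore src/main/jib/etc/ssl/certs/java/cacerts \
         -storepass changeit | grep -i internal-server   # verify the import
     Step 2: let Jib copy that directory tree into the image root. -->
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <version>3.4.0</version>
  <configuration>
    <from>
      <image>eclipse-temurin:17-jre</image>
    </from>
    <extraDirectories>
      <paths>
        <path>
          <from>src/main/jib</from>
          <into>/</into>
        </path>
      </paths>
      <permissions>
        <!-- a truststore only needs to be readable, never writable, by the app -->
        <permission>
          <file>/etc/ssl/certs/java/cacerts</file>
          <mode>444</mode>
        </permission>
      </permissions>
    </extraDirectories>
    <container>
      <!-- Pointing the JVM at the file explicitly makes the build independent
           of whether the base image's JRE actually symlinks cacerts there. -->
      <jvmFlags>
        <jvmFlag>-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts</jvmFlag>
      </jvmFlags>
    </container>
  </configuration>
</plugin>
```

If the base image's JRE already symlinks its cacerts to /etc/ssl/certs/java/cacerts (as in the ls output above), the copied file replaces the default truststore and the jvmFlag is redundant but harmless.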
