Dockerizing Spring boot application for Kubernetes Deployment

Question

I have a spring boot application with some properties as below in my application.properties.

server.ssl.keyStore=/users/admin/certs/appcert.jks
server.ssl.keyStorePassword=certpwd
server.ssl.trustStore=/users/admin/certs/cacerts
server.ssl.trustStorePassword=trustpwd

Here the cert paths are hardcoded to some path. But I don't want to hard-code this, as the path will not be known in the Mesos or Kubernetes world.

I have a docker file as follows.

FROM docker.com/base/jdk1.8:latest

MAINTAINER Application Engineering [ https://docker.com/ ]

RUN mkdir -p /opt/docker/svc

COPY application/weather-service.war /opt/docker/svc/

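# JVM -D options go before -jar; anything after the archive is passed to the application as an argument
CMD java -Dlogging.config=/conf/logback.xml -jar /opt/docker/svc/weather-service.war --spring.config.location=file:/conf/application.properties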

Here, I can use the volume mount option in Kubernetes so as to place the application.properties.

How can I achieve the same thing for cert files in the application.properties?

Here, the cert props are optional for few applications and mandatory for few applications.

I need options to integrate within the docker image and to have the cert files outside the docker image.

Approach 1. Within the docker image

Remove the property "server.ssl.keyStore" from application.properties and pass it as an environment variable like the below one.

CMD java -Dlogging.config=/conf/logback.xml -Dserver.ssl.keyStore=/certs/appcert.jks -jar /opt/docker/svc/weather-service.war --spring.config.location=file:/conf/application.properties

Now, the cert should be placed in secrets, using the volume mount options with Kubernetes.

Approach 2. No need to have -Dserver.ssl.keyStore=/certs/appcert.jks in the docker file, but still remove the property "server.ssl.keyStore" from application.properties and do as follows.

a. Create the secret.

kubectl create secret generic svc-truststore-cert --from-file=./cacerts

b. Create one env variable as below.

{ "name": "JAVA_OPTS", "value": "-Dserver.ssl.trustStore=/certs/truststore/cacerts" }

c. Create Volume mounts under container for pod.

"volumeMounts": [ { "name": "truststore-cert", "mountPath": "/certs/truststore" } ]

d. Create a volume under spec.

{ "name": "truststore-cert", "secret": { "secretName": "svc-truststore-cert", "items": [ { "key": "cacerts", "path": "cacerts" } ] } }

Approach 3.

Using Kubernetes Persistent Volume.

Created a persistent volume on Kubernetes.

Mount the volume to the Pod of each microservice (changes in the pod script file). Mounted file system accessible via - '/shared/folder/certs' path.

CMD java -Dlogging.config=/conf/logback.xml -Dserver.ssl.keyStore=/certs/appcert.jks -jar /opt/docker/svc/weather-service.war --spring.config.location=file:/conf/application.properties

I have taken the second approach. Is this correct? Is there any other better approach?

Thanks

Recommended answer

Yes, the second approach is the best one, and it is the only way if you are storing some sensitive data like certificates, keys, etc. That topic is covered in the documentation.

Moreover, you can encrypt your secrets to add another level of protection.
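
Steps b to d of Approach 2 assembled into one Pod manifest, as an added example that is not part of the original question or answer; it is written in YAML so the assumptions can be commented. The `command` override is included because the `java` launcher does not read `JAVA_OPTS` on its own, so the variable has to be expanded on the command line ahead of `-jar`. The Pod name, image reference, ConfigMap name, `readOnly` flags and `defaultMode` are assumptions added here.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: weather-service                 # hypothetical Pod name
spec:
  containers:
    - name: weather-service
      image: registry.example/weather-service:1.0   # placeholder image reference
      # Run through a shell so $JAVA_OPTS is expanded, and keep it before -jar so
      # the JVM reads it as system properties rather than application arguments.
      command: ["sh", "-c"]
      args:
        - >-
          exec java $JAVA_OPTS -Dlogging.config=/conf/logback.xml
          -jar /opt/docker/svc/weather-service.war
          --spring.config.location=file:/conf/application.properties
      env:
        - name: JAVA_OPTS               # step b
          value: "-Dserver.ssl.trustStore=/certs/truststore/cacerts"
      volumeMounts:
        - name: truststore-cert         # step c
          mountPath: /certs/truststore
          readOnly: true                # the application never needs to write here
        - name: app-conf                # hypothetical mount supplying /conf
          mountPath: /conf
          readOnly: true
  volumes:
    - name: truststore-cert             # step d
      secret:
        secretName: svc-truststore-cert # created in step a
        defaultMode: 0440               # not world-readable (default is 0644); assumes the
                                        # JVM user owns the file or shares its group
        items:
          - key: cacerts
            path: cacerts               # file appears as /certs/truststore/cacerts
    - name: app-conf
      configMap:
        name: weather-service-conf      # hypothetical ConfigMap with application.properties and logback.xml
```

The path in `JAVA_OPTS` has to equal `mountPath` plus the item's `path`; if the three drift apart, the JVM is pointed at a file that does not exist in the container.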
