I'm currently stuck and don`t know how to proceed.
This is my Spring Boot application.properties
...
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://${POSTGRES_HOST}:5432/postgres
spring.datasource.username=${POSTGRES_USER}
spring.datasource.password=${POSTGRES_PASSWORD}
spring.datasource.testWhileIdle=true
spring.datasource.validationQuery=SELECT 1
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.hibernate.naming-strategy=org.hibernate.cfg.ImprovedNamingStrategy
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
#Setup SSL
server.port: 8443
server.ssl.key-store: ${TLS_CERTIFICATE}
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr
...
My Deployment yaml for Spring Boot Application:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: f-app
namespace: default
spec:
replicas: 1
template:
metadata:
name: f-app
labels:
app: f-app
spec:
containers:
- name: f-app
image: eu.gcr.io/..../...
env:
- name: POSTGRES_USER
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_user
- name: POSTGRES_PASSWORD
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_password
- name: POSTGRES_HOST
valueFrom:
configMapKeyRef:
name: hostname-config
key: postgres_host
- name: TLS-CERTIFICATE
valueFrom:
secretKeyRef:
name: f-tls
key: Certificate.p12
- name: TLS-PASSWORD
valueFrom:
secretKeyRef:
name: f-tls
key: password
This is how I create secret in Kubernetes:
kubectl create secret generic f-tls --from-file=Certificate.p12 --from-literal=password=changeit
When it's deployed I'm getting
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: ContainerCannotRun
Message: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/13895/oom_score_adj: invalid argument\""
When I remove the Secrets from the Deployment yaml it's working fine, but I could not understand what it the root cause of this issue. I'm using Google Cloud Platform Container Engine.
To enable it, pass the --cluster-signing-cert-file and --cluster-signing-key-file parameters to the controller manager with paths to your Certificate Authority's keypair.
This is my deployment.yaml, which uses p12 key and password stored in Kubernetes secrets, created just like in your example. Works OK for me to make SSL curl calls. I fetch the content of p12 key and password files mounted as READ ONLY volume. Hope it helps.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment-name
spec:
replicas: 3
selector:
matchLabels:
app: app-name
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
app: app-name
spec:
volumes:
- name: application
emptyDir: {}
- name: secrets
secret:
secretName: key.p12
containers:
- name: php-fpm
image: index.docker.io/docker_account/docker_image:image_tag
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9000
volumeMounts:
- name: application
mountPath: /app
- name: secrets
mountPath: /api-p12-keys
readOnly: true
imagePullSecrets:
- name: docker-auth
This answer is specific to Springboot application and that is what asked in question.
Step 1: Create a generic secret from your keystore or p12 file
kubectl create secret generic f-tls-secret --from-file=Certificate.p12 --from-literal=password=changeit
Step 2: Mount the secret to your pod using deployment object
spec:
containers:
- image: eu.gcr.io/..../...
volumeMounts:
- name: tls
mountPath: /workspace/resources/
volumes:
- name: tls
secret:
secretName: f-tls-secret
#Setup SSL server.port: 8443 server.ssl.key-store: classpath:resources/Certificate.p12 server.ssl.key-store-password: ${TLS_PASSWORD} server.ssl.keyStoreType: PKCS12 server.ssl.keyAlias fundtr
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With