Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Kubernetes Secret TLS Certificate P12 and Spring Boot Deployment doesn't work

I'm currently stuck and don`t know how to proceed.

This is my Spring Boot application.properties

...
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://${POSTGRES_HOST}:5432/postgres
spring.datasource.username=${POSTGRES_USER}
spring.datasource.password=${POSTGRES_PASSWORD}
spring.datasource.testWhileIdle=true
spring.datasource.validationQuery=SELECT 1
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.hibernate.naming-strategy=org.hibernate.cfg.ImprovedNamingStrategy
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect

#Setup SSL
server.port: 8443
server.ssl.key-store: ${TLS_CERTIFICATE}
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr
...

My Deployment yaml for Spring Boot Application:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: f-app
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      name: f-app
      labels:
        app: f-app
    spec:
      containers:
      - name: f-app
        image: eu.gcr.io/..../...
        env:
          - name: POSTGRES_USER
            valueFrom:
              configMapKeyRef:
                name: postgres-config
                key: postgres_user
          - name: POSTGRES_PASSWORD
            valueFrom:
              configMapKeyRef:
                name: postgres-config
                key: postgres_password
          - name: POSTGRES_HOST
            valueFrom:
              configMapKeyRef:
                name: hostname-config
                key: postgres_host
          - name: TLS-CERTIFICATE
            valueFrom:
              secretKeyRef:
                name: f-tls
                key: Certificate.p12
          - name: TLS-PASSWORD
            valueFrom:
              secretKeyRef:
                name: f-tls
                key: password

This is how I create secret in Kubernetes:

kubectl create secret generic f-tls --from-file=Certificate.p12 --from-literal=password=changeit

When it's deployed I'm getting

State:         Waiting
  Reason:      CrashLoopBackOff
Last State:    Terminated
  Reason:      ContainerCannotRun
  Message:     oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/13895/oom_score_adj: invalid argument\""

When I remove the Secrets from the Deployment yaml it's working fine, but I could not understand what it the root cause of this issue. I'm using Google Cloud Platform Container Engine.

like image 867
Philip Petrov Avatar asked Apr 25 '18 11:04

Philip Petrov


People also ask

How do I enable TLS in Kubernetes?

To enable it, pass the --cluster-signing-cert-file and --cluster-signing-key-file parameters to the controller manager with paths to your Certificate Authority's keypair.


2 Answers

This is my deployment.yaml, which uses p12 key and password stored in Kubernetes secrets, created just like in your example. Works OK for me to make SSL curl calls. I fetch the content of p12 key and password files mounted as READ ONLY volume. Hope it helps.

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment-name
spec:
  replicas: 3
  selector:
    matchLabels:
      app: app-name

  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  minReadySeconds: 30

  template:
    metadata:
      labels:
        app: app-name
    spec:
      volumes:
        - name: application
          emptyDir: {}
        - name: secrets
          secret:
            secretName: key.p12

      containers:
        - name:  php-fpm
          image: index.docker.io/docker_account/docker_image:image_tag
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9000

          volumeMounts:
            - name:      application
              mountPath: /app
            - name:      secrets
              mountPath: /api-p12-keys
              readOnly:  true

      imagePullSecrets:
        - name: docker-auth
like image 84
Mark Hilton Avatar answered Sep 20 '22 09:09

Mark Hilton


This answer is specific to Springboot application and that is what asked in question.

Step 1: Create a generic secret from your keystore or p12 file

kubectl create secret generic f-tls-secret --from-file=Certificate.p12 --from-literal=password=changeit

Step 2: Mount the secret to your pod using deployment object

spec:
  containers:
  - image: eu.gcr.io/..../...
    volumeMounts:
      - name: tls
        mountPath: /workspace/resources/

  volumes:
    - name: tls
      secret: 
        secretName: f-tls-secret
  1. Configure SSL in application.properties file
#Setup SSL
 server.port: 8443
 server.ssl.key-store: classpath:resources/Certificate.p12
 server.ssl.key-store-password: ${TLS_PASSWORD}
 server.ssl.keyStoreType: PKCS12
 server.ssl.keyAlias fundtr
like image 25
Steephen Avatar answered Sep 22 '22 09:09

Steephen