cela

Reputation: 2500

Mount Security Certificate into Google Cloud Kubernetes Engine so Java Apps can find valid cert path

I am using Google's Kubernetes Engine to deploy a few Spring Boot apps. I have set ingress up with HTTPS which is working great, but when one of the apps tries to access my authorization server, which is on HTTPS, Java gives me the following error:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException

I know how to fix this locally, but how do I fix this so my Java apps deployed on GKE are able to find the valid .cer file?

I tried including the .cer file directly in the Docker image from my Dockerfile, but that is not really intuitive if my certificates expire, and I was unable to get it to work.

I currently have the crt file and key file mounted as a secret, and the ingress is using it just fine. Previously, I was using Google Cloud's self-managed certificate, which worked perfectly as well, but I wanted to test using Kubernetes secrets.

I figure the best option is to mount the .cer onto my cluster and point the deployments to use it through environment variables. That way I can easily update when they expire, and I won't have to redeploy each image.

Update:

I mounted the keystore.jks as a secret volume in my deployment.yaml and configured Spring Boot to look at that path, but it was to no avail.

Spring Boot Properties

server.ssl.key-store: /mnt/secret/keystore.jks
# other configuration removed for SSL

Upvotes: 1

Views: 1213
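The pattern the question is reaching for, as an added example that is not part of the original question or answer: build a Java truststore that still contains the JDK's public CAs plus the authorization server's certificate, ship it as a Kubernetes Secret, mount it read-only, and hand the path to the JVM through JAVA_TOOL_OPTIONS. Names such as authz-server.cer, the apps namespace, the spring-app Deployment and the container image are hypothetical, and the script assumes keytool and kubectl are installed and that the image's cacerts file uses the default "changeit" password. Note that the PKIX error is about what the client *trusts*, so the relevant setting is javax.net.ssl.trustStore; Spring's server.ssl.key-store only configures the certificate the app presents to its own callers.

```shell
#!/bin/sh
# Added example, not code from the original post. Hypothetical names:
# authz-server.cer (exported cert), namespace "apps", Deployment "spring-app".
set -eu

# Truststore passwords protect integrity only; "changeit" is the JDK default.
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# 1. Start from the JDK's cacerts so public CAs stay trusted, then add the
#    authorization server's certificate. -Djavax.net.ssl.trustStore REPLACES
#    the default store rather than extending it, so a store holding only the
#    .cer would break every other outbound HTTPS call the app makes.
build_truststore() {
  cer="$1"; out="$2"
  cp "${JAVA_HOME}/lib/security/cacerts" "$out"
  keytool -importcert -noprompt -trustcacerts \
    -alias authz-server -file "$cer" \
    -keystore "$out" -storepass "$TRUSTSTORE_PASS"
  # Fail loudly if the import did not land.
  keytool -list -keystore "$out" -storepass "$TRUSTSTORE_PASS" \
    -alias authz-server >/dev/null
}

# 2. Package the truststore as a generic Secret. --dry-run=client renders the
#    manifest so it can be reviewed (or committed to GitOps) instead of
#    being applied blind.
render_secret() {
  kubectl -n apps create secret generic java-truststore \
    --from-file=truststore.jks="$1" --dry-run=client -o yaml
}

# 3. Mount the Secret read-only and point the JVM at it. JAVA_TOOL_OPTIONS is
#    read by every HotSpot JVM at startup, so no image change is needed.
render_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-app
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels: {app: spring-app}
  template:
    metadata:
      labels: {app: spring-app}
    spec:
      containers:
        - name: app
          image: gcr.io/example-project/spring-app:1.0.0   # hypothetical image
          env:
            - name: JAVA_TOOL_OPTIONS
              value: >-
                -Djavax.net.ssl.trustStore=/mnt/truststore/truststore.jks
                -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASS}
          volumeMounts:
            - name: truststore
              mountPath: /mnt/truststore
              readOnly: true
      volumes:
        - name: truststore
          secret:
            secretName: java-truststore
            defaultMode: 0444
EOF
}

# 4. Rotation: kubelet refreshes mounted Secret files by itself, but the JVM
#    reads the truststore once, so a rotated store still needs a restart
#    (no image rebuild, which is what the question wanted to avoid).
rotate() {
  build_truststore "$1" truststore.jks
  render_secret truststore.jks | kubectl apply -f -
  kubectl -n apps rollout restart deployment/spring-app
}

# Usage: sh truststore.sh authz-server.cer   (render_deployment | kubectl apply -f - once)
if [ "${1:-}" != "" ]; then
  rotate "$1"
fi
```

The Deployment only has to be applied once; after that, re-running the script with a freshly exported .cer updates the Secret and restarts the pods, which is the "update without redeploying each image" flow described in the question.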

Answers (1)

To solve this issue in GCP’s GKE, sometimes replacing cacerts files helps to solve it, but following these steps is the correct way to do it:

a) Use a Service Account. For more information about GCP's Service Accounts, take a look at this Official Documentation.

b) Add storage-rw scope to the cluster’s scopes when creating the cluster. As this documentation indicates, you can do it with the command:

gcloud container clusters create example-cluster --scopes=bigquery,storage-rw,compute-ro

Use this GCP GKE official documentation for more reference regarding GCP's IAM Access Scopes.

c) Review in detail how you are creating your Kubernetes Secret. For more guidance, use this Official GKE’s Secrets Documentation.

Plus, you can use these threads as a reference too: Why is cacerts update needed in Kubernetes?, How to Fix javax.net.ssl.SSLHandshakeException, and KubernetesAPIJavaClient.

Upvotes: 1
