我在Web服务和远程托管的Postgres数据库之间建立SSL连接时遇到了麻烦。使用与Web服务相同的证书和密钥文件,我可以使用pgAdmin和DataGrip等工具连接到数据库。这些文件是从Google Cloud Console中的Postgres实例下载的。
问题:
在Spring Boot服务启动时,会发生以下错误:
org.postgresql.util.PSQLException: Could not read SSL key file /tls/tls.key
在我查看Postgres服务器日志的情况下,错误记录为
LOG: could not accept SSL connection: UNEXPECTED_RECORD
设定:
Spring Boot服务在Minikube(本地)上运行,GKE连接到Google Cloud SQL Postgres实例。
采取的措施:
我已经下载了客户端证书&键。我使用下载的客户端证书和创建了一个K8s TLS Secret。键。我还确保通过在k8s部署配置上运行以下命令从卷装入读取文件:
command: ["bin/sh", "-c", "cat /tls/tls.key"]
这是通过环境变量(DATASOURCE)输入的数据源URL。
"jdbc:postgresql://[Database-Address]:5432/[database]?ssl=true&sslmode=require&sslcert=/tls/tls.crt&sslkey=/tls/tls.key"
这是k8s部署yaml,我知道哪里出错了?
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ template "service.name" . }}
labels:
release: {{ template "release.name" . }}
chart: {{ template "chart.name" . }}
chart-version: {{ template "chart.version" . }}
release: {{ template "service.fullname" . }}
spec:
replicas: {{ $.Values.image.replicaCount }}
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
template:
metadata:
labels:
app: {{ template "service.name" . }}
release: {{ template "release.name" . }}
env: {{ $.Values.environment }}
spec:
imagePullSecrets:
- name: {{ $.Values.image.pullSecretsName }}
containers:
- name: {{ template "service.name" . }}
image: {{ $.Values.image.repo }}:{{ $.Values.image.tag }}
# command: ["bin/sh", "-c", "cat /tls/tls.key"]
imagePullPolicy: {{ $.Values.image.pullPolicy }}
volumeMounts:
- name: tls-cert
mountPath: "/tls"
readOnly: true
ports:
- containerPort: 80
env:
- name: DATASOURCE_URL
valueFrom:
secretKeyRef:
name: service
key: DATASOURCE_URL
- name: DATASOURCE_USER
valueFrom:
secretKeyRef:
name: service
key: DATASOURCE_USER
- name: DATASOURCE_PASSWORD
valueFrom:
secretKeyRef:
name: service
key: DATASOURCE_PASSWORD
volumes:
- name: tls-cert
projected:
sources:
- secret:
name: postgres-tls
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
答案 0 :(得分:1)