Kubernetes Secrets and Spring Boot configuration

Time: 2018-06-17 10:50:13

Tags: spring spring-boot kubernetes kubernetes-security kubernetes-secrets

Our services run in a Kubernetes cluster. I am trying to secure our service with SSL.

To do this, I added the following to application.properties:

    security.require-ssl=true
    server.ssl.key-store-type=JKS
    server.ssl.key-store=serviceCertificates.jks
    server.ssl.key-store-password=${KEYSTORE_PASSWORD}
    server.ssl.key-alias=certificate

I want the keystore password to come from a Kubernetes secret that is defined in the cluster. When the service starts I get the error Password verification failed:

    org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8080]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:256)
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:198)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:300)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:162)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:553)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759)
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:395)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:327)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1255)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1243)
        at com.ibm.securityservices.cryptoutils.Application.main(Application.java:9)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:51)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1020)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 21 common frames omitted
    Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1150)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:591)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1018)
        ... 22 common frames omitted
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        ... 27 common frames omitted
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 35 common frames omitted

My investigation:

1. If I print in the code

    System.out.println("KEYSTORE_PASSWORD: " + System.getenv("KEYSTORE_PASSWORD"));

   I see the correct value.

2. If I set a hardcoded constant password value in application.properties, it works: the service starts and runs.

So I guess the problem is in setting the secret value into the application properties. Any help and advice would be greatly appreciated.

1 answer:

Answer 0 (score: 1)

I think there is a typo or a hidden character in your secret descriptor. You can exec into the pod and verify the system properties, and you can also try to decode the password with command-line tools.
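The "hidden character" the answer points at is, in practice, almost always a trailing newline: `echo value | base64` encodes `value\n`, the Secret stores it, the container gets `KEYSTORE_PASSWORD` with a newline at the end, and `System.out.println` hides it because the terminal prints the newline anyway. The script below is an added example, not code from the question or the answer; it encodes a constructed sample password (`changeit`, hypothetical) both ways, dumps the decoded bytes so the stray `\n` is visible, flags trailing whitespace, and emits a Secret manifest whose value was encoded without it. The Secret name `keystore-secret` and the key `KEYSTORE_PASSWORD` are assumptions chosen to match the property placeholder in the question.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Shows how `echo ... | base64` smuggles a trailing "\n" into a Kubernetes
# Secret, how to see it, and how to encode the value exactly.
set -eu

# Wrong: `echo` appends "\n", so the Secret ends up holding "changeit\n".
encode_with_echo() { echo "$1" | base64 | tr -d '\n'; }

# Right: printf '%s' emits exactly the bytes given, nothing more.
encode_exact() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode a base64 Secret value and print it byte by byte (od -c), so a
# trailing \n, \r, space or tab cannot hide behind the terminal's own newline.
show_bytes() { printf '%s' "$1" | base64 -d | od -An -c | tr -s ' ' | sed 's/^ //'; }

# Return 0 (true) when the decoded value ends in \n, \r, space or tab.
has_trailing_whitespace() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  case "$last" in
    0a|0d|20|09) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit a Secret manifest whose data value was encoded without a trailing newline.
# Names are hypothetical; they match the ${KEYSTORE_PASSWORD} placeholder above.
secret_manifest() {
  name=$1; key=$2; value=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key: $(encode_exact "$value")
EOF
}

# Constructed sample password (hypothetical, not the asker's real one).
PASSWORD='changeit'
BAD=$(encode_with_echo "$PASSWORD")
GOOD=$(encode_exact "$PASSWORD")

echo "echo-encoded   : $BAD  ->  $(show_bytes "$BAD")"
echo "printf-encoded : $GOOD  ->  $(show_bytes "$GOOD")"
if has_trailing_whitespace "$BAD"; then
  echo "echo-encoded value carries hidden trailing whitespace; the JKS password check will fail"
fi
echo
secret_manifest keystore-secret KEYSTORE_PASSWORD "$PASSWORD"
```

To run the same check against a live cluster, pull the stored value with `kubectl get secret keystore-secret -o jsonpath='{.data.KEYSTORE_PASSWORD}' | base64 -d | od -c`, and compare it with what the container actually sees via `kubectl exec <pod> -- sh -c 'printenv KEYSTORE_PASSWORD | od -c'`. If a `\n` shows up in either, re-create the Secret from `printf '%s'` (or `kubectl create secret generic keystore-secret --from-literal=KEYSTORE_PASSWORD=...`, which does not add a newline). `keytool -list -keystore serviceCertificates.jks -storepass "$KEYSTORE_PASSWORD"` run inside the pod confirms whether the password the JVM will use opens the keystore before Tomcat tries.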
