我现在卡住了,不知道如何继续。
这是我的Spring Boot application.properties
...
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://${POSTGRES_HOST}:5432/postgres
spring.datasource.username=${POSTGRES_USER}
spring.datasource.password=${POSTGRES_PASSWORD}
spring.datasource.testWhileIdle=true
spring.datasource.validationQuery=SELECT 1
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.hibernate.naming-strategy=org.hibernate.cfg.ImprovedNamingStrategy
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
#Setup SSL
server.port: 8443
server.ssl.key-store: ${TLS_CERTIFICATE}
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr
...
我的部署yaml for Spring Boot Application:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: f-app
namespace: default
spec:
replicas: 1
template:
metadata:
name: f-app
labels:
app: f-app
spec:
containers:
- name: f-app
image: eu.gcr.io/..../...
env:
- name: POSTGRES_USER
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_user
- name: POSTGRES_PASSWORD
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres_password
- name: POSTGRES_HOST
valueFrom:
configMapKeyRef:
name: hostname-config
key: postgres_host
- name: TLS-CERTIFICATE
valueFrom:
secretKeyRef:
name: f-tls
key: Certificate.p12
- name: TLS-PASSWORD
valueFrom:
secretKeyRef:
name: f-tls
key: password
这就是我在Kubernetes中创造秘密的方式:
kubectl create secret generic f-tls --from-file=Certificate.p12 --from-literal=password=changeit
部署后,我正在
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: ContainerCannotRun
Message: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/13895/oom_score_adj: invalid argument\""
当我从部署yaml中移除秘密时,它工作正常,但我无法理解这个问题的根本原因。我正在使用Google Cloud Platform Container Engine。
答案 0 :(得分:2)
这是我的deployment.yaml,它使用存储在Kubernetes秘密中的p12密钥和密码,就像你的例子一样。工作正常,我可以进行SSL卷曲调用。我获取作为READ ONLY卷安装的p12密钥和密码文件的内容。希望它有所帮助。
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment-name
spec:
replicas: 3
selector:
matchLabels:
app: app-name
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
app: app-name
spec:
volumes:
- name: application
emptyDir: {}
- name: secrets
secret:
secretName: key.p12
containers:
- name: php-fpm
image: index.docker.io/docker_account/docker_image:image_tag
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9000
volumeMounts:
- name: application
mountPath: /app
- name: secrets
mountPath: /api-p12-keys
readOnly: true
imagePullSecrets:
- name: docker-auth
答案 1 :(得分:1)
此答案特定于 Springboot 应用程序,这就是所问的问题。
第 1 步:从您的密钥库或 p12 文件创建通用密钥
kubectl create secret generic f-tls-secret --from-file=Certificate.p12 --from-literal=password=changeit
第 2 步:使用部署对象将密钥挂载到您的 Pod
spec:
containers:
- image: eu.gcr.io/..../...
volumeMounts:
- name: tls
mountPath: /workspace/resources/
volumes:
- name: tls
secret:
secretName: f-tls-secret
#Setup SSL
server.port: 8443
server.ssl.key-store: classpath:resources/Certificate.p12
server.ssl.key-store-password: ${TLS_PASSWORD}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias fundtr