I have a Spring Boot application that connects to a mail server using a TLS certificate. I am trying to follow the third approach in this article, but it does not work.
I made changes to load the certificate from a Secret in the template file. We use a Jenkins pipeline to run the deployment; I see no errors when the deployment runs, but when the application tries to connect to the mail server I still get a certificate error:
"javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I am not sure whether I placed the volumeMount correctly, or whether I am missing something. Any help would be greatly appreciated.
What I have done so far is below:
apiVersion: v1
kind: Template
metadata:
  name: my-app-runtime
  labels:
    template: my-app-runtime
    app: my-app
parameters:
# REPLICAS, MEMORY_LIMIT, CPU_REQUEST, MEMORY_REQUEST, JAVA_OPTS_APPEND, REGISTRY_HOST,
# PROJECT_NAME, IMAGE_TAG and ROUTE_HOST are referenced below but not declared in this list.
- name: ENV_NAME
  description: environment level being created such as master, sys, qa, prd
- name: NAMESPACE
  description: namespace to use in generating artifacts
objects:
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    generation: 1
    labels:
      app: ${NAMESPACE}-${ENV_NAME}
      environment: ${ENV_NAME}
    name: ${NAMESPACE}-${ENV_NAME}
  spec:
    replicas: ${{REPLICAS}}
    selector:
      deploymentconfig: ${NAMESPACE}-${ENV_NAME}
    strategy:
      activeDeadlineSeconds: 21600
      resources: {}
      rollingParams:
        intervalSeconds: 1
        maxSurge: 25%
        maxUnavailable: 25%
        timeoutSeconds: 600
        updatePeriodSeconds: 1
      type: Rolling
    template:
      metadata:
        creationTimestamp: null
        labels:
          deploymentconfig: ${NAMESPACE}-${ENV_NAME}
          environment: ${ENV_NAME}
      spec:
        containers:
        - env:
          - name: GC_MAX_METASPACE_SIZE
            value: '300'
          - name: JAVA_OPTS_APPEND
            value: ${JAVA_OPTS_APPEND}
          image: ${REGISTRY_HOST}/${PROJECT_NAME}/${NAMESPACE}:${IMAGE_TAG}
          imagePullPolicy: Always
          name: ${NAMESPACE}-${ENV_NAME}
          ports:
          - containerPort: 8080
            protocol: TCP
          resources:
            limits:
              memory: ${{MEMORY_LIMIT}}
            requests:
              cpu: ${{CPU_REQUEST}}
              memory: ${{MEMORY_REQUEST}}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          # volumeMounts is a field of the container, not of the pod spec;
          # the secret's ca.crt key is mounted as a single file here
          volumeMounts:
          - name: ca-cert-volume
            mountPath: /etc/pki/ca-trust/source/anchors/ca.crt
            subPath: ca.crt
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 30
        volumes:
        - name: ca-cert-volume
          secret:
            secretName: ca-cert-secret
    test: false
    triggers:
    - type: ConfigChange
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: ${NAMESPACE}
      environment: ${ENV_NAME}
    name: ${NAMESPACE}-${ENV_NAME}
  spec:
    ports:
    - name: 8080-tcp
      port: 8080
      protocol: TCP
      targetPort: 8080
    selector:
      deploymentconfig: ${NAMESPACE}-${ENV_NAME}
    sessionAffinity: None
    type: ClusterIP
  status:
    loadBalancer: {}
- apiVersion: v1
  kind: Route
  metadata:
    labels:
      app: ${NAMESPACE}
      environment: ${ENV_NAME}
    name: ${NAMESPACE}-${ENV_NAME}
  spec:
    host: ${ROUTE_HOST}
    port:
      targetPort: 8080-tcp
    tls:
      termination: edge
    to:
      kind: Service
      name: ${NAMESPACE}-${ENV_NAME}
      weight: 100
    wildcardPolicy: None
You need to import the certificate into the application's Java truststore so that the Java application uses it.
You can either configure the truststore and include it in the Docker image, or mount the truststore as a volume and pass it to your Java application via JVM system properties.
A guide to doing this can be found here or elsewhere on Google:
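The second option from the answer, applied to the container in the question's DeploymentConfig, as an added example that is not part of the question or the answer. It assumes a Secret named mail-truststore holding a PKCS12 truststore (key truststore.p12) and its password (key password); the path /etc/ssl/mail and the keytool command in the comments are assumptions, not values from the page.

```yaml
# Build the truststore once from ca.crt and store it as a Secret (assumed commands,
# placeholder password):
#   keytool -importcert -noprompt -alias mail-ca -file ca.crt \
#           -keystore truststore.p12 -storetype PKCS12 -storepass changeit
#   oc create secret generic mail-truststore \
#           --from-file=truststore.p12 --from-literal=password=changeit
# Mounting ca.crt under /etc/pki/ca-trust/source/anchors (as in the question) does not
# reach the JVM: it reads $JAVA_HOME/lib/security/cacerts, not the OS bundle, and the OS
# bundle is only rebuilt by running update-ca-trust in the image anyway.
containers:
- name: ${NAMESPACE}-${ENV_NAME}
  image: ${REGISTRY_HOST}/${PROJECT_NAME}/${NAMESPACE}:${IMAGE_TAG}
  env:
  - name: GC_MAX_METASPACE_SIZE
    value: '300'
  # Defined before JAVA_OPTS_APPEND so that $(TRUSTSTORE_PASSWORD) below is expanded.
  - name: TRUSTSTORE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: mail-truststore
        key: password
  # JVM system properties pointing at the mounted truststore.
  # Caveat: javax.net.ssl.trustStore replaces the default cacerts entirely; if the app
  # also talks to publicly signed endpoints, import ca.crt into a copy of
  # $JAVA_HOME/lib/security/cacerts and mount that copy instead of a one-CA store.
  - name: JAVA_OPTS_APPEND
    value: >-
      -Djavax.net.ssl.trustStore=/etc/ssl/mail/truststore.p12
      -Djavax.net.ssl.trustStoreType=PKCS12
      -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)
  # volumeMounts belongs to the container, not the pod spec.
  volumeMounts:
  - name: mail-truststore
    mountPath: /etc/ssl/mail
    readOnly: true
volumes:
- name: mail-truststore
  secret:
    secretName: mail-truststore
```

The container fields omitted here (ports, resources, and so on) stay as they are in the question's template; only env, volumeMounts and volumes change.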