Why cacerts update is needed in Kubernetes

11/1/2018

When reading files from a Google Storage Bucket from within a container running in GKE or GCE, the following code fails:

import com.google.cloud.storage.Blob;
import java.nio.charset.StandardCharsets;

// `storage` is the client this method reads through, e.g. StorageOptions.getDefaultInstance().getService()
public String readSmallTextFileFromBucket(String bucketName, String textFile) {
    // storage.get() returns null when the object does not exist; getContent() downloads the whole object into memory
    Blob blob = storage.get(bucketName, textFile);
    if (blob == null) {
        throw new IllegalArgumentException("gs://" + bucketName + "/" + textFile + " does not exist");
    }
    return new String(blob.getContent(), StandardCharsets.UTF_8);
}

With the error:

com.google.cloud.storage.StorageException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If I replace the default java/jdk-10.0.2/lib/security/cacerts file you get when you download OpenJDK with the one from my desktop, the code above works.

Why is that, and what is the correct way to enable the Java API to read from a storage bucket from within a container?

-- rossco
google-cloud-storage
google-kubernetes-engine
java

2 Answers

11/9/2018

Many base container images by default may not include the CA certificates that are normally installed on every computer (because not everyone needs to use TLS in a container). You often need to "apt-get install" or similar in your Dockerfile to install these certificates.

Without CA certificates present in a container, your code can't trust storage.googleapis.com.

See this answer for the commands required to add CA certificates to your container: https://superuser.com/a/633853/35769
Ideally you shouldn't copy these certs from your desktop machine.

-- AhmetB - Google
Source: StackOverflow
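The Dockerfile below is an added example (editor's illustration, not code from the original post or from this answer) of doing what the answer describes at image-build time for the question's exact setup: a JDK unpacked from a tarball, whose lib/security/cacerts is a plain file that the distro's ca-certificates package never touches. Installing ca-certificates only populates /etc/ssl/certs, which the JVM does not read, so the roots have to be imported into the JDK's own trust store, and the build should fail early if that store is still empty. Assumptions: a Debian base image, the JDK already extracted into ./jdk-10.0.2 in the build context, the default cacerts password "changeit", and an application jar at ./target/app.jar.

```dockerfile
# Added example, not part of the original post or answer. Assumptions: Debian base,
# an OpenJDK tarball already unpacked into ./jdk-10.0.2 in the build context,
# and the application jar at ./target/app.jar.
FROM debian:bullseye-slim

# 1. Install the distro's CA bundle (the "apt-get install" step the answer refers to).
#    On its own this only populates /etc/ssl/certs, which Java does not consult.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# 2. A tarball JDK brings its own trust store at $JAVA_HOME/lib/security/cacerts
#    (default password "changeit"), which may contain few or no root CAs.
COPY jdk-10.0.2 /opt/jdk
ENV JAVA_HOME=/opt/jdk
ENV PATH=/opt/jdk/bin:$PATH

# 3. Import every root from the distro bundle into the JDK trust store. Aliases are
#    derived from the file names so a later `keytool -list` shows where each came from.
RUN for pem in /etc/ssl/certs/*.pem; do \
      keytool -importcert -noprompt -trustcacerts \
        -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit \
        -alias "debian:$(basename "$pem" .pem)" -file "$pem" >/dev/null; \
    done

# 4. Fail the build if the store is still empty, instead of failing at runtime with
#    "PKIX path building failed: unable to find valid certification path".
RUN n="$(keytool -list -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit \
         | grep -c trustedCertEntry || true)" \
 && echo "cacerts now holds $n trusted CA certificates" \
 && [ "$n" -gt 0 ]

COPY target/app.jar /app/app.jar
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

If you would rather not modify the JDK's own file, the same imports can target a separate keystore that the JVM is then pointed at with -Djavax.net.ssl.trustStore=/path/to/store -Djavax.net.ssl.trustStorePassword=changeit; the build-time count check in step 4 applies unchanged. Either way the roots come from the image's package manager, not from a developer workstation, so the image is reproducible and the trust store can be audited with keytool -list.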

11/18/2018

This issue was resolved by changing 2 things:
a) adding storage-rw to the cluster scopes, and
b) fixing a mistake in how I was creating my Kubernetes secret.

No idea how or why replacing the cacerts file helped, but the above 2 fixes are the correct way to do this.

-- rossco
Source: StackOverflow