Kubernetes - how to pass truststore path and password to JVM arguments

7/1/2020

I need to add a JKS file to my JVM for the SSL handshake with the server. The JKS is mounted in a volume and available to the Docker container. How do I pass the JKS truststore path and password to Spring Boot (JVM) during start-up? One option I think is as environment variables (-Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword). For OpenShift, the following works as described in the URL below.

Option 1:

      env:
          - name: JAVA_OPTIONS
            value: -Djavax.net.ssl.trustStore=/var/run/secrets/java.io/keystores/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit

https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift/

But, I don't seem to find similar JAVA_OPTIONS environment variable for Kubernetes.

Option 2:

My Docker file is:

FROM openjdk:8-jre-alpine
..........
........
ENTRYPOINT ["java", "-jar", "xxx.jar"]

Can this be changed as below and the $JAVA_OPTS can be set as env variable to JVM via configmap?

FROM openjdk:8-jre-alpine
..........
........
ENTRYPOINT [ "sh", "-c", "java $JAVA_OPTS -jar xxx.jar" ]

Configmap:

JAVA_OPTS: "-Djavax.net.ssl.trustStore=/var/run/secrets/java.io/keystores/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"

Please suggest if this would work, or any other better solutions. It would be preferred if we can store the password in a secret.

-- jack
configmap
dockerfile
environment-variables
kubernetes
ssl-certificate

2 Answers

2/25/2021

I am able to do this in a K8s deployment using the _JAVA_OPTIONS environment variable for a Spring Boot 2.3.x application in a Docker container running Java 8 (got the tip for this env var from this SO answer: https://stackoverflow.com/a/11615960/309261).

      env:
        - name: _JAVA_OPTIONS
          value: >
            -Djavax.net.ssl.trustStore=/path/to/truststore.jks
            -Djavax.net.ssl.trustStorePassword=changeit
-- Neon
Source: StackOverflow

7/2/2020

A couple of options:

1: You can break it all up and use secrets to store your credentials only as env vars, a secret to store the keystore, which can be mounted as a file on disk in the container, and a ConfigMap to hold other Java options as env variables, then use an entrypoint script in your container to validate and mash it all together to form the JAVA_OPTS string.

2: You can put the whole string in a JAVA_OPTS secret that you consume at run-time.

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
      - name: JAVA_OPTS
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: JAVA_OPTS
  restartPolicy: Never
-- Jake Nelson
Source: StackOverflow
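An added example of the entrypoint-script approach from option 1 above (not code from either answer): it assumes the truststore path and optional extra flags arrive from a ConfigMap as TRUSTSTORE_PATH and EXTRA_JAVA_OPTS, the password arrives from a Secret as TRUSTSTORE_PASSWORD, and the jar lives at the hypothetical /app/app.jar; the script validates the mount and the password before assembling JAVA_OPTS and starting the JVM.

```shell
#!/bin/sh
# Hypothetical container entrypoint: build JAVA_OPTS from a mounted truststore
# (ConfigMap) and a password (Secret), failing fast instead of letting a bad
# mount surface later as an opaque SSL handshake error.

# build_java_opts PATH PASSWORD [EXTRA] -> prints the JVM flags, returns 1 if invalid
build_java_opts() {
    ts_path="$1"
    ts_pass="$2"
    extra="${3:-}"

    # The truststore must be a readable regular file; an unmounted volume is the
    # most common reason the JVM ends up trusting nothing.
    if [ ! -f "$ts_path" ] || [ ! -r "$ts_path" ]; then
        echo "truststore not found or unreadable: $ts_path" >&2
        return 1
    fi
    # Refuse an empty password rather than starting with the integrity check disabled.
    if [ -z "$ts_pass" ]; then
        echo "truststore password is empty" >&2
        return 1
    fi
    # Whitespace in either value would be split into separate JVM arguments.
    case "$ts_path$ts_pass" in
        *[[:space:]]*) echo "path or password contains whitespace" >&2; return 1 ;;
    esac

    printf '%s' "-Djavax.net.ssl.trustStore=$ts_path -Djavax.net.ssl.trustStorePassword=$ts_pass"
    [ -n "$extra" ] && printf ' %s' "$extra"
    printf '\n'
}

# Only start the JVM when run as the container entrypoint (set ENTRYPOINT_RUN=1
# in the Dockerfile); the function alone is usable from other scripts or tests.
if [ "${ENTRYPOINT_RUN:-0}" = "1" ]; then
    JAVA_OPTS=$(build_java_opts "$TRUSTSTORE_PATH" "$TRUSTSTORE_PASSWORD" "$EXTRA_JAVA_OPTS") || exit 1
    # Word splitting of $JAVA_OPTS is intended here.
    exec java $JAVA_OPTS -jar /app/app.jar
fi
```

Whichever variant you pick, -D flags are visible in the container's process command line (ps, /proc), so restrict who can exec into the pod.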