I have a Spring Boot application that connects to a mail server using a TLS certificate.
I am trying to follow the third method in this article, but it is not working.
I made changes to load the certificate from the secret in the template file. We use Jenkins pipeline to run the deployment, and I am not seeing any errors when I run the deployment, but when the app tries to connect to the mail server, I am still getting the certificate error:
"javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I am not sure if I put the volumeMount correctly, or if I am missing something.
Any help will be greatly appreciated.
What I did so far is the following:
- I imported the CA certificate (PEM) file into a generic secret on OpenShift; the secret is called ca-cert-secret and has a key with the same name.
- I tried to change the Kubernetes template for the DeploymentConfig to import the certificate from the secret as follows:
apiVersion: v1
kind: Template
metadata:
  name: my-app-runtime
  labels:
    template: my-app-runtime
    app: my-app
parameters:
  - name: ENV_NAME
    description: environment level being created such as master, sys, qa, prd
  - name: NAMESPACE
    description: namespace to use in generating artifacts
  # The parameters below are referenced in the objects but were not declared in
  # the posted template; `oc process` rejects references to undeclared parameters.
  - name: REPLICAS
  - name: JAVA_OPTS_APPEND
  - name: REGISTRY_HOST
  - name: PROJECT_NAME
  - name: IMAGE_TAG
  - name: MEMORY_LIMIT
  - name: CPU_REQUEST
  - name: MEMORY_REQUEST
  - name: ROUTE_HOST
objects:
  - apiVersion: v1
    kind: DeploymentConfig
    metadata:
      generation: 1
      labels:
        app: ${NAMESPACE}-${ENV_NAME}
        environment: ${ENV_NAME}
      name: ${NAMESPACE}-${ENV_NAME}
    spec:
      replicas: ${{REPLICAS}}
      selector:
        deploymentconfig: ${NAMESPACE}-${ENV_NAME}
      strategy:
        activeDeadlineSeconds: 21600
        resources: {}
        rollingParams:
          intervalSeconds: 1
          maxSurge: 25%
          maxUnavailable: 25%
          timeoutSeconds: 600
          updatePeriodSeconds: 1
        type: Rolling
      template:
        metadata:
          creationTimestamp: null
          labels:
            deploymentconfig: ${NAMESPACE}-${ENV_NAME}
            environment: ${ENV_NAME}
        spec:
          containers:
            - env:
                - name: GC_MAX_METASPACE_SIZE
                  value: '300'
                - name: JAVA_OPTS_APPEND
                  value: ${JAVA_OPTS_APPEND}
              image: ${REGISTRY_HOST}/${PROJECT_NAME}/${NAMESPACE}:${IMAGE_TAG}
              imagePullPolicy: Always
              name: ${NAMESPACE}-${ENV_NAME}
              ports:
                - containerPort: 8080
                  protocol: TCP
              resources:
                limits:
                  memory: ${{MEMORY_LIMIT}}
                requests:
                  cpu: ${{CPU_REQUEST}}
                  memory: ${{MEMORY_REQUEST}}
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              # volumeMounts is a field of the container, not of the pod spec.
              # Placed at the pod spec level it is not a valid field and the
              # secret never appears inside the container.
              volumeMounts:
                - name: ca-cert-volume
                  mountPath: /etc/pki/ca-trust/source/anchors/ca.crt
                  # subPath must match the key name inside the secret.
                  subPath: ca.crt
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30
          volumes:
            - name: ca-cert-volume
              secret:
                secretName: ca-cert-secret
      test: false
      triggers:
        - type: ConfigChange
  - apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: ${NAMESPACE}
        environment: ${ENV_NAME}
      name: ${NAMESPACE}-${ENV_NAME}
    spec:
      ports:
        - name: 8080-tcp
          port: 8080
          protocol: TCP
          targetPort: 8080
      selector:
        deploymentconfig: ${NAMESPACE}-${ENV_NAME}
      sessionAffinity: None
      type: ClusterIP
    status:
      loadBalancer: {}
  - apiVersion: v1
    kind: Route
    metadata:
      labels:
        app: ${NAMESPACE}
        environment: ${ENV_NAME}
      name: ${NAMESPACE}-${ENV_NAME}
    spec:
      host: ${ROUTE_HOST}
      port:
        targetPort: 8080-tcp
      tls:
        termination: edge
      to:
        kind: Service
        name: ${NAMESPACE}-${ENV_NAME}
        weight: 100
      wildcardPolicy: None
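The PKIX error in the question means the JVM's trust manager never saw the mounted CA. Mounting a PEM file into /etc/pki/ca-trust/source/anchors is not enough by itself: that directory is only an input to `update-ca-trust extract` (which needs root and does not normally run inside a pod), while the JVM validates against the keystore named by -Djavax.net.ssl.trustStore, or the JDK's own cacerts when that property is unset. The script below is an added example, not code from the question or from the linked article. It checks that the mounted file really contains PEM certificate blocks (an empty or directory-shaped mount is what you get when the subPath does not match the secret key), imports every certificate in the file into a PKCS12 truststore with keytool, and prints the JVM options to append to JAVA_OPTS_APPEND. The truststore path /tmp/mail-truststore.p12, the alias prefix mail-ca and the password changeit are placeholders chosen for the example; the PEM path is the mountPath from the question's template.

```sh
#!/bin/sh
# Added example (not from the question): verify the CA file mounted from the
# Secret and build a PKCS12 truststore the JVM will actually consult.
# Assumptions: truststore path, alias prefix and password are placeholders;
# the PEM path is the mountPath used in the question's DeploymentConfig.

# Number of PEM certificate blocks in a file; prints 0 when the file is missing
# or empty (e.g. the Secret key did not match the subPath), never fails.
pem_cert_count() {
  if [ ! -f "$1" ]; then
    echo 0
    return 0
  fi
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# JVM flags that point the trust manager at a PKCS12 truststore.
# Append the result to JAVA_OPTS_APPEND in the DeploymentConfig.
jvm_truststore_opts() {
  printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=$2"
}

# Import every certificate in a PEM file (single cert or bundle) into a PKCS12
# truststore. keytool -importcert reads only the first block of a bundle, so the
# file is split and each block gets its own alias. Prints the number imported.
# Usage: build_truststore <pem> <truststore.p12> <password> [alias-prefix]
build_truststore() {
  pem="$1"; store="$2"; pass="$3"; prefix="${4:-mail-ca}"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 1; }
  [ "$(pem_cert_count "$pem")" -gt 0 ] || { echo "no PEM certificate in $pem" >&2; return 1; }

  # Seed from the JDK's public CA bundle (default cacerts password is changeit)
  # so other TLS endpoints keep working; skipped when JAVA_HOME is unknown.
  if [ -n "${JAVA_HOME:-}" ] && [ -f "$JAVA_HOME/lib/security/cacerts" ] && [ ! -f "$store" ]; then
    keytool -importkeystore -noprompt -srckeystore "$JAVA_HOME/lib/security/cacerts" \
      -srcstorepass changeit -destkeystore "$store" -deststoretype PKCS12 \
      -deststorepass "$pass" >/dev/null 2>&1
  fi

  work="$(mktemp -d)"
  # Start a new output file at every BEGIN CERTIFICATE line.
  awk -v dir="$work" '/BEGIN CERTIFICATE/ { n++; out = dir "/cert-" n ".pem" } n { print > out }' "$pem"
  i=0
  for f in "$work"/cert-*.pem; do
    i=$((i + 1))
    keytool -importcert -noprompt -alias "$prefix-$i" -file "$f" \
      -keystore "$store" -storetype PKCS12 -storepass "$pass" >/dev/null
  done
  rm -rf "$work"
  echo "$i"
}

# Run inside the pod (oc rsh) or from the image entrypoint, for example:
#   sh truststore.sh /etc/pki/ca-trust/source/anchors/ca.crt /tmp/mail-truststore.p12 changeit
if [ "$#" -ge 3 ]; then
  echo "certificates in $1: $(pem_cert_count "$1")"
  n="$(build_truststore "$1" "$2" "$3")" || exit 1
  echo "imported $n certificate(s) into $2"
  echo "add to JAVA_OPTS_APPEND: $(jvm_truststore_opts "$2" "$3")"
fi
```

A quick first check is `oc rsh <pod> ls -l /etc/pki/ca-trust/source/anchors/`: if ca.crt is a directory or is absent, the volumeMounts entry is not under the container or the subPath does not match the key in ca-cert-secret. Once the file is a real PEM, either run the truststore build at container start and pass the printed options through JAVA_OPTS_APPEND, or build the PKCS12 file once and store it in the secret instead of the PEM, mounting it directly at the path the -Djavax.net.ssl.trustStore option names. Keep the truststore password out of the template by referencing it from a secret-backed environment variable rather than a literal.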