jkstrustinit

command module
v1.0.6 Latest
Published: Apr 13, 2022 License: GPL-3.0 Imports: 8 Imported by: 0

README

jksTrustInit


Problem statement

Do you have a Java application which uses a JKS file, but you only have a standard PEM-encoded key and certificate?

jksTrustInit is an initContainer which takes the key and certificate from either local files or environment variables and writes out a Java Keystore (JKS) file to an emptyDir, which can then be shared with the main container.

Environment Variable   Default                           Description
--------------------   -------------------------------   -----------------------------------------------------------------
PASSWORD               password                          The password used for the keystore
FILE_MODE              false                             Whether to read the key and certificate from files (true) or from environment variables (false)
KEY                    NA                                Public Key environment variable
CERTIFICATE            NA                                Certificate environment variable
KEY_FILE               NA                                Public Key file
CERTIFICATE_FILE       NA                                Certificate file
OUTPUT_FILE            /var/run/secrets/truststore.jks   The path the keystore file is written to

How to use in Kubernetes

We can supply the PEM-encoded key and certificate either as environment variables or as files mounted on the filesystem; either can be sourced from Secrets or ConfigMaps as appropriate. When using files, set FILE_MODE to true.

The init container will start and write the output file to the OUTPUT_FILE path.

This is then available to the target JVM.

Example pod
apiVersion: v1
kind: Pod
metadata:
  name: kafka-client   # pod and container names must be lowercase DNS labels
spec:
  initContainers:
    - name: jks-trust-init
      image: gavinmcnair/jkstrustinit:v1.0.4
      env:
        - name: KEY
          value: "pem encoded key"
        - name: CERTIFICATE
          value: "pem encoded cert"
      volumeMounts:
        - mountPath: /var/run/secrets
          name: kafkasecrets
  containers:
    - name: kafkaclient
      image: kafkaclient:1.0.0
      env:
        - name: JAVA_JKS_FILE
          value: "/var/run/secrets/truststore.jks"
        - name: JAVA_JKS_PASSWORD
          value: "password"
      volumeMounts:
        - mountPath: /var/run/secrets
          name: kafkasecrets
  volumes:
    - emptyDir: {}
      name: kafkasecrets

Motivation

Conventionally we need to use an insecure Java container, which often contains an entire Linux operating system.

This already large, insecure container then has to execute multiple Java keystore commands.

In comparison, this container is a single binary built upon a scratch container. It's much smaller and has far fewer security implications.

It should be both quick and reliable.

Documentation


There is no documentation for this package.
