API Developer Portal with SSL
The certificate file with the .p12 extension is transferred to one of the Kubernetes Control Plane servers and moved or copied to the /etc/ssl/certs directory.
From that directory, the certificate file is uploaded to Kubernetes as a secret with the following command:

```shell
kubectl create secret generic apinizer-portal-tls --from-file=portal.p12 -n apinizer-portal
```
If you only have a .jks file, create the .p12 file from it as follows, then apply the previous step.

Run the following command to find the alias of the certificate in the keystore (<JKS_FILE> is the path of your existing .jks file):

```shell
keytool -list -v -keystore <JKS_FILE> -storetype JKS
```

Convert the .jks keystore into a .p12 file, keeping the key stored under the known alias (keytool asks for the source keystore password):

```shell
keytool -importkeystore -srckeystore <JKS_FILE> -srcstoretype JKS -srcalias <ALIAS> -destkeystore portal.p12 -deststoretype PKCS12 -deststorepass <PASSWORD>
```
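As an added example (not part of the Apinizer documentation), the following Python script builds the same Secret object that the kubectl command above creates, after checking that the file really is PKCS12 rather than a renamed .jks: with SSL_KEY_STORE_TYPE set to PKCS12, a JKS file would make the portal fail to open its keystore at startup. The sample headers are constructed, and the secret name and namespace mirror the apinizer-portal-tls secret used on this page.

```python
import base64
import json
import os

# Every Java JKS keystore starts with this magic number.
JKS_MAGIC = b"\xfe\xed\xfe\xed"

# Constructed sample headers (not real keystores): the first bytes of a
# PKCS12 file and of a JKS file, padded with zeros to 24 bytes.
SAMPLE_P12_HEADER = b"\x30\x82\x0b\x3c\x02\x01\x03" + b"\x00" * 17
SAMPLE_JKS_HEADER = b"\xfe\xed\xfe\xed\x00\x00\x00\x02" + b"\x00" * 16


def detect_keystore_type(data: bytes) -> str:
    """Classify a keystore file by its header as 'JKS', 'PKCS12' or 'UNKNOWN'."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    # A PKCS12 file is a DER/BER SEQUENCE (0x30) whose first element is the
    # INTEGER version 3, encoded as 02 01 03, right after the length bytes.
    if len(data) < 2 or data[0] != 0x30:
        return "UNKNOWN"
    pos = 2
    if data[1] & 0x80:  # long-form length: low 7 bits give the number of length bytes
        pos += data[1] & 0x7F
    return "PKCS12" if data[pos:pos + 3] == b"\x02\x01\x03" else "UNKNOWN"


def build_secret_manifest(name: str, namespace: str, path: str, data: bytes) -> dict:
    """Build the Secret that `kubectl create secret generic --from-file` produces
    (type Opaque, key = file name), refusing files that are not PKCS12."""
    kind = detect_keystore_type(data)
    if kind != "PKCS12":
        raise ValueError(f"{path} looks like {kind}, not PKCS12; convert it with keytool -importkeystore first")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {os.path.basename(path): base64.b64encode(data).decode("ascii")},
    }


if __name__ == "__main__":
    # The JSON can be piped into `kubectl apply -f -`; the constructed header stands in for portal.p12 here.
    manifest = build_secret_manifest("apinizer-portal-tls", "apinizer-portal", "/etc/ssl/certs/portal.p12", SAMPLE_P12_HEADER)
    print(json.dumps(manifest, indent=2))
```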
Variables that need to be defined:

| Variable | Explanation |
|---|---|
| SSL_KEY_STORE | The path to the keystore containing the SSL certificate. In this example it is the file mounted from the secret, /etc/ssl/certs/portal.p12. |
| SSL_KEY_STORE_PASSWORD | The password used to access the keystore. |
| SSL_KEY_STORE_TYPE | Type of the keystore (PKCS12 is used here). |
| SSL_KEY_ALIAS | Alias that identifies the key in the keystore. |
| SSL_ENABLED | Enables the Spring Boot application to use the HTTPS protocol. |
| SERVER_PORT | The port the server listens on. 8443 is used instead of the default 8080. |
A sample deployment manifest that uses the certificate information would be as follows. SSL_KEY_STORE_PASSWORD is given as a literal value in this example; it can instead be read from a secret with secretKeyRef, as API_PORTAL_MANAGEMENT_API_KEY is below, so that the password is not kept in the Deployment manifest. Note also that mounting the secret at /etc/ssl/certs replaces that whole directory inside the container, so any CA bundle the image keeps there is hidden while the pod runs; use a different mountPath (and update SSL_KEY_STORE accordingly) if the image relies on it.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apinizer-portal
  namespace: apinizer-portal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apinizer-portal
      version: v1
  template:
    metadata:
      labels:
        app: apinizer-portal
        version: v1
    spec:
      volumes:
        - name: apinizer-portal-tls
          secret:
            secretName: apinizer-portal-tls
      containers:
        - name: apinizer-portal
          image: apinizercloud/portal:<APINIZER_VERSION>
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 1
              memory: 2Gi
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - sleep 10
          ports:
            - containerPort: 8443
              protocol: TCP
          env:
            - name: SPRING_PROFILES_ACTIVE
              value: prod
            - name: JAVA_OPTS
              value: "-XX:MaxRAMPercentage=75.0"
            - name: SSL_KEY_STORE
              value: /etc/ssl/certs/portal.p12
            - name: SSL_KEY_STORE_PASSWORD
              value: <PASSWORD>
            - name: SSL_KEY_STORE_TYPE
              value: PKCS12
            - name: SSL_KEY_ALIAS
              value: <ALIAS>
            - name: SSL_ENABLED
              value: "true"
            - name: SERVER_PORT
              value: "8443"
            - name: API_PORTAL_MANAGEMENT_API_BASE_URL
              valueFrom:
                secretKeyRef:
                  key: apinizerManagementApiBaseUrl
                  name: apinizer-portal-secret
            - name: API_PORTAL_MANAGEMENT_API_KEY
              valueFrom:
                secretKeyRef:
                  key: apiKey
                  name: apinizer-portal-secret
          volumeMounts:
            - name: apinizer-portal-tls
              mountPath: /etc/ssl/certs
      dnsPolicy: ClusterFirst
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: apinizer-portal-https-service
  namespace: apinizer-portal
  labels:
    app: apinizer-portal
spec:
  selector:
    app: apinizer-portal
  type: NodePort
  ports:
    - name: http
      port: 8443
      nodePort: 31843
```