
[Cert manager] Applying HTTPS to SpringBoot (tomcat)

ooeunz 2021. 2. 6. 16:37
๋ฐ˜์‘ํ˜•

🤔 Caution

This post is not simply about applying HTTPS to Spring Boot; its goal is to understand cert-manager and to automate HTTPS on Kubernetes. If you do not yet have a proper understanding of cert-manager, please refer to the previous post. This post assumes you understand everything covered there.


This time we'll encrypt Tomcat traffic using cert-manager. You might think, "Can't I just apply the secret file the same easy way as when we encrypted MySQL before?!", but there is one part that differs from last time. If you look at the Certificate yaml file we used previously (the code below), you'll see that the keyEncoding value is set to pkcs1.

PKCS (Public-Key Cryptography Standards) is a set of cryptographic specifications developed by RSA as a vendor-neutral protocol for exchanging information securely over the Internet within a public key infrastructure. cert-manager supports only PKCS#1 (its default key encoding) and PKCS#8. Spring, on the other hand, supports only PKCS#11 and PKCS#12. Can you see what the problem is now...?

Because the secret we created holds a PKCS#1-encoded key, it is not suitable for use in Spring as-is. So we either have to convert it ourselves or use another feature that cert-manager provides. In this post we'll look at both approaches, and find out why cert-manager supports only PKCS#1 and PKCS#8.

⚠️ The examples in this post assume that, following the previous post, the secret resource has already been injected into the Spring Boot deployment.

# Certificate yaml file used in the previous post

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: default
spec:
  secretName: selfsigned-cert-tls
  duration: 2880h # 120d
  renewBefore: 360h # 15d
  commonName: Selfsigned certificate
  isCA: false
  keySize: 4096
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io

 

๐Ÿ– ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ๋‚ด์—์„œ Encoding ๋ณ€ํ™˜ํ•˜๊ธฐ

์ฒซ ๋ฒˆ์งธ ๋ฐฉ๋ฒ•์œผ๋ก  Spring Boot ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ๋‚ด์—์„œ PKCS#1 ์ธ์ฝ”๋”ฉ ๋œ key๋“ค์„ PKCS#12๋กœ ๋ณ€ํ™˜ํ•ด์„œ ์‚ฌ์šฉํ•˜๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. ๋จผ์ € ์ด์— ํ•„์š”ํ•œ dependency๋ฅผ ์ถ”๊ฐ€ํ•˜๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. ํ•ด๋‹น ์˜ˆ์‹œ์—์„  maven ๊ธฐ๋ฐ˜์œผ๋กœ ์˜ˆ์‹œ๋ฅผ ์ง„ํ–‰ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

 

// poam.xml

        <dependency>
            <groupId>de.dentrassi.crypto</groupId>
            <artifactId>pem-keystore</artifactId>
            <version>2.2.0</version> <!-- check for most recent version -->
        </dependency>

 

 

ctron/pem-keystore (github.com): A PKCS #1 PEM KeyStore for Java.

Once the dependency is added, register the PemKeyStoreProvider as shown below.

import de.dentrassi.crypto.pem.PemKeyStoreProvider;
import java.security.Security;
import org.springframework.boot.SpringApplication;

…

public static void main(final String[] args) throws Exception {
  // Register the PEM keystore provider before Spring starts Tomcat,
  // so the PEM keystore type is available when the SSL connector is built
  Security.addProvider(new PemKeyStoreProvider());
  SpringApplication.run(Application.class, args);
}

 

Next, put the injected keys into keystore.properties, then point application.properties at that file on the classpath as shown below, and SSL is applied.

# keystore.properties

alias=keycert
source.key=/etc/tomcat/tls/tls.key
source.cert=/etc/tomcat/tls/tls.crt

# application.properties

server.ssl.key-store-type=PEMCFG.MOD
server.ssl.key-store=classpath:keystore.properties
server.ssl.key-password=
server.ssl.key-alias=keycert

 

๐Ÿ– Cert-manager๋กœ jks ๋˜๋Š” PKCS#12 keystore ๋งŒ๋“ค๊ธฐ

๋‹ค์Œ์€ cert-manager ๋‹จ์—์„œ Spring์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋„๋ก jks๋‚˜ PKCS#12๋กœ ์ด๋ฃจ์–ด์ง„ keystore๋ฅผ ๋งŒ๋“œ๋Š” ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

 

"์กฐ๊ธˆ ์ „์— PKCS#12 ์ธ์ฝ”๋”ฉ์€ ์ง€์›ํ•˜์ง€ ์•Š๋Š”๋‹ค๊ณ  ํ–ˆ์œผ๋ฉด์„œ ๋ฌด์Šจ ์†Œ๋ฆฌ์ง€?" ๋ผ๋Š” ์ƒ๊ฐ์ด ๋“œ์‹ค ์ˆ˜ ์žˆ๋Š”๋ฐ, ์ •ํ™•ํžˆ ๋ง์”€๋“œ๋ฆฌ๋ฉด PKCS#12 ์ธ์ฝ”๋”ฉ์€ ์ง€์›ํ•˜์ง€ ์•Š๋Š”๋ฐ PKCS#12๋กœ ์ธ์ฝ”๋”ฉ๋œ keystore ํŒŒ์ผ์€ ๋งŒ๋“ค ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

 

์™œ ๊ตณ์ด ์ด๋ ‡๊ฒŒ ์ง€์› ํ•˜๋А๋ƒ๋ผ๋Š” ์˜๋ฌธ์ด ๋“œ์‹ค ์ˆ˜ ์žˆ๋Š”๋ฐ ๊ทธ๊ฑด cert manager๊ฐ€ ๋‚ด๋ถ€์ ์œผ๋กœ golang์„ ์ด์šฉํ•˜์—ฌ ์ธ์ฆ์„œ๋ฅผ ์ƒ์„ฑํ•˜๊ณ  ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๊ทธ๋ ‡์Šต๋‹ˆ๋‹ค.

 

์šฐ์„  JKS์™€ Keystore์— ๋Œ€ํ•ด ๋ชจ๋ฅด๋Š” ๋…์ž๋ฅผ ์œ„ํ•ด JKS์™€ Keystore์— ๋Œ€ํ•ด์„œ ์‚ดํŽด๋ณด๊ณ  ์ด ๋ฌธ์ œ์— ๋Œ€ํ•ด ์ด์•ผ๊ธฐ๋ฅผ ์ด์–ด๊ฐ€๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

 

๐Ÿค” JKS์™€ Keystore์˜ ์ฐจ์ด์ ์ด ๋ญ”๊ฐ€์š”?

JKS๋Š” Java Key Store์˜ ์•ฝ์ž์ด๊ณ  ์ž๋ฐ” ๋‚ด์—์„œ ์‚ฌ์šฉํ•˜๋Š” keystore์ž…๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  keystore๋ž€ ์ธ์ฆ์„œ, ๋น„๋ฐ€ ํ‚ค ๋“ฑ์˜ ์ปจํ…Œ์ด๋„ˆ์ž…๋‹ˆ๋‹ค. ์ฆ‰ ์šฐ๋ฆฌ๊ฐ€ ์ด์ „ ํฌ์ŠคํŒ…์—์„œ ๋งŒ๋“ค์—ˆ๋˜ secret ํŒŒ์ผ์˜ ๋ฐ์ดํ„ฐ๋“ค์ด ์ปจํ…Œ์ด๋„ˆ ํ˜น์€ ๊ฐ์ฒด์ฒ˜๋Ÿผ ์ƒ์„ฑ๋œ ํŒŒ์ผ์ด๋ผ๊ณ  ์ƒ๊ฐํ•˜์‹œ๋ฉด ํŽธํ•  ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

์ด ๋‘˜์€ ๋‹จ์ˆœํžˆ ํ‚ค ์ €์žฅ์†Œ์˜ ์œ ํ˜•์˜ ์ฐจ์ด์ผ ๋ฟ ํฐ ์ฐจ์ด๋Š” ์—†์Šต๋‹ˆ๋‹ค.

 

์ข€ ๋” ์ž์„ธํ•œ ๋‚ด์šฉ์€ ์•„๋ž˜์˜ URL์—์„œ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค.

 

Difference between .keystore file and .jks file (stackoverflow.com)

So let's continue and find out why keyEncoding supports PKCS#1 and PKCS#8 while PKCS#12 is available only as a JKS or PKCS#12 keystore. The answer can be found by looking at cert-manager's internal implementation.

The code below is excerpted from cert-manager's source (line 114).

// the type of key encoding and then inspecting the type of key provided.
// It only supports encoding RSA or ECDSA keys.
func EncodePrivateKey(pk crypto.PrivateKey, keyEncoding v1.PrivateKeyEncoding) ([]byte, error) {
	switch keyEncoding {
	case v1.PrivateKeyEncoding(""), v1.PKCS1:
		switch k := pk.(type) {
		case *rsa.PrivateKey:
			return EncodePKCS1PrivateKey(k), nil
		case *ecdsa.PrivateKey:
			return EncodeECPrivateKey(k)
		default:
			return nil, fmt.Errorf("error encoding private key: unknown key type: %T", pk)
		}
	case v1.PKCS8:
		return EncodePKCS8PrivateKey(pk)
	default:
		return nil, fmt.Errorf("error encoding private key: unknown key encoding: %s", keyEncoding)
	}
}

// EncodePKCS1PrivateKey will marshal a RSA private key into x509 PEM format.
func EncodePKCS1PrivateKey(pk *rsa.PrivateKey) []byte {
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(pk)}

	return pem.EncodeToMemory(block)
}

// EncodePKCS8PrivateKey will marshal a private key into x509 PEM format.
func EncodePKCS8PrivateKey(pk interface{}) ([]byte, error) {
	keyBytes, err := x509.MarshalPKCS8PrivateKey(pk)
	if err != nil {
		return nil, err
	}
	block := &pem.Block{Type: "PRIVATE KEY", Bytes: keyBytes}

	return pem.EncodeToMemory(block), nil
}

Looking at this code, you can see that it calls functions such as x509.MarshalPKCS1PrivateKey() from Go's own standard library to produce the PKCS#1 and PKCS#8 keys.

PKCS#12, on the other hand, is not supported by that standard library, so cert-manager uses a separate pkcs12 library for it.

I'm not sure why the libraries are split by keyEncoding value... (if you know, please tell me 😭), but at least we now know why cert-manager generates the certificate differently depending on the key encoding value.

 

 

🧑🏻‍💻 Applying HTTPS to Spring using JKS

That was a long introduction... but now that we know why cert-manager supports JKS and keystores separately, let's use that feature to apply HTTPS to Tomcat. This post uses JKS. (The method is not very different for PKCS#12; it is a single option's difference.)

To do that, we first create a secret that will supply the password for the JKS file. Using this file, we assign a password to the JKS.

The data contained in a secret must be base64-encoded. (See the Kubernetes Secret documentation for details.) For convenience, this example uses "1234" as the password. To create the secret with this password, we first convert it to its base64 value.

Now create the secret file using the converted value.

# jks-password-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: jks-password-secret
  namespace: default
type: Opaque
data:
  password-key: MTIzNA==  # 1234

Next, let's create a Certificate that uses this key value.

⚠️ This post assumes that a ClusterIssuer has been created as in the previous post.

# selfsigned-jks.yaml

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: selfsigned-jks
  namespace: noah-test
spec:
  secretName: selfsigned-cert-jks
  duration: 2880h # 120d
  renewBefore: 360h # 15d
  commonName: ooeunz.tistory.com
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  keystores:
    jks:
      create: true
      passwordSecretRef: # Password used to encrypt the keystore
        key: password-key
        name: jks-password-secret
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Looking at spec.keystores.jks.passwordSecretRef, you can see that name is set to the name of the secret we just created and key is set to the key we put into jks-password-secret.yaml. This means that data will be used as the JKS password, so when Spring uses this JKS it will use the password we entered earlier. Note that cert-manager resolves passwordSecretRef in the Certificate's own namespace, so the password secret must live in the same namespace as the Certificate (the secret above was created in default while this Certificate is in noah-test; keep the two in the same namespace).

⚠️ If you want a PKCS#12 keystore instead of JKS, use pkcs12 in place of jks under keystores.

Everything is ready now. As before, inject the newly created secret into the deployment. This time, only application.properties needs to change, as shown below.

# application.properties

server.ssl.enabled=true
server.ssl.key-store=/etc/tomcat/tls/keystore.jks
server.ssl.key-store-password=1234

One thing worth noting: server.ssl.key-store is set to the path of the mounted secret (keystore.jks is the key cert-manager adds to the secret), and server.ssl.key-store-password is set to the password we put into jks-password-secret. In a real deployment, prefer supplying that password from the mounted secret or an environment variable rather than committing it in application.properties.

That's it for applying HTTPS in Spring with cert-manager. There are other uses as well, such as the isCA option briefly mentioned in the previous post, which lets you manage a separate CA per namespace, so it's worth looking into.

 

Finally, you can find the code used in this post at the URL below. 😊

ooeunz/blog-code (github.com)