我有一些 spring-boot 微服务向 spring-boot-admin (SBA) 注册。当我在本地运行微服务和 SBA 服务器时,客户端能够通过 HTTP 向 SBA 服务器注册自己。
当我将应用程序部署到 Kubernetes 集群时,向 SBA 注册是通过 HTTPS(通过 Ingress)完成的,我在日志中得到一个 javax.net.ssl.SSLHandshakeException
d.c.b.a.c.r.ApplicationRegistrator : Failed to register application as Application(name=my-app, managementUrl=https://my-app-dev.mydomain.com/actuator, healthUrl=https://my-app-dev.mydomain.com/actuator/health, serviceUrl=https://my-app-dev.mydomain.com) at spring-boot-admin ([https://my-admin-dev.mydomain.com/instances]): I/O error on POST request for "https://my-admin-dev.mydomain.com/instances": Received fatal alert: protocol_version; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version. Further attempts are logged on DEBUG level
在微服务(SBA 客户端)中,我使用以下依赖项
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-client</artifactId>
<version>2.4.0</version>
</dependency>
application.yaml
中的以下内容
spring.boot.admin.client:
url: "https://my-admin-dev.mydomain.com"
instance.service-url: "https://my-app-dev.mydomain.com"
我能够查看 spring-boot-admin-starter-client
代码。首先,我从日志消息中的 ApplicationRegistrator
开始,这导致我找到了一个可覆盖的 BlockingRegistrationClient
实例(是的!)
public class SpringBootAdminClientAutoConfiguration {
...
@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(RestTemplateBuilder.class)
public static class BlockingRegistrationClientConfig {
@Bean
@ConditionalOnMissingBean
public BlockingRegistrationClient registrationClient(ClientProperties client) {
RestTemplateBuilder builder = new RestTemplateBuilder().setConnectTimeout(client.getConnectTimeout())
.setReadTimeout(client.getReadTimeout());
if (client.getUsername() != null && client.getPassword() != null) {
builder = builder.basicAuthentication(client.getUsername(), client.getPassword());
}
return new BlockingRegistrationClient(builder.build());
}
}
使用 this post 作为指导,我能够创建一个 RestTemplate
,并将信任存储加载到 SSLContext
中。然后,我可以使用自己的包装自定义 BlockingRegistrationClient
的实例覆盖 RestTemplate
实例。
@Bean
public BlockingRegistrationClient registrationClient(
@Value("${ssl.protocol}") String protocol,
@Value("${ssl.trustStore.path}") String trustStorePath,
@Value("${ssl.trustStore.password}") String trustStorePassword,
ClientProperties client) throws Exception {
SSLContext sslContext = SSLContextBuilder.create()
.loadTrustMaterial(new File(trustStorePath), trustStorePassword.toCharArray())
.setProtocol(protocol)
.build();
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setSSLContext(sslContext)
.build();
RestTemplateBuilder builder = new RestTemplateBuilder()
.setConnectTimeout(client.getConnectTimeout())
.setReadTimeout(client.getReadTimeout())
.requestFactory(() -> new HttpComponentsClientHttpRequestFactory(httpClient));
if (client.getUsername() != null && client.getPassword() != null) {
builder = builder.basicAuthentication(client.getUsername(), client.getPassword());
}
return new BlockingRegistrationClient(builder.build());
}
application.yaml
ssl:
protocol: TLSv1.2
trustStore:
path: "/opt/java/openjdk/lib/security/cacerts"
password: "*****"