NettySecureServer may not be able to access keystore
kubectl create secret generic http-keystore --from-file keystore.jks
kubectl create secret generic http-truststore --from-file truststore.jks
kamel run --dev \
-t mount.resources=secret:http-keystore/keystore.jks@/etc/ssl/keystore.jks \
-t mount.resources=secret:http-truststore/truststore.jks@/etc/ssl/truststore.jks \
-t container.port=8443 -t service.type=NodePort \
NettySecureServer.java
[1] Caused by: org.apache.camel.RuntimeCamelException: java.io.IOException: Could not open /etc/ssl/keystore.jks as a file, class path resource, or URL.
[1] at org.apache.camel.RuntimeCamelException.wrapRuntimeCamelException(RuntimeCamelException.java:51)
[1] at org.apache.camel.component.netty.http.HttpServerInitializerFactory.<init>(HttpServerInitializerFactory.java:67)
[1] at org.apache.camel.component.netty.http.NettyHttpComponent.newHttpServerBootstrapFactory(NettyHttpComponent.java:352)
[1] at org.apache.camel.component.netty.http.NettyHttpComponent.lambda$getOrCreateHttpNettyServerBootstrapFactory$1(NettyHttpComponent.java:344)
[1] at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1220)
[1] at org.apache.camel.component.netty.http.NettyHttpComponent.getOrCreateHttpNettyServerBootstrapFactory(NettyHttpComponent.java:344)
[1] at org.apache.camel.component.netty.http.NettyHttpEndpoint.createConsumer(NettyHttpEndpoint.java:98)
[1] at org.apache.camel.impl.engine.DefaultRoute.gatherRootServices(DefaultRoute.java:640)
[1] at org.apache.camel.impl.engine.DefaultRoute.gatherServices(DefaultRoute.java:624)
[1] at org.apache.camel.impl.engine.DefaultRoute.initializeServices(DefaultRoute.java:209)
[1] at org.apache.camel.impl.engine.RouteService.doSetup(RouteService.java:150)
[1] at org.apache.camel.impl.engine.RouteService.setUp(RouteService.java:129)
[1] ... 28 more
[1] Caused by: java.io.IOException: Could not open /etc/ssl/keystore.jks as a file, class path resource, or URL.
[1] at org.apache.camel.support.jsse.JsseParameters.resolveResource(JsseParameters.java:120)
[1] at org.apache.camel.support.jsse.KeyStoreParameters.createKeyStore(KeyStoreParameters.java:192)
[1] at org.apache.camel.support.jsse.KeyManagersParameters.createKeyManagers(KeyManagersParameters.java:102)
[1] at org.apache.camel.support.jsse.SSLContextParameters.createSSLContext(SSLContextParameters.java:269)
[1] at org.apache.camel.component.netty.http.HttpServerInitializerFactory.createSSLContext(HttpServerInitializerFactory.java:150)
[1] at org.apache.camel.component.netty.http.HttpServerInitializerFactory.<init>(HttpServerInitializerFactory.java:65)
[1] ... 38 more
From within the container, I can access those files:
root@netty-server-75cfcb58d-wlnb8:/deployments# keytool -list -keystore /etc/ssl/keystore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
entryname, May 23, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 06:69:0B:F0:8C:DA:42:19:19:36:08:F8:96:30:D8:C1:1E:22:BB:FC:BF:24:8E:F5:2A:1F:2F:65:F6:B3:B7:B9
root@netty-server-75cfcb58d-wlnb8:/deployments# keytool -list -keystore /etc/ssl/truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
entryname, May 23, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 06:69:0B:F0:8C:DA:42:19:19:36:08:F8:96:30:D8:C1:1E:22:BB:FC:BF:24:8E:F5:2A:1F:2F:65:F6:B3:B7:B9
I wonder if this is because the /etc/ssl path is forbidden by the OS. Can you try the same, changing to some other directory (i.e., /tmp/ssl, just for the sake of testing)?
Nope ...
[1] Caused by: org.apache.camel.RuntimeCamelException: java.io.IOException: Could not open /tmp/ssl/keystore.jks as a file, class path resource, or URL.
[1] at org.apache.camel.RuntimeCamelException.wrapRuntimeCamelException(RuntimeCamelException.java:51)
[1] at org.apache.camel.component.netty.http.HttpServerInitializerFactory.<init>(HttpServerInitializerFactory.java:67)
[1] at org.apache.camel.component.netty.http.NettyHttpComponent.newHttpServerBootstrapFactory(NettyHttpComponent.java:352)
[1] at org.apache.camel.component.netty.http.NettyHttpComponent.lambda$getOrCreateHttpNettyServerBootstrapFactory$1(NettyHttpComponent.java:344)
[1] at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1220)
[1] at org.apache.camel.component.netty.http.NettyHttpComponent.getOrCreateHttpNettyServerBootstrapFactory(NettyHttpComponent.java:344)
[1] at org.apache.camel.component.netty.http.NettyHttpEndpoint.createConsumer(NettyHttpEndpoint.java:98)
[1] at org.apache.camel.impl.engine.DefaultRoute.gatherRootServices(DefaultRoute.java:640)
[1] at org.apache.camel.impl.engine.DefaultRoute.gatherServices(DefaultRoute.java:624)
[1] at org.apache.camel.impl.engine.DefaultRoute.initializeServices(DefaultRoute.java:209)
[1] at org.apache.camel.impl.engine.RouteService.doSetup(RouteService.java:150)
[1] at org.apache.camel.impl.engine.RouteService.setUp(RouteService.java:129)
[1] ... 28 more
[1] Caused by: java.io.IOException: Could not open /tmp/ssl/keystore.jks as a file, class path resource, or URL.
[1] at org.apache.camel.support.jsse.JsseParameters.resolveResource(JsseParameters.java:120)
[1] at org.apache.camel.support.jsse.KeyStoreParameters.createKeyStore(KeyStoreParameters.java:192)
[1] at org.apache.camel.support.jsse.KeyManagersParameters.createKeyManagers(KeyManagersParameters.java:102)
[1] at org.apache.camel.support.jsse.SSLContextParameters.createSSLContext(SSLContextParameters.java:269)
[1] at org.apache.camel.component.netty.http.HttpServerInitializerFactory.createSSLContext(HttpServerInitializerFactory.java:150)
[1] at org.apache.camel.component.netty.http.HttpServerInitializerFactory.<init>(HttpServerInitializerFactory.java:65)
[1] ... 38 more
This fails very early in the Camel context lifecycle. Do we perhaps have something that allows us to hook into that context lifecycle and examine the filesystem? Is it guaranteed that the mount has already happened?
[1] 2024-05-24 09:29:00,393 ERROR [org.apa.cam.qua.mai.CamelMainRuntime] (main) Failed to start application: org.apache.camel.FailedToStartRouteException: Failed to start route route1 because of java.io.IOException: Could not open /tmp/ssl/keystore.jks as a file, class path resource, or URL.
[1] at org.apache.camel.impl.engine.RouteService.setUp(RouteService.java:131)
[1] at org.apache.camel.impl.engine.InternalRouteStartupManager.doInitRoutes(InternalRouteStartupManager.java:88)
[1] at org.apache.camel.impl.engine.AbstractCamelContext.doInit(AbstractCamelContext.java:2387)
[1] at org.apache.camel.quarkus.core.FastCamelContext.doInit(FastCamelContext.java:194)
[1] at org.apache.camel.support.service.BaseService.init(BaseService.java:78)
[1] at org.apache.camel.impl.engine.AbstractCamelContext.init(AbstractCamelContext.java:2021)
[1] at org.apache.camel.support.service.BaseService.start(BaseService.java:105)
[1] at org.apache.camel.impl.engine.AbstractCamelContext.start(AbstractCamelContext.java:2040)
[1] at org.apache.camel.impl.DefaultCamelContext.start(DefaultCamelContext.java:212)
I've moved the issue into the main project repo to get the proper attention. Smells like a bug.
It works with Camel 3. It seems to be a Camel bug, reported in https://issues.apache.org/jira/browse/CAMEL-20811
It turns out it's a change required in the new Camel. You need to forcefully specify the file: prefix. @tdiesler can you take care of changing the example accordingly? Thanks!
PR: https://github.com/apache/camel-k-examples/pull/103
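The resolution above, shown as an added example (this is not the NettySecureServer.java from the examples repository): a route whose keystore and truststore resources carry the explicit `file:` prefix and match the mount targets passed to `kamel run`. The class name, the `/hello` path, the `KEYSTORE_PASSWORD` environment variable and the use of one password for both stores are assumptions made for illustration.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;

// Hypothetical class name; illustrates the "file:" prefix fix from the thread.
public class NettySecureServerExample extends RouteBuilder {

    // Assumption: the store password is injected through an environment
    // variable (hypothetical name) instead of being written into the source.
    private static final String PASSWORD = System.getenv("KEYSTORE_PASSWORD");

    private static KeyStoreParameters store(String resource) {
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource(resource);
        ksp.setPassword(PASSWORD);
        return ksp;
    }

    @Override
    public void configure() {
        // Failing form from the report: "/etc/ssl/keystore.jks" (no scheme).
        // Working form: explicit "file:" scheme, same path as the mount target
        // given in "-t mount.resources=secret:http-keystore/keystore.jks@/etc/ssl/keystore.jks".
        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(store("file:/etc/ssl/keystore.jks"));
        kmp.setKeyPassword(PASSWORD);

        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(store("file:/etc/ssl/truststore.jks"));

        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        scp.setTrustManagers(tmp);

        // Register the parameters so the endpoint URI can reference them by name.
        getCamelContext().getRegistry().bind("sslContextParameters", scp);

        // Port 8443 matches "-t container.port=8443" in the kamel run command.
        from("netty-http:https://0.0.0.0:8443/hello"
                + "?ssl=true&sslContextParameters=#sslContextParameters")
            .setBody(constant("Hello over TLS"));
    }
}
```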