
Commit 0ecf725

docs: Recommend mounting HTTPS PEMs from a secret manager
1 parent ad80372 commit 0ecf725

1 file changed

Lines changed: 19 additions & 0 deletions

File tree

README.md

Original file line number | Diff line number | Diff line change
@@ -352,6 +352,25 @@ using JDK APIs only.
352352
Both RSA and EC (P-256) private keys are accepted; the algorithm is detected
353353
automatically.
354354

355+
**Deployment.** Don't bake `privkey.pem` into your container image — you
356+
lose rotation and leak the key into image layers and registries. Mount the
357+
two PEM files at runtime from a secret manager:
358+
359+
- **Kubernetes:** [cert-manager](https://cert-manager.io) writes the
360+
certificate and key into a `Secret`; mount it as a volume at the path you
361+
pass to `.https(...)`. Renewal is automatic; restart the pod (e.g. via a
362+
rolling deploy keyed off the Secret's revision) to pick up the new cert.
363+
- **GCP:** Store both files in Secret Manager and project them with the
364+
[Secret Manager CSI driver](https://cloud.google.com/secret-manager/docs/access-control)
365+
or a Workload Identity-bound init container that writes the files to an
366+
`emptyDir` shared with the app container.
367+
- **AWS:** [Secrets Manager](https://docs.aws.amazon.com/secretsmanager/) via
368+
the [AWS Secrets and Configuration Provider](https://github.com/aws/secrets-store-csi-driver-provider-aws)
369+
for the CSI driver follows the same pattern.
370+
371+
Whatever the source: mount the volume read-only, give `privkey.pem` mode
372+
`0400` (owner-read only), and ensure the JVM process owns or can read it.
373+
355374
When `.https(...)` is set, the default port changes from `8080` to `8443`.
356375
`port(int)` still overrides explicitly:
357376
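Review bot: the GCP bullet's link text and target disagree: "Secret Manager CSI driver" points at `https://cloud.google.com/secret-manager/docs/access-control`, which by its path is the IAM access-control page, so a reader following it will not find the CSI driver setup; point it at the CSI driver documentation or drop the link until the correct page is at hand. In the closing paragraph, `0400` (owner-read only) and "owns or can read it" contradict each other: at `0400` only the owner can read the file, so either say the JVM process must own `privkey.pem`, or name `0440` with a matching group as the alternative. Since the Kubernetes bullet only says "mount it as a volume", it would also help to show how the mode is actually achieved there, e.g. `defaultMode: 0400` on the Secret volume plus `runAsUser` (or `fsGroup`) in the pod `securityContext`, otherwise a non-root JVM reading a root-owned mount fails to open the key.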

0 commit comments
