@@ -352,6 +352,25 @@ using JDK APIs only.
352352Both RSA and EC (P-256) private keys are accepted; the algorithm is detected
353353automatically.
354354
355+ ** Deployment.** Don't bake ` privkey.pem ` into your container image — you
356+ lose rotation and leak the key into image layers and registries. Mount the
357+ two PEM files at runtime from a secret manager:
358+
359+ - ** Kubernetes:** [ cert-manager] ( https://cert-manager.io ) writes the
360+ certificate and key into a ` Secret ` ; mount it as a volume at the path you
361+ pass to ` .https(...) ` . Renewal is automatic; restart the pod (e.g. via a
362+ rolling deploy keyed off the Secret's revision) to pick up the new cert.
363+ - ** GCP:** Store both files in Secret Manager and project them with the
364+ [ Secret Manager CSI driver] ( https://cloud.google.com/secret-manager/docs/access-control )
365+ or a Workload Identity-bound init container that writes the files to an
366+ ` emptyDir ` shared with the app container.
367+ - ** AWS:** [ Secrets Manager] ( https://docs.aws.amazon.com/secretsmanager/ ) via
368+ the [ AWS Secrets and Configuration Provider] ( https://github.com/aws/secrets-store-csi-driver-provider-aws )
369+ for the CSI driver follows the same pattern.
370+
371+ Whatever the source: mount the volume read-only, give ` privkey.pem ` mode
372+ ` 0400 ` (owner-read only), and ensure the JVM process owns or can read it.
373+
355374When ` .https(...) ` is set, the default port changes from ` 8080 ` to ` 8443 ` .
356375` port(int) ` still overrides explicitly:
357376
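Review bot: The closing paragraph of the new Deployment section is internally inconsistent: it asks for `privkey.pem` at mode `0400` (owner-read only) but then says the JVM process should "own or can read it". With `0400` only the owning user (or root) can read the file, so a process that merely "can read it" does not exist unless it is the owner. Suggest tightening to "ensure the JVM runs as the file's owner (e.g. set the volume's ownership/fsGroup to the app's uid)", or, if a group-readable mount is intended, say `0440` and state the group requirement. Also, the GCP bullet's link text says "Secret Manager CSI driver" but the URL is `https://cloud.google.com/secret-manager/docs/access-control`, which is the access-control page; point it at the CSI driver documentation instead. Finally, the Kubernetes bullet should say explicitly that the PEM files are read once at startup, since that is the reason a restart is required after cert-manager renews the certificate; otherwise a reader may expect the running server to pick up the new `Secret` contents.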