
6. SDF Container Integration

Composite Container Application Implementation Guide

Caution
  • Multi-Container Pattern Reference Material
  • Create the ConfigMap used by the SDF Container in the namespace of the business system it runs beside.
    • Change the namespace in cloud-cdf-config.yaml to the business system's namespace before applying it.
  • The SKMS_API_URL must be reachable from the pod in which the SDF Container is installed.

Proxy Settings for Java Applications

JAVA_TOOL_OPTIONS (Java-specific settings)

  • This environment variable is **automatically applied every time the JVM (Java Virtual Machine) starts** and is used to pass system properties to it.
    • Useful for changing the behavior of all Java applications without modifying their code.
  • Add the following environment variable to the ConfigMap:
    JAVA_TOOL_OPTIONS: >
      -Dhttp.proxyHost=10.10.12.140 -Dhttp.proxyPort=3128
      -Dhttps.proxyHost=10.10.12.140 -Dhttps.proxyPort=3128
      -Dhttp.nonProxyHosts=localhost|127.0.0.1|*.svc|*.cluster.local|cloud-skms-service.security365.svc.cluster.local|*.security365.com|security365.com
  • -Dhttp.proxyHost=10.10.12.140: IP address of the proxy server the Java application uses for HTTP requests.
  • -Dhttp.proxyPort=3128: port number of that proxy server.
  • -Dhttps.proxyHost=10.10.12.140: IP address of the proxy server used for HTTPS requests.
  • -Dhttps.proxyPort=3128: port number of that proxy server.
  • -Dhttp.nonProxyHosts=...: list of hosts to reach directly, without going through the proxy. There is no https.nonProxyHosts property; this one list applies to HTTPS requests as well.
    • localhost|127.0.0.1: the container itself (loopback)
    • *.svc|*.cluster.local: Kubernetes cluster-internal service addresses
    • *.security365.com|security365.com: a specific domain and its subdomains
    • Entries are delimited by the | (pipe) character; * is a wildcard

Standard environment variables honored by many system applications and libraries (on this page, by the MIP SDK; the JVM itself takes its proxy settings from JAVA_TOOL_OPTIONS above).

  http_proxy: http://10.10.12.140:3128
  https_proxy: http://10.10.12.140:3128
  no_proxy: localhost,127.0.0.1,.svc,.cluster.local,cloud-skms-service.security365.svc.cluster.local,.security365.com,security365.com
  • http_proxy: http://10.10.12.140:3128: the proxy server through which HTTP traffic is sent
  • https_proxy: http://10.10.12.140:3128: the proxy server through which HTTPS traffic is sent (the proxy itself is addressed over plain HTTP; the HTTPS session is tunneled through it)
  • no_proxy: ...: list of addresses that bypass the proxy
    • Entries are separated by commas
    • To cover a whole domain, start the entry with a dot (e.g. .security365.com); the sample lists both the dotted and the bare form because clients differ on whether a bare entry also matches subdomains

Add Sidecar Container to POD

SDF Container ConfigMap Configuration

  • cloud-cdf-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-cdf-config
  namespace: dev
data:
  ## Required settings
  # [SDF Container only] SKMS URL
  SKMS_API_URL: "http://cloud-skms-service.dev.svc.cluster.local"
  # [SDF Container only] service port
  CONTAINER_LINKER_SERVER_PORT: "8181"
  # [SDF Container only] optional log level (default: info)
  LOG_LEVEL: debug
  # =================================================================
  ## If no proxy is needed, delete the four proxy-related environment variables below
  ## [SDF Container proxy settings for air-gapped deployments] Adjust the proxy IP, port and -Dhttp.nonProxyHosts to the customer's environment
  JAVA_TOOL_OPTIONS: >
    -Dhttp.proxyHost=10.10.12.140 -Dhttp.proxyPort=3128
    -Dhttps.proxyHost=10.10.12.140 -Dhttps.proxyPort=3128
    -Dhttp.nonProxyHosts=localhost|127.0.0.1|*.svc|*.cluster.local|cloud-skms-service.security365.svc.cluster.local|*.security365.com|security365.com
  ## [MIP SDK proxy settings for air-gapped deployments] Adjust the proxy IP, port and no_proxy to the customer's environment
  http_proxy: http://10.10.12.140:3128
  https_proxy: http://10.10.12.140:3128
  no_proxy: localhost,127.0.0.1,.svc,.cluster.local,cloud-skms-service.security365.svc.cluster.local,.security365.com,security365.com
  # =================================================================
  # [SDF Container only] optional integrated log forwarding (default: true; when false, SDF encryption/decryption logs are not sent)
  # LOG_SEND_USE: false
  # Delay setting for the symptom where scsl.jar cannot find the source document when a document conversion is requested
  # FILE_CONVERT_DELAY: 100
  # =================================================================
  ## Tomcat connection settings
  # [Container Linker only] optional total number of threads that can be created (default 0 → maxThreads: 200)
  # TOMCAT_MAX_THREAD: "0"
  # [Container Linker only] optional work queue size (default 0 → acceptCount: 100)
  # TOMCAT_ACCEPT_COUNT: "0"
  # [Container Linker only] optional total number of connections (default 0 → maxConnections: 8192)
  # TOMCAT_MAX_CONNECTIONS: "0"
  # =================================================================
  ## RPC (Request/Reply) pattern for encryption/decryption requests; if queue creation fails, the SKMS API is called as before
  # Whether to use the RPC (Request/Reply) pattern (default: false)
  # CUSTOM_RABBITMQ_USE: true
  # Comma-separated list of all server URLs in the RabbitMQ cluster; when ADDRESSES is set, HOST and PORT are ignored
  # CUSTOM_RABBITMQ_CLUSTER_ADDRESSES: "security365-rabbitmq-0.dev.svc.cluster.local:5672,security365-rabbitmq-1.dev.svc.cluster.local:5672,security365-rabbitmq-2.dev.svc.cluster.local:5672"
  # CUSTOM_RABBITMQ_HOST: "security365-rabbitmq.dev.svc.cluster.local"
  # CUSTOM_RABBITMQ_PORT: "5672"
  # =================================================================
---
apiVersion: v1
kind: Secret
metadata:
  name: cloud-cdf-secret
  namespace: dev
type: Opaque
stringData:
  # RabbitMQ settings
  # CUSTOM_RABBITMQ_PASSWORD: "security365"
  # CUSTOM_RABBITMQ_USERNAME: "security365"
  • The RabbitMQ credentials belong in the Secret (cloud-cdf-secret), never in the ConfigMap; replace the sample value "security365" before applying.
  • In this sample the proxy bypass lists name the SKMS service in the security365 namespace, while SKMS_API_URL points at the dev namespace. The dev host bypasses the proxy only because of the *.cluster.local / .cluster.local entries, so keep those (or list the actual SKMS host) when editing the lists for a customer site.
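The Caution at the top of the page requires SKMS_API_URL to be reachable from the pod, and in a proxied (air-gapped) deployment that means the SKMS host must be on both bypass lists: -Dhttp.nonProxyHosts for the JVM and no_proxy for the MIP SDK. The script below is an added example, not part of the product documentation or the SDF Container: it takes the sample values from this page as constructed input, implements the JVM's pipe-and-wildcard matching and a conservative reading of the no_proxy rules, and reports whether the SKMS host would skip the proxy under each convention. The no_proxy rule for a bare (dotless) entry is deliberately the strict "exact host only" interpretation, since clients differ on that point.

```python
"""Check that the SKMS endpoint bypasses the proxy under both variable conventions.

Added example; it is not part of the product documentation. The values below are
the sample values from this page (JAVA_TOOL_OPTIONS, no_proxy, SKMS_API_URL),
assembled here as constructed input; the YAML folded scalar (>) joins the
JAVA_TOOL_OPTIONS lines with single spaces, which is what the string reproduces.
"""
import re
from urllib.parse import urlsplit

JAVA_TOOL_OPTIONS = (
    "-Dhttp.proxyHost=10.10.12.140 -Dhttp.proxyPort=3128 "
    "-Dhttps.proxyHost=10.10.12.140 -Dhttps.proxyPort=3128 "
    "-Dhttp.nonProxyHosts=localhost|127.0.0.1|*.svc|*.cluster.local"
    "|cloud-skms-service.security365.svc.cluster.local|*.security365.com|security365.com"
)
NO_PROXY = ("localhost,127.0.0.1,.svc,.cluster.local,"
            "cloud-skms-service.security365.svc.cluster.local,.security365.com,security365.com")
SKMS_API_URL = "http://cloud-skms-service.dev.svc.cluster.local"


def parse_java_props(opts: str) -> dict:
    """Collect the -Dkey=value system properties from a JAVA_TOOL_OPTIONS string."""
    props = {}
    for token in opts.split():
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props


def java_non_proxy_match(host: str, non_proxy_hosts: str) -> bool:
    """JVM rule for http.nonProxyHosts (also applied to HTTPS; there is no
    https.nonProxyHosts): '|'-separated patterns, '*' is a wildcard, and the
    whole host name must match, case-insensitively."""
    for pattern in non_proxy_hosts.split("|"):
        pattern = pattern.strip()
        if not pattern:
            continue
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, host, re.IGNORECASE):
            return True
    return False


def no_proxy_match(host: str, no_proxy: str) -> bool:
    """Conservative no_proxy rule: '*' matches everything, an entry starting
    with '.' matches any host under that suffix, and a dotless entry matches
    that exact host only. Some clients also let a dotless entry match its
    subdomains; listing both forms, as the sample does, works either way."""
    host = host.lower()
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().split(":")[0]  # drop an optional :port
        if not entry:
            continue
        if entry == "*" or host == entry or (entry.startswith(".") and host.endswith(entry)):
            return True
    return False


def proxy_bypass_report(skms_url: str, java_opts: str, no_proxy: str) -> dict:
    """Report whether the SKMS host skips the proxy for the JVM and for no_proxy clients."""
    host = (urlsplit(skms_url).hostname or "").lower()
    props = parse_java_props(java_opts)
    return {
        "host": host,
        "jvm_bypass": java_non_proxy_match(host, props.get("http.nonProxyHosts", "")),
        "no_proxy_bypass": no_proxy_match(host, no_proxy),
    }


if __name__ == "__main__":
    report = proxy_bypass_report(SKMS_API_URL, JAVA_TOOL_OPTIONS, NO_PROXY)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not (report["jvm_bypass"] and report["no_proxy_bypass"]):
        raise SystemExit("SKMS host would be routed through the proxy; fix nonProxyHosts/no_proxy")
```

Run it with the customer's values pasted into the three constants (or read them from the applied ConfigMap with kubectl) before rolling the sidecar out; on the page's sample it reports that the dev SKMS host is bypassed by the wildcard entries only, and it fails if those wildcards are removed without adding the real SKMS host.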

Add SDF Container (Sidecar Container)

  • Add the sidecar container (Security365 SDF Container) to the main container's Deployment YAML file.
    Caution
  • Use image shieldrm/cloud-containerlinker tag 20251104.1 or later. The samples below use the floating :latest tag together with imagePullPolicy: IfNotPresent, which keeps whatever image is already cached on the node; pin a versioned tag (or a digest) so the hardened build is the one that actually runs.
  • Container security hardening applied from that image:
    • allowPrivilegeEscalation setting
    • seccomp profile applied
    • runAsNonRoot setting
    • readOnlyRootFilesystem setting
        ## Sidecar container settings
        - name: cloud-containerlinker-service
          image: security365acr.azurecr.io/shieldrm/cloud-containerlinker:latest
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: 256Mi
            limits:
              memory: 512Mi
          ports:
            - containerPort: 8181
          envFrom:
            - configMapRef:
                name: cloud-cdf-config
            - secretRef:
                name: cloud-cdf-secret
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - name: containerlinker-tmp
              mountPath: /tmp
            - name: containerlinker-logs
              mountPath: /opt/containerLinker/logs
            - name: containerlinker-scsllog
              mountPath: /opt/containerLinker/scsllog
            - name: containerlinker-mip
              mountPath: /opt/containerLinker/mip
            ## Shared directory (PVC, etc.) information
            - name: data-cloud-drm-shared
              mountPath: /rmswork
  • Because the SDF Container runs in the same pod as the customer's business system, the business system always calls it at http://127.0.0.1:8181. Unless the service binds to the loopback address only, containerPort 8181 is also reachable from other pods in the cluster, so restrict it with a NetworkPolicy where the cluster supports one.
  • A shared directory (PVC) that both the business system and the SDF Container can read and write is required.
  • Sample Deployment yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloud-ssevtr-service
  namespace: dev
  labels:
    app: cloud-ssevtr-service-label
  # namespace: cloud-ss-svc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloud-ssevtr-service-label
  template:
    metadata:
      labels:
        app: cloud-ssevtr-service-label
    spec:
      containers:
        - name: cloud-ssevtr-service
          image: scr.softcamp.co.kr/saas/cloud-ss-evtr-svc:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
          envFrom:
            - configMapRef:
                name: cloud-ssevtr-config
          volumeMounts:
            ## Shared directory PVC information
            - name: data-cloud-drm-shared
              mountPath: /rmswork
          resources:
            requests:
              memory: 2Gi
            limits:
              memory: 2Gi
        ##==========================[SDF Container only START]==========================##
        - name: cloud-containerlinker-service
          image: security365acr.azurecr.io/shieldrm/cloud-containerlinker:latest
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: 256Mi
            limits:
              memory: 512Mi
          ports:
            - containerPort: 8181
          envFrom:
            - configMapRef:
                name: cloud-cdf-config
            - secretRef:
                name: cloud-cdf-secret
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - name: containerlinker-tmp
              mountPath: /tmp
            - name: containerlinker-logs
              mountPath: /opt/containerLinker/logs
            - name: containerlinker-scsllog
              mountPath: /opt/containerLinker/scsllog
            - name: containerlinker-mip
              mountPath: /opt/containerLinker/mip
            ## Shared directory PVC information
            - name: data-cloud-drm-shared
              mountPath: /rmswork
        ##==========================[SDF Container only END]==========================##
      volumes:
        ## Shared directory (PVC, etc.) information
        - name: data-cloud-drm-shared
          persistentVolumeClaim:
            claimName: data-cloud-drm-shared
        ##==========================[SDF Container only START]========================##
        - name: containerlinker-tmp
          emptyDir: {}
        - name: containerlinker-logs
          emptyDir: {}
        - name: containerlinker-scsllog
          emptyDir: {}
        - name: containerlinker-mip
          emptyDir: {}
        ##==========================[SDF Container only END]==========================##
      imagePullSecrets:
        - name: security365acr
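The sidecar block above has several settings that must all be present together for the hardening to hold: readOnlyRootFilesystem only works because /tmp, the log directories and the MIP directory are mounted as writable volumes, the shared PVC must appear at the same path in the business container, and configuration and credentials come in through envFrom. The audit below is an added example, not part of the product documentation or the SDF Container: it takes a Deployment as a dict (for instance the output of kubectl get deploy ... -o json) and reports every deviation from the sidecar settings on this page. The required paths, mount, envFrom names and image repository are copied from the sample above; the seccomp check assumes RuntimeDefault is the intended profile, since the page lists seccomp but the sample sets no seccompProfile. On the page's own sample it reports exactly two findings: the floating :latest tag and the missing seccomp profile.

```python
"""Audit the SDF sidecar in a Deployment manifest against the settings on this page.

Added example; not part of the product documentation. Input is the Deployment as a
dict, e.g. json.load() of `kubectl -n dev get deploy cloud-ssevtr-service -o json`.
SAMPLE_DEPLOYMENT is a constructed, trimmed copy of the sample Deployment above.
The seccomp check assumes RuntimeDefault is the intended profile (page lists seccomp,
sample omits it)."""
import copy
import json
import sys

SIDECAR_IMAGE_REPO = "shieldrm/cloud-containerlinker"
REQUIRED_WRITABLE_PATHS = ("/tmp", "/opt/containerLinker/logs",
                           "/opt/containerLinker/scsllog", "/opt/containerLinker/mip")
SHARED_PATH = "/rmswork"
REQUIRED_ENV_FROM = {"configMapRef": "cloud-cdf-config", "secretRef": "cloud-cdf-secret"}


def _c(name, image, mounts, **extra):
    """Build a container dict for the constructed sample."""
    return {"name": name, "image": image,
            "volumeMounts": [{"name": n, "mountPath": p} for n, p in mounts], **extra}


SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {   # constructed from the page's sample
    "containers": [
        _c("cloud-ssevtr-service", "scr.softcamp.co.kr/saas/cloud-ss-evtr-svc:latest",
           [("data-cloud-drm-shared", "/rmswork")]),
        _c("cloud-containerlinker-service",
           "security365acr.azurecr.io/shieldrm/cloud-containerlinker:latest",
           [("containerlinker-tmp", "/tmp"), ("containerlinker-logs", "/opt/containerLinker/logs"),
            ("containerlinker-scsllog", "/opt/containerLinker/scsllog"),
            ("containerlinker-mip", "/opt/containerLinker/mip"), ("data-cloud-drm-shared", "/rmswork")],
           imagePullPolicy="IfNotPresent",
           envFrom=[{"configMapRef": {"name": "cloud-cdf-config"}}, {"secretRef": {"name": "cloud-cdf-secret"}}],
           securityContext={"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}})],
    "volumes": [{"name": "data-cloud-drm-shared", "persistentVolumeClaim": {"claimName": "data-cloud-drm-shared"}}]
               + [{"name": n, "emptyDir": {}} for n in
                  ("containerlinker-tmp", "containerlinker-logs", "containerlinker-scsllog", "containerlinker-mip")],
}}}}


def find_sidecar(containers):
    """Locate the SDF sidecar by its image repository rather than by container name."""
    return next((c for c in containers if SIDECAR_IMAGE_REPO in c.get("image", "")), None)


def audit_sidecar(deployment: dict) -> list:
    """Return a list of findings; an empty list means the sidecar matches the page."""
    pod = deployment["spec"]["template"]["spec"]
    containers = pod.get("containers", [])
    sidecar = find_sidecar(containers)
    if sidecar is None:
        return [f"no container with image {SIDECAR_IMAGE_REPO} found"]
    findings = []
    # 1. Image pinning: the page requires 20251104.1 or later; a floating 'latest'
    #    tag with IfNotPresent can keep an older cached image running.
    image = sidecar["image"]
    last = image.rsplit("/", 1)[-1]
    if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
        findings.append(f"image {image!r} is not pinned to a version tag or digest")
    # 2. Hardening settings listed on the page (seccomp may be set at pod level)
    sc = sidecar.get("securityContext", {})
    for key, want in (("runAsNonRoot", True), ("allowPrivilegeEscalation", False),
                      ("readOnlyRootFilesystem", True)):
        if sc.get(key) is not want:
            findings.append(f"securityContext.{key} should be {want}")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("securityContext.capabilities.drop should include ALL")
    seccomp = sc.get("seccompProfile") or pod.get("securityContext", {}).get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccompProfile (e.g. RuntimeDefault) at container or pod level")
    # 3. Volumes: read-only root needs the writable mounts; the shared PVC must be
    #    mounted at the same path in every business container; mounts must exist.
    mounts = {m["mountPath"]: m["name"] for m in sidecar.get("volumeMounts", [])}
    if sc.get("readOnlyRootFilesystem") is True:
        for path in REQUIRED_WRITABLE_PATHS:
            if path not in mounts:
                findings.append(f"readOnlyRootFilesystem is set but {path} has no writable volume")
    shared = mounts.get(SHARED_PATH)
    if shared is None:
        findings.append(f"sidecar does not mount the shared directory at {SHARED_PATH}")
    else:
        for c in containers:
            if c is not sidecar and not any(m["mountPath"] == SHARED_PATH and m["name"] == shared
                                            for m in c.get("volumeMounts", [])):
                findings.append(f"container {c['name']} does not mount {shared} at {SHARED_PATH}")
    defined = {v["name"] for v in pod.get("volumes", [])}
    for name in sorted(set(mounts.values()) - defined):
        findings.append(f"volumeMount {name} has no matching volume in spec.volumes")
    # 4. Config and credentials come in through envFrom (ConfigMap + Secret)
    refs = {kind: ref[kind].get("name") for ref in sidecar.get("envFrom", [])
            for kind in ref if isinstance(ref[kind], dict)}
    for kind, name in REQUIRED_ENV_FROM.items():
        if refs.get(kind) != name:
            findings.append(f"envFrom is missing {kind} {name}")
    return findings


def hardened_copy(deployment: dict) -> dict:
    """Apply the two fixes the audit reports on the page's sample: pin the image to the
    page's minimum tag (20251104.1) and add a pod-level RuntimeDefault seccomp profile."""
    fixed = copy.deepcopy(deployment)
    pod = fixed["spec"]["template"]["spec"]
    sidecar = find_sidecar(pod["containers"])
    sidecar["image"] = sidecar["image"].rsplit(":", 1)[0] + ":20251104.1"
    pod.setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}
    return fixed


if __name__ == "__main__":
    target = SAMPLE_DEPLOYMENT if sys.stdin.isatty() else json.load(sys.stdin)
    problems = audit_sidecar(target)
    print("\n".join(problems) or "sidecar matches the page")
    sys.exit(1 if problems else 0)
```

Pipe a live object in with `kubectl -n dev get deploy cloud-ssevtr-service -o json | python3 audit_sidecar.py` (the file name is the example's own); a non-zero exit means at least one finding, which makes it usable as a pre-deploy gate in CI.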

SDF Container Access and Log Check Commands

  • Open a shell in the SDF Container (replace the pod name with your own): kubectl -n dev exec --stdin --tty cloud-ssevtr-service-754b65cfb-bjzzr -c cloud-containerlinker-service -- sh
  • Follow the SDF Container logs: kubectl logs -f --tail 10000 -n dev cloud-ssevtr-service-754b65cfb-bjzzr -c cloud-containerlinker-service

How to Check the SDF Operating Status