【Question Title】: Spring Cloud Config - Vault and JDBC backend with JDBC creds in Vault
【Posted】: 2022-01-08 10:23:16
【Question】:

I am trying to modify our current Spring Cloud Config server, which has only a JDBC backend, to also include a Vault backend so that the JDBC connection credentials are kept secret.

Vault:

 Listener 1: tcp (addr: "127.0.0.1:8400", cluster address: "127.0.0.1:8401", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")

C:\apps\HashiCorp>vault kv get secret/my-secrets
=============== Data ===============
Key                           Value
---                           -----
spring.datasource.password    yadayadayada
spring.datasource.username    cobar

bootstrap.yml

server:
  port: 8888
spring:
  application:
    name: config-server
  cloud:
    config:
      allowOverride: true
      server:
        jdbc:
          sql: SELECT prop_key, prop_value from CloudProperties where application=? and profile=? and label=?
          order: 2
        #https://cloud.spring.io/spring-cloud-config/reference/html/#vault-backend
        vault:
          scheme: http
          host: localhost
          port: 8400
          defaultKey: my-secrets
          order: 1

application.yml

spring:
  main:
    banner-mode: off
    allow-bean-definition-overriding: true
  datasource:
    url: jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
    #username: cobar
    #password: yadayadayada
    driverClassName: com.mysql.jdbc.Driver
    hikari:
      connection-timeout: 60000
      maximum-pool-size: 5
  cloud:
    vault:
      scheme: http
      host: localhost
      port: 8400
      defaultKey: my-secrets
      token: root.RIJQjZ4jRZUS8mskzfCON88K

The spring.datasource username and password are not retrieved from Vault:

2021-12-01 12:43:39.927  INFO 5992 --- [  restartedMain]: The following profiles are active: jdbc,vault
2021-12-01 12:43:46.123 ERROR 5992 --- [  restartedMain] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Exception during pool initialization.
Login failed for user ''. ClientConnectionId:a32

【Discussion】:

    Tags: spring-boot spring-cloud spring-cloud-config


    【Solution 1】:

    Move the properties from the bootstrap context to the application context.

    Call the Vault endpoint to fetch the secrets and use them to configure the data source for the JDBC backend.

    // ConfigServerApplication.java
    import java.util.Objects;

    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.context.ApplicationPidFileWriter;
    import org.springframework.boot.jdbc.DataSourceBuilder;
    import org.springframework.boot.web.context.WebServerPortFileWriter;
    import org.springframework.cloud.config.server.EnableConfigServer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.core.env.Environment;
    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpMethod;
    import org.springframework.web.client.RestTemplate;

    import lombok.extern.slf4j.Slf4j;

    @Slf4j
    @SpringBootApplication
    @EnableConfigServer
    public class ConfigServerApplication {

        // KV v1 read path: <scheme>://<host>:<port>/v1/secret/<defaultKey>
        public static final String VAULT_URL_FRMT = "%s://%s:%s/v1/secret/%s";

        public static void main(String[] args) {
            SpringApplication app = new SpringApplication(ConfigServerApplication.class);
            app.addListeners(new ApplicationPidFileWriter());
            app.addListeners(new WebServerPortFileWriter());
            app.run(args);
        }

        @Order(1)
        @Bean("restTemplate")
        public RestTemplate restTemplate() {
            return new RestTemplate();
        }

        // Nested @Configuration classes must be static so Spring can instantiate them.
        @Configuration
        public static class JdbcConfig {

            @Autowired
            private RestTemplate restTemplate;

            @Autowired
            private Environment env;

            @Bean
            public DataSource getDataSource() {
                Secrets secrets = findSecrets();
                Map<String, String> data = secrets.getData();
                // The URL is not stored in Vault in the question; fall back to application.yml.
                String url = data.getOrDefault("spring.datasource.url",
                        env.getProperty("spring.datasource.url"));
                String username = data.get("spring.datasource.username");
                String password = data.get("spring.datasource.password");
                // Fail fast instead of connecting as '' (the "Login failed for user ''" error).
                if (username == null || password == null) {
                    throw new IllegalStateException("Vault secret is missing spring.datasource.username/password");
                }
                DataSourceBuilder<?> dataSourceBuilder = DataSourceBuilder.create();
                dataSourceBuilder.url(Objects.requireNonNull(url, "spring.datasource.url"));
                dataSourceBuilder.username(username);
                dataSourceBuilder.password(password);
                return dataSourceBuilder.build();
            }

            private Secrets findSecrets() {
                HttpHeaders httpHeaders = new HttpHeaders();
                // Vault authenticates API calls with the X-Vault-Token header.
                httpHeaders.set("X-Vault-Token", env.getProperty("spring.cloud.vault.token"));
                HttpEntity<Void> request = new HttpEntity<>(httpHeaders);
                String url = String.format(VAULT_URL_FRMT,
                    env.getProperty("spring.cloud.vault.scheme"),
                    env.getProperty("spring.cloud.vault.host"),
                    env.getProperty("spring.cloud.vault.port"),
                    env.getProperty("spring.cloud.vault.defaultKey")
                );
                log.info("Reading datasource secrets from {}", url);
                return restTemplate.exchange(url, HttpMethod.GET, request, Secrets.class).getBody();
            }
        }
    }

    // Secrets.java: the envelope of a Vault KV v1 read response.
    import java.io.Serializable;
    import java.time.Duration;
    import java.util.Map;

    import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

    import lombok.Getter;
    import lombok.Setter;

    @Getter
    @Setter
    @JsonIgnoreProperties(ignoreUnknown = true) // Vault also returns wrap_info, warnings, auth
    public class Secrets implements Serializable {

        private String request_id;
        private String lease_id;
        private boolean renewable;
        private Duration lease_duration; // Vault reports seconds; needs the JSR-310 Jackson module
        private Map<String, String> data;

    }
    
    

    You now have a Cloud Config server with a JDBC backend whose database properties are kept secret.

    【Discussion】:
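    As an added check, not part of the answer's code: this Python script builds the same Vault read URL from the bootstrap values (scheme, host, port, defaultKey), parses a constructed KV response, and refuses to return datasource settings when the username or password key is absent, which is the state behind the "Login failed for user ''" error in the question. The `kv_version` parameter and the KV v2 `/data/` path are assumptions beyond the page, which uses KV v1.

```python
import json
import urllib.request

# Constructed sample of a Vault KV v1 read response (shape only; values are made up).
SAMPLE_KV1_RESPONSE = {
    "request_id": "00000000-0000-4000-8000-000000000000",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 2764800,
    "data": {
        "spring.datasource.username": "cobar",
        "spring.datasource.password": "yadayadayada",
    },
    "wrap_info": None,
    "warnings": None,
    "auth": None,
}

REQUIRED = ("spring.datasource.username", "spring.datasource.password")


def vault_kv_url(scheme, host, port, key, kv_version=1):
    """Build the read URL for a KV secret; KV v2 inserts /data/ into the path (assumption)."""
    if kv_version == 1:
        return f"{scheme}://{host}:{port}/v1/secret/{key}"
    return f"{scheme}://{host}:{port}/v1/secret/data/{key}"


def datasource_settings(body, kv_version=1):
    """Extract the datasource keys from a decoded KV response, failing fast if absent."""
    data = body.get("data") or {}
    if kv_version == 2:
        data = data.get("data") or {}  # KV v2 nests the key/value pairs one level deeper
    missing = [k for k in REQUIRED if not data.get(k)]
    if missing:
        # Better to stop here than to let Hikari try to log in as user ''.
        raise ValueError(f"Vault secret is missing {missing}")
    return {k: data[k] for k in REQUIRED}


def fetch_secrets(url, token, timeout=5):
    """Read a secret over HTTP; Vault authenticates the call via X-Vault-Token."""
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = vault_kv_url("http", "localhost", 8400, "my-secrets")
    print(url, datasource_settings(SAMPLE_KV1_RESPONSE))
```

    Pass a real token (for example the value of `spring.cloud.vault.token`) to `fetch_secrets(url, token)` and feed its result to `datasource_settings` to check a live server.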
