Spring Cloud Config - Vault and JDBC backend with JDBC creds in Vault


【Title】Spring Cloud Config - Vault and JDBC backend with JDBC creds in Vault 【Posted】2022-01-08 10:23:16 【Question】:

I am trying to modify our Spring Cloud Config server, which currently has only a JDBC backend, to add a Vault backend so that the JDBC connection credentials are kept secret.

Vault:

 Listener 1: tcp (addr: "127.0.0.1:8400", cluster address: "127.0.0.1:8401", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")

C:\apps\HashiCorp>vault kv get secret/my-secrets
=============== Data ===============
Key                           Value
---                           -----
spring.datasource.password    yadayadayada
spring.datasource.username    cobar

bootstrap.yml

server:
  port: 8888
spring:
  application:
    name: config-server
  cloud:
    config:
      allowOverride: true
      server:
        jdbc:
          sql: SELECT prop_key, prop_value from CloudProperties where application=? and profile=? and label=?
          order: 2 
        #https://cloud.spring.io/spring-cloud-config/reference/html/#vault-backend
        vault:
          scheme: http
          host: localhost
          port: 8400
          defaultKey: my-secrets
          order: 1

application.yml

spring:
  main:
    banner-mode: off
    allow-bean-definition-overriding: true
  datasource:
    url: jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
    #username: cobar
    #password: yadayadayada
    driverClassName: com.mysql.jdbc.Driver
    hikari:
      connection-timeout: 60000
      maximum-pool-size: 5
  cloud:
    vault:
      scheme: http
      host: localhost
      port: 8400
      defaultKey: my-secrets
      token: root.RIJQjZ4jRZUS8mskzfCON88K

The spring.datasource username and password are not being retrieved from Vault.

2021-12-01 12:43:39.927  INFO 5992 --- [  restartedMain]: The following profiles are active: jdbc,vault
2021-12-01 12:43:46.123 ERROR 5992 --- [  restartedMain] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Exception during pool initialization.
Login failed for user ''. ClientConnectionId:a32

【Question discussion】:

【Answer 1】:

Move the properties from the bootstrap context to the application context.

Call the Vault endpoint to fetch the secrets and use them to configure the DataSource for the JDBC backend.

// ConfigServerApplication.java
import java.util.Map;

import javax.sql.DataSource;

import lombok.extern.slf4j.Slf4j;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.ApplicationPidFileWriter;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.boot.web.context.WebServerPortFileWriter;
import org.springframework.cloud.config.server.EnableConfigServer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.web.client.RestTemplate;

@Slf4j
@SpringBootApplication
@EnableConfigServer
public class ConfigServerApplication {

    // Vault KV (version 1) read endpoint: <scheme>://<host>:<port>/v1/secret/<key>
    public static final String VAULT_URL_FRMT = "%s://%s:%s/v1/secret/%s";

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(ConfigServerApplication.class);
        app.addListeners(new ApplicationPidFileWriter());
        app.addListeners(new WebServerPortFileWriter());
        app.run(args);
    }

    @Order(1)
    @Bean("restTemplate")
    public RestTemplate restTemplate() {
        return new RestTemplate();
    }

    // Static nested configuration class so Spring can instantiate it without an
    // enclosing ConfigServerApplication instance; it gets its own Environment.
    @Configuration
    public static class JdbcConfig {

        @Autowired
        private Environment env;

        @Autowired
        private RestTemplate restTemplate;

        // Builds the config server's own DataSource from the values read out of Vault,
        // replacing the commented-out spring.datasource.username/password in application.yml.
        // The url is read from Vault as well, so it must be stored there alongside the credentials.
        @Bean
        public DataSource getDataSource() {
            Secrets secrets = findSecrets();
            DataSourceBuilder<?> dataSourceBuilder = DataSourceBuilder.create();
            dataSourceBuilder.url(secrets.getData().get("spring.datasource.url"));
            dataSourceBuilder.username(secrets.getData().get("spring.datasource.username"));
            dataSourceBuilder.password(secrets.getData().get("spring.datasource.password"));
            return dataSourceBuilder.build();
        }

        // One GET against Vault, authenticated with the token from spring.cloud.vault.token.
        private Secrets findSecrets() {
            HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.set("X-Vault-Token", env.getProperty("spring.cloud.vault.token"));
            HttpEntity<Void> request = new HttpEntity<>(httpHeaders);
            String url = String.format(VAULT_URL_FRMT,
                env.getProperty("spring.cloud.vault.scheme"),
                env.getProperty("spring.cloud.vault.host"),
                env.getProperty("spring.cloud.vault.port"),
                env.getProperty("spring.cloud.vault.defaultKey")
            );
            return restTemplate.exchange(url, HttpMethod.GET, request, Secrets.class).getBody();
        }
    }
}

// Secrets.java
import java.io.Serializable;
import java.util.Map;

import lombok.Getter;
import lombok.Setter;

// Shape of a Vault KV v1 read response; lease_duration arrives as a number of seconds.
@Getter
@Setter
public class Secrets implements Serializable {

    private String request_id;
    private String lease_id;
    private boolean renewable;
    private long lease_duration;
    private Map<String, String> data;
}

Now you have a Cloud Config server with a JDBC backend whose database properties are kept secret.
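The Vault read that the answer's findSecrets() performs, as an added example that is not part of the original post or of Spring Cloud. It talks to Vault's HTTP API directly with the Python standard library so it can be run offline against a constructed stand-in server (FakeVault below is not Vault; its token and routes are invented for the example). Beyond the answer, it handles the KV version-2 response shape, where the path is secret/data/<key> and the values sit under data.data, and it refuses to hand an empty username or password to the connection pool, which is what produced the "Login failed for user ''" above. The answer's /v1/secret/<key> URL is the KV v1 form, consistent with the vault kv get output in the question, which shows no Metadata section. Note also that the listener in the question has TLS disabled and application.yml carries a root token; outside a local dev server, use https and a token or AppRole bound to a read-only policy on that one path.

```python
"""Read spring.datasource.* from a Vault KV mount over HTTP (KV v1 and v2).
Added example; FakeVault is a constructed stand-in, not Vault."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DATASOURCE_KEYS = ("spring.datasource.url",
                   "spring.datasource.username",
                   "spring.datasource.password")


def kv_read_path(mount, key, kv_version):
    """KV v1 reads /v1/<mount>/<key>; KV v2 reads /v1/<mount>/data/<key>."""
    if kv_version == 1:
        return f"/v1/{mount}/{key}"
    if kv_version == 2:
        return f"/v1/{mount}/data/{key}"
    raise ValueError(f"unsupported kv version {kv_version}")


def extract_kv_data(body, kv_version):
    """Pull the key/value map out of a Vault read response.
    v1: {"data": {...}}   v2: {"data": {"data": {...}, "metadata": {...}}}"""
    data = body.get("data")
    if data is None:
        raise ValueError("no 'data' in response: wrong path, KV version or policy")
    if kv_version == 2:
        data = data.get("data")
        if data is None:
            raise ValueError("KV v2 response is missing data.data")
    return data


def datasource_properties(secret_data):
    """Select the datasource keys and fail loudly on a missing/empty credential
    instead of letting the pool attempt a login as user ''."""
    missing = [k for k in ("spring.datasource.username", "spring.datasource.password")
               if not secret_data.get(k)]
    if missing:
        raise KeyError(f"secret lacks {missing}")
    return {k: secret_data[k] for k in DATASOURCE_KEYS if k in secret_data}


def read_secret(base_url, token, mount, key, kv_version):
    """GET the secret with X-Vault-Token, as the answer's RestTemplate call does."""
    req = urllib.request.Request(base_url + kv_read_path(mount, key, kv_version),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return extract_kv_data(json.load(resp), kv_version)


class FakeVault(BaseHTTPRequestHandler):
    """Constructed stand-in for a Vault dev server: one secret, one valid token."""
    TOKEN = "hvs.example-token-not-real"
    SECRET = {"spring.datasource.username": "cobar",
              "spring.datasource.password": "yadayadayada"}
    ROUTES = {
        "/v1/secret/my-secrets": {"data": SECRET},                                   # KV v1
        "/v1/secret/data/my-secrets": {"data": {"data": SECRET, "metadata": {"version": 1}}},  # KV v2
    }

    def do_GET(self):
        if self.headers.get("X-Vault-Token") != self.TOKEN:
            return self._send(403, {"errors": ["permission denied"]})
        body = self.ROUTES.get(self.path)
        self._send(200, body) if body is not None else self._send(404, {"errors": []})

    def _send(self, status, obj):
        payload = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # silence request logging
        pass


def demo():
    """Serve the fake Vault on a free port, read the secret via v1 and v2 paths,
    and confirm a wrong token is rejected with 403."""
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        v1 = datasource_properties(read_secret(base, FakeVault.TOKEN, "secret", "my-secrets", 1))
        v2 = datasource_properties(read_secret(base, FakeVault.TOKEN, "secret", "my-secrets", 2))
        try:
            read_secret(base, "wrong-token", "secret", "my-secrets", 1)
            denied = False
        except urllib.error.HTTPError as e:
            denied = e.code == 403
    finally:
        server.shutdown()
        server.server_close()
    return {"v1": v1, "v2": v2, "denied": denied}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see both reads succeed against the stand-in; point read_secret at a real dev server (scheme, host and port from spring.cloud.vault.* in the question) to check which KV version the secret/ mount is using before deciding on the URL format the config server should use.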

【Discussion】:
