Spring Cloud Config - Vault and JDBC backend with JDBC creds in Vault
Posted: 2022-01-08 10:23:16

Question:
I am trying to modify our Spring Cloud Config server, which currently has only a JDBC backend, to include a Vault backend so that the JDBC connection credentials can be kept secret.
Vault:

Listener 1: tcp (addr: "127.0.0.1:8400", cluster address: "127.0.0.1:8401", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")

C:\apps\HashiCorp>vault kv get secret/my-secrets
=============== Data ===============
Key                         Value
---                         -----
spring.datasource.password  yadayadayada
spring.datasource.username  cobar
bootstrap.yml

server:
  port: 8888
spring:
  application:
    name: config-server
  cloud:
    config:
      allowOverride: true
      server:
        jdbc:
          sql: SELECT prop_key, prop_value from CloudProperties where application=? and profile=? and label=?
          order: 2
        # https://cloud.spring.io/spring-cloud-config/reference/html/#vault-backend
        vault:
          scheme: http
          host: localhost
          port: 8400
          defaultKey: my-secrets
          order: 1
application.yml

spring:
  main:
    banner-mode: off
    allow-bean-definition-overriding: true
  datasource:
    url: jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
    #username: cobar
    #password: yadayadayada
    driverClassName: com.mysql.jdbc.Driver
    hikari:
      connection-timeout: 60000
      maximum-pool-size: 5
  cloud:
    vault:
      scheme: http
      host: localhost
      port: 8400
      defaultKey: my-secrets
      token: root.RIJQjZ4jRZUS8mskzfCON88K
The spring.datasource username and password are not retrieved from Vault.

2021-12-01 12:43:39.927 INFO 5992 --- [ restartedMain]: The following profiles are active: jdbc,vault
2021-12-01 12:43:46.123 ERROR 5992 --- [ restartedMain] com.zaxxer.hikari.pool.HikariPool : HikariPool-1 - Exception during pool initialization.
Login failed for user ''. ClientConnectionId:a32
Answer 1:
Move the properties from bootstrap to the application context.
Call the Vault endpoint to get the secrets and use them to configure the DataSource for the JDBC backend.
import java.io.Serializable;
import java.time.Duration;
import java.util.Map;
import javax.sql.DataSource;
import lombok.Getter;
import lombok.Setter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.ApplicationPidFileWriter;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.boot.web.context.WebServerPortFileWriter;
import org.springframework.cloud.config.server.EnableConfigServer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.web.client.RestTemplate;

@Slf4j
@SpringBootApplication
@EnableConfigServer
public class ConfigServerApplication {

    // KV v1 read path (/v1/<mount>/<key>); a KV v2 mount reads at /v1/<mount>/data/<key> and nests the values under data.data
    public static final String VAULT_URL_FRMT = "%s://%s:%s/v1/secret/%s";

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(ConfigServerApplication.class);
        app.addListeners(new ApplicationPidFileWriter());
        app.addListeners(new WebServerPortFileWriter());
        app.run(args);
    }

    @Order(1)
    @Bean("restTemplate")
    public RestTemplate restTemplate() {
        return new RestTemplate();
    }

    // A nested @Configuration class must be static for Spring to instantiate it
    @Configuration
    public static class JdbcConfig {

        @Autowired
        private Environment env;

        @Autowired
        private RestTemplate restTemplate;

        @Bean
        public DataSource getDataSource() {
            Secrets secrets = findSecrets();
            Map<String, String> data = secrets.getData();
            DataSourceBuilder<?> dataSourceBuilder = DataSourceBuilder.create();
            // The Vault entry in the question holds only username and password,
            // so fall back to the spring.datasource.url from application.yml when Vault has no url
            dataSourceBuilder.url(data.getOrDefault("spring.datasource.url", env.getProperty("spring.datasource.url")));
            dataSourceBuilder.username(data.get("spring.datasource.username"));
            dataSourceBuilder.password(data.get("spring.datasource.password"));
            return dataSourceBuilder.build();
        }

        private Secrets findSecrets() {
            HttpHeaders httpHeaders = new HttpHeaders();
            // Token and endpoint are taken from the spring.cloud.vault.* properties in application.yml
            httpHeaders.set("X-Vault-Token", env.getProperty("spring.cloud.vault.token"));
            HttpEntity<Void> request = new HttpEntity<>(httpHeaders);
            String url = String.format(VAULT_URL_FRMT,
                    env.getProperty("spring.cloud.vault.scheme"),
                    env.getProperty("spring.cloud.vault.host"),
                    env.getProperty("spring.cloud.vault.port"),
                    env.getProperty("spring.cloud.vault.defaultKey"));
            return restTemplate.exchange(url, HttpMethod.GET, request, Secrets.class).getBody();
        }
    }

    // Shape of a KV v1 read response; fields Vault returns that are not listed here are ignored by Jackson
    @Getter
    @Setter
    public static class Secrets implements Serializable {
        private String request_id;
        private String lease_id;
        private boolean renewable;
        private Duration lease_duration;
        private Map<String, String> data;
    }
}
Now you have a Cloud Config with a JDBC backend and you can keep the database properties secret.
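Two points about the setup in the question are worth stating before the example. A Vault backend configured under spring.cloud.config.server.vault only serves the config server's clients; it never populates the server's own Environment, which is why spring.datasource.username stays empty and Hikari logs "Login failed for user ''". And the application.yml shown stores a Vault root token in plaintext next to the very properties it is meant to protect, over an http listener with TLS disabled: whoever can read that file gets every secret in Vault, not only the database password. The class below is an added example, not code from the question or the answer. It takes the token from the VAULT_TOKEN environment variable (the Vault CLI's own variable) instead of application.yml, keeps url and driver in application.yml and only the username and password in Vault, reads either KV v1 (/v1/secret/<key>) or KV v2 (/v1/secret/data/<key>, with the values nested under data.data) according to an assumed vault.kv-version property, and fails fast when a key is missing rather than handing Hikari an empty user. The class name VaultBackedDataSourceConfig, the VAULT_TOKEN variable and the vault.kv-version property are assumptions; the spring.cloud.vault.scheme/host/port/defaultKey and spring.datasource.* properties are the ones from the question.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.sql.DataSource;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.web.client.RestTemplate;

// Added example, not from the original answer. Assumed names: this class, the VAULT_TOKEN
// environment variable and the vault.kv-version property; everything else is from the question.
@Configuration
public class VaultBackedDataSourceConfig {

    private final Environment env;
    private final RestTemplate restTemplate = new RestTemplate();
    private final ObjectMapper mapper = new ObjectMapper();

    public VaultBackedDataSourceConfig(Environment env) {
        this.env = env;
    }

    @Bean
    public DataSource dataSource() throws IOException {
        Map<String, String> creds = readVaultSecret();
        return DataSourceBuilder.create()
                // Non-secret connection settings stay in application.yml, where the question already has them
                .url(env.getRequiredProperty("spring.datasource.url"))
                .driverClassName(env.getRequiredProperty("spring.datasource.driverClassName"))
                .username(require(creds, "spring.datasource.username"))
                .password(require(creds, "spring.datasource.password"))
                .build();
    }

    // Fail at startup naming the missing key, instead of letting Hikari attempt a login as user ''
    static String require(Map<String, String> creds, String key) {
        return Objects.requireNonNull(creds.get(key), () -> "Vault secret has no key " + key);
    }

    Map<String, String> readVaultSecret() throws IOException {
        // The token is injected at runtime: Spring's StandardEnvironment exposes OS environment
        // variables, so VAULT_TOKEN is read here without ever being written into application.yml.
        String token = env.getProperty("VAULT_TOKEN");
        if (token == null || token.isBlank()) {
            throw new IllegalStateException("VAULT_TOKEN is not set; refusing to start without Vault access");
        }
        HttpHeaders headers = new HttpHeaders();
        headers.set("X-Vault-Token", token);
        // A 403 from Vault (wrong token, or a policy without read on this path) surfaces as
        // HttpClientErrorException and stops startup; nothing from the response is logged.
        String body = restTemplate
                .exchange(secretUrl(), HttpMethod.GET, new HttpEntity<Void>(headers), String.class)
                .getBody();
        return extractSecretData(mapper.readTree(body));
    }

    // KV v2 (what `vault server -dev` mounts at secret/) reads at /v1/<mount>/data/<key>; KV v1 at /v1/<mount>/<key>
    String secretUrl() {
        int kvVersion = env.getProperty("vault.kv-version", Integer.class, 2); // assumed property, default KV v2
        return String.format("%s://%s:%s/v1/secret/%s%s",
                env.getRequiredProperty("spring.cloud.vault.scheme"),
                env.getRequiredProperty("spring.cloud.vault.host"),
                env.getRequiredProperty("spring.cloud.vault.port"),
                kvVersion == 2 ? "data/" : "",
                env.getRequiredProperty("spring.cloud.vault.defaultKey"));
    }

    // KV v1 returns the pairs directly under "data"; KV v2 nests them under "data"."data" beside "data"."metadata"
    static Map<String, String> extractSecretData(JsonNode root) {
        JsonNode data = root.path("data");
        if (data.has("metadata") && data.path("data").isObject()) {
            data = data.path("data");
        }
        Map<String, String> out = new HashMap<>();
        data.fields().forEachRemaining(f -> out.put(f.getKey(), f.getValue().asText()));
        return out;
    }
}
```

Pair this with a token issued from a policy that grants only read on that one path, for a KV v2 mount path "secret/data/my-secrets" { capabilities = ["read"] } (path "secret/my-secrets" for v1), with a TTL, rather than the root token; and since scheme: http sends both the token and the returned credentials in cleartext, keep the listener on loopback with TLS disabled for local development only and enable TLS before the config server reaches Vault over a network.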