Spring Cloud Vault configuration


  • Spring Cloud Vault configuration
    • Introduction
    • 1 Vault server configuration and startup
      • 1.1 Starting Consul
      • 1.2 Starting Vault
        • 1.2.1 Creating the configuration file
        • 1.2.2 Starting Vault
    • 2 Starting the Vault Web UI
    • 3 Writing test data on the Vault server
    • 4 Client configuration and debugging
    • References


Introduction

HashiCorp Vault is a tool that gives developers a secure way to store and access secrets such as API tokens, SSL certificates and passwords. It also handles access control for users, with the ability to revoke tokens, and it has audit functionality that can be used to track users.

Spring Cloud Config can be used to manage cluster configuration centrally. This article describes using Vault to store and manage configuration in encrypted form: the client fetches its configuration with a token, and tokens allow fine-grained control over which configuration can be read.

All configuration is stored centrally on the Vault server. Back up the root token: if it is lost, the encrypted configuration is lost with it.

1 Vault server configuration and startup

Vault's backend stores its data in Consul. The client calls Vault over the HTTP API; a certificate can be configured to use HTTPS, but this article does not use HTTPS.

1.1 Starting Consul

Download the Consul binary, add it to the system PATH, and verify:
# consul -v
Consul v0.9.2
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

Start it in the background:
nohup consul agent -server -bootstrap-expect 1 -data-dir /var/data/vault-consul -bind 127.0.0.1 >> /var/log/consul.log 2>&1 &

-data-dir sets the data directory, -bind 127.0.0.1 restricts access to the local machine, and the log is written to /var/log/consul.log.

1.2 Starting Vault

1.2.1 Creating the configuration file

# vim sccs-vault.conf

# Legacy "backend" stanza. When a "storage" stanza is also present, Vault uses
# "storage" and this block has no effect; it is kept here as in the original file.
backend "file" {
  path = "vault"
}

# Data is stored in the local Consul agent started in section 1.1.
storage "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}

# Listen on all interfaces; tls_disable = 1 means plain HTTP, no TLS (see section 1).
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

storage "consul" selects the storage backend. listener "tcp" with address = "0.0.0.0:8200" makes Vault reachable from any address; change it to a specific IP to restrict access.

1.2.2 Starting Vault

Download the Vault binary, add it to the system PATH, and verify:
# vault -v
Vault v0.8.0 ('af63d879130d2ee292f09257571d371100a513eb')

Start it in the background:
nohup vault server -config=/var/data/sccs-vault.conf >> /var/log/vault.log 2>&1 &

# export VAULT_ADDR='http://127.0.0.1:8200'
# vault status

Initialize it, and keep the Initial Root Token safe:
# vault init

Unseal Key 1: /B9JpWDtQsQdUcqz1fvI1zfr8dOhhICnxxxxxxxxxxxx
Unseal Key 2: 9pw/+8w2cvfZCVrMlStTdTfdMiWs2ll5xxxxxxxxxxxx
Unseal Key 3: swsHnjEw6JAoNCdlfnhH7wpF7neeg85Fxxxxxxxxxxxx
Unseal Key 4: tnPWcJotb1DZUz9ujpw7VBA0Gpnh8GPlxxxxxxxxxxxx
Unseal Key 5: VA8UgvAgSUAX6im/P70pfM81FxGsKjd/xxxxxxxxxxxx
Initial Root Token: d9c43f56-5db0-c7fe-be83-xxxxxxxxxxxx

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your vault will remain permanently sealed.

Unseal it with any 3 of the 5 keys:

# vault unseal /B9JpWDtQsQdUcqz1fvI1zfr8dOhhICnxxxxxxxxxxxx
# vault unseal 9pw/+8w2cvfZCVrMlStTdTfdMiWs2ll5xxxxxxxxxxxx
# vault unseal swsHnjEw6JAoNCdlfnhH7wpF7neeg85Fxxxxxxxxxxxx

Check the status again:

# vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:  
Version: 0.8.0
Cluster Name: vault-cluster-xxxxxxxx
Cluster ID: b85b198d-5d47-021b-6533-xxxxxxxxxxxx

High-Availability Enabled: true
       Mode: active
       Leader Cluster Address: https://127.0.0.1:8201

# export VAULT_TOKEN=(Root token)

Test HTTP API access:
# curl http://127.0.0.1:8200/v1/sys/init
{"initialized":true}

2 Starting the Vault Web UI

See https://github.com/djenriquez/vault-ui for details.
Start the Vault Web UI in Docker:

docker run -d \
-p 58000:8000 \
-e VAULT_URL_DEFAULT=http://<VAULT SERVER IP>:8200 \
-e VAULT_AUTH_DEFAULT=TOKEN \
--name vault-ui \
djenriquez/vault-ui

Replace <VAULT SERVER IP> with the address of your Vault server.
The UI is then reachable at http://<DOCKER SERVER IP>:58000.

3 Writing test data on the Vault server

Log in to the Web UI with the Initial Root Token.

  • Under Secret Backends->secret->NEW SECRET, add the content to be encrypted and save it, for example:

path: secret/app01/dev

{
  "username": "dev01",
  "password": "dev01"
}
  • Under System->Policies->ADD POLICY, add an access policy, here read-only access to a single secret, for example:

Name: app01-dev-r

{
  "path": {
    "secret/app01/dev": {
      "capabilities": [
        "read"
      ]
    }
  }
}
  • Under Auth Backends->token->NEW TOKEN, create a token from the policy, so that the token can only read that one specific secret, for example:

Token display name: app01-dev-r
Renewable: false
Assign Policies->Selected policies->app01-dev-r

Make sure Renewable is turned off, and select only the intended policy.
Click CREATE to create the token. Copy and save the token; otherwise it can only be recreated.
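As an added example (not part of the original post and not Vault's own code), the following Python models how Vault evaluates the app01-dev-r policy from this section, so the least-privilege claim "this token can only read that one secret" can be checked on paper. It is a simplified reimplementation of Vault's documented ACL rules, so the precedence details (exact path beats glob, longest glob wins, deny overrides) are assumptions; APP01_OPS and check_token are constructed for the demonstration.

```python
import json

# Policy from section 3 of the post, in the JSON form entered in the Web UI.
APP01_DEV_R = json.loads('{"path": {"secret/app01/dev": {"capabilities": ["read"]}}}')

# Constructed second policy, used only to show prefix-glob and deny handling.
APP01_OPS = json.loads("""{"path": {
    "secret/app01/*":    {"capabilities": ["read", "list"]},
    "secret/app01/prod": {"capabilities": ["deny"]}}}""")


def _matching_rules(policies, request_path):
    """Yield (exact, rule_path, capabilities) for each rule matching request_path.
    A rule path ending in '*' is a prefix glob; any other path must match exactly."""
    for policy in policies:
        for rule_path, rule in policy.get("path", {}).items():
            caps = set(rule.get("capabilities", []))
            if rule_path.endswith("*"):
                if request_path.startswith(rule_path[:-1]):
                    yield False, rule_path, caps
            elif rule_path == request_path:
                yield True, rule_path, caps


def allowed(policies, request_path, capability):
    """True if a token holding `policies` may use `capability` on `request_path`.
    Simplified Vault semantics (assumption): an exact-path rule beats any glob,
    otherwise the longest matching glob wins; equally specific rules from several
    policies are merged; 'deny' in the winning rule refuses everything; with no
    matching rule the request is denied (Vault is deny by default)."""
    best_key, best_caps = None, set()
    for exact, rule_path, caps in _matching_rules(policies, request_path):
        key = (exact, len(rule_path))
        if best_key is None or key > best_key:
            best_key, best_caps = key, set(caps)
        elif key == best_key:
            best_caps |= caps
    return "deny" not in best_caps and capability in best_caps


def check_token(policies):
    """What the section 3 token can and cannot do, as {(path, capability): bool}."""
    checks = [("secret/app01/dev", "read"), ("secret/app01/dev", "update"),
              ("secret/app01/prod", "read"), ("secret/app01", "list")]
    return {c: allowed(policies, *c) for c in checks}
```

Running check_token([APP01_DEV_R]) shows only ("secret/app01/dev", "read") as True; everything else, including writing the same secret or reading the prod path, is refused.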

4 Client configuration and debugging

The client uses the Spring Boot framework.
bootstrap.yml takes precedence over application.yml.
If bootstrap.yml is configured to read configuration from Vault, a variable of the same name in Vault overrides the local values in bootstrap.yml and application.yml.

pom.xml

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.4.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
        <version>{spring-cloud-version}</version>
    </dependency>
    <!-- needed for the @RestController / @RequestMapping used in the application class -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

Mapping between the Vault paths that are read and the bootstrap.yml settings (most specific first):

/secret/{application}/{profile}
/secret/{application}
/secret/{defaultContext}/{profile}
/secret/{defaultContext}

bootstrap.yml

spring: 
  application:
    #name: client-01
    name: app01
  profiles:
    active:
    - dev
    #- test
  cloud: 
    vault:
      host: <VAULT SERVER IP> 
      port: 8200
      scheme: http
      connection-timeout: 5000
      read-timeout: 15000
      config:
          order: -10
          lifecycle: 
            enabled: false
      authentication: TOKEN
      ## app01-dev-r ##
      token: 1d15fc02-c90c-cf12-xxxxxxxxxxxx

Replace <VAULT SERVER IP> with the address of the Vault server created earlier.
With this configuration the token is used to read the configuration at http://<VAULT SERVER IP>:8200/v1/secret/app01/dev.

By default spring.cloud.vault.config.lifecycle.enabled=true, which renews the token periodically and therefore needs renew permission. Renewal is disabled here, which matches the non-renewable token created in section 3.
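Added example (not code from the post or from Spring Cloud Vault): a Python model of how the bootstrap.yml above maps to the four Vault paths listed earlier, how a key found in Vault overrides the local YAML, and which HTTP request the client sends. VAULT_DATA, LOCAL_YAML and BOOTSTRAP are constructed stand-ins; the default context name "application" and the ordering of multiple active profiles are assumptions.

```python
# Constructed stand-ins for the secret written in section 3 and for the values
# the local bootstrap.yml / application.yml would hold.
VAULT_DATA = {
    "secret/app01/dev": {"username": "dev01", "password": "dev01"},
    "secret/application": {"greeting": "hello from vault"},
}
LOCAL_YAML = {"username": "local-user", "greeting": "hello from yaml",
              "server.port": "8080"}

# Settings taken from the post's bootstrap.yml; host and token are placeholders.
BOOTSTRAP = {"spring.application.name": "app01",
             "spring.profiles.active": ["dev"],
             "spring.cloud.vault.scheme": "http",
             "spring.cloud.vault.host": "VAULT-SERVER-IP",
             "spring.cloud.vault.port": 8200,
             "spring.cloud.vault.token": "TOKEN-PLACEHOLDER"}


def vault_contexts(application, profiles, default_context="application"):
    """KV paths Spring Cloud Vault reads, most specific (highest precedence) first,
    i.e. the four-line list from section 4. Assumptions: the KV backend is mounted
    at 'secret', the default context is 'application', and with several active
    profiles the profile listed last is treated as the most specific."""
    paths = [f"secret/{application}/{p}" for p in reversed(profiles)]
    paths.append(f"secret/{application}")
    paths += [f"secret/{default_context}/{p}" for p in reversed(profiles)]
    paths.append(f"secret/{default_context}")
    return paths


def resolve(key, contexts, vault_data=VAULT_DATA, local=LOCAL_YAML):
    """Resolve one property as the post describes: a key found in any Vault context
    overrides the same key in the local YAML files. Returns (value, source)."""
    for path in contexts:
        if key in vault_data.get(path, {}):
            return vault_data[path][key], path
    if key in local:
        return local[key], "local yaml"
    return None, None


def vault_request(cfg, path):
    """URL and header the client sends for one context; the same request as the
    curl call in section 4 (GET /v1/secret/app01/dev with X-Vault-Token)."""
    url = "{}://{}:{}/v1/{}".format(cfg["spring.cloud.vault.scheme"],
                                    cfg["spring.cloud.vault.host"],
                                    cfg["spring.cloud.vault.port"], path)
    return url, {"X-Vault-Token": cfg["spring.cloud.vault.token"]}
```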

Use curl to test that the token is valid. jq formats the response as JSON; install it if it is not present:
apt-get install -y jq

# curl \
    -H "X-Vault-Token: 1d15fc02-c90c-cf12-xxxxxxxxxxxx" \
    -X GET \
    http://127.0.0.1:8200/v1/secret/app01/dev |jq .data

Spring Boot application class

import javax.annotation.PostConstruct;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAutoConfiguration
@ConfigurationProperties
public class Application {

    // Bound from the Vault secret (secret/app01/dev) through the setters below;
    // the commented-out @Value annotations are the alternative injection style.
    //@Value("${username}")
    String username;
    //@Value("${password}")
    String password;

    public String getUsername() {
        return username;
    }
    public void setUsername(String username) {
        this.username = username;
    }
    public String getPassword() {
        return password;
    }
    public void setPassword(String password) {
        this.password = password;
    }

    @PostConstruct
    private void postConstruct() {
        // Prints the injected values at startup to verify the setup; in a real
        // deployment this would write the secret into the application log.
        System.out.println("##########################");
        System.out.println(username);
        System.out.println(password);
        System.out.println("##########################");
    }

    @RequestMapping("/")
    public String home() {
        return "Hello " + username + "!";
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

Adding the @EnableAutoConfiguration and @ConfigurationProperties annotations together with getters and setters is enough for the configuration to be injected automatically.
@Value("${username}") can be used for injection instead.

After startup the configuration read from Vault is printed:

##########################
dev01
dev01
##########################

References

Reproduced from: https://my.oschina.net/u/3010328/blog/1512343
