Spring Cloud Vault configuration
- Spring Cloud Vault configuration
- Introduction
- 1 Vault server configuration and startup
- 1.1 Starting Consul
- 1.2 Starting Vault
- 1.2.1 Creating the configuration file
- 1.2.2 Starting Vault
- 2 Starting the Vault Web UI
- 3 Writing test data to the Vault server
- 4 Client configuration and debugging
- References
Introduction
HashiCorp Vault is a tool that gives developers a secure way to store and retrieve secrets such as API tokens, SSL certificates and passwords. It also handles access control for users and can revoke tokens. In addition it provides auditing, which can be used to trace what users did.
Spring Cloud Config can be used to manage cluster configuration centrally. This article describes using Vault to encrypt and manage configuration: the client obtains its configuration with a token, and tokens allow fine-grained control over which configuration each client may read.
All configuration is stored centrally on the Vault server. The root token must be backed up; if the root token is lost, the encrypted configuration is lost with it.
1 Vault server configuration and startup
Vault is configured to use Consul as its storage backend. The client calls Vault through the HTTP API; a certificate can be configured to use HTTPS, but HTTPS is not used in this article.
1.1 Starting Consul
Download the consul binary, add it to the system PATH, and verify:
```shell
# consul -v
Consul v0.9.2
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)
```
Start it in the background:
```shell
nohup consul agent -server -bootstrap-expect 1 -data-dir /var/data/vault-consul -bind 127.0.0.1 >> /var/log/consul.log 2>&1 &
```
`-data-dir` specifies the data directory, `-bind 127.0.0.1` makes the agent reachable only from the local machine, and the log is written to `/var/log/consul.log`.
1.2 Starting Vault
1.2.1 Creating the configuration file
```shell
# vim sccs-vault.conf
```
```hcl
# "backend" is the pre-0.8 name for "storage"; a second storage stanza would
# conflict with the Consul one below, so the file backend is left commented out.
# backend "file" {
#   path = "vault"
# }
storage "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
```
`storage "consul"` selects the storage backend. In `listener "tcp"`, `address = "0.0.0.0:8200"` makes Vault reachable from any address; change it to a specific IP if needed.
1.2.2 Starting Vault
Download the vault binary, add it to the system PATH, and verify:
```shell
# vault -v
Vault v0.8.0 ('af63d879130d2ee292f09257571d371100a513eb')
```
Start it in the background, point the CLI at it and check the status:
```shell
nohup vault server -config=/var/data/sccs-vault.conf >> /var/log/vault.log 2>&1 &
# export VAULT_ADDR='http://127.0.0.1:8200'
# vault status
```
Initialize Vault and keep the Initial Root Token safe:
```shell
# vault init
Unseal Key 1: /B9JpWDtQsQdUcqz1fvI1zfr8dOhhICnxxxxxxxxxxxx
Unseal Key 2: 9pw/+8w2cvfZCVrMlStTdTfdMiWs2ll5xxxxxxxxxxxx
Unseal Key 3: swsHnjEw6JAoNCdlfnhH7wpF7neeg85Fxxxxxxxxxxxx
Unseal Key 4: tnPWcJotb1DZUz9ujpw7VBA0Gpnh8GPlxxxxxxxxxxxx
Unseal Key 5: VA8UgvAgSUAX6im/P70pfM81FxGsKjd/xxxxxxxxxxxx
Initial Root Token: d9c43f56-5db0-c7fe-be83-xxxxxxxxxxxx
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
Vault does not store the master key. Without at least 3 keys,
your vault will remain permanently sealed.
```
Unseal with any 3 of the 5 keys:
```shell
# vault unseal /B9JpWDtQsQdUcqz1fvI1zfr8dOhhICnxxxxxxxxxxxx
# vault unseal 9pw/+8w2cvfZCVrMlStTdTfdMiWs2ll5xxxxxxxxxxxx
# vault unseal swsHnjEw6JAoNCdlfnhH7wpF7neeg85Fxxxxxxxxxxxx
```
Check the status again:
```shell
# vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: 0.8.0
Cluster Name: vault-cluster-xxxxxxxx
Cluster ID: b85b198d-5d47-021b-6533-xxxxxxxxxxxx
High-Availability Enabled: true
Mode: active
Leader Cluster Address: https://127.0.0.1:8201
# export VAULT_TOKEN=(Root token)
```
Test access through the HTTP API:
```shell
# curl http://127.0.0.1:8200/v1/sys/init
{"initialized":true}
```
2 Starting the Vault Web UI
See https://github.com/djenriquez/vault-ui for details.
Start the Vault Web UI in Docker:
```shell
docker run -d \
  -p 58000:8000 \
  -e VAULT_URL_DEFAULT=http://<VAULT SERVER IP>:8200 \
  -e VAULT_AUTH_DEFAULT=TOKEN \
  --name vault-ui \
  djenriquez/vault-ui
```
Replace <VAULT SERVER IP> with the address of the Vault server. The UI is then reachable at http://<DOCKER SERVER IP>:58000.
3 Writing test data to the Vault server
Log in to the Web UI with the Initial Root Token.
- Under Secret Backends->secret->NEW SECRET, add the content to be encrypted and save it, for example at path secret/app01/dev:
```json
{
  "username": "dev01",
  "password": "dev01"
}
```
- Under System->Policies->ADD POLICY, add an access policy, here read-only access to one secret, with Name app01-dev-r:
```json
{
  "path": {
    "secret/app01/dev": {
      "capabilities": [
        "read"
      ]
    }
  }
}
```
- Under Auth Backends->token->NEW TOKEN, create a token from the policy, so that this token can read only that one secret:
```
Token display name: app01-dev-r
Renewable: false
Assign Policies->Selected policies->app01-dev-r
```
Make sure Renewable is turned off and that the selected policies contain only the intended policy.
Click CREATE to create the token, and copy and save it; otherwise it can only be recreated from scratch.
4 Client configuration and debugging
The client uses the Spring Boot framework.
bootstrap.yml takes precedence over application.yml.
If bootstrap.yml is configured to read configuration from Vault, a property of the same name in Vault overrides the local values in bootstrap.yml and application.yml.
pom.xml
```xml
<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>1.5.4.RELEASE</version>
  <relativePath /> <!-- lookup parent from repository -->
</parent>
<dependencies>
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>{spring-cloud-version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
  </dependency>
</dependencies>
<build>
  <plugins>
    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
    </plugin>
  </plugins>
</build>
```
Mapping between the Vault paths that are read and the bootstrap.yml configuration:
```
/secret/{application}/{profile}
/secret/{application}
/secret/{defaultContext}/{profile}
/secret/{defaultContext}
```
bootstrap.yml
```yaml
spring:
  application:
    #name: client-01
    name: app01
  profiles:
    active:
      - dev
      #- test
  cloud:
    vault:
      host: <VAULT SERVER IP>
      port: 8200
      scheme: http
      connection-timeout: 5000
      read-timeout: 15000
      config:
        order: -10
        lifecycle:
          enabled: false
      authentication: TOKEN
      ## app01-dev-r ##
      token: 1d15fc02-c90c-cf12-xxxxxxxxxxxx
```
Replace <VAULT SERVER IP> with the address of the Vault server created earlier.
With this configuration the token is used to read the configuration at http://<VAULT SERVER IP>:8200/v1/secret/app01/dev.
By default spring.cloud.vault.config.lifecycle.enabled=true, which renews the token periodically and therefore requires renew permission; renewal is disabled here.
Test the validity of the token with curl. jq formats the returned result as JSON; if it is missing, install it with apt-get install -y jq.
```shell
# curl \
  -H "X-Vault-Token: 1d15fc02-c90c-cf12-xxxxxxxxxxxx" \
  -X GET \
  http://127.0.0.1:8200/v1/secret/app01/dev | jq .data
```
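To verify the token and the path mapping above without starting the Spring Boot client, here is an added Python script (not from the original article or the Spring Cloud Vault project) that asks Vault what the token may do on the path through sys/capabilities-self and then reads the four contexts with the same precedence the client applies; the default context name `application` and the tolerant handling of 403/404 follow Spring Cloud Vault's defaults and are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

def context_paths(application, profiles, default_context="application"):
    """Paths Spring Cloud Vault reads for this app, most specific first."""
    paths = []
    for base in (application, default_context):
        paths += ["secret/%s/%s" % (base, p) for p in profiles]
        paths.append("secret/%s" % base)
    return paths

def http_transport(vault_addr, token):
    """One Vault HTTP API call with the token; returns (status, JSON body)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(vault_addr + "/v1/" + path, data=data,
                                     method=method, headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, {}
    return call

def token_capabilities(call, path):
    """Capabilities of the token itself on `path` (sys/capabilities-self)."""
    status, body = call("POST", "sys/capabilities-self", {"path": path})
    if status != 200:
        return None
    caps = body.get("capabilities") or body.get("data", {}).get("capabilities", [])
    return sorted(caps)

def resolve_properties(call, application, profiles):
    """Merge contexts as Spring Cloud Vault does: read least-specific first so
    the most specific path wins; a 403/404 (denied by policy or absent)
    contributes nothing, which is why the single-path token still works."""
    merged = {}
    for path in reversed(context_paths(application, profiles)):
        status, body = call("GET", path)
        if status == 200:
            merged.update(body.get("data") or {})
    return merged

if __name__ == "__main__":
    # Same app/profile as bootstrap.yml; VAULT_ADDR and VAULT_TOKEN come from the environment.
    call = http_transport(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    print("capabilities on secret/app01/dev:", token_capabilities(call, "secret/app01/dev"))
    print("properties seen by the client:", resolve_properties(call, "app01", ["dev"]))
```

Run it with the app01-dev-r token: the capabilities should be exactly ['read'] and the properties only those from secret/app01/dev, while the other three contexts are refused by the policy and skipped.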
Spring Boot startup class
```java
import javax.annotation.PostConstruct;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAutoConfiguration
@ConfigurationProperties
public class Application {
    // Bound from the "username" and "password" properties that Spring Cloud Vault
    // loads from secret/app01/dev. @Value injection (commented out) works as well
    // and would need org.springframework.beans.factory.annotation.Value.
    //@Value("${username}")
    String username;
    //@Value("${password}")
    String password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    @PostConstruct
    private void postConstruct() {
        // Prints the values read from Vault so the demo can be checked on the console;
        // keep secrets out of logs like this anywhere but a local test.
        System.out.println("##########################");
        System.out.println(username);
        System.out.println(password);
        System.out.println("##########################");
    }

    @RequestMapping("/")
    public String home() {
        return "Hello " + username + "!";
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
```
Adding the @EnableAutoConfiguration and @ConfigurationProperties annotations together with the getters and setters is enough for the configuration to be injected automatically.
@Value("${username}") injection can also be used.
After startup, the configuration read from Vault is printed:
```
##########################
dev01
dev01
##########################
```
References
- Spring Vault GA 1.0 released: http://www.infoq.com/cn/news/2017/05/spring-vault-ga
- Consul source: https://github.com/HashiCorp/consul
- Vault source: https://github.com/hashicorp/vault
- Vault UI: https://github.com/djenriquez/vault-ui
- spring-cloud-vault: https://github.com/spring-cloud/spring-cloud-vault
- spring-cloud-vault example: https://github.com/mp911de/spring-cloud-vault-config-samples/blob/master/spring-cloud-vault/hello-world/src/main/java/example/helloworld/HelloWorldApplication.java