To the solutions already proposed I can add one more option: configuring an external PropertySource, for example Vault.

- Configure the Vault server PropertySource (for DEV only, not for PROD)
- Write secrets PropertySource
- Verify secrets PropertySource
Add the following dependency to your Spring Boot project:

```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
```
Add the Vault configuration properties:

```properties
spring.cloud.vault.host=localhost
spring.cloud.vault.port=8200
spring.cloud.vault.scheme=http
spring.cloud.vault.authentication=token
spring.cloud.vault.token=${VAULT_TOKEN}
```
Pass the PropertySource as an environment variable.

See the documentation here.
There is also the Spring Vault project, which can be used to access, store and revoke secrets.

Dependency:

```xml
<dependency>
    <groupId>org.springframework.vault</groupId>
    <artifactId>spring-vault-core</artifactId>
</dependency>
```
Configure the Vault template:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;

@Configuration
class VaultConfiguration extends AbstractVaultConfiguration {

    @Override
    public VaultEndpoint vaultEndpoint() {
        return new VaultEndpoint(); // no-arg constructor defaults to localhost:8200
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        return new TokenAuthentication("…"); // the Vault token to authenticate with
    }
}
```
Inject and use the VaultTemplate:

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.support.VaultResponseSupport;

public class Example {
    @Autowired
    private VaultOperations operations;
    public void writeSecrets(String userId, String password) {
        Map<String, String> data = new HashMap<>();
        data.put("password", password);
        operations.write(userId, data); // userId is used as the secret path
    }
    public Person readSecrets(String userId) {
        VaultResponseSupport<Person> response = operations.read(userId, Person.class);
        return response == null ? null : response.getData(); // read() returns null if the path is absent
    }
}

// Person is not shown in the answer; a minimal bean matching the "password" field written above
class Person {
    private String password;
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```
Use the Vault PropertySource:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.annotation.VaultPropertySource;
import org.springframework.vault.annotation.VaultPropertySource.Renewal;

@Configuration
@VaultPropertySource(value = "aws/creds/s3",
                     propertyNamePrefix = "aws.",
                     renewal = Renewal.RENEW)
public class Config {
}
```
Usage example:

```java
import java.io.InputStream;
import org.springframework.beans.factory.annotation.Value;

public class S3Client {

    // inject the actual values
    @Value("${aws.access_key}")
    private String awsAccessKey;

    @Value("${aws.secret_key}")
    private String awsSecretKey;

    public InputStream getFileFromS3(String filename) {
        // …
    }
}
```
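As an added example (not code from the answer above), the same AbstractVaultConfiguration taking its endpoint and token from the process environment, so the token is never written to a properties file, and refusing a plain-http endpoint unless the run is explicitly marked as development. VAULT_ADDR and VAULT_TOKEN are the variables the Vault CLI itself uses; the VAULT_ALLOW_HTTP flag and the class name are assumptions made for this example.

```java
import java.net.URI;
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;

// Endpoint and token come from VAULT_ADDR / VAULT_TOKEN (the Vault CLI's own variables),
// so nothing secret is written to application.properties. Plain http is rejected unless
// VAULT_ALLOW_HTTP=true (an assumed flag for this example) marks the run as a local dev server.
@Configuration
class EnvVaultConfiguration extends AbstractVaultConfiguration {

    @Override
    public VaultEndpoint vaultEndpoint() {
        URI addr = URI.create(require("VAULT_ADDR")); // e.g. https://vault.example:8200
        boolean allowHttp = Boolean.parseBoolean(System.getenv("VAULT_ALLOW_HTTP"));
        if (!"https".equalsIgnoreCase(addr.getScheme()) && !allowHttp) {
            throw new IllegalStateException("VAULT_ADDR must use https outside development: " + addr);
        }
        return VaultEndpoint.from(addr);
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        // The token is read from the environment only, never from a properties file
        return new TokenAuthentication(require("VAULT_TOKEN"));
    }

    // Fail fast at startup when a required variable is missing, instead of failing on first use
    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }
}
```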