我有关于 Hashicorp Vault 的基本问题。我想使用 Spring 应用程序将一些 secret (数据库密码)从 Vault 注入(inject)到容器中。
我已经准备好了在 Kubernetes 中使用 Vault 的特定注释,一切正常,将 PASSWORD 变量保存为环境允许我在 application.properties 文件中使用。
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "myapp-role"
vault.hashicorp.com/agent-inject-secret-foo: "secret/creds"
vault.hashicorp.com/agent-inject-template-foo: |
{{`{{- with secret "secret/creds" -}}
PASSWORD={{ .Data.passcode }}
{{- end }}`}}
labels:
app.kubernetes.io/name: {{ $appName }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
containers:
- name: {{ $appName }}
image: "{{ .Values.vvvv.image.repository }}:{{ .Values.vvvv.image.tag }}"
command: ["/bin/bash", "-c","while read line; do export $line; done < /vault/secrets/foo; /usr/local/tomcat/bin/catalina.sh run"]
volumeMounts:
- name: application-properties
mountPath: /usr/local/tomcat/lib/application.properties
subPath: application.properties
ports:
- name: http
containerPort: 8080
protocol: TCP
问题很简单,有道理吗?注入(inject)代理将带有纯文本密码的文件保存在/vault 路径中,因此每个人都可以看到这个 secret ...另一个问题,如何轮换应用程序的凭据?我应该在 spring 应用程序中使用特定的 Controller 吗?
最佳答案
我认为这绝对有道理,因为目的是避免在规范中硬编码凭据。
inject agent saves the file with PLAIN text password in the /vault path, so everybody can see this secret.
即使在裸机服务器或云实例中,凭据也以纯文本形式保存。对于 k8s,它位于容器内。在这两种情况下,您都可以控制谁可以访问您的实例或 k8s pod。只有授权人员才有权访问生产集群中的 pod。
how can I rotate credentials for application
vault 代理注入(inject)器在同一个 Pod 中运行 sidecar 容器和应用程序容器。其目的是定期查找保管库 secret 的任何变化。如果您执行 kubectl describe po <pod-name>
你会发现一个 sidecar 容器 vault-agent
正在运行。
kubectl get po app-example-deployment-7c4b45cf8-4fkr7
NAME READY STATUS RESTARTS AGE
app-example-deployment-7c4b45cf8-4fkr7 2/2 Running 0 166m
kubectl describe pod app-example-deployment-7c4b45cf8-4fkr7
:
...
vault-agent:
Container ID: docker://b6f9df32ed903d684c972401f41e15a8f6b1bec62aa111bfd9c693159af1ff09
Image: vault:1.7.0
Image ID: docker-pullable://vault@sha256:635cf1c3f9b10fe03aad375f94cc61f63d74a189662165285a8bf1c189ea04b8
Port: <none>
Host Port: <none>
Command:
/bin/sh
-ec
Args:
echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
State: Running
Started: Tue, 13 Apr 2021 15:40:10 +0100
Ready: True
Restart Count: 0
Limits:
cpu: 500m
memory: 128Mi
Requests:
cpu: 250m
memory: 64Mi
Environment:
VAULT_LOG_LEVEL: info
VAULT_LOG_FORMAT: standard
...
部署期间成功从保管库获取 secret 后:
kubectl exec -it app-example-deployment-7c4b45cf8-4fkr7 -c app -- cat /vault/secrets/db-creds
mongodb+srv://testUser:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="a1d5c4d2d5f1c0d2d2e1d5c4d2d58c94d9d9d9d98fcccecfc6cec5c38fcfc4d5" rel="noreferrer noopener nofollow">[email protected]</a>/testDb
如果我将 Vault 中的 kv secret 更改为密码设置为“testPass2”,我不需要执行任何操作,如 vault-agent
Sidecar 容器会自动为我更新。
kubectl exec -it app-example-deployment-7c4b45cf8-4fkr7 -c app -- cat /vault/secrets/db-creds
mongodb+srv://testUser:<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="5e2a3b2d2a0e3f2d2d6c1e2a3b2d2a736b262626267033313039313a3c70303b2a" rel="noreferrer noopener nofollow">[email protected]</a>/testDb
在 vault-agent
sidecar 容器日志,您会看到类似的内容。
kubectl logs app-example-deployment-7c4b45cf8-4fkr7 -c vault-agent --follow
2021-04-13T14:40:10.426Z [INFO] sink.file: creating file sink
2021-04-13T14:40:10.426Z [INFO] sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
==> Vault agent started! Log data will stream in below:
==> Vault agent configuration:
Cgo: disabled
Log Level: info
Version: Vault v1.7.0
Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f
2021-04-13T14:40:10.426Z [INFO] template.server: starting template server
[INFO] (runner) creating new runner (dry: false, once: false)
2021-04-13T14:40:10.427Z [INFO] auth.handler: starting auth handler
2021-04-13T14:40:10.427Z [INFO] auth.handler: authenticating
2021-04-13T14:40:10.427Z [INFO] sink.server: starting sink server
[INFO] (runner) creating watcher
2021-04-13T14:40:10.437Z [INFO] auth.handler: authentication successful, sending token to sinks
2021-04-13T14:40:10.437Z [INFO] auth.handler: starting renewal process
2021-04-13T14:40:10.437Z [INFO] template.server: template server received new token
[INFO] (runner) stopping
[INFO] (runner) creating new runner (dry: false, once: false)
[INFO] (runner) creating watcher
[INFO] (runner) starting
2021-04-13T14:40:10.437Z [INFO] sink.file: token written: path=/home/vault/.vault-token
2021-04-13T14:40:10.439Z [INFO] auth.handler: renewed auth token
[INFO] (runner) rendered "(dynamic)" => "/vault/secrets/db-creds"
2021-04-13T15:23:43.315Z [INFO] auth.handler: renewed auth token
[INFO] (runner) rendered "(dynamic)" => "/vault/secrets/db-creds"
2021-04-13T16:07:16.191Z [INFO] auth.handler: renewed auth token
关于kubernetes - Hashicorp Vault - 代理注入(inject)器 - 这有意义吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67029078/