kubernetes - Hashicorp Vault - agent injector - does it make sense?

Tags: kubernetes kubernetes-helm hashicorp-vault

I have a basic question about Hashicorp Vault. I want to inject some secrets (a database password) from Vault into a container running a Spring application.

I have prepared the specific annotations for using Vault in Kubernetes and everything works: saving the PASSWORD variable as an environment variable lets me use it in the application.properties file.

template:
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/role: "myapp-role"
      vault.hashicorp.com/agent-inject-secret-foo: "secret/creds"
      vault.hashicorp.com/agent-inject-template-foo: |
        {{`{{- with secret "secret/creds" -}}
        PASSWORD={{ .Data.passcode }}
        {{- end }}`}}
    labels:
      app.kubernetes.io/name: {{ $appName }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  spec:
    containers:
      - name: {{ $appName }}
        image: "{{ .Values.vvvv.image.repository }}:{{ .Values.vvvv.image.tag }}"
        command: ["/bin/bash", "-c","while read line; do export $line; done < /vault/secrets/foo; /usr/local/tomcat/bin/catalina.sh run"]
        volumeMounts:
          - name: application-properties
            mountPath: /usr/local/tomcat/lib/application.properties
            subPath: application.properties
        ports:
          - name: http
            containerPort: 8080
            protocol: TCP

The question is simple: does this make sense? The inject agent saves the file with the plain-text password in the /vault path, so everybody can see this secret ... Another question: how can I rotate credentials for the application? Should I use a specific Controller in the Spring application?

Best answer

I think it absolutely makes sense, because the purpose is to avoid hard-coding credentials in the spec.

inject agent saves the file with PLAIN text password in the /vault path, so everybody can see this secret.

Even on a bare-metal server or a cloud instance, credentials are saved in plain text. With k8s it is inside the container. In both cases you control who has access to your instance or your k8s pod. Only authorized people have access to the pods in the production cluster.

how can I rotate credentials for application

The Vault agent injector runs a sidecar container together with the application container in the same Pod. Its purpose is to look periodically for any change to the Vault secret. If you run kubectl describe po <pod-name> you will find a sidecar container vault-agent running.

kubectl get po app-example-deployment-7c4b45cf8-4fkr7
NAME                                     READY   STATUS    RESTARTS   AGE
app-example-deployment-7c4b45cf8-4fkr7   2/2     Running   0          166m

kubectl describe pod app-example-deployment-7c4b45cf8-4fkr7 :

...
vault-agent:
    Container ID:  docker://b6f9df32ed903d684c972401f41e15a8f6b1bec62aa111bfd9c693159af1ff09
    Image:         vault:1.7.0
    Image ID:      docker-pullable://vault@sha256:635cf1c3f9b10fe03aad375f94cc61f63d74a189662165285a8bf1c189ea04b8
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Running
      Started:      Tue, 13 Apr 2021 15:40:10 +0100
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:   info
      VAULT_LOG_FORMAT:  standard
...

After the secret has been fetched successfully from Vault during deployment:

kubectl exec -it app-example-deployment-7c4b45cf8-4fkr7 -c app -- cat /vault/secrets/db-creds
mongodb+srv://testUser:testPass@test-5xxxx.mongodb.net/testDb

If I change the kv secret in Vault so that the password is set to "testPass2", I don't need to do anything, as the vault-agent sidecar container updates it for me automatically.

kubectl exec -it app-example-deployment-7c4b45cf8-4fkr7 -c app -- cat /vault/secrets/db-creds
mongodb+srv://testUser:testPass2@test-5xxxx.mongodb.net/testDb

In the vault-agent sidecar container logs you will see something like this.

kubectl logs app-example-deployment-7c4b45cf8-4fkr7 -c vault-agent --follow
2021-04-13T14:40:10.426Z [INFO]  sink.file: creating file sink
2021-04-13T14:40:10.426Z [INFO]  sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.7.0
             Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f

2021-04-13T14:40:10.426Z [INFO]  template.server: starting template server
[INFO] (runner) creating new runner (dry: false, once: false)
2021-04-13T14:40:10.427Z [INFO]  auth.handler: starting auth handler
2021-04-13T14:40:10.427Z [INFO]  auth.handler: authenticating
2021-04-13T14:40:10.427Z [INFO]  sink.server: starting sink server
[INFO] (runner) creating watcher
2021-04-13T14:40:10.437Z [INFO]  auth.handler: authentication successful, sending token to sinks
2021-04-13T14:40:10.437Z [INFO]  auth.handler: starting renewal process
2021-04-13T14:40:10.437Z [INFO]  template.server: template server received new token
[INFO] (runner) stopping
[INFO] (runner) creating new runner (dry: false, once: false)
[INFO] (runner) creating watcher
[INFO] (runner) starting
2021-04-13T14:40:10.437Z [INFO]  sink.file: token written: path=/home/vault/.vault-token
2021-04-13T14:40:10.439Z [INFO]  auth.handler: renewed auth token
[INFO] (runner) rendered "(dynamic)" => "/vault/secrets/db-creds"
2021-04-13T15:23:43.315Z [INFO]  auth.handler: renewed auth token
[INFO] (runner) rendered "(dynamic)" => "/vault/secrets/db-creds"
2021-04-13T16:07:16.191Z [INFO]  auth.handler: renewed auth token
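The answer shows the sidecar re-rendering /vault/secrets/db-creds after the secret changed in Vault, but the application still has to notice that the file changed. The script below is an added example, not code from the answer or from Vault: it fingerprints the rendered file, reports when the fingerprint differs from the last one recorded, and runs a hook command when a rotation is detected, without ever printing the credential. The file paths, the state directory and the hook command are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the answer or from Vault): notice when the
# vault-agent sidecar has rendered new secret contents and react to it.

# secret_fingerprint FILE -> prints a SHA-256 digest of FILE's contents.
# Used only for change detection; the digest is kept in a private state file
# and is not logged, since a digest of a short secret can be guessed offline.
secret_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# secret_changed FILE STATE_FILE
# Returns 0 if FILE's fingerprint differs from the one recorded in STATE_FILE
# and records the new fingerprint; returns 1 when nothing changed.
# The first call always reports a change, which seeds the state.
secret_changed() {
    current=$(secret_fingerprint "$1") || return 1
    previous=$(cat "$2" 2>/dev/null || true)
    [ "$current" != "$previous" ] || return 1
    printf '%s\n' "$current" > "$2"
    return 0
}

# watch_secret FILE INTERVAL HOOK...
# Polls FILE every INTERVAL seconds and runs HOOK each time the sidecar has
# rendered new contents. Meant to run next to the app in the same container.
watch_secret() {
    file="$1"; interval="$2"; shift 2
    # STATE_DIR is an assumed location; it must be writable by the app user only.
    state="${STATE_DIR:-/tmp}/$(basename "$file").fingerprint"
    # Seed the state so an unchanged file does not fire the hook at start.
    secret_changed "$file" "$state" || true
    while sleep "$interval"; do
        if secret_changed "$file" "$state"; then
            # Log the event, never the value.
            echo "$(date -u +%FT%TZ) secret at $file was rotated, running hook"
            "$@"
        fi
    done
}

# Usage (hook path is hypothetical): run in the background next to the app and
# let the hook trigger whatever reload the application supports.
#   watch_secret /vault/secrets/db-creds 30 /opt/app/reload.sh &
```

The hook is where the application's own reload mechanism goes; what that is depends on the app, and for one that only reads its configuration at startup a graceful restart is the honest answer.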

About "kubernetes - Hashicorp Vault - agent injector - does it make sense?": we found a similar question on Stack Overflow: https://stackoverflow.com/questions/67029078/
