Using Microservice AppRole to Spring Cloud Config Server and Vault integration
How to connect a Microservice with AppRole [in vault] to Spring Cloud Config Server with Vault backend.
I can see examples using the root token like curl -X GET http://localhost:8888/my-service/default -H "X-Config-Token: s.TmqaRA2lASdNhJZqqZy7y8pX". But I could not find any example that uses AppRole to connect to the Spring Cloud Config service.
But I do not want to pass the root token from microservices to the Spring Cloud Config Server; instead, each service will have an app role defined, which should be able to connect to the Spring Cloud Config, which in turn connects to Vault and gets the data.
I had the same issue when using a Spring Cloud Config Server as a central configuration broker.
I found the following GitHub issue which provided a solution. In short, you have to add the spring-vault-core dependency to your dependencies in order to add a valid token resolver for the AppRole authentication:
Maven:
<dependency>
    <groupId>org.springframework.vault</groupId>
    <artifactId>spring-vault-core</artifactId>
</dependency>
Gradle:
implementation "org.springframework.vault:spring-vault-core"
This should fix the issue directly. Of course the following configuration has to be set then:
spring:
  cloud:
    config:
      server:
        vault:
          port: 443
          host: myvault.domain.com
          scheme: https
          backend: mybackend
          kv-version: 2 # required if secrets engine version is v2 (default: v1/1)
          timeout: 5 # seconds
          authentication: APPROLE
          app-role:
            secret-id: 1234567-234567-23456-12341
            role-id: 987654-3456-9865-1235
            role: my-role-name # optional
            app-role-path: approle # optional if non default (default: approle)
After adding the dependency, configuring and starting the service, the following log message appears:
2021-04-30 12:40:31.211 INFO 53327 --- [nio-8888-exec-2] o.s.v.a.LifecycleAwareSessionManager : Scheduling Token renewal
The X-Config-Token header is then not required anymore.
For more information regarding the Vault setup, visit:
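An added example, not part of the original answer: the same Vault section with the AppRole credentials resolved from environment variables through Spring property placeholders, so the role-id and secret-id are not stored in the configuration file. The variable names VAULT_ROLE_ID and VAULT_SECRET_ID are assumptions; host and backend are the placeholder values from the answer.

```yaml
# Added example (not from the original answer): same keys as the answer's
# configuration, with the AppRole credentials taken from the environment.
# VAULT_ROLE_ID and VAULT_SECRET_ID are assumed variable names.
spring:
  cloud:
    config:
      server:
        vault:
          host: myvault.domain.com
          port: 443
          scheme: https
          backend: mybackend
          kv-version: 2
          authentication: APPROLE
          app-role:
            # No default value after the variable name: if either variable
            # is unset, placeholder resolution fails instead of the server
            # running with an empty credential.
            role-id: ${VAULT_ROLE_ID}
            secret-id: ${VAULT_SECRET_ID}
            app-role-path: approle
```

Set both variables in the Config Server's process environment before starting it, and keep the file itself free of credential values so it can be committed.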