Vault Backend

Spring Cloud Config Server also supports Vault as a backend.

Vault is a tool for securely accessing secrets. A secret is anything to which you want to tightly control access, such as API keys, passwords, certificates, and other sensitive information. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

For more information on Vault, see the Vault quick start guide.

To enable the config server to use a Vault backend, you can run your config server with the vault profile. For example, in your config server's application.properties, you can add spring.profiles.active=vault.

By default, Spring Cloud Config Server uses token-based authentication to fetch config from Vault. Vault also supports additional authentication methods, such as AppRole, LDAP, JWT, CloudFoundry, and Kubernetes Auth. In order to use any authentication method other than TOKEN or the X-Config-Token header, you need to have Spring Vault Core on the classpath so that Config Server can delegate authentication to that library. Add the following dependency to your Config Server application.

Maven (pom.xml)

<dependencies>
	<dependency>
		<groupId>org.springframework.vault</groupId>
		<artifactId>spring-vault-core</artifactId>
	</dependency>
</dependencies>

Gradle (build.gradle)

dependencies {
    implementation "org.springframework.vault:spring-vault-core"
}

By default, the config server assumes that your Vault server runs at http://127.0.0.1:8200. It also assumes that the name of the backend is secret and the key is application. All of these defaults can be configured in your config server's application.properties. The following table describes the configurable Vault properties:

Name                 Default Value
host                 127.0.0.1
port                 8200
scheme               http
backend              secret
defaultKey           application
profileSeparator     ,
kvVersion            1
skipSslValidation    false
timeout              5
namespace            null

All of the properties in the preceding table must be prefixed with spring.cloud.config.server.vault or placed in the correct Vault section of a composite configuration.

All configurable properties can be found in org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

Vault 0.10.0 introduced a versioned key-value backend (k/v backend version 2) that exposes a different API than earlier versions: it now requires a data/ segment between the mount path and the actual context path, and it wraps secrets in a data object. Setting spring.cloud.config.server.vault.kv-version=2 takes this into account.

Optionally, there is support for the Vault Enterprise X-Vault-Namespace header. To have it sent to Vault, set the namespace property.
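The following is an added example, not code from Spring Cloud Config. It models what the property table, the prefix rule, the kv-version paragraph and the namespace paragraph above describe: parse the vault-prefixed settings out of an application.properties text, fill in the table's defaults, build the Vault read URL (with the extra data/ segment for k/v version 2), assemble the request headers, and unwrap the response (k/v version 2 nests the secret under a second data object). The properties text, the host name vault.internal.example, the namespace team-a and the token value are all constructed for the example; the only Vault-side facts it relies on are that Vault's HTTP API lives under /v1/ and takes its token in the X-Vault-Token header.

```python
"""Resolve a Config Server's Vault settings and build the Vault read request.

Added example, not Spring Cloud Config code. Property defaults are the ones
from the table above; everything else here is constructed for illustration.
"""
import re

PREFIX = "spring.cloud.config.server.vault."

# Defaults exactly as listed in the property table above.
DEFAULTS = {
    "host": "127.0.0.1",
    "port": "8200",
    "scheme": "http",
    "backend": "secret",
    "defaultKey": "application",
    "profileSeparator": ",",
    "kvVersion": "1",
    "skipSslValidation": "false",
    "timeout": "5",
    "namespace": None,
}

# Constructed application.properties for a Config Server (not from the page).
SAMPLE_PROPERTIES = """
spring.profiles.active=vault
spring.cloud.config.server.vault.host=vault.internal.example
spring.cloud.config.server.vault.scheme=https
spring.cloud.config.server.vault.kv-version=2
spring.cloud.config.server.vault.namespace=team-a
"""


def _camel(key):
    """kv-version -> kvVersion; Spring's relaxed binding accepts either spelling."""
    return re.sub(r"-([a-z])", lambda m: m.group(1).upper(), key)


def load_vault_settings(properties_text):
    """Parse key=value lines, keep only the vault-prefixed ones, fill in defaults."""
    settings = dict(DEFAULTS)
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith(PREFIX):
            settings[_camel(key[len(PREFIX):])] = value.strip()
    return settings


def vault_read_url(settings, application, profile=None):
    """URL for one application/profile context.

    k/v version 2 needs a data/ segment between the mount (backend) and the
    context path; version 1 reads the context path directly under the mount.
    """
    context = application
    if profile:
        context = f"{application}{settings['profileSeparator']}{profile}"
    backend = settings["backend"]
    if settings["kvVersion"] == "2":
        path = f"{backend}/data/{context}"
    else:
        path = f"{backend}/{context}"
    return f"{settings['scheme']}://{settings['host']}:{settings['port']}/v1/{path}"


def request_headers(settings, vault_token):
    """Headers sent to Vault: the token in Vault's own X-Vault-Token header and,
    only when the namespace property is set, X-Vault-Namespace."""
    headers = {"X-Vault-Token": vault_token}
    if settings["namespace"]:
        headers["X-Vault-Namespace"] = settings["namespace"]
    return headers


def unwrap_secret(settings, response_json):
    """Return the secret's key/value pairs; k/v v2 wraps them in a second data object."""
    data = response_json["data"]
    return data["data"] if settings["kvVersion"] == "2" else data


def tls_verification_enabled(settings):
    """skipSslValidation=true turns off certificate checks; worth asserting in review."""
    return settings["skipSslValidation"].lower() != "true"


if __name__ == "__main__":
    s = load_vault_settings(SAMPLE_PROPERTIES)
    print(vault_read_url(s, "myapp", "dev"))
    print(request_headers(s, "yourtoken"))
    print("TLS verification:", tls_verification_enabled(s))
```

With the constructed properties the read URL for myapp with the dev profile becomes https://vault.internal.example:8200/v1/secret/data/myapp,dev; with no vault properties at all it falls back to http://127.0.0.1:8200/v1/secret/myapp, which is the table's defaults and the plain kv version 1 layout.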

With your config server running, you can make HTTP requests to the server to retrieve values from the Vault backend. To do so, you need a token for your Vault server.

First, place some data in your Vault, as shown in the following example:

$ vault kv put secret/application foo=bar baz=bam
$ vault kv put secret/myapp foo=myappsbar

Second, make an HTTP request to your config server to retrieve the values, as shown in the following example:

$ curl -X "GET" "http://localhost:8888/myapp/default" -H "X-Config-Token: yourtoken"

You should see a response similar to the following:

{
   "name":"myapp",
   "profiles":[
      "default"
   ],
   "label":null,
   "version":null,
   "state":null,
   "propertySources":[
      {
         "name":"vault:myapp",
         "source":{
            "foo":"myappsbar"
         }
      },
      {
         "name":"vault:application",
         "source":{
            "baz":"bam",
            "foo":"bar"
         }
      }
   ]
}

The default way for a client to provide the authentication that lets Config Server talk to Vault is to set the X-Config-Token header. However, you can instead omit the header and configure the authentication in the server by setting the same configuration properties as Spring Cloud Vault. The property to set is spring.cloud.config.server.vault.authentication. It should be set to one of the supported authentication methods. You may also need to set other properties specific to the authentication method you use, using the same property names as documented for spring.cloud.vault but with the spring.cloud.config.server.vault prefix instead. See the Spring Cloud Vault Reference Guide for more detail.

If you omit the X-Config-Token header and use a server property to set the authentication, the Config Server application needs an additional dependency on Spring Vault to enable the additional authentication options. See the Spring Vault Reference Guide for how to add that dependency.

Multiple Properties Sources

When using Vault, you can provide your applications with multiple property sources. For example, assume you have written data to the following paths in Vault:

secret/myApp,dev
secret/myApp
secret/application,dev
secret/application

Properties written to secret/application are available to all applications using the Config Server. An application named myApp would have any properties written to secret/myApp and secret/application available to it. When myApp has the dev profile enabled, properties written to all of the above paths are available to it, with properties in the first path in the list taking priority over the others.
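The following is an added example, not Config Server code. It reproduces the precedence described in this section: the four context paths for myApp with the dev profile in the order listed above, and the "first path wins" merge applied to a propertySources list, using a constructed copy of the JSON response shown earlier (where vault:myapp overrides foo from vault:application). Returning the winning source name alongside each value goes slightly beyond the page; it is the check an operator wants when a secret does not have the expected value. The ordering for more than one active profile (later profile first) is my generalisation of the single-profile list on the page.

```python
"""Vault context order and merge of Config Server property sources.

Added example, not Spring Cloud Config code. Sample data is a constructed
copy of the response shown earlier on this page.
"""


def vault_contexts(application, profiles, default_key="application", separator=","):
    """Context paths (without the mount) from highest to lowest precedence.

    For a single profile this is exactly the list above:
    myApp,dev ; myApp ; application,dev ; application.
    With several active profiles the later one is placed first (assumption,
    generalising the page's single-profile example).
    """
    keys = [application] if application == default_key else [application, default_key]
    contexts = []
    for key in keys:
        for profile in reversed(profiles):
            contexts.append(f"{key}{separator}{profile}")
        contexts.append(key)
    return contexts


def effective_properties(property_sources):
    """Flatten propertySources; the first source that defines a key wins.

    Returns {key: (value, source_name)} so the Vault path that supplied each
    value can be seen, which is what you need when a value is not the one
    you expected.
    """
    effective = {}
    for source in property_sources:
        for key, value in source["source"].items():
            if key not in effective:
                effective[key] = (value, source["name"])
    return effective


# Constructed copy of the response shown above for GET /myapp/default.
SAMPLE_RESPONSE = {
    "name": "myapp",
    "profiles": ["default"],
    "propertySources": [
        {"name": "vault:myapp", "source": {"foo": "myappsbar"}},
        {"name": "vault:application", "source": {"baz": "bam", "foo": "bar"}},
    ],
}


if __name__ == "__main__":
    print(vault_contexts("myApp", ["dev"]))
    merged = effective_properties(SAMPLE_RESPONSE["propertySources"])
    for key, (value, origin) in merged.items():
        print(f"{key}={value}  (from {origin})")
```

Run as a script it lists the four contexts for myApp/dev and shows foo resolving to myappsbar from vault:myapp while baz comes from vault:application, matching the response above.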