Secrets PropertySource
Kubernetes has the notion of Secrets for storing sensitive data such as passwords, OAuth tokens, and so on. This project provides integration with Secrets to make secrets accessible by Spring Boot applications. You can explicitly enable or disable this feature by setting the spring.cloud.kubernetes.secrets.enabled property.
When enabled, the Fabric8SecretsPropertySource looks up Kubernetes for Secrets from the following sources:

1. Reading recursively from secrets mounts
2. Named after the application (as defined by spring.application.name)
3. Matching some labels
Note:

By default, consuming Secrets through the API (points 2 and 3 above) is not enabled for security reasons. The permission 'list' on secrets allows clients to inspect secret values in the specified namespace. Further, we recommend that containers share secrets through mounted volumes.

If you enable consuming Secrets through the API, we recommend that you limit access to Secrets by using an authorization policy, such as RBAC. For more information about risks and best practices when consuming Secrets through the API, refer to this doc.
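As an added example of the authorization policy recommended above (this is not part of the Spring Cloud Kubernetes documentation or project), the following Role and RoleBinding give an application read access to the single Secret db-secret from this page and nothing else. The namespace "default" and the ServiceAccount name "demo-sa" are assumptions.

```yaml
# Added example, not from the project docs: least-privilege RBAC for an
# application that reads the Secret "db-secret" through the API.
# Assumptions: namespace "default", hypothetical ServiceAccount "demo-sa".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: demo-secret-reader
  namespace: default
rules:
  # "get" restricted to one resourceName is all a lookup by name
  # (spring.cloud.kubernetes.secrets.name=db-secret) needs.
  # "list" is deliberately absent: it cannot be narrowed with resourceNames,
  # so granting it would let the client read every Secret in the namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-secret"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: demo-secret-reader
  namespace: default
subjects:
  - kind: ServiceAccount
    name: demo-sa          # hypothetical service account the Pod runs as
    namespace: default
roleRef:
  kind: Role
  name: demo-secret-reader
  apiGroup: rbac.authorization.k8s.io
```

You can confirm the effect before deploying with `kubectl auth can-i get secret/db-secret -n default --as=system:serviceaccount:default:demo-sa` (expected: yes) and `kubectl auth can-i list secrets -n default --as=system:serviceaccount:default:demo-sa` (expected: no). Because label-based lookup (point 3 above) relies on listing, it does not work with this Role; that is the trade-off the note describes.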
If the secrets are found, their data is made available to the application.

Assume that we have a Spring Boot application named demo that uses properties to read its database configuration. We can create a Kubernetes secret by using the following command:

[source,bash]
----
kubectl create secret generic db-secret --from-literal=username=user --from-literal=password=p455w0rd
----
The preceding command would create the following secret (which you can see by using kubectl get secrets db-secret -o yaml):

[source,yaml]
----
apiVersion: v1
data:
  password: cDQ1NXcwcmQ=
  username: dXNlcg==
kind: Secret
metadata:
  creationTimestamp: 2017-07-04T09:15:57Z
  name: db-secret
  namespace: default
  resourceVersion: "357496"
  selfLink: /api/v1/namespaces/default/secrets/db-secret
  uid: 63c89263-6099-11e7-b3da-76d6186905a8
type: Opaque
----
Note that the data contains Base64-encoded versions of the literals provided by the create command.

Your application can then use this secret, for example, by exporting the secret's values as environment variables:
[source,yaml]
----
apiVersion: apps/v1   # Deployment belongs to the apps/v1 API group
kind: Deployment
metadata:
  name: ${project.artifactId}
spec:
  template:
    spec:
      containers:
        - env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: password
----
You can select the Secrets to consume in a number of ways:

1. By listing the directories where secrets are mapped:

[source,bash]
----
-Dspring.cloud.kubernetes.secrets.paths=/etc/secrets/db-secret,/etc/secrets/postgresql
----

If you have all the secrets mapped to a common root, you can set them like:

[source,bash]
----
-Dspring.cloud.kubernetes.secrets.paths=/etc/secrets
----

2. By setting a named secret:

[source,bash]
----
-Dspring.cloud.kubernetes.secrets.name=db-secret
----

3. By defining a list of labels:

[source,bash]
----
-Dspring.cloud.kubernetes.secrets.labels.broker=activemq -Dspring.cloud.kubernetes.secrets.labels.db=postgresql
----
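The following is an added example (not taken from the project) of the mount-based option, which the note earlier on this page prefers over API access: the same db-secret is delivered as a read-only volume and the application is pointed at it through spring.cloud.kubernetes.secrets.paths. The Deployment name "demo", the container image, the mount path /etc/secrets/db-secret and the fsGroup value are assumptions; the property is passed as the environment variable SPRING_CLOUD_KUBERNETES_SECRETS_PATHS, which Spring Boot's relaxed binding maps to the same property as the -D flag above.

```yaml
# Added example, not from the project docs: db-secret mounted as files instead
# of exported as environment variables. Image, mount path and fsGroup are
# assumed values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      # fsGroup makes the mounted files group-readable by the container
      # process, so defaultMode below can stay tighter than the 0644 default.
      securityContext:
        fsGroup: 1000
      containers:
        - name: demo
          image: example.org/demo:1.0.0   # hypothetical image
          env:
            # Relaxed binding: equals -Dspring.cloud.kubernetes.secrets.paths=...
            # The directory is read recursively, so the files "username" and
            # "password" become the properties username and password.
            - name: SPRING_CLOUD_KUBERNETES_SECRETS_PATHS
              value: /etc/secrets/db-secret
          volumeMounts:
            - name: db-secret
              mountPath: /etc/secrets/db-secret
              readOnly: true
      volumes:
        - name: db-secret
          secret:
            secretName: db-secret
            defaultMode: 0440   # owner/group read only, no world-readable files
```

With this layout the Pod needs no RBAC permission on Secrets at all: the kubelet projects the Secret into the volume, and the application only reads local files, which is why the note recommends mounted volumes over the API.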
As is the case with ConfigMap, more advanced configuration is also possible, where you can use multiple Secret instances. The spring.cloud.kubernetes.secrets.sources list makes this possible. For example, you could define the following Secret instances:

[source,yaml]
----
spring:
  application:
    name: cloud-k8s-app
  cloud:
    kubernetes:
      secrets:
        name: default-name
        namespace: default-namespace
        sources:
          # Spring Cloud Kubernetes looks up a Secret named s1 in namespace default-namespace
          - name: s1
          # Spring Cloud Kubernetes looks up a Secret named default-name in namespace n2
          - namespace: n2
          # Spring Cloud Kubernetes looks up a Secret named s3 in namespace n3
          - namespace: n3
            name: s3
----
In the preceding example, if spring.cloud.kubernetes.secrets.namespace had not been set, the Secret named s1 would be looked up in the namespace in which the application runs. See namespace-resolution to get a better understanding of how the namespace of the application is resolved.
Similar to the ConfigMaps, if you want your application to fail to start when it is unable to load Secrets property sources, you can set spring.cloud.kubernetes.secrets.fail-fast=true.
It is also possible to enable retry for Secret property sources, like the ConfigMaps. As with the ConfigMap property sources, first you need to set spring.cloud.kubernetes.secrets.fail-fast=true. Then you need to add spring-retry and spring-boot-starter-aop to your classpath. Retry behavior of the Secret property sources can be configured by setting the spring.cloud.kubernetes.secrets.retry.* properties.
If you already have
Since data coming from Secrets is usually treated as sensitive, the actuator endpoints /env and /configprops can be made to sanitize that data so that it is not displayed in plain text. In order to do that, you need to set:

[source,properties]
----
spring.cloud.kubernetes.sanitize.secrets=true
----
This setting is supported since 3.0.6 and upwards.
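The following application.yml is an added example (not from the project) that puts the fail-fast, retry and sanitize settings described in the preceding paragraphs together for the demo application from this page. The interval, multiplier and attempt values are choices made for this example, not the project's defaults; it assumes spring-retry and spring-boot-starter-aop are on the classpath and that the file is loaded the way the project expects for its property sources.

```yaml
# Added example, not from the project docs. Values under retry are illustrative.
spring:
  application:
    name: demo
  cloud:
    kubernetes:
      secrets:
        enabled: true
        # Read the mounted files; API-based lookup stays at its default (off),
        # so no Secret permissions are needed by the Pod's service account.
        paths: /etc/secrets/db-secret
        # Refuse to start without the database credentials instead of
        # running with empty ones.
        fail-fast: true
        # Only effective together with fail-fast and with spring-retry plus
        # spring-boot-starter-aop on the classpath.
        retry:
          enabled: true
          initial-interval: 1000   # ms before the first retry (example value)
          multiplier: 1.5          # backoff factor between attempts (example value)
          max-interval: 5000       # ms cap on the backoff interval (example value)
          max-attempts: 5          # give up after this many tries (example value)
      sanitize:
        # Mask values that came from Secrets in /actuator/env and
        # /actuator/configprops (supported since 3.0.6).
        secrets: true
```

On Spring Boot 3 the env and configprops endpoints hide all values unless management.endpoint.env.show-values (and the configprops equivalent) is set to ALWAYS or WHEN_AUTHORIZED; the sanitize setting above is what keeps the Secret-derived entries masked once values are shown.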
| Name | Type | Default | Description |
|---|---|---|---|
| | | | Enable Secrets |
| | | | Sets the name of the secret to look up |
| | | Client namespace | Sets the Kubernetes namespace where to look up |
| | | | Sets the labels used to lookup secrets |
| | | | Sets the paths where secrets are mounted (example 1) |
| | | | Enables or disables consuming secrets through APIs (examples 2 and 3) |
| | | | Enable or disable failing the application start-up when an error occurred while loading a |
| | | | Enable or disable secrets retry. |
| | | | Initial retry interval in milliseconds. |
| | | | Maximum number of attempts. |
| | | | Maximum interval for backoff. |
| | | | Multiplier for next interval. |
Notes:

- The spring.cloud.kubernetes.secrets.labels property behaves as defined by Map-based binding.
- The spring.cloud.kubernetes.secrets.paths property behaves as defined by Collection-based binding.
- Access to secrets through the API may be restricted for security reasons. The preferred way is to mount secrets to the Pod.
You can find an example of an application that uses secrets (though it has not been updated to use the new spring-cloud-kubernetes project) at spring-boot-camel-config.