Hashicorp Vault - Agent Injector - does it make sense?
I have a basic question about Hashicorp Vault. I want to inject some secrets (a database password) from Vault into a container running a Spring application.
I have prepared the specific annotations for using Vault with Kubernetes, and everything works: saving the PASSWORD variable as an environment variable lets me use it in the application.properties file.
template:
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/role: "myapp-role"
      vault.hashicorp.com/agent-inject-secret-foo: "secret/creds"
      vault.hashicorp.com/agent-inject-template-foo: |
        {{`{{- with secret "secret/creds" -}}
        PASSWORD={{ .Data.passcode }}
        {{- end }}`}}
    labels:
      app.kubernetes.io/name: {{ $appName }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  spec:
    containers:
      - name: {{ $appName }}
        image: "{{ .Values.vvvv.image.repository }}:{{ .Values.vvvv.image.tag }}"
        command: ["/bin/bash", "-c", "while read line; do export $line; done < /vault/secrets/foo; /usr/local/tomcat/bin/catalina.sh run"]
        volumeMounts:
          - name: application-properties
            mountPath: /usr/local/tomcat/lib/application.properties
            subPath: application.properties
        ports:
          - name: http
            containerPort: 8080
            protocol: TCP
The question is simple: does it make sense? The inject agent saves the file with a PLAIN text password in the /vault path, so everybody can see this secret... Another question: how can I rotate credentials for the application? Should I use a specific controller in the Spring application?
I think it absolutely makes sense, because the purpose is to avoid hard-coding credentials in the spec.
inject agent saves the file with PLAIN text password in the /vault path, so everybody can see this secret.
Even on a bare-metal server or a cloud instance, credentials are stored in plain text. With k8s, it lives inside the container. In both cases you control who can access your instances or k8s pods. Only authorized personnel should have access to pods in a production cluster.
how can I rotate credentials for application
The Vault Agent Injector runs a sidecar container next to your application container in the same pod. Its purpose is to periodically look for any changes in the Vault secret. If you run kubectl describe po <pod-name> you will find a sidecar container vault-agent running.
kubectl get po app-example-deployment-7c4b45cf8-4fkr7
NAME                                     READY   STATUS    RESTARTS   AGE
app-example-deployment-7c4b45cf8-4fkr7   2/2     Running   0          166m
kubectl describe pod app-example-deployment-7c4b45cf8-4fkr7
...
  vault-agent:
    Container ID:  docker://b6f9df32ed903d684c972401f41e15a8f6b1bec62aa111bfd9c693159af1ff09
    Image:         vault:1.7.0
    Image ID:      docker-pullable://vault@sha256:635cf1c3f9b10fe03aad375f94cc61f63d74a189662165285a8bf1c189ea04b8
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Running
      Started:      Tue, 13 Apr 2021 15:40:10 +0100
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:   info
      VAULT_LOG_FORMAT:  standard
...
After the secret has been fetched successfully from Vault during deployment:
kubectl exec -it app-example-deployment-7c4b45cf8-4fkr7 -c app -- cat /vault/secrets/db-creds
mongodb+srv://testUser:testPass@test-5xxxx.mongodb.net/testDb
If I change the kv secret in Vault with the password set to "testPass2", I don't need to do anything, because the vault-agent sidecar container updates it for me automatically.
kubectl exec -it app-example-deployment-7c4b45cf8-4fkr7 -c app -- cat /vault/secrets/db-creds
mongodb+srv://testUser:testPass2@test-5xxxx.mongodb.net/testDb
In the vault-agent sidecar container logs you will see something like this.
kubectl logs app-example-deployment-7c4b45cf8-4fkr7 -c vault-agent --follow
2021-04-13T14:40:10.426Z [INFO] sink.file: creating file sink
2021-04-13T14:40:10.426Z [INFO] sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
==> Vault agent started! Log data will stream in below:
==> Vault agent configuration:
Cgo: disabled
Log Level: info
Version: Vault v1.7.0
Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f
2021-04-13T14:40:10.426Z [INFO] template.server: starting template server
[INFO] (runner) creating new runner (dry: false, once: false)
2021-04-13T14:40:10.427Z [INFO] auth.handler: starting auth handler
2021-04-13T14:40:10.427Z [INFO] auth.handler: authenticating
2021-04-13T14:40:10.427Z [INFO] sink.server: starting sink server
[INFO] (runner) creating watcher
2021-04-13T14:40:10.437Z [INFO] auth.handler: authentication successful, sending token to sinks
2021-04-13T14:40:10.437Z [INFO] auth.handler: starting renewal process
2021-04-13T14:40:10.437Z [INFO] template.server: template server received new token
[INFO] (runner) stopping
[INFO] (runner) creating new runner (dry: false, once: false)
[INFO] (runner) creating watcher
[INFO] (runner) starting
2021-04-13T14:40:10.437Z [INFO] sink.file: token written: path=/home/vault/.vault-token
2021-04-13T14:40:10.439Z [INFO] auth.handler: renewed auth token
[INFO] (runner) rendered "(dynamic)" => "/vault/secrets/db-creds"
2021-04-13T15:23:43.315Z [INFO] auth.handler: renewed auth token
[INFO] (runner) rendered "(dynamic)" => "/vault/secrets/db-creds"
2021-04-13T16:07:16.191Z [INFO] auth.handler: renewed auth token
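The answer shows the sidecar re-rendering /vault/secrets/db-creds after the kv secret changes, but the asker's entrypoint exports the variables once at container start, so a rotated value is only picked up if the application re-reads the rendered file. The following is an added example, not code from the question, the answer or HashiCorp: a small watcher that parses the KEY=VALUE layout produced by the asker's agent-inject template, re-reads the file when its content changes (content digest rather than mtime, since the agent may rewrite the file with identical content on token renewal), hands the new credentials to a callback where the application would reconfigure its datasource, and reports whether the rendered file is readable beyond its owner. The simulate_rotation helper stands in for the sidecar by writing a temporary file; the 0o600 mode it uses is an assumption about what you would want, not something the page shows for the rendered file. It is written in Python because the Spring application's code is not on the page; the same pattern applies in the application's own language.

```python
"""Re-read a Vault-Agent-rendered secret file when the sidecar rewrites it.

Added example; it assumes the KEY=VALUE layout of the asker's template
(e.g. PASSWORD=...) and a path such as /vault/secrets/foo. All sample
content below is constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
import time
from typing import Callable, Dict, List, Optional


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines as rendered by the template; skip blanks/comments.

    Only the first '=' splits, so values may themselves contain '='.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line in secret file: {line!r}")
        key, value = line.split("=", 1)
        result[key.strip()] = value.strip()
    return result


def fingerprint(data: bytes) -> str:
    """Digest of the rendered file; compared instead of mtime because the
    agent may rewrite the file with identical content on token renewal."""
    return hashlib.sha256(data).hexdigest()


def is_group_or_world_readable(path: str) -> bool:
    """True when someone other than the file owner can read the secret file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


class SecretFileWatcher:
    """Poll a rendered secret file and call on_change with the new mapping."""

    def __init__(self, path: str, on_change: Callable[[Dict[str, str]], None]):
        self.path = path
        self.on_change = on_change
        self.last_digest: Optional[str] = None
        self.current: Dict[str, str] = {}

    def check_once(self) -> bool:
        """Re-read the file; return True if the credentials changed."""
        with open(self.path, "rb") as fh:
            data = fh.read()
        digest = fingerprint(data)
        if digest == self.last_digest:
            return False
        self.last_digest = digest
        self.current = parse_env_file(data.decode("utf-8"))
        self.on_change(self.current)  # e.g. rebuild the datasource here
        return True

    def run(self, interval_seconds: float = 5.0) -> None:
        """Blocking poll loop for use in a background thread of the app."""
        while True:
            self.check_once()
            time.sleep(interval_seconds)


def simulate_rotation() -> Dict[str, object]:
    """Stand-alone demo: mimic the sidecar rewriting the file (constructed
    values, temporary path instead of /vault/secrets) and record what the
    watcher observed."""
    seen: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "foo")

        def render(content: str) -> None:
            # Assumed write discipline: owner-only mode, then atomic replace.
            fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(content)
            os.replace(path + ".tmp", path)

        watcher = SecretFileWatcher(path, lambda creds: seen.append(creds["PASSWORD"]))
        render("PASSWORD=testPass\n")
        first = watcher.check_once()          # initial load
        render("PASSWORD=testPass\n")
        second = watcher.check_once()         # same content re-rendered: no change
        render("PASSWORD=testPass2\n")
        third = watcher.check_once()          # kv secret rotated: change seen
        exposed = is_group_or_world_readable(path)
    return {"changes": [first, second, third], "passwords": seen, "exposed": exposed}


if __name__ == "__main__":
    print(simulate_rotation())
```

In a deployment, run SecretFileWatcher.run on a background thread pointed at the rendered path, and do the credential swap (closing and re-opening the database pool) inside the callback; the callback is also the place to log a rotation event for your audit trail, without logging the value itself.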