I am using Spring Vault to access Vault from a Spring Boot application running in Kubernetes.
Version
<dependency>
    <groupId>org.springframework.vault</groupId>
    <artifactId>spring-vault-core</artifactId>
    <version>2.1.3.RELEASE</version>
</dependency>
Configuration
vault:
  uri: https://xxx.xxx.com:8200
  authentication: KUBERNETES
  kubernetes:
    role: abc
    kubernetes-path: path/to/k8s
    service_account_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
Error
o.s.v.a.VaultLoginException: Cannot login using Kubernetes: invalid role name "abc";
When I try to log in with curl using the same role and token, it succeeds:
VAULT_LOGIN="{\"role\":\"$SA_ROLE\", \"jwt\":\"$SA_JWT_TOKEN\"}"
curl --request POST --data "$VAULT_LOGIN" https://xxx.xxx.com:8200/v1/auth/path/to/k8s/login
Answer 0: (score: 0)
This is a bug in Spring Vault. It does not support a custom authentication backend path. See the issue here: https://github.com/spring-projects/spring-vault/issues/462
As a workaround, we can fix this by overriding the kubeAuthentication method.
import org.springframework.context.annotation.Configuration;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.KubernetesAuthentication;
import org.springframework.vault.authentication.KubernetesAuthenticationOptions;
import org.springframework.vault.authentication.KubernetesJwtSupplier;
import org.springframework.vault.authentication.KubernetesServiceAccountTokenFile;
import org.springframework.vault.config.EnvironmentVaultConfiguration;

// kubeAuthentication() is the hook in EnvironmentVaultConfiguration that builds the
// Kubernetes ClientAuthentication; override it so the custom mount path is honoured.
// The class name is a placeholder; any @Configuration subclass works.
@Configuration
public class CustomPathVaultConfiguration extends EnvironmentVaultConfiguration {

    @Override
    protected ClientAuthentication kubeAuthentication() {
        String role = getEnvironment().getProperty("vault.kubernetes.role");
        Assert.hasText(role, "Vault Kubernetes authentication: role must not be empty");

        // Fall back to the default in-pod service account token location.
        String tokenFile = getEnvironment().getProperty("vault.kubernetes.service-account-token-file");
        if (!StringUtils.hasText(tokenFile)) {
            tokenFile = KubernetesServiceAccountTokenFile.DEFAULT_KUBERNETES_SERVICE_ACCOUNT_TOKEN_FILE;
        }
        KubernetesJwtSupplier jwtSupplier = new KubernetesServiceAccountTokenFile(tokenFile);

        // Mount path of the Kubernetes auth backend (the "path/to/k8s" in auth/path/to/k8s/login).
        // Vault's default mount is "kubernetes"; the builder rejects an empty path, so default it.
        String path = getEnvironment().getProperty("vault.kubernetes.kubernetes-path");
        if (!StringUtils.hasText(path)) {
            path = "kubernetes";
        }

        KubernetesAuthenticationOptions authenticationOptions = KubernetesAuthenticationOptions.builder()
                .role(role)
                .path(path)
                .jwtSupplier(jwtSupplier)
                .build();

        return new KubernetesAuthentication(authenticationOptions, restOperations());
    }
}