spring-cloud-static/spring-cloud-kubernetes/1.0.0.M2/multi/multi__secrets_propertysource.html
2018-12-03 12:41:26 +01:00


<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>3.&nbsp;Secrets PropertySource</title><link rel="stylesheet" type="text/css" href="css/manual-multipage.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="multi_spring-cloud-kubernetes.html" title="Spring Cloud Kubernetes"><link rel="up" href="multi__kubernetes_propertysource_implementations.html" title="Part&nbsp;II.&nbsp;Kubernetes PropertySource implementations"><link rel="prev" href="multi__configmap_propertysource.html" title="2.&nbsp;ConfigMap PropertySource"><link rel="next" href="multi__propertysource_reload.html" title="4.&nbsp;PropertySource Reload"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">3.&nbsp;Secrets PropertySource</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="multi__configmap_propertysource.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;II.&nbsp;Kubernetes PropertySource implementations</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="multi__propertysource_reload.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a name="_secrets_propertysource" href="#_secrets_propertysource"></a>3.&nbsp;Secrets PropertySource</h2></div></div></div><p>Kubernetes has the notion of <a class="link" href="https://kubernetes.io/docs/concepts/configuration/secret/" target="_top">Secrets</a> for storing
sensitive data such as passwords, OAuth tokens, etc. This project provides integration with <code class="literal">Secrets</code> to make secrets
accessible by Spring Boot applications. This feature can be explicitly enabled/disabled using the <code class="literal">spring.cloud.kubernetes.secrets.enabled</code> property.</p><p>The <code class="literal">SecretsPropertySource</code>, when enabled, looks up Kubernetes <code class="literal">Secrets</code> from the following sources:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">reading recursively from secrets mounts</li><li class="listitem">named after the application (as defined by <code class="literal">spring.application.name</code>)</li><li class="listitem">matching some labels</li></ol></div><p>Please note that by default, consuming Secrets via API (points 2 and 3 above) <span class="strong"><strong>is not enabled</strong></span> for security reasons
and it is recommended that containers share secrets via mounted volumes.</p><p>If the secrets are found, their data is made available to the application.</p><p><span class="strong"><strong>Example:</strong></span></p><p>Let&#8217;s assume that we have a Spring Boot application named <code class="literal">demo</code> that uses properties to read its database
configuration. We can create a Kubernetes secret using the following command:</p><pre class="screen">oc create secret generic db-secret --from-literal=username=user --from-literal=password=p455w0rd</pre><p>This would create the following secret (shown using <code class="literal">oc get secrets db-secret -o yaml</code>):</p><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">apiVersion</span>: v1
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">data</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> password</span>: cDQ1NXcwcmQ=
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> username</span>: dXNlcg==
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">kind</span>: Secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">metadata</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> creationTimestamp</span>: <span class="hl-number">2017</span>-<span class="hl-number">07</span>-<span class="hl-number">04</span>T09:<span class="hl-number">15</span>:<span class="hl-number">57</span>Z
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> name</span>: db-secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> namespace</span>: default
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> resourceVersion</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-string">"357496"</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> selfLink</span>: /api/v1/namespaces/default/secrets/db-secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> uid</span>: <span class="hl-number">63</span>c89263-<span class="hl-number">6099</span>-<span class="hl-number">11e7</span>-b3da-<span class="hl-number">76d</span>6186905a8
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">type</span>: Opaque</pre><p>Note that the data contains Base64-encoded versions of the literals provided by the create command.</p><p>This secret can then be used by your application, for example by exporting the secret&#8217;s values as environment variables:</p><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">apiVersion</span>: v1
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">kind</span>: Deployment
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">metadata</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  name</span>: ${project.artifactId<span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">}</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spec</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  template</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    spec</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">      containers</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        - env</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">            - name</span>: DB_USERNAME
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">              valueFrom</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">                secretKeyRef</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">                  name</span>: db-secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">                  key</span>: username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">            - name</span>: DB_PASSWORD
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">              valueFrom</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">                secretKeyRef</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">                  name</span>: db-secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">                  key</span>: password</pre><p>You can select the Secrets to consume in a number of ways:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p class="simpara">By listing the directories where secrets are mapped:</p><pre class="screen">-Dspring.cloud.kubernetes.secrets.paths=/etc/secrets/db-secret,/etc/secrets/postgresql</pre><p class="simpara">If you have all the secrets mapped to a common root, you can set them like:</p><pre class="screen">-Dspring.cloud.kubernetes.secrets.paths=/etc/secrets</pre></li><li class="listitem"><p class="simpara">By setting a named secret:</p><pre class="screen">-Dspring.cloud.kubernetes.secrets.name=db-secret</pre></li><li class="listitem"><p class="simpara">By defining a list of labels:</p><pre class="screen">-Dspring.cloud.kubernetes.secrets.labels.broker=activemq
-Dspring.cloud.kubernetes.secrets.labels.db=postgresql</pre></li></ol></div><div class="table"><a name="d0e423" href="#d0e423"></a><p class="title"><b>Table&nbsp;3.1.&nbsp;Properties:</b></p><div class="table-contents"><table class="table" summary="Properties:" style="border-collapse: collapse;border-top: 1px solid ; border-bottom: 1px solid ; border-left: 1px solid ; border-right: 1px solid ; "><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"></colgroup><thead><tr><th style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top">Name</th><th style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top">Type</th><th style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top">Default</th><th style="border-bottom: 1px solid ; " align="left" valign="top">Description</th></tr></thead><tfoot><tr><th style="border-right: 1px solid ; " align="left" valign="top"><p>spring.cloud.kubernetes.secrets.enableApi</p></th><th style="border-right: 1px solid ; " align="left" valign="top"><p>Boolean</p></th><th style="border-right: 1px solid ; " align="left" valign="top"><p>false</p></th><th style="" align="left" valign="top"><p>Enable/Disable consuming secrets via APIs (examples 2 and 3)</p></th></tr></tfoot><tbody><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>spring.cloud.kubernetes.secrets.enabled</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Boolean</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>true</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Enable Secrets PropertySource</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>spring.cloud.kubernetes.secrets.name</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" 
valign="top"><p>String</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>${spring.application.name}</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Sets the name of the secret to lookup</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>spring.cloud.kubernetes.secrets.namespace</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>String</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Client namespace</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Sets the Kubernetes namespace where to lookup</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>spring.cloud.kubernetes.secrets.labels</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Map</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>null</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Sets the labels used to lookup secrets</p></td></tr><tr><td style="border-right: 1px solid ; " align="left" valign="top"><p>spring.cloud.kubernetes.secrets.paths</p></td><td style="border-right: 1px solid ; " align="left" valign="top"><p>List</p></td><td style="border-right: 1px solid ; " align="left" valign="top"><p>null</p></td><td style="" align="left" valign="top"><p>Sets the paths where secrets are mounted (example 1)</p></td></tr></tbody></table></div></div><br class="table-break"><p><span class="strong"><strong>Notes:</strong></span>
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">The property <code class="literal">spring.cloud.kubernetes.secrets.labels</code> behaves as defined by
<a class="link" href="https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Configuration-Binding#map-based-binding" target="_top">Map-based binding</a>.</li><li class="listitem">The property <code class="literal">spring.cloud.kubernetes.secrets.paths</code> behaves as defined by
<a class="link" href="https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Configuration-Binding#collection-based-binding" target="_top">Collection-based binding</a>.</li><li class="listitem">Access to secrets via the API may be restricted for security reasons; the preferred way is to mount the secret into the pod.</li></ul></div><p>Example of application using secrets (though it hasn&#8217;t been updated to use the new <code class="literal">spring-cloud-kubernetes</code> project):
<a class="link" href="https://github.com/fabric8-quickstarts/spring-boot-camel-config" target="_top">spring-boot-camel-config</a></p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="multi__configmap_propertysource.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="multi__kubernetes_propertysource_implementations.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="multi__propertysource_reload.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">2.&nbsp;ConfigMap PropertySource&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="multi_spring-cloud-kubernetes.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;4.&nbsp;PropertySource Reload</td></tr></table></div></body></html>
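<p>The Secrets PropertySource section above recommends sharing secrets through mounted volumes but only shows the environment-variable form, so this added example (not part of the original documentation or of the project) mounts <code class="literal">db-secret</code> as read-only files and points <code class="literal">spring.cloud.kubernetes.secrets.paths</code> at the mount. Each key of the Secret appears as a file under the mount path (<code class="literal">/etc/secrets/db-secret/username</code> and <code class="literal">/etc/secrets/db-secret/password</code>). Assumptions: the image name, jar path and <code class="literal">app</code> label are placeholders, and the Deployment is written as a plain manifest rather than a build-time fragment.</p>

```yaml
# Added example, not from the Spring Cloud Kubernetes documentation.
# Mounts the db-secret Secret as files; the API lookup modes
# (secrets.name / secrets.labels) stay disabled, which is the default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo                     # placeholder label
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - name: demo
          image: registry.example.com/demo:latest   # placeholder image
          command:
            - java
            # Option 1 from the list above: read secrets from the mount path.
            - -Dspring.cloud.kubernetes.secrets.paths=/etc/secrets/db-secret
            - -jar
            - /app/demo.jar                         # placeholder jar path
          volumeMounts:
            - name: db-secret
              mountPath: /etc/secrets/db-secret
              readOnly: true
      volumes:
        - name: db-secret
          secret:
            secretName: db-secret
            # Owner read-only; adjust if the container runs as a non-root user.
            defaultMode: 0400
```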