RSA private key in secrets file in a centralized configuration

Question
I am creating an application where I place the RSA private key in application.yml to be read as a string.
I want to put it in a secrets file and read it from there, where all my centralized configuration is available.
My requirement is that I want to read it from the secrets file as a string and not from a .pem file.

This is how I generally use the central config in application.yml:

```yaml
logging:
  level:
    org:
      springframework: ${LOG_LEVEL:INFO}
```

So we put `LOG_LEVEL=INFO` in the centralized config, which is used by Docker and EKS to deploy the application.
Similarly, we have a secrets file to keep the passwords, keys, etc.

Two questions:

1. How can I put private keys in application.yml with a variable and a default value?
2. How can I put the key in the secrets file in the centralized config?

A working RSA key in application.yml without a variable and default value looks like this, but to externalize it I need a variable which Spring Boot can read:

```yaml
privateKey: |
  -----BEGIN RSA PRIVATE KEY-----
  Key data
  -----END RSA PRIVATE KEY-----
```

I tried to put it in a variable as we do for logs, but that doesn't work:

```yaml
privateKey: ${PRIVATE_KEY:|
  -----BEGIN RSA PRIVATE KEY-----
  Key data
  -----END RSA PRIVATE KEY-----}
```

Is there a way we can use the private key as a string in application.yml and centralize it too?
Let me know if you need more information.
Answer 1
Score: 0
Maybe not the best, but a clean solution is to use Spring Boot profiles. This way there is no need to create environment variables, but there is a downside: the prod private key can be accessed from the repo.

```yaml
firebase:
  service-account:
    private-key: |
      -----BEGIN PRIVATE KEY-----
      ...
      ZD/MoHk8ClDoiveLXZQt/A==
      -----END PRIVATE KEY-----
---
### Prod Profile
spring:
  config:
    activate:
      on-profile: prod
firebase:
  service-account:
    private-key: |
      -----BEGIN PRIVATE KEY-----
      ...
      fhZupTPZ8G/StKw0YXuDDaYQ
      -----END PRIVATE KEY-----
```
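The downside this answer accepts, a production private key sitting in a profile inside the repository, is exactly what a pre-commit check should catch. The scanner below is an added example, not code from the question or either answer: it reports every PEM private-key block found in a set of configuration files, whether written as a YAML block scalar (as in the profile above) or flattened into a JSON string with literal `\n` (as in the ConfigMap shown in answer 2), and it reports only the file, line, key type and body size, never the key material. The three sample files and the `FILLER` string are constructed for the demonstration and contain no real key.

```python
"""Scanner for private keys committed in configuration files.  Added example,
not code from the question or the answers.  SAMPLE_FILES and FILLER are
constructed for the demonstration; FILLER is base64-looking noise, not a key."""
import re
from typing import List, NamedTuple

# PEM armour of any private key: PKCS#1 "RSA PRIVATE KEY", PKCS#8 "PRIVATE KEY",
# "EC PRIVATE KEY", "OPENSSH PRIVATE KEY", ...  The body class allows a
# backslash so a key flattened into a JSON string with literal "\n" is caught
# as well as a YAML block scalar with real newlines.
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<label>(?:[A-Z]+ )*PRIVATE KEY)-----"
    r"(?P<body>[A-Za-z0-9+/=\\\s]*?)"
    r"-----END (?P=label)-----")


class Finding(NamedTuple):
    path: str
    line: int          # 1-based line of the BEGIN marker
    label: str         # which kind of key; the report never contains the body
    body_chars: int    # base64 length, tells a real key from a "..." stub


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per armoured private key in `text`.  A value that is
    only a `${VAR}` placeholder carries no armour and is not reported, which is
    the externalised form the question is asking for."""
    out = []
    for m in PEM_KEY_RE.finditer(text):
        body = re.sub(r"\\n|\s", "", m.group("body"))   # drop real and literal newlines
        line = text.count("\n", 0, m.start()) + 1
        out.append(Finding(path, line, m.group("label"), len(body)))
    return out


def scan_files(files: dict) -> List[Finding]:
    """Scan a {path: content} mapping, e.g. the staged files of a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def should_block_commit(files: dict) -> bool:
    """Pre-commit decision: any private key in configuration blocks the commit."""
    return bool(scan_files(files))


# --- constructed sample repository (not real files, not a real key) ----------
FILLER = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 8

SAMPLE_FILES = {
    # externalised, the form the question wants: nothing to report
    "src/main/resources/application.yml":
        "server:\n  port: 8080\nprivateKey: ${PRIVATE_KEY}\n",
    # a prod profile with the key inline, as in this answer: reported
    "src/main/resources/application-prod.yml":
        "spring:\n  config:\n    activate:\n      on-profile: prod\n"
        "firebase:\n  service-account:\n    private-key: |\n"
        f"      -----BEGIN PRIVATE KEY-----\n      {FILLER}\n"
        "      -----END PRIVATE KEY-----\n",
    # a ConfigMap with the key flattened into a JSON string: reported
    "deploy/configmap.yaml":
        "data:\n  CLIENT_SECRET: '{\"type\": \"service_account\", "
        f"\"private_key\": \"-----BEGIN PRIVATE KEY-----\\n{FILLER}\\n"
        "-----END PRIVATE KEY-----\\n\"}'\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.label} ({f.body_chars} base64 chars)")
    print("block commit:", should_block_commit(SAMPLE_FILES))
```

Wire `should_block_commit` into a pre-commit hook or CI job over the staged files; the placeholder form `privateKey: ${PRIVATE_KEY}` passes, and both inline forms are reported with the line of the `BEGIN` marker so the offending file can be purged from history before the key is rotated.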
Answer 2
Score: -1
I am using Python and storing keys in a configmap and secrets, loading the keys in JSON format. Previously, when I was fetching keys from the secret, I was facing an issue with `\n` and white spaces which were added and managed automatically.

In the Python config.py I am replacing it with `\n` and loading the JSON. For example:

```python
import json
import os

# Strip stray single quotes from the raw value, then parse the JSON document
app.config['CLIENT_SECRET'] = json.loads(os.environ.get("CLIENT_SECRET").replace("\'", ""))
```

Here is a test example key for the configmap:

```yaml
CLIENT_SECRET: '{"type": "service_account", "project_id": "test-check-x", "private_key_id": "b0a8b2860c4646db85c7625c3610e4dafd9rr495", "private_key": "-----BEGIN PRIVATE KEY-----\nNGGEvAIBRTANBgkqhkiG9w0BAQEFCCSCBKYwggSiAgEAAoIBAQC2rC4PLop8907yt\nHqFb9BmmetaCwGCDC30XP7zxamyOCnkSVdHfMmVTphR9iajDU1/6PJVTHm5ANeww\n2x6RGn0/Y6Krc63oBuqUTE8ZNemmRef7u1D/EYpizGP8TNrI4wYrChdfdfdKl4V4AI8C\ndpVwQkHPaEtJpDjRiID9Xt3+xbR0RNJg4ueuyie6nBXHQmx+g9ox0DFOj+s79VEB\nQOkqjKQuutHGhPtvomCLqfO+f1NTMXVhePq3gFawuTM0IZ9SF084EsJrKNxsi1yr\nUA8jaHAPckk8boSllFXHHpoU80AahrWd+bd+PdrfSjj95I1cgPYcLYbB7Wu7n1zo\n0SJD1EQLAgMBAAECggEAFGtB/sUctS3LG62H1efUPNgQRa9MBSScnU5XnW4K/QRO\nAkRWNapuycnkmNcGu/FZkiGBgzd+QBkxnJ3HA0CVwtHYAMLpK+gnV9+rxnf7SnBt\nUlCJk5QaBu8tN1TpQ86fWuJBUlmGPCK72Zz4bq2eqO4nNEUcwMyPC+4LHIvBnygh\n/TpM/1SDcgzQGqLCE1cpX4PXyU5P9mSBY9IOrI7gkhKvhVBFEGgVzyzwHBmIfSFJ\nZqtJW/lbfqTt/gm00c4w6jiRROfaWXVif70y2XkCFIdftE5at8Ldfc//oRkCnOxt\niOag1SKN/fX1tmSGBtu3pl7kkF92lMEfiP7Ewvu9SQKBgQDvtRRSnQxniMwBTLib\nNYinH0KB89jEjVDh7RoDx76mdu+2U7RaX4xxCkY3Z/y5lVoCUue+t/14uNRLgQPW\njumKnBOBvT2r7G0C/uwcQbhi1MTK0zoVbrx6MJ8R3gE+6HWEG8J/1+UgyMbGo3aB\nFNe8wja65SEBA/IC6xcFlaMcvwKBgQDDFrFNOOuzUJ06jcBppQISDGs012jdD+Qr\nsTGPetD68oQxhcNHQ44tCRqbmq2iDA7I5YRikabtHIOVIs0rblSXOVEr3sS3kOnU\nGGIKhykDnK8vs4g4t+N/WrZeoD/Ez9Vlpc7VHITnx1/9AVJqJGXvmfco495DmBXC\nSbwZzN5PtQKBgEPxf6ErAqkWDT0REgJsWh+ErMVI6NhNde+T1RvdMhzc+XUkpKo5\nCwW/c8egofG4c5rVBPr6C858FTCRkRTvzSKMurq7eQ+SJBQFTcd0mV7qEB2tYXlR\nufqobW4TDydVnHmlpKu39iokvrLvAlf0IHJQWlL/Pyuagq5xFEVw9JrhAoGAIoiU\n0BegWXiOrHvFMK495JYAMDVlYaRbfoR6Qmy6K4Hcdqu3+phxxXUUGbFSxRmfUF6Y\nhZ5Ezzo57J9hdCuum6pQvRRM/DWRvrKmQDjWwMXumOIN3gRnJ/cVy0BQqXUk0D5+\nk2jd+e1oB3BBd3qD9NrrTnivsoVsbJ0CyApk2/UCgYAtcCnsnkySdDee4IwV7Ns+\nSqKExRX6xt69JrNlCExyTF35+ZyZMrDZR6wxUIVPWn//vVNA9KQiRgfOlCRjvbxe\nl5fRS2auOH1/DztMFUWGhuNXTjlLNgZRKhuJF4txUzdHJnoIXL/8bfMCKYCxZKbmf\nC7huNhJNf+btG27zr8MD7Q==\n-----END PRIVATE KEY-----\n", "client_email": "script-test@test-checck-x.iam.gserviceaccount.com", "client_id": "11425276876957878", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/script-test%40test-chec-x.iam.gserviceaccount.com"}'
```

I don't have much idea of Spring Boot, but it's working well for me this way.
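Both the question (a multi-line PEM behind a `${PRIVATE_KEY:...}` placeholder) and this answer (a PEM inside a JSON string in a ConfigMap, with `\n` and whitespace trouble) hit the same problem: a private key has to survive a trip through YAML, JSON, a shell and an environment variable as one string and come back intact. The block below is an added example, not code from the question or either answer. It normalises the forms a PEM typically arrives in (real newlines, literal `\n` escaped once or twice, stray quotes, or one bare base64 line), validates that the body decodes to DER, tells the PKCS#1 armour used in the question from the PKCS#8 armour used in answer 1, and loads a service-account JSON the way this answer does but without the quote-stripping hack. The key it round-trips is a constructed toy RSA key with 16-bit primes, DER-encoded by hand so the example runs offline with the standard library only; `transport_forms` and the `CLIENT_SECRET` value are constructed inputs.

```python
"""Carry a PEM private key through an environment variable or a Kubernetes
Secret as one string and get it back byte-for-byte.  Added example, not code
from the question or the answers.  The key is a constructed toy RSA key with
tiny primes, DER-encoded by hand as a PKCS#1 RSAPrivateKey so the example
runs offline; it is useless for anything else."""
import base64
import json
import re

P, Q, E = 61, 53, 17                       # toy parameters (constructed)
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))


def der_int(v: int) -> bytes:
    """DER INTEGER: minimal length, leading 0x00 when the high bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body


def der_seq(*items: bytes) -> bytes:
    """DER SEQUENCE with a short-form length (the toy key is under 128 bytes)."""
    body = b"".join(items)
    return b"\x30" + bytes([len(body)]) + body


def pkcs1_der() -> bytes:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    return der_seq(der_int(0), der_int(N), der_int(E), der_int(D), der_int(P),
                   der_int(Q), der_int(D % (P - 1)), der_int(D % (Q - 1)),
                   der_int(pow(Q, -1, P)))


PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)


def to_pem(der: bytes, label: str) -> str:
    """Canonical armour: 64-column base64 lines and a trailing newline."""
    b64 = base64.b64encode(der).decode()
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n-----END {label}-----\n")


def der_from_pem(pem: str) -> bytes:
    return base64.b64decode("".join(PEM_RE.search(pem).group("body").split()))


def normalize_pem(raw: str, _nested: bool = False) -> str:
    """Accept every form a PEM takes after YAML, JSON, Helm or a shell has
    handled it: real newlines, literal \\n (escaped once or twice), stray
    quotes, or one bare base64 line as `base64 -w0 key.pem` produces.
    Raises ValueError when nothing decodes to DER inside PEM armour."""
    s = raw.strip().strip("'\"").replace("\\\\n", "\n").replace("\\n", "\n")
    m = PEM_RE.search(s)
    if m is None:
        if _nested:
            raise ValueError("no PEM armour found")
        return normalize_pem(base64.b64decode(s, validate=True).decode("ascii"), True)
    body = "".join(m.group("body").split())            # strip inner whitespace
    der = base64.b64decode(body, validate=True)        # rejects a mangled body
    if der[:1] != b"\x30":                              # every key type is a SEQUENCE
        raise ValueError("PEM body is not DER")
    return to_pem(der, m.group("label"))


def key_format(pem: str) -> str:
    """PKCS#1 (`RSA PRIVATE KEY`, as in the question) vs PKCS#8 (`PRIVATE KEY`,
    as in answer 1).  The JDK's KeyFactory takes a PKCS8EncodedKeySpec, so a
    PKCS#1 key needs converting before a Spring Boot app can load it."""
    label = PEM_RE.search(pem).group("label")
    return {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
            "ENCRYPTED PRIVATE KEY": "PKCS#8-encrypted"}.get(label, "other")


def transport_forms(pem: str) -> dict:
    """The same key as it typically shows up in os.environ (constructed)."""
    return {"newlines": pem,                               # Secret mounted as-is
            "json_escaped": json.dumps(pem),                # value inside a JSON doc
            "double_escaped": pem.replace("\n", "\\\\n"),   # escaped twice by tooling
            "base64_line": base64.b64encode(pem.encode()).decode()}


def load_service_account(env: dict, name: str = "CLIENT_SECRET") -> dict:
    """This answer's loader without the quote-stripping hack: json.loads already
    turns the literal \\n in "private_key" into newlines; normalize_pem only
    repairs a value that was escaped twice on the way in."""
    sa = json.loads(env[name].strip().strip("'"))
    sa["private_key"] = normalize_pem(sa["private_key"])
    return sa


if __name__ == "__main__":
    pem = to_pem(pkcs1_der(), "RSA PRIVATE KEY")
    for form, value in transport_forms(pem).items():
        assert der_from_pem(normalize_pem(value)) == pkcs1_der()
        print(f"{form:15s} -> {key_format(pem)} key restored intact")
```

The practical consequence for the question: pass the PEM through the environment variable either with real newlines (a mounted Secret) or as one base64 line, keep `privateKey: ${PRIVATE_KEY:}` in application.yml as a plain placeholder rather than trying to embed a block scalar as its default, and run the value through a normaliser like this one before handing it to a key parser.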