Storing data in an external secret management tool
This guide explains how to store and manage the following types of information in HashiCorp Vault, an external secret store service, instead of in the overrides.yaml file:
- AX hash salt
- Redis password
- Encryption keys
To store other types of information in Vault, see:
Prerequisites
- Kubernetes Secrets Store CSI driver. Install it by following the instructions in "Secrets Store CSI Driver: Installation". For supported versions, see "Apigee hybrid supported platforms and versions: Secrets Store CSI Driver".
- Vault CSI provider. Install it by following the instructions in "Installing the Vault CSI provider". For supported versions, see "Apigee hybrid supported platforms and versions: Vault".
Procedure
- Create the Vault secrets, policies, and roles.
  - Create the secrets using the Vault UI or API and grant the Apigee Kubernetes service accounts permission to read them, as described in this document. The secret data must contain a key and one or more values, as shown in the following table:
    Secret: secret/data/apigee/axhashsalt
    Secret data: { "ax-hash-salt": "AX_HASH_SALT_VALUE" }

    Secret: secret/data/apigee/redis
    Secret data: { "redis-password": "REDIS_PASSWORD_VALUE" }

    Secret: secret/data/apigee/orgencryptionkeys
    Secret data: { "kmsEncryptionKey": "KMS_ENCRYPTION_KEY_VALUE", "kvmEncryptionKey": "KVM_ENCRYPTION_KEY_VALUE", "contractEncryptionKey": "CONTRACT_ENCRYPTION_KEY_VALUE" }

    Secret: secret/data/apigee/envencryptionkeys
    Secret data: { "cacheEncryptionKey": "CACHE_ENCRYPTION_KEY_VALUE", "kvmEncryptionKey": "KVM_ENCRYPTION_KEY_VALUE", "envKvmEncryptionKey": "ENV_KVM_ENCRYPTION_KEY_VALUE", "kmsEncryptionKey": "KMS_ENCRYPTION_KEY_VALUE" }
  - Create the policies in Vault that grant read access to the secrets. Each policy grants only the read capability on a single secret path:
    cat axhashsalt-auth-policy.txt
    path "secret/data/apigee/axhashsalt" {
      capabilities = ["read"]
    }

    cat redis-auth-policy.txt
    path "secret/data/apigee/redis" {
      capabilities = ["read"]
    }

    cat orgencryptionkeys-auth-policy.txt
    path "secret/data/apigee/orgencryptionkeys" {
      capabilities = ["read"]
    }

    cat envencryptionkeys-auth-policy.txt
    path "secret/data/apigee/envencryptionkeys" {
      capabilities = ["read"]
    }

    vault policy write apigee-axhashsalt-auth axhashsalt-auth-policy.txt
    vault policy write apigee-redis-auth redis-auth-policy.txt
    vault policy write apigee-orgencryptionkeys-auth orgencryptionkeys-auth-policy.txt
    vault policy write apigee-envencryptionkeys-auth envencryptionkeys-auth-policy.txt
  - Create a script named generate-encoded-sas.sh with the following content. It reads the organization name from APIGEE_ORG and the environment list from APIGEE_ENV_LIST, so set both variables before running it:
    #!/usr/bin/env bash
    # generate-encoded-sas.sh
    ORG=$APIGEE_ORG           # Apigee organization name
    ENVS=$APIGEE_ENV_LIST     # comma separated env names, for example: dev,prod

    # Org-level names: first 15 chars of the org name plus 7 hex chars of its SHA-256
    ORG_SHORT_NAME=$(echo $ORG | head -c 15)
    ENCODE=$(echo -n $ORG | shasum -a 256 | head -c 7)
    ORG_ENCODE=$(echo "$ORG_SHORT_NAME-$ENCODE")

    NAMES="apigee-manager,apigee-redis-default,apigee-redis-envoy-default,apigee-mart-${ORG_ENCODE},apigee-mint-task-scheduler-${ORG_ENCODE}"

    # Env-level names: org short name, env short name, and 7 hex chars of SHA-256("org:env")
    for ENV in ${ENVS//,/ }
    do
      ENV_SHORT_NAME=$(echo $ENV | head -c 15)
      ENCODE=$(echo -n $ORG:$ENV | shasum -a 256 | head -c 7)
      ENV_ENCODE=$(echo "$ORG_SHORT_NAME-$ENV_SHORT_NAME-$ENCODE")
      NAMES+=,apigee-runtime-${ENV_ENCODE},apigee-synchronizer-${ENV_ENCODE}
    done

    echo $NAMES
  - Run the script to generate the list of service account names to bind the policies to:
    chmod +x ./generate-encoded-sas.sh
    ./generate-encoded-sas.sh
    The output lists the encoded service account names.
  - Create the Vault roles with the policies and bind the required Apigee service accounts. BOUND_SA_NAMES is the comma-separated list produced by the script in the previous step:
    vault write auth/kubernetes/role/apigee-axhashsalt \
      bound_service_account_names=BOUND_SA_NAMES \
      bound_service_account_namespaces=APIGEE_NAMESPACE \
      policies=apigee-axhashsalt-auth \
      ttl=1m

    vault write auth/kubernetes/role/apigee-redis \
      bound_service_account_names=BOUND_SA_NAMES \
      bound_service_account_namespaces=APIGEE_NAMESPACE \
      policies=apigee-redis-auth \
      ttl=1m

    vault write auth/kubernetes/role/apigee-orgencryptionkeys \
      bound_service_account_names=BOUND_SA_NAMES \
      bound_service_account_namespaces=APIGEE_NAMESPACE \
      policies=apigee-orgencryptionkeys-auth \
      ttl=1m

    vault write auth/kubernetes/role/apigee-envencryptionkeys \
      bound_service_account_names=BOUND_SA_NAMES \
      bound_service_account_namespaces=APIGEE_NAMESPACE \
      policies=apigee-envencryptionkeys-auth \
      ttl=1m
- Create the SecretProviderClass objects.
  - Add the following secrets through SecretProviderClass resources. These resources tell the CSI driver which provider to communicate with when a secret is requested. The following table lists the file names (objectNames) that Apigee hybrid expects:
    Secret: AX hash salt
    Expected secret file name: ax-hash-salt

    Secret: Redis
    Expected secret file name: redis-password

    Secret: Org encryption keys
    Expected secret file names: kmsEncryptionKey, kvmEncryptionKey, contractEncryptionKey

    Secret: Env encryption keys
    Expected secret file names: kmsEncryptionKey, kvmEncryptionKey, envKvmEncryptionKey, cacheEncryptionKey
  - Configure these resources using the following SecretProviderClass templates. The secretPath and secretKey of each object are the Vault secret path and key created in the first step:
    # axhashsalt-spc.yaml
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: apigee-axhashsalt-spc
    spec:
      provider: vault
      parameters:
        roleName: apigee-axhashsalt
        vaultAddress: VAULT_ADDRESS
        # "objectName" is an alias used within the SecretProviderClass to reference
        # that specific secret. This will also be the filename containing the secret.
        # Apigee Hybrid expects these exact values so they must not be changed.
        # "secretPath" is the path in Vault where the secret should be retrieved.
        # "secretKey" is the key within the Vault secret response to extract a value from.
        objects: |
          - objectName: "ax-hash-salt"
            secretPath: "secret/data/apigee/axhashsalt"
            secretKey: "ax-hash-salt"

    # redis-spc.yaml
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: apigee-redis-spc
    spec:
      provider: vault
      parameters:
        roleName: apigee-redis
        vaultAddress: VAULT_ADDRESS
        # "objectName" is an alias used within the SecretProviderClass to reference
        # that specific secret. This will also be the filename containing the secret.
        # Apigee Hybrid expects these exact values so they must not be changed.
        # "secretPath" is the path in Vault where the secret should be retrieved.
        # "secretKey" is the key within the Vault secret response to extract a value from.
        objects: |
          - objectName: "redis-password"
            secretPath: "secret/data/apigee/redis"
            secretKey: "redis-password"

    # orgencryptionkeys-spc.yaml
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: apigee-orgencryptionkeys-spc
    spec:
      provider: vault
      parameters:
        roleName: apigee-orgencryptionkeys
        vaultAddress: VAULT_ADDRESS
        # "objectName" is an alias used within the SecretProviderClass to reference
        # that specific secret. This will also be the filename containing the secret.
        # Apigee Hybrid expects these exact values so they must not be changed.
        # "secretPath" is the path in Vault where the secret should be retrieved.
        # "secretKey" is the key within the Vault secret response to extract a value from.
        objects: |
          - objectName: "kmsEncryptionKey"
            secretPath: "secret/data/apigee/orgencryptionkeys"
            secretKey: "kmsEncryptionKey"
          - objectName: "kvmEncryptionKey"
            secretPath: "secret/data/apigee/orgencryptionkeys"
            secretKey: "kvmEncryptionKey"
          - objectName: "contractEncryptionKey"
            secretPath: "secret/data/apigee/orgencryptionkeys"
            secretKey: "contractEncryptionKey"

    # envencryptionkeys-spc.yaml
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: apigee-envencryptionkeys-spc
    spec:
      provider: vault
      parameters:
        roleName: apigee-envencryptionkeys
        vaultAddress: VAULT_ADDRESS
        # "objectName" is an alias used within the SecretProviderClass to reference
        # that specific secret. This will also be the filename containing the secret.
        # Apigee Hybrid expects these exact values so they must not be changed.
        # "secretPath" is the path in Vault where the secret should be retrieved.
        # "secretKey" is the key within the Vault secret response to extract a value from.
        objects: |
          - objectName: "cacheEncryptionKey"
            secretPath: "secret/data/apigee/envencryptionkeys"
            secretKey: "cacheEncryptionKey"
          - objectName: "kvmEncryptionKey"
            secretPath: "secret/data/apigee/envencryptionkeys"
            secretKey: "kvmEncryptionKey"
          - objectName: "envKvmEncryptionKey"
            secretPath: "secret/data/apigee/envencryptionkeys"
            secretKey: "envKvmEncryptionKey"
          - objectName: "kmsEncryptionKey"
            secretPath: "secret/data/apigee/envencryptionkeys"
            secretKey: "kmsEncryptionKey"
    VAULT_ADDRESS is the endpoint on which the Vault server runs. If Vault runs in the same cluster and namespace as Apigee, the format is usually:
    http://vault.APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT
  - Apply the SecretProviderClasses above to the APIGEE_NAMESPACE namespace:
    kubectl -n APIGEE_NAMESPACE apply -f axhashsalt-spc.yaml
    kubectl -n APIGEE_NAMESPACE apply -f redis-spc.yaml
    kubectl -n APIGEE_NAMESPACE apply -f orgencryptionkeys-spc.yaml
    kubectl -n APIGEE_NAMESPACE apply -f envencryptionkeys-spc.yaml
- Enable the external secret for the AX hash salt.
  - Add the following setting to the overrides.yaml file to enable use of the external secret for the AX hash salt:
    axHashSaltSecretProviderClass: apigee-axhashsalt-spc
  - Upgrade the org Helm chart to apply the change:
    helm upgrade org apigee-org/ \
      --namespace APIGEE_NAMESPACE \
      -f overrides.yaml
- Enable the external secret for the Redis password.
  - Add the following setting to the overrides.yaml file to enable use of the external secret for the Redis password:
    redis:
      auth:
        secretProviderClass: apigee-redis-spc
  - Then upgrade the operator and redis charts, in that order, to apply the change:
    helm upgrade operator apigee-operator/ \
      --namespace APIGEE_NAMESPACE \
      -f overrides.yaml

    helm upgrade redis apigee-redis/ \
      --namespace APIGEE_NAMESPACE \
      -f overrides.yaml
- Enable the external secrets for the encryption keys.
  - Add the following setting to the overrides.yaml file to enable use of the external secret for the org-level encryption keys:
    encryptionKeySecretProviderClass: apigee-orgencryptionkeys-spc
  - Upgrade the org Helm chart to apply the change:
    helm upgrade org apigee-org/ \
      --namespace APIGEE_NAMESPACE \
      -f overrides.yaml
  - For each environment, add the following setting for the environment-specific encryption keys to the overrides.yaml file:
    envs:
      - name: ENV_NAME
        encryptionKeySecretProviderClass: apigee-envencryptionkeys-spc
  - Upgrade the env Helm chart once per environment to apply the change:
    helm upgrade ENV_NAME apigee-env/ \
      --namespace APIGEE_NAMESPACE \
      --set env=ENV_NAME \
      -f overrides.yaml
Rollback
AX hash salt
- Remove the setting that enables use of the external secret for the AX hash salt from the overrides.yaml file:
  # Comment out or delete the following line:
  # axHashSaltSecretProviderClass: apigee-axhashsalt-spc
- Upgrade the org Helm chart to apply the change:
  helm upgrade org apigee-org/ \
    --namespace APIGEE_NAMESPACE \
    -f overrides.yaml
Redis password
- Remove the setting that enables use of the external secret for the Redis password from the overrides.yaml file:
  redis:
    auth:
      # Comment out or delete the following line:
      # secretProviderClass: apigee-redis-spc
- Then upgrade the redis and operator charts, in that order, to apply the change:
  helm upgrade redis apigee-redis/ \
    --namespace APIGEE_NAMESPACE \
    -f overrides.yaml

  helm upgrade operator apigee-operator/ \
    --namespace APIGEE_NAMESPACE \
    -f overrides.yaml
Encryption keys
- Remove the setting that enables use of the external secret for the env encryption keys from the overrides.yaml file:
  envs:
    - name: ENV_NAME
      # Comment out or delete the following line:
      # encryptionKeySecretProviderClass: apigee-envencryptionkeys-spc
- Upgrade the env Helm chart once per environment to apply the change:
  helm upgrade ENV_NAME apigee-env/ \
    --namespace APIGEE_NAMESPACE \
    --set env=ENV_NAME \
    -f overrides.yaml
- Remove the setting that enables use of the external secret for the org encryption keys from the overrides.yaml file:
  # Comment out or delete the following line:
  # encryptionKeySecretProviderClass: apigee-orgencryptionkeys-spc
- Then upgrade the org Helm chart:
  helm upgrade org apigee-org/ \
    --namespace APIGEE_NAMESPACE \
    -f overrides.yaml