本頁面由 Cloud Translation API 翻譯而成。

將資料儲存在外部機密金鑰管理工具中

將資料儲存在外部密鑰管理工具中

本指南說明如何在外部密鑰儲存服務 Hashicorp Vault 中儲存及管理下列類型的資訊，而非在 overrides.yaml 檔案中。

AX Hash Salt
Redis 密碼
加密金鑰

如要在保管箱中儲存其他類型的資訊，請參閱：

先決條件

Kubernetes 密鑰儲存庫 CSI 驅動程式。您可以按照「Secrets Store CSI 驅動程式：安裝」一文中的操作說明進行安裝。如需支援的版本，請參閱「Apigee hybrid 支援的平台和版本：Secret Store CSI 驅動程式」。
Vault CSI 供應器。您可以按照「安裝 Vault CSI 供應器」一文的操作說明進行安裝。如需支援的版本，請參閱「Apigee hybrid 支援的平台和版本：Vault」。

程序

建立 Vault 密鑰、政策和角色。

請使用 Vault UI 或 API 建立密鑰，並授予 Apigee Kubernetes 服務帳戶讀取這些密鑰的權限，如本文所述。機密資料必須包含一個鍵和一或多個值，如下表所示：

密鑰	機密資料
`secret/data/apigee/axhashsalt`	{ "ax-hash-salt": "`AX_HASH_SALT_VALUE`" }
`secret/data/apigee/redis`	{ "redis-password": "`REDIS_PASSWORD_VALUE`" }
`secret/data/apigee/orgencryptionkeys`	{ "kmsEncryptionKey": "`KMS_ENCRYPTION_KEY_VALUE`" "kvmEncryptionKey": "`KVM_ENCRYPTION_KEY_VALUE`" "contractEncryptionKey": "`CONTRACT_ENCRYPTION_KEY_VALUE`" } 重要事項：`contractEncryptionKey` 值必須是長度為 16、24 或 32 個字元的 Base64 編碼字串。詳情請參閱「資料加密」。
`secret/data/apigee/envencryptionkeys`	{ "cacheEncryptionKey": "`CACHE_ENCRYPTION_KEY_VALUE`" "kvmEncryptionKey": "`KVM_ENCRYPTION_KEY_VALUE`" "envKvmEncryptionKey": "`ENV_KVM_ENCRYPTION_KEY_VALUE`" "kmsEncryptionKey": "`KMS_ENCRYPTION_KEY_VALUE`" }

在 Vault 中建立可授予密鑰存取權的政策：

cat axhashsalt-auth-policy.txt
path "secret/data/apigee/axhashsalt" {
  capabilities = ["read"]
}
cat redis-auth-policy.txt
path "secret/data/apigee/redis" {
  capabilities = ["read"]
}
cat orgencryptionkeys-auth-policy.txt
path "secret/data/apigee/orgencryptionkeys" {
  capabilities = ["read"]
}
cat envencryptionkeys-auth-policy.txt
path "secret/data/apigee/envencryptionkeys" {
  capabilities = ["read"]
}

vault policy write apigee-axhashsalt-auth axhashsalt-auth-policy.txt
vault policy write apigee-redis-auth redis-auth-policy.txt
vault policy write apigee-orgencryptionkeys-auth orgencryptionkeys-auth-policy.txt
vault policy write apigee-envencryptionkeys-auth envencryptionkeys-auth-policy.txt

建立名為 generate-encoded-sas.sh 的指令碼，並在其中加入下列內容：

# generate-encoded-sas.sh

ORG=$APIGEE_ORG            # Apigee organization name
ENVS=$APIGEE_ENV_LIST      # comma separated env names, for example: dev,prod

ORG_SHORT_NAME=$(echo $ORG | head -c 15)
ENCODE=$(echo -n $ORG | shasum -a 256 | head -c 7)
ORG_ENCODE=$(echo "$ORG_SHORT_NAME-$ENCODE")
NAMES="apigee-manager,apigee-redis-default,apigee-redis-envoy-default,apigee-mart-${ORG_ENCODE},apigee-mint-task-scheduler-${ORG_ENCODE}"

for ENV in ${ENVS//,/ }
do
  ENV_SHORT_NAME=$(echo $ENV | head -c 15)
  ENCODE=$(echo -n $ORG:$ENV | shasum -a 256 | head -c 7)
  ENV_ENCODE=$(echo "$ORG_SHORT_NAME-$ENV_SHORT_NAME-$ENCODE")
  NAMES+=,apigee-runtime-${ENV_ENCODE},apigee-synchronizer-${ENV_ENCODE}
done

echo $NAMES

執行指令碼，產生服務帳戶名稱清單，以便將政策繫結至：
```
chmod +x ./generate-encoded-sas.sh
./generate-encoded-sas.sh
```
輸出內容應列出已編碼的服務帳戶名稱。

使用政策建立 Vault 角色，並繫結必要的 Apigee 服務帳戶。

vault write auth/kubernetes/role/apigee-axhashsalt \
	bound_service_account_names=BOUND_SA_NAMES \
	bound_service_account_namespaces=APIGEE_NAMESPACE \
	policies=apigee-axhashsalt-auth \
	ttl=1m

vault write auth/kubernetes/role/apigee-redis \
	bound_service_account_names=BOUND_SA_NAMES \
	bound_service_account_namespaces=APIGEE_NAMESPACE \
	policies=apigee-redis-auth \
	ttl=1m

vault write auth/kubernetes/role/apigee-orgencryptionkeys \
	bound_service_account_names=BOUND_SA_NAMES \
	bound_service_account_namespaces=APIGEE_NAMESPACE \
	policies=apigee-orgencryptionkeys-auth \
	ttl=1m

vault write auth/kubernetes/role/apigee-envencryptionkeys \
	bound_service_account_names=BOUND_SA_NAMES \
	bound_service_account_namespaces=APIGEE_NAMESPACE \
	policies=apigee-envencryptionkeys-auth \
	ttl=1m

建立 SecretProviderClass 物件。

透過 SecretProviderClass 資源新增下列密鑰。這些資源會告訴 CSI 驅動程式，在要求密鑰時要與哪些供應器通訊。下表列出 Apigee Hybrid 預期的檔案名稱 (objectNames)：

密鑰	預期的密鑰檔案名稱
AX Hash Salt	`ax-hash-salt`
Redis	`redis-password`
機構加密金鑰	`kmsEncryptionKey` `kvmEncryptionKey` `contractEncryptionKey`
Env 加密金鑰	`kmsEncryptionKey` `kvmEncryptionKey` `envKvmEncryptionKey` `cacheEncryptionKey`

請使用下列 SecretProviderClass 範本設定這些資源：

# axhashsalt-spc.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: apigee-axhashsalt-spc
spec:
  provider: vault
  parameters:
    roleName: apigee-axhashsalt
    vaultAddress: VAULT_ADDRESS
    # "objectName" is an alias used within the SecretProviderClass to reference
    # that specific secret. This will also be the filename containing the secret.
    # Apigee Hybrid expects these exact values so they must not be changed.
    # "secretPath" is the path in Vault where the secret should be retrieved.
    # "secretKey" is the key within the Vault secret response to extract a value from.
    objects: |
      - objectName: "ax-hash-salt"
        secretPath: ""
        secretKey: ""

# redis-spc.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: apigee-redis-spc
spec:
  provider: vault
  parameters:
    roleName: apigee-redis
    vaultAddress: VAULT_ADDRESS
    # "objectName" is an alias used within the SecretProviderClass to reference
    # that specific secret. This will also be the filename containing the secret.
    # Apigee Hybrid expects these exact values so they must not be changed.
    # "secretPath" is the path in Vault where the secret should be retrieved.
    # "secretKey" is the key within the Vault secret response to extract a value from.
    objects: |
      - objectName: "redis-password"
        secretPath: ""
        secretKey: ""

# orgencryptionkeys-spc.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: apigee-orgencryptionkeys-spc
spec:
  provider: vault
  parameters:
    roleName: apigee-orgencryptionkeys
    vaultAddress: VAULT_ADDRESS
    # "objectName" is an alias used within the SecretProviderClass to reference
    # that specific secret. This will also be the filename containing the secret.
    # Apigee Hybrid expects these exact values so they must not be changed.
    # "secretPath" is the path in Vault where the secret should be retrieved.
    # "secretKey" is the key within the Vault secret response to extract a value from.
    objects: |
      - objectName: "kmsEncryptionKey"
        secretPath: ""
        secretKey: ""
      - objectName: "kvmEncryptionKey"
        secretPath: ""
        secretKey: ""
      - objectName: "contractEncryptionKey"
        secretPath: ""
        secretKey: ""

# envencryptionkeys-spc.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: apigee-envencryptionkeys-spc
spec:
  provider: vault
  parameters:
    roleName: apigee-envencryptionkeys
    vaultAddress: VAULT_ADDRESS
    # "objectName" is an alias used within the SecretProviderClass to reference
    # that specific secret. This will also be the filename containing the secret.
    # Apigee Hybrid expects these exact values so they must not be changed.
    # "secretPath" is the path in Vault where the secret should be retrieved.
    # "secretKey" is the key within the Vault secret response to extract a value from.
    objects: |
      - objectName: "cacheEncryptionKey"
        secretPath: ""
        secretKey: ""
      - objectName: "kvmEncryptionKey"
        secretPath: ""
        secretKey: ""
      - objectName: "envKvmEncryptionKey"
        secretPath: ""
        secretKey: ""
      - objectName: "kmsEncryptionKey"
        secretPath: ""
        secretKey: ""

VAULT_ADDRESS 是 Vault 伺服器執行的端點。如果 Vault 與 Apigee 在同一個叢集和命名空間中執行，格式通常會是 http://vault.APIGEE_NAMESPACE.svc.cluster.local:VAULT_SERVICE_PORT。

將上述 SecretProviderClasses 套用至 APIGEE_NAMESPACE 命名空間：

kubectl -n APIGEE_NAMESPACE apply -f axhashsalt-spc.yaml
kubectl -n APIGEE_NAMESPACE apply -f redis-spc.yaml
kubectl -n APIGEE_NAMESPACE apply -f orgencryptionkeys-spc.yaml
kubectl -n APIGEE_NAMESPACE apply -f envencryptionkeys-spc.yaml

為 AX 雜湊鹽啟用外部機密資料。
1. 在 overrides.yaml 檔案中新增下列設定，啟用 AX 雜湊鹽值的使用外部密鑰：
```
axHashSaltSecretProviderClass: apigee-axhashsalt-spc
```
2. 升級 org Helm 圖表，套用變更：
```
helm upgrade org apigee-org/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml
```

為 Redis 密碼啟用外部機密資料。

在 overrides.yaml 檔案中新增下列設定，啟用 Redis 密碼的外部密鑰使用方式：
```
redis:
  auth:
    secretProviderClass: apigee-redis-spc
```

接著，請按照以下順序升級 operator 和 redis 圖表，以便套用變更：

helm upgrade operator apigee-operator/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml
helm upgrade redis apigee-redis/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml

為加密金鑰啟用外部密鑰

在 overrides.yaml 檔案中新增下列設定，啟用機構層級加密金鑰的外部密鑰使用權限：
```
encryptionKeySecretProviderClass: apigee-orgencryptionkeys-spc
```

升級 org Helm 圖表來套用變更：

helm upgrade org apigee-org/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml

在每個環境的 overrides.yaml 檔案中，為環境專屬的加密金鑰新增下列設定：
```
envs:
- name: ENV_NAME
  encryptionKeySecretProviderClass: apigee-envencryptionkeys-spc
```

針對每個環境升級 env Helm 圖表一次，即可套用變更：

helm upgrade ENV_NAME apigee-env/ \
  --namespace APIGEE_NAMESPACE \
  --set env=ENV_NAME \
  -f overrides.yaml

復原

AX Hash Salt

在 overrides.yaml 檔案中，移除啟用 AX 雜湊鹽值外部機密用法的設定：

# Comment out or delete the following line:
# axHashSaltSecretProviderClass: apigee-axhashsalt-spc

升級 org Helm 圖表，套用變更：

helm upgrade org apigee-org/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml

Redis 密碼

在 overrides.yaml 檔案中，移除啟用外部密鑰來使用 Redis 密碼的設定：

redis:
  auth:
  # Comment out or delete the following line:
  # secretProviderClass: apigee-redis-spc

接著，請按照以下順序升級 redis 和 operator 圖表，以便套用變更：

helm upgrade redis apigee-redis/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml
helm upgrade operator apigee-operator/ \
  --namespace APIGEE_NAMESPACE \
  -f overrides.yaml

加密金鑰

在 overrides.yaml 檔案中，移除啟用外部密鑰使用 env 加密金鑰的設定：

envs:
  - name: ENV_NAME
  # Comment out or delete the following line:
  # encryptionKeySecretProviderClass: apigee-envencryptionkeys-spc