我无法配置 spring.cloud.vault 在令牌过期时重新验证应用程序。 我将 Kubernetes 身份验证与服务令牌一起使用,在 SessionManager 类中的 Bun 中我找到了批处理令牌(它是 TTL 结尾,SpringVault 只是抛出错误)并且它无法重新创建
我第一次必须检查或搜索什么? 或者我该如何修复这个错误?
我无法在我的公司使用 Vault Agent
堆栈跟踪:
Caused by: org.springframework.vault.VaultException: Status 403 Forbidden: permission denied; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: "{"errors":["permission denied"]}<EOL>"
at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:85)
at org.springframework.vault.core.VaultKeyValueAccessor.lambda$doRead$2(VaultKeyValueAccessor.java:174)
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:448)
at org.springframework.vault.core.VaultKeyValueAccessor.doRead(VaultKeyValueAccessor.java:163)
at org.springframework.vault.core.VaultKeyValueAccessor.doRead(VaultKeyValueAccessor.java:132)
at org.springframework.vault.core.VaultKeyValueAccessor.doRead(VaultKeyValueAccessor.java:107)
at org.springframework.vault.core.VaultKeyValue1Template.get(VaultKeyValue1Template.java:69)
at sbp.bpm.designer.utils.credential.VaultAwareCredentialSetup.lambda$createSecretRetriever$2(VaultAwareCredentialSetup.java:127)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4868)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3533)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2282)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2159)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2049)
... 16 common frames omitted
这是 application.yaml 配置
spring:
servlet:
multipart:
enabled: true
max-file-size: 10MB
max-request-size: 10MB
cloud:
vault:
enabled: true
uri: http://vault.url:8080
authentication: KUBERNETES
kubernetes:
role: role
kubernetes-path: k8s/dap.url.com
service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
依赖版本:
如果您的令牌具有 type = renew false,SpringVault 不要使用自己的撤销/更新逻辑,此代码对我有帮助:
@Component
@ConditionalOnProperty(name = "spring.cloud.vault.enabled", havingValue = "true")
public class CustomVaultSessionManager implements SessionManager {
private final ClientAuthentication authentication;
private Optional<VaultToken> actualToken = Optional.empty();
private Optional<Long> expirationTime = Optional.empty();
public CustomVaultSessionManager(ClientAuthentication authentication) {
this.authentication = authentication;
}
@NotNull
@Synchronized
@Override
public VaultToken getSessionToken() {
if (isTokenExpired() || actualToken.isEmpty()) {
actualToken = Optional.of(generateNewToken());
log.info("Get session token : {}", actualToken.get());
}
return actualToken.get();
}
private boolean isTokenExpired() {
Boolean isTokenExpired = expirationTime
.map(expiration -> expiration < System.currentTimeMillis())
.orElse(false);
return isTokenExpired;
}
private VaultToken generateNewToken() {
VaultToken newToken = authentication.login();
if (newToken instanceof LoginToken) {
LoginToken loginToken = (LoginToken) newToken;
expirationTime = updateExpirationTime(loginToken);
} else {
expirationTime = Optional.empty();
}
return newToken;
}
private Optional<Long> updateExpirationTime(LoginToken loginToken) {
return Optional.of(System.currentTimeMillis() + loginToken.getLeaseDuration().toMillis() - 500);
} }