Dapr for .NET Developers: Secrets
The Dapr secrets building block
Enterprise applications require secrets. Common examples include:
A database connection string that contains a username and password.
An API key for calling an external web API.
A client certificate for authenticating to an external system.
Secrets must be carefully managed so that they're never disclosed outside of the application.
Not long ago, it was popular to store application secrets in a configuration file inside the application codebase. .NET developers will fondly recall the web.config file. While simple to implement, storing secrets alongside code was far from secure. A common misstep was to include the file when pushing to a public Git repository, exposing the secrets to the world.
A widely accepted methodology for constructing modern distributed applications is The Twelve-Factor App. It describes a set of principles and best practices. Its third factor prescribes that configuration and secrets be externalized outside of the code base.
To address this concern, the .NET Core platform includes a Secret Manager feature that stores sensitive data in a physical folder outside of the project tree. While secrets are outside of source control, this feature doesn't encrypt data. It's designed for development purposes only.
A more modern and secure practice is to isolate secrets in a secrets management tool like HashiCorp Vault or Azure Key Vault. These tools enable you to store secrets externally, vary credentials across environments, and reference them from application code. However, each tool has its complexities and learning curve.
Dapr offers a building block that simplifies managing secrets.
What it solves
The Dapr secrets building block abstracts away the complexity of working with secrets and secret management tools.
It hides the underlying plumbing through a unified interface.
It supports various pluggable secret store components, which can vary between development and production.
Applications don't require direct dependencies on secret store libraries.
Developers don't require detailed knowledge of each secret store.
Dapr handles all of the above concerns.
Access to the secrets is secured through authentication and authorization. Only an application with sufficient rights can access secrets. Applications running in Kubernetes can also use its built-in secrets management mechanism.
How it works
Applications use the secrets building block in two ways:
Retrieve a secret directly from the application block.
Reference a secret indirectly from a Dapr component configuration.
Retrieving secrets directly is covered first. Referencing a secret from a Dapr component configuration file is addressed in a later section.
The application interacts with a Dapr sidecar when using the secrets building block. The sidecar exposes the secrets API. The API can be called with either HTTP or gRPC. Use the following URL to call the HTTP API:
```text
http://localhost:<dapr-port>/v1.0/secrets/<store-name>/<name>?<metadata>
```

The URL contains the following segments:
<dapr-port> specifies the port number upon which the Dapr sidecar is listening.
<store-name> specifies the name of the Dapr secret store.
<name> specifies the name of the secret to retrieve.
<metadata> provides additional information for the secret. This segment is optional, and metadata properties differ per secret store. For more information on metadata properties, see the secrets API reference in the Dapr docs.
Note
The above URL represents the native Dapr API call available to any development platform that supports HTTP or gRPC. Popular platforms like .NET, Java, and Go have their own custom APIs.
The JSON response contains the key and value of the secret.
Figure 10-1 shows how Dapr handles a request for the secrets API:
Figure 10-1. Retrieving a secret with the Dapr secrets API.
The service calls the Dapr secrets API, along with the name of the secret store, and secret to retrieve.
The Dapr sidecar retrieves the specified secret from the secret store.
The Dapr sidecar returns the secret information back to the service.
Some secret stores support storing multiple key/value pairs in a single secret. For those scenarios, the response would contain multiple key/value pairs in a single JSON response as in the following example:
```text
GET http://localhost:3500/v1.0/secrets/secret-store/interestRates?metadata.version_id=3
```

```json
{
  "tier1-percentage": "2.5",
  "tier2-percentage": "3.8",
  "tier3-percentage": "5.1"
}
```

The Dapr secrets API also offers an operation to retrieve all the secrets the application has access to:
```text
http://localhost:<dapr-port>/v1.0/secrets/<store-name>/bulk
```

Use the Dapr .NET SDK
For .NET developers, the Dapr .NET SDK streamlines Dapr secret management. Consider the DaprClient.GetSecretAsync method. It enables you to retrieve a secret directly from any Dapr secret store with minimal effort. Here's an example of fetching a connection string secret for a SQL Server database:
```csharp
var metadata = new Dictionary<string, string> { ["version_id"] = "3" };
Dictionary<string, string> secrets = await daprClient.GetSecretAsync("secret-store", "eshopsecrets", metadata);
string connectionString = secrets["customerdb"];
```

Arguments for the GetSecretAsync method include:
The name of the Dapr secret store component ('secret-store')
The secret to retrieve ('eshopsecrets')
Optional metadata key/value pairs ('version_id=3')
The method responds with a dictionary object, as a secret can contain multiple key/value pairs. In the example above, the secret named customerdb is referenced from the collection to return a connection string.
The Dapr .NET SDK also features a .NET configuration provider. It loads specified secrets into the underlying .NET Core configuration API. The running application can then reference secrets from the IConfiguration dictionary that is registered in ASP.NET Core dependency injection.
The secrets configuration provider is available from the Dapr.Extensions.Configuration NuGet package. The provider can be registered in the Program.cs of an ASP.NET Web API application:
```csharp
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration(config =>
        {
            var daprClient = new DaprClientBuilder().Build();
            var secretDescriptors = new List<DaprSecretDescriptor>
            {
                new DaprSecretDescriptor("eshopsecrets")
            };
            config.AddDaprSecretStore("secret-store", secretDescriptors, daprClient);
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });
```

The above example loads the eshopsecrets secrets collection into the .NET configuration system at startup. Registering the provider requires an instance of DaprClient to invoke the secrets API on the Dapr sidecar. The other arguments include the name of the secret store and a DaprSecretDescriptor object with the name of the secret.
Once loaded, you can retrieve secrets directly from application code:
```csharp
public void GetCustomer(IConfiguration config)
{
    // The provider adds each key of the loaded secret collection to the
    // configuration directly, so the customerdb entry is read by its own key.
    // (IConfiguration's indexer returns a string, so chained indexers would not compile.)
    var connectionString = config["customerdb"];
}
```

Secret store components
The secrets building block supports several secret store components. At the time of writing, the following secret stores are available:
Environment Variables
Local file
Kubernetes secrets
AWS Secrets Manager
Azure Key Vault
GCP Secret Manager
HashiCorp Vault
Important
The environment variables and local file components are designed for development workloads only.
The following sections show how to configure a secret store.
Configuration
You configure a secret store using a Dapr component configuration file. The typical structure of the file is shown below:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: [component name]
  namespace: [namespace]
spec:
  type: secretstores.[secret store type]
  version: [secret store version]
  metadata:
  - name: [property name]
    value: [property value]
```

All Dapr component configuration files require a name along with an optional namespace value. Additionally, the type field in the spec section specifies the type of secret store component. The properties in the metadata section differ per secret store.
Indirectly consume Dapr secrets
As mentioned earlier in this chapter, applications can also consume secrets by referencing them in component configuration files. Consider a state management component that uses Redis cache for storing state:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-basket-statestore
  namespace: eshop
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: localhost:6379
  - name: redisPassword
    value: e$h0p0nD@pr
```

The above configuration file contains a clear-text password for connecting to the Redis server. Hardcoded passwords are always a bad idea. Pushing this configuration file to a public repository would expose the password. Storing the password in a secret store would dramatically improve this scenario.
The following examples demonstrate this using several different secret stores.
Local file
The local file component is designed for development scenarios. It stores secrets on the local filesystem inside a JSON file. Here's an example named eshop-secrets.json. It contains a single secret: a password for Redis:
```json
{
  "eShopRedisPassword": "e$h0p0nD@pr"
}
```

You place this file in a components folder that you specify when running the Dapr application.
The following secret store configuration file consumes the JSON file as a secret store. It's also placed in the components folder:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-local-secret-store
  namespace: eshop
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: ./components/eshop-secrets.json
  - name: nestedSeparator
    value: ":"
```

The component type is secretstores.local.file. The secretsFile metadata element specifies the path to the secrets file.
Important
The path to a secrets file can be an absolute or relative path. The relative path is based on the folder in which the application starts. In the example, the components folder is a sub-folder of the directory that contains the .NET application.
From the application folder, start the Dapr application specifying the components path as a command-line argument:
```bash
dapr run --app-id basket-api --components-path ./components dotnet run
```

Note
The above example applies to running Dapr in self-hosted mode. For Kubernetes hosting, consider using volume mounts.
The nestedSeparator in a Dapr configuration file specifies a character to flatten a JSON hierarchy. Consider the following snippet:
```json
{
  "redisPassword": "some password",
  "connectionStrings": {
    "customerdb": "some connection string",
    "productdb": "some connection string"
  }
}
```

Using a colon as a separator, you can retrieve the customerdb connection string using the key connectionStrings:customerdb.
Note
The colon (:) is the default separator value.
In the next example, a state management configuration file references the local secret store component to obtain the password for connecting to the Redis server:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-basket-statestore
  namespace: eshop
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: localhost:6379
  - name: redisPassword
    secretKeyRef:
      name: eShopRedisPassword
      key: eShopRedisPassword
auth:
  secretStore: eshop-local-secret-store
```

The secretKeyRef element references the secret containing the password. It replaces the earlier clear-text value. The secret name and the key name, eShopRedisPassword, reference the secret. The name of the secret management component, eshop-local-secret-store, is found in the auth metadata element.
You might wonder why eShopRedisPassword is identical for both the name and key in the secret reference. In the local file secret store, secrets aren't identified with a separate name. The scenario will be different in the next example using Kubernetes secrets.
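To make the nestedSeparator flattening and the secretKeyRef resolution concrete, here is an added Python model of the local file secret store and of how a component's secret references are resolved against it (example code written for this page, not Dapr's implementation). The JSON text is a constructed stand-in for eshop-secrets.json, and the component dict mirrors the state store YAML above.

```python
"""Added example: a Python model of how the Dapr local-file secret store
flattens a nested JSON file (nestedSeparator) and how a component's
secretKeyRef is resolved. Not Dapr's own code; shapes follow the chapter."""
import json

# Constructed stand-in for ./components/eshop-secrets.json
SECRETS_JSON = """
{
  "eShopRedisPassword": "e$h0p0nD@pr",
  "connectionStrings": {
    "customerdb": "Server=sql;Database=customers;Trusted_Connection=True",
    "productdb": "Server=sql;Database=products;Trusted_Connection=True"
  }
}
"""


def flatten(obj, separator=":", prefix=""):
    """Flatten nested JSON objects into single-level keys joined by separator."""
    flat = {}
    for key, value in obj.items():
        full = f"{prefix}{separator}{key}" if prefix else key
        nested = flatten(value, separator, full) if isinstance(value, dict) else {full: str(value)}
        for k, v in nested.items():
            if k in flat:  # a literal "a:b" key and a nested a.b would collide silently
                raise ValueError(f"duplicate flattened key '{k}'")
            flat[k] = v
    return flat


class LocalFileSecretStore:
    """Mirrors secretstores.local.file: one flattened key per secret."""

    def __init__(self, json_text, nested_separator=":"):
        self._secrets = flatten(json.loads(json_text), nested_separator)

    def get_secret(self, name):
        # The secrets API returns a JSON object of key/value pairs; for the
        # local file store that object holds the single pair {name: value}.
        if name not in self._secrets:
            raise KeyError(f"secret '{name}' not found in local file store")
        return {name: self._secrets[name]}

    def get_bulk_secret(self):
        """Shape of the /bulk response: secret name -> its key/value pairs."""
        return {name: {name: value} for name, value in self._secrets.items()}


def resolve_component_metadata(component, stores):
    """Return the component's metadata as name -> value, with every
    secretKeyRef replaced by the value fetched from the store named in auth."""
    store_name = component.get("auth", {}).get("secretStore")
    resolved = {}
    for item in component["spec"]["metadata"]:
        if "secretKeyRef" not in item:
            resolved[item["name"]] = item["value"]
            continue
        if store_name is None:
            raise ValueError(f"{item['name']} uses secretKeyRef but auth.secretStore is not set")
        ref = item["secretKeyRef"]
        secret = stores[store_name].get_secret(ref["name"])
        # key defaults to name, which is why both are eShopRedisPassword above
        resolved[item["name"]] = secret[ref.get("key", ref["name"])]
    return resolved


# dict form of the eshop-basket-statestore component shown above
STATESTORE_COMPONENT = {
    "apiVersion": "dapr.io/v1alpha1",
    "kind": "Component",
    "metadata": {"name": "eshop-basket-statestore", "namespace": "eshop"},
    "spec": {
        "type": "state.redis",
        "version": "v1",
        "metadata": [
            {"name": "redisHost", "value": "localhost:6379"},
            {"name": "redisPassword",
             "secretKeyRef": {"name": "eShopRedisPassword", "key": "eShopRedisPassword"}},
        ],
    },
    "auth": {"secretStore": "eshop-local-secret-store"},
}

STORES = {"eshop-local-secret-store": LocalFileSecretStore(SECRETS_JSON)}


def redis_settings():
    """Resolved metadata the sidecar would hand to the Redis state store."""
    return resolve_component_metadata(STATESTORE_COMPONENT, STORES)


if __name__ == "__main__":
    print(STORES["eshop-local-secret-store"].get_secret("connectionStrings:customerdb"))
    print(redis_settings())
```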
Kubernetes secret
This second example focuses on a Dapr application running in Kubernetes. It uses the standard secrets mechanism that Kubernetes offers. Use the Kubernetes CLI (kubectl) to create a secret named eshopsecrets that contains the password:
```bash
# Single-quote the literal: unquoted, the shell would expand $h0p0nD and store a truncated password.
kubectl create secret generic eshopsecrets --from-literal='redisPassword=e$h0p0nD@pr' -n eshop
```

Once created, you can reference the secret in the component configuration file for state management:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-basket-statestore
  namespace: eshop
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis:6379
  - name: redisPassword
    secretKeyRef:
      name: eshopsecrets
      key: redisPassword
auth:
  secretStore: kubernetes
```

The secretKeyRef element specifies the name of the Kubernetes secret and the secret's key, eshopsecrets and redisPassword respectively. The auth metadata section instructs Dapr to use the Kubernetes secrets management component.
Note
Auth is the default value when using Kubernetes secrets and can be omitted.
In a production setting, secrets are typically created as part of an automated CI/CD pipeline. Doing so ensures only people with sufficient permissions can access and change the secrets. Developers create configuration files without knowing the actual value of the secrets.
Azure Key Vault
The next example is geared toward a real-world production scenario. It uses Azure Key Vault as the secret store. Azure Key Vault is a managed Azure service that enables secrets to be stored securely in the cloud.
For this example to work, the following prerequisites must be satisfied:
You've secured administrative access to an Azure subscription.
You've provisioned an Azure Key Vault named eshopkv that holds a secret named redisPassword that contains the password for connecting to the Redis server.
You've created a service principal in Azure Active Directory.
You've installed an X509 certificate for this service principal (containing both the public and private key) on the local filesystem.
Note
A service principal is an identity that an application can use to authenticate to an Azure service. The service principal uses an X509 certificate. The application uses this certificate as a credential to authenticate itself.
The Dapr Azure Key Vault secret store documentation provides step-by-step instructions to create and configure a Key Vault environment.
Use Key Vault when running in self-hosted mode
Consuming Azure Key Vault in Dapr self-hosted mode requires the following configuration file:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-azurekv-secret-store
  namespace: eshop
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: eshopkv
  - name: spnTenantId
    value: "619926af-a7c3-4e95-93ed-4ecc4e3e652b"
  - name: spnClientId
    value: "6cf48032-6c38-43be-9d6f-2a43ce736b09"
  - name: spnCertificateFile
    value: "azurekv-spn-cert.pfx"
```

The secret store type is secretstores.azure.keyvault. The metadata element to configure access to Key Vault requires the following properties:
The vaultName contains the name of the Azure Key Vault.
The spnTenantId contains the tenant ID of the service principal used to authenticate against the Key Vault.
The spnClientId contains the app ID of the service principal used to authenticate against the Key Vault.
The spnCertificateFile contains the path to the certificate file for the service principal to authenticate against the Key Vault.
Tip
You can copy the service principal information from the Azure portal or the Azure CLI.
Now the application can retrieve the Redis password from the Azure Key Vault.
Use Key Vault when running on Kubernetes
Consuming Azure Key Vault with Dapr and Kubernetes also requires a service principal to authenticate against the Azure Key Vault.
First, create a Kubernetes secret that contains a certificate file using the kubectl CLI tool:
```bash
kubectl create secret generic [k8s_spn_secret_name] --from-file=[pfx_certificate_file_local_path] -n eshop
```

The command requires two command-line arguments:
[k8s_spn_secret_name] is the secret name in the Kubernetes secret store.
[pfx_certificate_file_local_path] is the path of the X509 certificate file.
Once created, you can reference the Kubernetes secret in the secret store component configuration file:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-azurekv-secret-store
  namespace: eshop
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: [your_keyvault_name]
  - name: spnTenantId
    value: "619926af-a7c3-4e95-93ed-4ecc4e3e652b"
  - name: spnClientId
    value: "6cf48032-6c38-43be-9d6f-2a43ce736b09"
  - name: spnCertificate
    secretKeyRef:
      name: [k8s_spn_secret_name]
      key: [pfx_certificate_file_local_name]
auth:
  secretStore: kubernetes
```

At this point, an application running in Kubernetes can retrieve the Redis password from the Azure Key Vault.
Important
It's critical to keep the X509 certificate file for the service principal in a safe place. It's best to place it in a well-known folder outside the source-code repository. The configuration file can then reference the certificate file from this well-known folder. On a local development machine, you're responsible for copying the certificate to the folder. For automated deployments, the pipeline will copy the certificate to the machine where the application is deployed. It's a best practice to use a different service principal per environment. Doing so prevents a service principal from a DEVELOPMENT environment from accessing secrets in a PRODUCTION environment.
When running in Azure Kubernetes Service (AKS), it's preferable to use an Azure Managed Identity for authenticating against Azure Key Vault. Managed identities are outside of the scope of this book, but are explained in the Azure Key Vault with managed identities documentation.
Scope secrets
Secret scopes allow you to control which secrets your application can access. You configure scopes in a Dapr sidecar configuration file. The Dapr configuration documentation provides instructions for scoping secrets.
Here's an example of a Dapr sidecar configuration file that contains secret scopes:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: dapr-config
  namespace: eshop
spec:
  tracing:
    samplingRate: "1"
  secrets:
    scopes:
    - storeName: eshop-azurekv-secret-store
      defaultAccess: allow
      deniedSecrets: ["redisPassword", "apiKey"]
```

You specify scopes per secret store. In the above example, the secret store is named eshop-azurekv-secret-store. You configure access to secrets using the following properties:
| Property | Value | Description |
|---|---|---|
| defaultAccess | allow or deny | Allows or denies access to all secrets in the specified secret store. This property is optional with a default value of allow. |
| allowedSecrets | List of secret keys | Secrets specified in the array will be accessible. This property is optional. |
| deniedSecrets | List of secret keys | Secrets specified in the array will NOT be accessible. This property is optional. |
The allowedSecrets and deniedSecrets properties take precedence over the defaultAccess property. Imagine specifying defaultAccess: allow and an allowedSecrets list. In this case, only the secrets in the allowedSecrets list would be accessible by the application.
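The precedence rules above are easy to get wrong when reviewing a configuration, so here is an added Python model of the scope evaluation (example code written for this page, not Dapr's implementation) that applies them to the dapr-config resource shown above plus a second, deny-by-default scope for the local store. Exact key matching and "no scope entry means unrestricted" are assumptions of this model.

```python
"""Added example: a Python model of Dapr secret scoping (defaultAccess,
allowedSecrets, deniedSecrets) with the precedence the chapter describes.
Not Dapr's implementation; key matching is exact here (an assumption)."""
from dataclasses import dataclass, field


@dataclass
class SecretScope:
    store_name: str
    default_access: str = "allow"          # "allow" or "deny"
    allowed_secrets: list = field(default_factory=list)
    denied_secrets: list = field(default_factory=list)

    def is_allowed(self, key):
        # A non-empty allow list is exhaustive: only its keys are readable,
        # regardless of defaultAccess.
        if self.allowed_secrets:
            return key in self.allowed_secrets
        # Otherwise a deny list removes individual keys ...
        if key in self.denied_secrets:
            return False
        # ... and everything else follows defaultAccess.
        return self.default_access.lower() == "allow"


class SecretScopes:
    """Scopes from a Dapr Configuration resource (dict form), looked up per store."""

    def __init__(self, config):
        scopes = config.get("spec", {}).get("secrets", {}).get("scopes", [])
        self._by_store = {}
        for s in scopes:
            scope = SecretScope(
                store_name=s["storeName"],
                default_access=s.get("defaultAccess", "allow"),
                allowed_secrets=list(s.get("allowedSecrets", [])),
                denied_secrets=list(s.get("deniedSecrets", [])),
            )
            self._by_store[scope.store_name] = scope

    def is_allowed(self, store_name, key):
        scope = self._by_store.get(store_name)
        if scope is None:
            return True  # no scope configured for this store: unrestricted (assumed)
        return scope.is_allowed(key)

    def check(self, store_name, key):
        """Gate a secrets API call the way the sidecar would: raise when denied."""
        if not self.is_allowed(store_name, key):
            raise PermissionError(f"access to secret '{key}' in store '{store_name}' is denied by scope")


# dict form of the dapr-config Configuration above, plus a deny-by-default
# scope for the local store to show the least-privilege form
DAPR_CONFIG = {
    "apiVersion": "dapr.io/v1alpha1",
    "kind": "Configuration",
    "metadata": {"name": "dapr-config", "namespace": "eshop"},
    "spec": {
        "tracing": {"samplingRate": "1"},
        "secrets": {"scopes": [
            {"storeName": "eshop-azurekv-secret-store",
             "defaultAccess": "allow",
             "deniedSecrets": ["redisPassword", "apiKey"]},
            {"storeName": "eshop-local-secret-store",
             "defaultAccess": "deny",
             "allowedSecrets": ["eShopRedisPassword"]},
        ]},
    },
}

SCOPES = SecretScopes(DAPR_CONFIG)


def access_matrix():
    """Evaluate a few (store, key) pairs against the configuration."""
    pairs = [
        ("eshop-azurekv-secret-store", "redisPassword"),
        ("eshop-azurekv-secret-store", "sendgridAPIKey"),
        ("eshop-local-secret-store", "eShopRedisPassword"),
        ("eshop-local-secret-store", "connectionStrings:customerdb"),
        ("kubernetes", "eshopsecrets"),
    ]
    return {f"{s}/{k}": SCOPES.is_allowed(s, k) for s, k in pairs}


if __name__ == "__main__":
    for entry, allowed in access_matrix().items():
        print(f"{'allow' if allowed else 'deny ':5} {entry}")
```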
Reference application: eShopOnDapr
The eShopOnDapr reference application uses the secrets building block for two secrets:
The password for connecting to the Redis cache.
The API key for using the Twilio SendGrid API. The application uses Twilio to send emails using a Dapr output binding (as described in the bindings building block chapter).
When running the application using Docker Compose, the local file secret store is used. The component configuration file eshop-secretstore.yaml is found in the dapr/components folder of the eShopOnDapr repository:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eshop-secretstore
  namespace: eshop
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: ./components/eshop-secretstore.json
```

The configuration file references the local store file eshop-secretstore.json located in the same folder:
```json
{
  "redisPassword": "**********",
  "sendgridAPIKey": "**********"
}
```

The components folder is specified in the command line and mounted as a local folder inside the Dapr sidecar container. Here's a snippet from the docker-compose.override.yml file in the repository root that specifies the volume mount:
```yaml
ordering-backgroundtasks-dapr:
  command: ["./daprd",
    "-app-id", "ordering-backgroundtasks",
    "-app-port", "80",
    "-dapr-grpc-port", "50004",
    "-components-path", "/components",
    "-config", "/configuration/eshop-config.yaml"]
  volumes:
    - "./dapr/components/:/components"
    - "./dapr/configuration/:/configuration"
```

Note
The Docker Compose override file contains environment-specific configuration values.
The /components volume mount and --components-path command-line argument are passed into the daprd startup command.
Once configured, other component configuration files can also reference the secrets. Here's an example of the Publish/Subscribe component configuration consuming secrets:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: pubsub
  namespace: eshop
spec:
  type: pubsub.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis:6379
  - name: redisPassword
    secretKeyRef:
      name: redisPassword
auth:
  secretStore: eshop-secretstore
```

In the preceding example, the pub/sub component obtains the Redis password from the eshop-secretstore local file secret store instead of carrying it in clear text.
Summary
The Dapr secrets building block provides capabilities for storing and retrieving sensitive configuration settings like passwords and connection-strings. It keeps secrets private and prevents them from being accidentally disclosed.
The building block supports several different secret stores and hides their complexity with the Dapr secrets API.
The Dapr .NET SDK provides a DaprClient object to retrieve secrets. It also includes a .NET configuration provider that adds secrets to the .NET Core configuration system. Once loaded, you can consume these secrets in your .NET code.
You can use secret scopes to control access to specific secrets.