Spring Cloud Config Git Authentication Modes
Spring Cloud Config stores its configuration in a shared repository; ours is currently hosted in a repository on BitBucket:

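When the application accesses the repository to fetch configuration, there are two authentication modes: one based on a username and password, and one based on an SSH key.
The usual choice is username/password authentication, which only requires specifying username and password in the configuration file: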
spring:
  application:
    name: config-server
  cloud:
    config:
      server:
        git:
          uri: https://bitbucket.aac.com/scm/aco/api_platform_configuration.git
          username: 60054814
          password: xxxxxx
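However, after the account password changes, the password in the configuration file must be updated to match, which is a bit of a hassle. Therefore, where intranet domain accounts are required to change their passwords periodically, SSH-key-based authentication is recommended.
SSH-key-based authentication first requires generating a key pair (the following steps are for CentOS 7).
Run the following command on any Linux machine: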
ssh-keygen -t rsa -C "QAS of API"
-C sets the key's identifying comment; it can be an email address or any recognizable phrase.
[root@VLXCNECZ01APIQ2 .ssh]# ssh-keygen -t rsa -C "QAS of API"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:G+bx0Afv/8e689BbygDTotYsyJz1maCLfVDxQdLMU4Q QAS of API
The key's randomart image is:
+---[RSA 2048]----+
| .=.+o |
| ..E |
| o.o |
| ...+ |
| .S = + |
| o.B % O . |
| *.* B o ..o|
| o o.. +.o=|
| . o. *B+|
+----[SHA256]-----+
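The complete command output is shown above; answer the prompts according to your actual requirements.
When finished, go to the key storage path shown in the prompts above, then use the cat command to view the public key: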
[root@VLXCNECZ01APIQ2 .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@VLXCNECZ01APIQ2 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgXMPeViknsXXXXXXXXXXXXXXXXXXXXXXXXXXX QAS of API
Copy the public key, open Account - SSH Keys in BitBucket, and click Add Key to add the key:

Once it has been added, go back to the server where the SSH key was generated and get the private key:
[root@VLXCNECZ01APIQ2 .ssh]# cat id_rsa
Copy the private key portion, open the Spring Cloud Config configuration file, and add the following configuration:
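spring:
  application:
    name: config-server
  cloud:
    config:
      server:
        git:
          # The SSH key settings below are only used when the URI is in SSH format.
          uri: https://bitbucket.aac.com/scm/aco/api_platform_configuration.git
          clone-on-start: true
          force-pull: true
          # Turns off TLS certificate validation for HTTPS connections to the Git server.
          skip-ssl-validation: true
          default-label: master
          ignoreLocalSshSettings: true
          # hostKey takes the Git server's base64-encoded public host key.
          hostKey: QAS of API
          hostKeyAlgorithm: ssh-rsa
          privateKey: |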
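How to write this private key portion is a sticking point. According to the Spring Cloud Config documentation, it must be introduced with a pipe character (|) and then pasted in; note that every line needs to be aligned using the Tab key, and once the format is correct, the text turns gray in Notepad++: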

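With this configuration in place, Spring Cloud Config fetches its configuration from the Git repository over SSH at startup, and changes to the domain account password no longer need to be considered.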
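As an added example (not part of the original post), the shell function below renders the SSH part of the git settings from a key file, so the block scalar under privateKey comes out with consistent space indentation and the complete PEM text. The function name, the example.test host and the repository path are assumptions made for illustration; the property names are the ones used in the configuration above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Arguments:
#   $1  SSH-format repository URI (constructed placeholder in the usage line)
#   $2  one known_hosts / ssh-keyscan line for the Git server:
#       "<host> <algorithm> <base64 host key>"
#   $3  path to the PEM private key file
render_git_ssh_config() {
  local uri="$1" host_line="$2" pem="$3" algo key
  case "$uri" in
    http://*|https://*)
      echo "privateKey only applies to SSH-format URIs: $uri" >&2; return 1 ;;
  esac
  # The value must be the whole PEM file, BEGIN and END lines included.
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" &&
    grep -q -e '-----END .*PRIVATE KEY-----' "$pem" ||
    { echo "PEM BEGIN/END lines missing in $pem" >&2; return 1; }
  # hostKey is the server's public host key, not the -C comment of our key.
  algo=$(printf '%s\n' "$host_line" | awk '{print $2}')
  key=$(printf '%s\n' "$host_line" | awk '{print $3}')
  [ -n "$key" ] || { echo "malformed host key line" >&2; return 1; }
  # Legacy PEM files carry an ENCRYPTED header when a passphrase was set.
  if grep -q 'ENCRYPTED' "$pem"; then
    echo "warning: key is passphrase-protected; the server needs the passphrase too" >&2
  fi
  cat <<EOF
spring:
  cloud:
    config:
      server:
        git:
          uri: $uri
          ignoreLocalSshSettings: true
          hostKey: $key
          hostKeyAlgorithm: $algo
          privateKey: |
EOF
  # Block-scalar body: one level deeper than the key, spaces only
  # (YAML does not accept tab characters as indentation).
  tr -d '\r' <"$pem" | sed 's/^/            /'
}

# Usage (all values are placeholders):
#   render_git_ssh_config 'ssh://git@git.example.test/proj/repo.git' \
#     "$(ssh-keyscan -t rsa git.example.test 2>/dev/null)" ~/.ssh/id_rsa
```

ssh-keyscan does not authenticate the key it returns, so compare its fingerprint with one obtained from the Git server's administrator before pinning it as hostKey.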