How to pass the DB AWS secret into tomcat context.xml?

Question

I have a context.xml where I am connecting to DB.

<?xml version='1.0' encoding='utf-8'?>
<Context>
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

<Resource name="jdbc/SS"
        auth="Container"
        type="javax.sql.DataSource"
        factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
        username="a***b"
        password="C********1"
        driverClassName="org.postgresql.Driver"
        url="jdbc:postgresql://**********:****/a***b"
        maxActive="100"
        maxIdle="50"
        minIdle="10"
        testWhileIdle="true"
        maxWait="30000"
        maxAge="60000"
        removeAbandoned="true"
        removeAbandonedTimeout="600" />
</Context>

I need to get the DB credentials from the secret manager and pass the values into the context.xml by replacing the hardcoded DB credentials.

Is there any way to achieve this?

Answer 1

Score: 2

If you want to load the DB credentials dynamically, it is possible only at the time Tomcat loads context.xml, once (because Tomcat reads environment variables only once, at startup).

Notice that at runtime, whenever context.xml changes, the relevant web application reloads. Tomcat is not restarted.

So the trick is to deliver the DB credentials as a JVM parameter/argument, like the ${catalina.base} above.

There are 3 stages:

  1. Declare the environment variable and set its value:

    export DB_CREDENTIALS='*****'
    

    A good place is Tomcat's user login script, .bash_profile, or the Tomcat environment's setenv.sh.

  2. Create a JVM parameter (system variable) for the environment variable: add the following line to setenv.sh before the last line.

    -Denvironment.db.credentials=${DB_CREDENTIALS} \
    
  3. Use/call the declared JVM parameter in context.xml. For example:

    url="jdbc:postgresql://**********:****/${environment.db.credentials}"
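
The three stages above, wired to AWS Secrets Manager, as an added example that is not part of the original answer: a setenv.sh fragment that fetches the secret with the AWS CLI and turns it into -D system properties for context.xml. The secret name in SECRET_ID, the flat JSON layout with username and password fields, and the property names environment.db.username and environment.db.password are assumptions.

```shell
#!/bin/sh
# Added example: setenv.sh fragment (sourced by catalina.sh at startup).
# Assumptions: SECRET_ID names the secret; SecretString is flat JSON like
# {"username":"...","password":"..."} (constructed layout, not from the page).

# Stage 1: read the secret instead of hardcoding it in an export line.
fetch_secret() {
    aws secretsmanager get-secret-value --secret-id "$1" \
        --query SecretString --output text
}

# Extract one top-level string field. Limitation: values holding a double
# quote or backslash are not handled (is_shell_safe refuses them anyway).
json_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Refuse empty values and anything that would need quoting inside
# CATALINA_OPTS (spaces, quotes, $, ;, backslash ...): fail closed.
is_shell_safe() {
    case $1 in
        ''|*[!A-Za-z0-9._~+=/@%:-]*) return 1 ;;
    esac
}

# Stage 2: map the secret's fields to -D system properties.
build_db_opts() {
    user=$(json_field "$1" username)
    pass=$(json_field "$1" password)
    if ! is_shell_safe "$user" || ! is_shell_safe "$pass"; then
        echo "secret lacks username/password or needs shell quoting" >&2
        return 1
    fi
    printf '%s %s\n' "-Denvironment.db.username=$user" \
        "-Denvironment.db.password=$pass"
}

# Runs only when SECRET_ID is set; a failed fetch stops the startup.
if [ -n "${SECRET_ID:-}" ]; then
    db_opts=$(build_db_opts "$(fetch_secret "$SECRET_ID")") || exit 1
    CATALINA_OPTS="${CATALINA_OPTS:-} $db_opts"
    export CATALINA_OPTS
    unset db_opts
fi

# Stage 3, in context.xml:
#   username="${environment.db.username}" password="${environment.db.password}"
```

Values passed with -D are part of the JVM command line and readable by anyone who can list processes on the host, and, as the answer notes, they are read once at startup, so a rotated secret takes effect only after Tomcat restarts.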
    

huangapple
  • Posted on 2020-10-20 15:00:34
  • When reposting, please keep the link to this article: https://go.coder-hub.com/64440020.html