Open xieus opened 4 years ago
I think passwords in a file (.conf or .yml) are not a problem; this file is for deployment, not for development. OpenStack Ansible also uses a specific file to save all passwords for all OpenStack services. We just need to add some code to read a specific .conf or .yml file instead of putting credentials in the application properties. This conf or yml file should be prepared by a human before deployment.
Right. The first step for us is to separate config files from source code so that credential-related files are only accessible to DevOps people instead of developers. More advanced password-less mechanisms could also be considered.
Spring Vault + HashiCorp may be a solution to solve the problem. They are all open source. The idea is simple: just put secret data in HashiCorp, and use Spring Vault in the program to retrieve the secret in the code. https://spring.io/projects/spring-vault https://www.vaultproject.io/
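As an added illustration of the Spring Vault approach proposed above (example code written for this thread, not from the project; the Vault address, token environment variables, the `secret/<app>` KV v2 path and the `username`/`password` key names are assumptions), a service can fetch its database credentials from Vault at startup instead of reading them from application.properties:

```java
import java.net.URI;
import java.util.Map;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.Versioned;

public class VaultDbCredentials {

    // Assumed deployment contract: VAULT_ADDR and VAULT_TOKEN are injected by the
    // deployment tooling (never committed), and the secret lives at secret/<app>
    // in a KV version 2 engine with keys "username" and "password".
    public static Map<String, Object> loadDbSecret(String appName) {
        String addr = System.getenv().getOrDefault("VAULT_ADDR", "https://vault.example.internal:8200");
        String token = System.getenv("VAULT_TOKEN");
        if (token == null || token.isEmpty()) {
            // Fail closed: refuse to start rather than fall back to a password in a file.
            throw new IllegalStateException("VAULT_TOKEN not set; cannot load credentials");
        }
        VaultEndpoint endpoint = VaultEndpoint.from(URI.create(addr));
        VaultTemplate vault = new VaultTemplate(endpoint, new TokenAuthentication(token));

        // KV v2 read: the mount is "secret", the path below it is the application name.
        Versioned<Map<String, Object>> secret = vault.opsForVersionedKeyValue("secret").get(appName);
        if (secret == null || secret.getData() == null) {
            throw new IllegalStateException("no secret found at secret/" + appName);
        }
        Map<String, Object> data = secret.getData();
        if (!data.containsKey("username") || !data.containsKey("password")) {
            throw new IllegalStateException("secret/" + appName + " is missing username/password");
        }
        return data;
    }

    public static void main(String[] args) {
        Map<String, Object> creds = loadDbSecret("my-microservice"); // assumed app name
        // Only the username is ever logged; the password stays in memory for the DataSource.
        System.out.println("Loaded DB credentials for user " + creds.get("username"));
        // Example wiring (not shown): pass creds.get("username") / creds.get("password")
        // to the DataSource builder instead of spring.datasource.* properties.
    }
}
```

With this in place, application.properties carries only the Vault address and the secret path, and the token is scoped by a Vault policy that grants read access to that path alone.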
Context
Currently microservice configuration files (e.g. application.properties) store explicit passwords in order to access the database and Keystone. This leaves security concerns for the production environment.
Requirements