spring-cloud / spring-cloud-config

External configuration (server and client) for Spring Cloud
Apache License 2.0

Support Vault health endpoint in health check #1536

Open csterwa opened 4 years ago

csterwa commented 4 years ago

Problem

If a Vault token is not provided to the Config Server when accessing its health actuator, then the Vault backend health check will respond as failed.

Requested Solution

If a Vault token is not provided, the Config Server health check should not fail and may provide just the Vault server's health status API response instead.

https://www.vaultproject.io/api/system/health.html

spencergibb commented 4 years ago

Should this be in Spring Cloud Config?

csterwa commented 4 years ago

Moved to Spring Cloud Config repo.

habuma commented 4 years ago

The best solution, IMO, is to have Vault's environment repository fail gracefully when there is no token. That addresses the health indicator problem, but also addresses other problems such as the requirement that all config clients be given a token, even if only some need secrets from Vault.

In short, if VaultEnvironmentRepository were to return an empty set of secrets when there is no token, rather than failing with an IllegalArgumentException, then it would address the concern with the health indicator, address an SCS-specific need for our dashboard, and allow multiple clients to consume properties from a Vault-backed config server, even if they don't have the Vault token (only those with a token will receive Vault secrets, though).
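
The behaviour discussed in this thread, as an added sketch that is not part of the issue and is not Spring Cloud Config code: a health probe that calls Vault's unauthenticated sys/health endpoint without a token, and a lookup that returns no secrets when no token is supplied. All class and method names, the three-value status, and the mapping of standby codes to DEGRADED are assumptions; the status codes are Vault's documented defaults for that endpoint.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Map;
import java.util.function.Function;

// Hypothetical sketch: none of these names are Spring Cloud Config APIs.
public class VaultHealthSketch {
    enum Status { UP, DEGRADED, DOWN }

    // Vault's default status codes for GET /v1/sys/health (no token required).
    static Status fromSysHealth(int code) {
        switch (code) {
            case 200: return Status.UP;        // initialized, unsealed, active
            case 429:                          // unsealed, standby
            case 473: return Status.DEGRADED;  // performance standby (mapping is an assumption)
            default:  return Status.DOWN;      // 472 DR secondary, 501 uninitialized, 503 sealed
        }
    }

    // Tokenless probe: sends no X-Vault-Token header, so it cannot fail for lack of one.
    static Status probe(String vaultAddr) {
        try {
            HttpRequest req = HttpRequest.newBuilder(URI.create(vaultAddr + "/v1/sys/health"))
                    .timeout(Duration.ofSeconds(3)).GET().build();
            HttpResponse<Void> resp = HttpClient.newHttpClient()
                    .send(req, HttpResponse.BodyHandlers.discarding());
            return fromSysHealth(resp.statusCode());
        } catch (Exception e) {                // unreachable, timed out or interrupted
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return Status.DOWN;
        }
    }
    // No token means no secrets: no exception, and never another caller's secrets.
    static Map<String, String> secretsFor(String token, Function<String, Map<String, String>> reader) {
        if (token == null || token.isBlank()) return Map.of();
        return reader.apply(token);
    }
    public static void main(String[] args) {
        // Constructed inputs; runs offline. Pass a Vault address as args[0] to probe a server.
        Function<String, Map<String, String>> fakeReader = t -> Map.of("db.password", "constructed-value");
        System.out.println(secretsFor(null, fakeReader));
        System.out.println(secretsFor("constructed-token", fakeReader).keySet());
        for (int code : new int[] {200, 429, 501, 503}) System.out.println(code + " -> " + fromSysHealth(code));
        if (args.length > 0) System.out.println(probe(args[0]));
    }
}
```

The probe discards the response body, so the health output exposes only a coarse status and not the cluster details that sys/health returns.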