spring-cloud / spring-cloud-config

External configuration (server and client) for Spring Cloud
Apache License 2.0

spring-cloud-config-client: Load properties from Vault first. #2326

Open kis024 opened 1 year ago

kis024 commented 1 year ago

We've added basic auth to our config server, we want to store credentials for config clients in vault. This flow doesn't work since RestTemplate that connects to config server is constructed much earlier than properties are loaded from vault (spring-cloud-dependencies: 2022.0.4).

Possible solution: If spring-cloud-starter-vault-config is present on the class path and connection info is known, the following order of value resolution could be used:

ryanjbaxter commented 1 year ago

Are you using spring.config.import? can you provide its configuration?

kis024 commented 1 year ago

yes, spring.config.import: vault://, configserver:https://... or spring.config.import: configserver:https://..., vault://

ryanjbaxter commented 1 year ago

Is this in your application yaml/properties?

can you try setting an environment variable/system property just for the vault import and leave the config server import in the application configuration file?

kis024 commented 1 year ago

Tried, same result but different behaviour (I was even surprised that it worked, I thought spring.config.import from an env var would override the value from the config file :)). I noticed that the connection to vault is now made before connecting to config-server. But property values are still not resolved and authentication failed.

ryanjbaxter commented 1 year ago

Ok. We will have to take a look at it. It might be a limitation of Spring Boot, but we will look into it.

ENate commented 10 months ago

Hi. Has this issue been resolved? I am trying to load config properties from spring cloud config server (using a username and password) after loading other spring config server from vault. It seems the property sources cannot be loaded by clients when I used spring.config.import: optional:configserver: http://username:password@config-server:PORT. Any help will be welcomed.

ryanjbaxter commented 10 months ago

@ENate are you trying to load the username and password used to authenticate with the config server from vault?

Something like spring.import.config=http://${config.server.username}:${config.server.password}@localhost:8888 where config.server.username and config.server.password are coming from vault?

ENate commented 10 months ago

Yes @ryanjbaxter, thanks for putting it so clearly. I have been looking for ways to handle this issue but can't find any. I did it this way (with a yaml file, which is basically the same):

spring:
  import:
    config: http://${CONFIG_USER}:${CONFIG_PASSWORD}@localhost:8888

I defined spring.cloud.config.username and spring.cloud.config.password as keys with their corresponding secrets inside vault and passed them in place of username and password, but it did not work. I implemented Spring Security authentication for the config server with a database backend. So, I do not know if there is a special mechanism to be used by config clients to retrieve properties from the Spring Cloud Config server via vault. I got the following in the config server logs (which I believe came from the client):

find using query: { "username" : "${CONFIG_USER}"} fields: Document{{}} for class: class com.mypackage..ConfigUserEntity in collection: config_user_server_details

Thanks again
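Two things in the post above are worth separating. First, the property key: Spring Boot reads the import list from spring.config.import (the key kis024 used earlier in this thread); spring.import.config is not a key Boot looks at, so a file using it never triggers a config-server import at all. Second, the server log line shows the literal text ${CONFIG_USER} arriving in the username field, which means the client sent the placeholder unresolved. That literal ${...} in a server-side log is the quickest indicator that placeholder resolution happened too early, independent of whether the credentials themselves are correct. The following application.yaml is an added example written for this thread, not a file posted by its participants or shipped by the project; the vault:// and configserver: import syntax comes from the thread, while the placeholder names and the port are assumptions, and the thread reports that this ordering still leaves the placeholders unresolved with spring-cloud-dependencies 2022.0.4:

```yaml
# Added example for this thread (not from the participants or the project).
# Corrected key: the import list lives under spring.config.import,
# not spring.import.config.
spring:
  config:
    import:
      # Vault first, so its secrets are (intended to be) available before
      # the config-server import is resolved. The thread reports this still
      # fails: the client's RestTemplate is built before Vault properties
      # are loaded, so the placeholders below reach the server verbatim.
      - "vault://"
      # Placeholder names are assumed; they must match the keys stored in Vault.
      - "optional:configserver:http://${CONFIG_USER}:${CONFIG_PASSWORD}@localhost:8888"
```

Diagnostic check for the defender running the config server: grep the server's authentication log for the string "${" (for example the line "find using query: { \"username\" : \"${CONFIG_USER}\"}" quoted above). If a placeholder appears there, the problem is resolution order on the client, not the credentials in Vault, and rotating the secret will not help.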