spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

ConfigData default location may have incorrect profile precedence order #568

Closed bwoods8 closed 3 years ago

bwoods8 commented 3 years ago

I am using Spring Cloud Vault 3.0.0 and Spring Boot 2.4.2. I am noticing that the order of precedence seems to be not what I expected. /secret/appname has higher precedence over /secret/appname/profile.

The configuration looks similar to this:

spring.application.name: appname

spring.cloud.vault:
  application-name: ${spring.application.name}
  uri: https://localhost:8200
  fail-fast: true
  authentication: APPROLE
  app-role:
    role-id: role-id
    secret-id: secret-id
spring.config.import: vault://

In vault using KV v2:

/secret/application
/secret/application/profile
/secret/appname
/secret/appname/profile

I used a simple hello world app from Spring Boot examples to use external configuration values. If I add name=Mars to /secret/appname/profile, I see "Mars" output. If I also place name=Earth in /secret/appname, I then see "Earth". I expect to see "Mars", as the profile should override the previous. If I remove name=Earth from /secret/appname, I see "Mars" again.

I get this expectation from:

https://docs.spring.io/spring-boot/docs/2.4.0-SNAPSHOT/reference/htmlsingle/#boot-features-external-config-files-profile-specific

Profile-specific properties are loaded from the same locations as standard application.properties, with profile-specific files always overriding the non-specific ones. If several profiles are specified, a last-wins strategy applies. For example, if profiles prod,live are specified by the spring.profiles.active property, values in application-prod.properties can be overridden by those in application-live.properties.

If I am doing something wrong or my understanding is flawed, please let me know.

Thanks for all the hard work!

mp911de commented 3 years ago

VaultConfigDataLocationResolver.resolveProfileSpecific(…) actually returns VaultConfigLocation in exactly the specified order. Need to investigate why the property sources get added to Environment in reverse order.

mp911de commented 3 years ago

Seems that Boot expects the list of config locations in ascending order while we return the list in descending order. So flipping the list should do the trick.
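
Added example (not part of the thread, and not Spring Boot or Spring Cloud Vault code): a small model of the ordering mismatch described above, using the four context paths and the name=Earth / name=Mars values from the report. The class name, the resolve helper and the exact descending order of the four paths are assumptions made for illustration; the consumer is simplified to "later location wins".

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical model class; it does not call any Spring API.
public class VaultPrecedenceModel {

    // Constructed sample data: the context paths from the report and the keys stored in them.
    static final Map<String, Map<String, String>> VAULT = new LinkedHashMap<>();
    static {
        VAULT.put("/secret/application", Map.of());
        VAULT.put("/secret/application/profile", Map.of());
        VAULT.put("/secret/appname", Map.of("name", "Earth"));
        VAULT.put("/secret/appname/profile", Map.of("name", "Mars"));
    }

    // Simplified consumer: locations are read in list order and a later
    // location overrides an earlier one (ascending precedence, last wins).
    static String resolve(List<String> locations, String key) {
        String value = null;
        for (String location : locations) {
            String candidate = VAULT.getOrDefault(location, Map.of()).get(key);
            if (candidate != null) {
                value = candidate; // later entry replaces the earlier one
            }
        }
        return value;
    }

    public static void main(String[] args) {
        // Assumed descending order: most specific path first.
        List<String> descending = List.of(
                "/secret/appname/profile", "/secret/appname",
                "/secret/application/profile", "/secret/application");

        // The proposed remedy: flip the list before handing it to the consumer.
        List<String> ascending = new ArrayList<>(descending);
        Collections.reverse(ascending);

        // With the descending list the generic path is read last and wins;
        // with the flipped list the profile-specific path is read last and wins.
        System.out.println("descending list -> name=" + resolve(descending, "name"));
        System.out.println("flipped list    -> name=" + resolve(ascending, "name"));
    }
}
```

The same check is worth keeping as a regression test wherever profile-specific secrets (for example production credentials) must never be shadowed by a shared path.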