spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Is it possible configure spring-cloud-vault with config-server? #588

Closed qbeukes closed 3 years ago

qbeukes commented 3 years ago

We have the same application running with different configurations in many environments. It is not practical to give all possible configurations for database secrets in the bootstrap.yml, so we're hoping to get spring-cloud-vault to load its configuration from config-server.

This doesn't seem to work out of the box because org.springframework.cloud.vault.config.databases.VaultConfigDatabaseBootstrapConfiguration is needed to fetch the secrets and populate the properties for config-server to be able to resolve them.

Is there any specific reason why this needs to happen during bootstrap and is there a possible way to let this coincide with loading config-server?

qbeukes commented 3 years ago

One workaround to our issue is to specify a custom bootstrap.yml in each environment, using -Dspring.cloud.bootstrap.additional-location=/etc/config/bootstrap.yml

But I'm still curious as to why spring-cloud-vault requires configs to be loaded in bootstrap and if there are any ways to get my configs into config-server.

mp911de commented 3 years ago

You can integrate Vault and Config server in different styles:

  1. Use the config client only. You can integrate a Vault EnvironmentRepository that is operated through config server and Config server is going to fetch the secrets for you. However, that works only for key-value repositories.
  2. Mixed: Using config client for non-secrets and Spring Cloud Vault for secrets: Here, the config client and Vault complement each other. You can obtain a set of configuration properties from config server and set up Spring Cloud Vault to fetch database secrets.

By storing the Vault endpoint in your config server, you might run into a chicken-and-egg problem since you need to ensure proper ordering. Depending on the config organization, you need information from Vault to access config server, but you might also need config server first to determine the Vault server endpoint.

You might be interested in checking out Spring Boot's Config Data API which is described here: https://spring.io/blog/2020/08/14/config-file-processing-in-spring-boot-2-4
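The mixed style from point 2, as an added example that is not from the issue or the project: a bootstrap.yml that points the config client at config server for non-secret properties and lets Spring Cloud Vault fetch database credentials directly. The Vault endpoint and the AppRole credentials are resolved here (or from the environment variables it references) rather than from config server, which sidesteps the chicken-and-egg ordering described above; the hostnames, application name and Vault role name are placeholders.

```yaml
spring:
  application:
    name: inventory-service                      # placeholder application name
  cloud:
    config:
      # Non-secret configuration comes from config server (style 2 above).
      uri: https://config.example.internal:8888  # placeholder host
      fail-fast: true
    vault:
      # The Vault endpoint is fixed in bootstrap, not fetched from config server,
      # so neither system has to be reachable before the other can be located.
      uri: https://vault.example.internal:8200   # placeholder host
      # AppRole instead of a static token; the secret-id is injected through the
      # environment at deploy time and never written into this file.
      authentication: APPROLE
      app-role:
        role-id: ${VAULT_ROLE_ID}
        secret-id: ${VAULT_SECRET_ID}
      # Ask Vault's database secrets engine for short-lived DB credentials and
      # expose them under the property names the DataSource already reads.
      database:
        enabled: true
        backend: database
        role: inventory-readonly                 # placeholder Vault database role
        username-property: spring.datasource.username
        password-property: spring.datasource.password
```

Supplied per environment through the -Dspring.cloud.bootstrap.additional-location flag from the workaround above, only the hostnames and the Vault role need to differ between environments.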

qbeukes commented 3 years ago

@mp911de Thanks for the information. I think the additional-location option will be the best going forward.

PS. Next time I'll ask for support on Stack Overflow. I forgot the official Spring support is on Stack Overflow. So if you wish you can remove this issue since I learned what I needed.