mp911de
commented
1 year ago This scheme comes from aligning with Spring Cloud Config Server to allow application- and environment-specific segmentation of configuration secrets. In the past, we've even extended this scheme as we've seen extensive usage of this approach.
You have three approaches if you need to customize Spring Cloud Vault behavior:
- Individual imports of secrets via
spring.config.import=vault:///my-secret-backend/my-app-path - Implementing
VaultConfigurerto programmatically apply customization - Disable key-value support altogether via
spring.cloud.vault.kv.enabled=false(if you want to import the remaining support for e.g. databases) and mix with individual imports viaspring.config.import=vault://
Let us know how this goes for you.
patpatpat123
Describe the bug Please provide details of the problem, including the version of Spring Cloud that you are using. Version: SpringBoot 3.0.2 + Spring Cloud 2022.0.1 (But it is not version specific, observed with most of recent Spring Cloud Vault versions)
On application startup, Spring Cloud Vault will look into multiple paths of Vault, such as (only listing a few here) secret/myapp secret/application/myprofile secret/application
While I understand this can be a nice features for people storing secrets in multiple Vault paths, this is a little "useless" and actually, detrimental to Vault instance
First of all, if the secrets are only stored in one Vault path, and this is known in advanced, and not multiple paths, it does not make sense for Spring Cloud Vault to search in multiple places, where actually, there will be no other results (since the secrets are only stored in one unique Vault path)
Adding to that, this is detrimental to smaller Vault instances handling multiple instances from multiple different microservices. Not everyone has a giant very strong Vault instance. In our case, our Vault instance is quite small. But this small Vault instance is doing its job perfectly, protecting application secrets like a pro. It hold the secrets from application A, B, C, ... A has 3 instances, B has M instances, C has N instances.
Every time, on applications startup, each instance of each microservice will make a http call to Vault backend. Actually, only one from each is useful, with many duplicates to other paths yielding fore sure no secret.
Is it possible to just tell Vault: Hey, thanks but I am sure my secrets are only in this path /the/path. You do not need to make further http call to all the other paths, because nothing is there.
I hope to have been clear in the description of what seems to be an issue.
Thank you for your time considering it.