spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Invalid configuration is not fatal #685

Open mwisnicki opened 1 year ago

mwisnicki commented 1 year ago

Describe the bug

If configuration is invalid (e.g. wrong SSL certs), then vault config prints an exception and continues execution, even when spring.config.import is not set to optional.

This is probably because in LeaseAwareVaultPropertySource ignoreSecretNotFound is always true.

Sample

bug-vault-bad-config-nonfatal.zip

  1. Use spring-cloud-starter-vault-config:3.1.2
  2. Point config to an invalid Vault URL
  3. Make sure the import is non-optional

spring:
  cloud:
    vault:
      uri: https://bad.site/
      authentication: token
      token: foo
  config:
    import: vault://foo/bar

Log

2023-03-28T13:22:06.206-04:00  INFO 23668 --- [           main] o.s.v.c.e.LeaseAwareVaultPropertySource  : Vault location [foo/bar] not resolvable: I/O error on GET request for "https://bad.site:443/v1/foo/bar": bad.site
2023-03-28T13:22:06.592-04:00  INFO 23668 --- [           main] o.s.cloud.context.scope.GenericScope     : BeanFactory id=13545f80-8375-3886-af6d-4191f093e243
2023-03-28T13:22:06.862-04:00  INFO 23668 --- [           main] e.b.BugVaultBadConfigNonfatalApplication : Started BugVaultBadConfigNonfatalApplication in 1.657 seconds (process running for 2.251)

mwisnicki commented 1 year ago

PS. I know about fail-fast, but spring.config.import has a concept of optional and non-optional imports, and these should be honored IMHO.

mp911de commented 1 year ago

Have you tried setting spring.cloud.vault.fail-fast=true? This has been in place since the bootstrap context.

Generally, we could switch entirely on the built-in mechanism by throwing ConfigDataResourceNotFoundException.