Tags: spring, spring-boot, hashicorp-vault, spring-cloud-vault-config, spring-vault

Properties are not read from Vault on Integrating Vault with Spring Cloud Config Server


I am trying to use Spring Boot config server with git and vault, and all my Spring Boot client applications will retrieve the vault properties via the config server by passing the vault config token.

I am using the spring boot 2.1.8.RELEASE and below is the POM.xml file for my spring boot config server.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.8.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>com.ps.psc</groupId>
<artifactId>psc-config-server</artifactId>
<version>0.0.1</version>
<name>psc-config-server</name>
<description>Spring configuration server</description>

<properties>
    <java.version>1.8</java.version>
    <spring-cloud.version>Greenwich.SR2</spring-cloud.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-bus-amqp</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-config-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-config-monitor</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-configuration-processor</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-devtools</artifactId>
    </dependency>
</dependencies>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
</project>

The bootstrap.yml file

spring:
  profiles:
    active:
    - git
    - vault
  cloud:
    config:
      enabled: true
      server:
        git:
          order: 2
          username: ********
          password: ********
          uri: https://*******@bitbucket.org/krushna/configuration.git
          search-paths:
          - payment*
        vault:
          host: 127.0.0.1
          port: 8200
          scheme: http
          order: 1
          skip-ssl-validation: true
          kv-version: 1
    vault:
      authentication: TOKEN
      token: s.PB5cAJ9WhOuWamIOuFVkzpbl
      scheme: http
      host: 127.0.0.1
      port: 8200
      config:
        order: 1

My application.yml file

server:
  port: 7000
spring:
  application:
    name: configserver

With the above configuration my config server is able to read the properties only from git, not from vault.

In vault I have written a property like below.

vault write secret/payment password=test@123

If I make curl call like below

curl -X "GET" "http://127.0.0.1:7000/payment/default" -H "X-Config-Token: s.PB5cAJ9WhOuWamIOuFVkzpbl"

I am getting properties from git only; response below.

{
"name": "payment",
"profiles": ["default"],
"label": null,
"version": "e9b941d22f6b7cd3083a731d168f78fa4ec0fc42",
"state": null,
"propertySources": [{
    "name": "https://******@bitbucket.org/krushna/configuration.git/application.properties",
    "source": {
        "foofromGit": "bar"
    }
}]
}

What am I doing wrong here? I have tried multiple options like a different KV version, only configuring spring cloud config vault, etc.

Edit:

I have used the vault conf like below.

backend "file" {
    path = "vault"
}
listener "tcp" {
    tls_disable = 1
}

and doing a curl to vault directly I am able to read the value now.

curl -X GET -H "X-Vault-Token:s.PB5cAJ9WhOuWamIOuFVkzpbl" http://127.0.0.1:8200/v1/secret/payment/

response:

{
    "request_id": "35c8793e-3530-81c1-7917-3e922ef4065b",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 2764800,
    "data": {
        "password": "test@123"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

Solution

  • I am able to fix the issue by moving the git and spring cloud config vault configuration details from bootstrap.yml to application.yml like below.

    bootstrap.yml

    spring:
      application:
        name: configserver
      cloud:
        vault:
          authentication: TOKEN
          token: s.jyFarEyroi5pJNOxPnhT4f3D
          scheme: http
          host: 127.0.0.1
          port: 8200
          config:
            order: 1
    

    Application.yml

    server:
      port: 7000
    spring:
      profiles:
        active: git, vault
      cloud:
        config:
          server:
            git:
              uri: https://krushna@bitbucket.org/krushna/configuration.git
              search-paths:
              - payment*
            vault:
              port: 8200
              host: 127.0.0.1
              skip-ssl-validation: true
              scheme: http
    

    I am still not clear how this fixes the issue. The only thing I know is that bootstrap will load first, and I am reading the git credentials from vault, and then application.yml has the other details for the spring cloud config vault and git.

    Any explanation on this will be really welcome.
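To tell apart "Vault backend never answered" from "Vault answered but the key is missing", it helps to inspect the config server's JSON response rather than eyeballing it. The following is an added diagnostic (not code from the question or the answer) that groups the `propertySources` by backend; it assumes the Spring Cloud Config convention of naming Vault-backed sources `vault:<key>`, and both sample responses below are constructed from the curl output shown in the question.

```python
import json

# Constructed sample: the response shown in the question, where only
# the Git backend contributed a property source.
GIT_ONLY_RESPONSE = json.dumps({
    "name": "payment", "profiles": ["default"], "label": None,
    "version": "e9b941d22f6b7cd3083a731d168f78fa4ec0fc42", "state": None,
    "propertySources": [
        {"name": "https://******@bitbucket.org/krushna/configuration.git/application.properties",
         "source": {"foofromGit": "bar"}},
    ],
})

# Constructed sample of a response once the Vault backend also answers;
# Spring Cloud Config names Vault-backed sources "vault:<key>" (assumption).
BOTH_BACKENDS_RESPONSE = json.dumps({
    "name": "payment", "profiles": ["default"], "label": None,
    "version": "e9b941d22f6b7cd3083a731d168f78fa4ec0fc42", "state": None,
    "propertySources": [
        {"name": "vault:payment", "source": {"password": "test@123"}},
        {"name": "https://******@bitbucket.org/krushna/configuration.git/application.properties",
         "source": {"foofromGit": "bar"}},
    ],
})


def classify_property_sources(response_text):
    """Group property-source names by the backend that produced them."""
    env = json.loads(response_text)
    groups = {"vault": [], "git": [], "other": []}
    for ps in env.get("propertySources", []):
        name = ps.get("name", "")
        if name.startswith("vault:"):
            groups["vault"].append(name)
        elif ".git" in name or name.endswith((".properties", ".yml", ".yaml")):
            groups["git"].append(name)
        else:
            groups["other"].append(name)
    return groups


def missing_backends(response_text, expected=("git", "vault")):
    """Return the expected backends that contributed no property source at all."""
    groups = classify_property_sources(response_text)
    return [backend for backend in expected if not groups.get(backend)]


def vault_keys_present(response_text, keys):
    """Return which of the given keys are served from a Vault-backed source."""
    env = json.loads(response_text)
    found = set()
    for ps in env.get("propertySources", []):
        if ps.get("name", "").startswith("vault:"):
            found.update(k for k in keys if k in ps.get("source", {}))
    return sorted(found)
```

Pass the body of the `curl ... /payment/default` call to `missing_backends`: an answer of `["vault"]` confirms the Vault repository never contributed, which points at the server-side Vault configuration (the bootstrap vs. application.yml placement above) rather than at the secret path.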