In my Spring Boot project I defined 4 profiles: ide, dev, test and prod. When I run the project using IntelliJ with profile ide, everything works fine and properties are retrieved from the ide profile in the Vault. But during deployment on the dev server, when I select the dev profile using the argument -Dspring.profiles.active=dev, the dev profile is being selected but the ide profile's properties are being retrieved.
CustomVaultConfigurer.java
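    import org.springframework.cloud.vault.config.SecretBackendConfigurer;
    import org.springframework.cloud.vault.config.VaultConfigurer;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class CustomVaultConfigurer implements VaultConfigurer
    {
        @Override
        public void addSecretBackends(SecretBackendConfigurer configurer)
        {
            // Registers the secret path of every environment, whatever profile is active
            configurer.add("secret/app/pres/ide");
            configurer.add("secret/app/pres/dev");
            configurer.add("secret/app/pres/test");
            configurer.add("secret/app/pres/prod");
            configurer.registerDefaultGenericSecretBackends(false);
            configurer.registerDefaultDiscoveredSecretBackends(true);
        }
    }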
Error Log:
2020-05-27 19:28:25.663 INFO 1 --- [ main] gov.cancer.ccr.oit.pres.PresApplication : The following profiles are active: dev
2020-05-27 19:28:28.495 INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFERRED mode.
2020-05-27 19:28:29.710 INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 1203ms. Found 55 JPA repository interfaces.
2020-05-27 19:28:30.142 INFO 1 --- [ main] o.s.cloud.context.scope.GenericScope : BeanFactory id=87545ee5-101d-3ebb-a79a-d12f99f15e9c
2020-05-27 19:28:31.002 INFO 1 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@70c53dbe' of type [org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-05-27 19:28:31.011 INFO 1 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityConfig' of type [gov.cancer.ccr.oit.pres.security.MethodSecurityConfig$$EnhancerBySpringCGLIB$$8721baa3] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-05-27 19:28:31.033 INFO 1 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-05-27 19:28:31.608 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2020-05-27 19:28:31.635 INFO 1 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2020-05-27 19:28:31.636 INFO 1 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.35]
2020-05-27 19:28:31.778 INFO 1 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2020-05-27 19:28:31.778 INFO 1 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 6069 ms
2020-05-27 19:28:32.616 INFO 1 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2020-05-27 19:28:32.909 INFO 1 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting...
2020-05-27 19:29:03.630 ERROR 1 --- [ main] com.zaxxer.hikari.pool.HikariPool : HikariPool-1 - Exception during pool initialization.
com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host localhost, port 1433 has failed. Error: "Connection refused (Connection refused). Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.".
But when I place the ide profile at the end of the list (shown below), it works:

    configurer.add("secret/app/pres/dev");
    configurer.add("secret/app/pres/test");
    configurer.add("secret/app/pres/prod");
    configurer.add("secret/app/pres/ide");

Okay. Dumb part on my end. As per Mark's comment: when you're using configurer.add(…) in combination with configurer.registerDefaultGenericSecretBackends(false), then Spring Cloud Vault does not look at spring.profiles.active at all but rather uses what your VaultConfigurer specifies.
The updated VaultConfigurer looks like below, and active profile is retrieved from
VaultConfigurer.java
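    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.cloud.vault.config.SecretBackendConfigurer;
    import org.springframework.cloud.vault.config.VaultConfigurer;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.env.Environment;

    @Configuration
    public class CustomVaultConfigurer implements VaultConfigurer
    {
        @Autowired
        private Environment environment;

        @Override
        public void addSecretBackends(SecretBackendConfigurer configurer)
        {
            // Get the active profile from the environment; if none exists, select the dev profile
            if (environment.getActiveProfiles().length > 0)
                configurer.add("secret/app/pres/" + environment.getActiveProfiles()[0]);
            else
                configurer.add("secret/app/pres/dev");
            configurer.registerDefaultGenericSecretBackends(false);
            configurer.registerDefaultDiscoveredSecretBackends(true);
        }
    }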
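
A stricter variant of the configurer in the answer above, as an added example (not the poster's code): it accepts only the four environment names from the question and fails startup when zero or several of them are active, instead of taking the first profile or defaulting to dev. The class name `SingleProfileVaultConfigurer` and the helper `resolvePath` are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.cloud.vault.config.SecretBackendConfigurer;
import org.springframework.cloud.vault.config.VaultConfigurer;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class SingleProfileVaultConfigurer implements VaultConfigurer {

    // Environments that have a secret path in Vault (names taken from the question).
    private static final List<String> KNOWN = Arrays.asList("ide", "dev", "test", "prod");
    private static final String BASE_PATH = "secret/app/pres/";

    private final Environment environment;

    public SingleProfileVaultConfigurer(Environment environment) {
        this.environment = environment;
    }

    // Pure function (hypothetical helper) so the selection rule can be unit-tested without Vault.
    static String resolvePath(String[] activeProfiles) {
        // Only allow-listed names can become part of the Vault path.
        List<String> matches = Arrays.stream(activeProfiles)
                .filter(KNOWN::contains)
                .collect(Collectors.toList());
        if (matches.size() != 1) {
            // Fail closed: no silent fallback to another environment's secrets.
            throw new IllegalStateException("Expected exactly one of " + KNOWN
                    + " in spring.profiles.active, got " + Arrays.toString(activeProfiles));
        }
        return BASE_PATH + matches.get(0);
    }

    @Override
    public void addSecretBackends(SecretBackendConfigurer configurer) {
        // Register a single path, so only this environment's secrets are read.
        configurer.add(resolvePath(environment.getActiveProfiles()));
        configurer.registerDefaultGenericSecretBackends(false);
        configurer.registerDefaultDiscoveredSecretBackends(true);
    }
}
```

The same separation should also be enforced on the Vault side: the token each server uses should be granted read access only to its own environment's path, so a misconfigured profile cannot read another environment's secrets.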