Spring cloud config server share binary file - spring

I am using spring configuration server.
While setting up Kafka, I came across the fact that I need to somehow specify binary certificates
spring:
kafka:
ssl:
truststore:
location: /filepath/trust_cert.jks
password: 1234
keystore:
location: /filepath/keystore_cert.jks
password: 1234
Can I somehow put them on the configuration server, and in this case, what should I write to the config, where the path to the file is expected?
I really don’t want to manually upload them to each server, I would like the configuration server to give them
Of course, these urls must be protected, just like configuration server urls

Related

Spring Boot HTTPS on localhost

I had this working on localhost about a month ago, but when I came back to the project, hitting the URL results in a "This site can’t provide a secure connection" error in the browser. For reference, I believe I had used this site as a guide to get it set up: https://www.thomasvitale.com/https-spring-boot-ssl-certificate/
I'm running the project with the bootRun Gradle task and the default embedded Tomcat server. The following configuration is set:
/grails-app/conf/application.yml
spring:
profiles: development
server:
port: 8092
ssl:
enabled: true
key-store: classpath:keystore.jks
key-store-password: password
key-store-type: pkcs12
key-alias: alias
key-password: password
The keystore is located at /src/main/resources/keystore.jks.
I don't see any errors in the console indicating any issues opening or accessing the keystore so I'm at a loss as to what might have changed. Is there a better guide than the one linked above that would give me other things to check for issues?
Eventually, I tried changing the password field to something I knew was not the password and the app started without errors. This led me to determine that the YAML file was not being picked up by bootRun. Removing the Spring profile config at the top of the YAML file then caused the app to error because of the incorrect password.
This led me to realize that somehow the active profile configuration in my Gradle bootRun task was reset. Adding -Dspring.profiles.active=development to the VM options fixes the problem.

Spring Cloud config server security

I implemented Spring Cloud config server. How can I prevent the config server bootstrap.yml file from storing the GIT user name and password as clear text?
Vault: https://github.com/hashicorp/vault
Use Vault: https://cloud.spring.io/spring-cloud-config/reference/html/#_vault
Set up Spring Vault:
https://docs.spring.io/spring-vault/docs/2.2.2.RELEASE/reference/html/
https://spring.io/projects/spring-vault
In your Spring Cloud config server, file bootstrap.yml
spring:
cloud:
config:
token: YourVaultToken
ok So this is working fine for me, the issue was my config server's bootstrap.yml need to connect to GIT repository as backend and GIT repo is secured with username and password but I can not pass the username and password in bootstrap.yml file.
To solve this:
Pass the credential as environmental variable and store these environment variable in terraform or any other secure location.

How to run spring boot application multiple instance when get resource from config server?

I have Eureka server, Eureka zuul and config server.
So I write a simple microservice. Then, running on 8686 port.
So I want to run that microservice on another port.
I trying that command. But don't work.
java -Dserver.port=8687 -jar -Dlogging.file="bla.log" testMicro.jar --debug > "bla.log"&
I am confusing. Help me!
You have two ways to running your instances on different ports.
user assignment of random port from a specified range:
server:
port: ${random.int(8080,8090)}
Set in property file from config server for testMicro microservice the following configurations:
spring:
cloud:
config:
override-system-properties: false
allow-override: true
override-none: true
and then run again your jar with -Dserver.port=8687 property

What is the best way to secure spring cloud config?

I have a spring cloud config server running with spring bus. I want to make the calls to that server secure:
When a client is asking for configurations.
When calling /monitor - used by the webhook.
What is the best practice to do that? basic? encryption?
Can someone provide a working example?
Thanks!
You can secure it by adding encrypting and decrypting properties
You need to provide jks for securely encrypting and decrypting them
Spring cloud config server supports symmetric and asymmetric keys
To configure a symmetric key, you need to set encrypt.key to a secret String (or use the ENCRYPT_KEY environment variable to keep it out of plain-text configuration files).
For asymmetric you need to provide in bootsrap.yml such properties:
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: your git url or your local repository on file system
username: username for git or bitbucket if needed
password: password
clone-on-start: true this property will clone all repo localy on starttup
force-pull: true
application:
name: config-server
encrypt:
key-store:
location: jks location
password: letmein
alias: mytestkey
secret: changeme
For generating jks you need to execute this command
keytool -genkeypair -alias mytestkey -keyalg RSA \
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
-keypass changeme -keystore server.jks -storepass letmein
Actually java by default has a limitation on certain key length parameters.
Its 128 bit by default.
To use key more key length you just need replace existing local_policy.jar and US_export_policy.jar in <java-home>/lib/security
Here is link for download :
https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
And also you can encrypt and decrypt your properties by such endpoints :
curl config_server_host:port/encrypt-d your data to be encrypted
curl config_server_host:port/decrypt -d your data to be decrypted // this will automatically use this endpoint to decrypt values
//Both are http post requests
To use encryption by config server you need to provide such prefix in your configuration for your application which will get configs from config server:
'{cipher}your_encrypted_data'
Also, you can control access to secrets in the config by the using of Spring Cloud Vault.
This solution simpler than encrypt all communication between your application and config server, but maybe this is not what you want.
I hope it helps.

Spring Configuration Server: Fallback configuration in case repository is not available

We use spring cloud configuration Server (SCCS) with a svn backend.
I currently investigate into fallback/emergency scenarios when the backend is (temporarly) not available.
In case of a svn backend SCCS is downloading the configuration files into a local directory.
Our idea is to configure SCCS it first looks for the svn backend, and when it is not available the copied files are taken for the source.
Does anybody know how configuration has to look like, or has a totally different idea how this scenario is to be faced?
Thank you in advance!
So basically you want the Cloud Config Server to have multiple repositories. You can do that with profiles, but the switch from one repository to another one won't be automatic (at least from the top of my head).
The Spring Cloud Config Server bootstrap.yml with two repositories:
spring:
profiles.active: remote-svn
application:
name: config-server
cloud:
config:
server:
svn:
uri: https://yourserver.com/config-repo
force-pull: true
//---
spring:
profiles: local-svn
application:
name: config-server
cloud:
config:
server:
svn:
uri: ${user.home}/config-repo
Generally you would start your server like:
mvn spring-boot:run
But if your remote svn server is down, you would kill the server and restart it like:
mvn spring-boot:run -Dspring.profiles.active=local-svn
The thing is that you must maintain both of these repositories synced. So when you push your configurations to the SVN repository, you need to have two remotes configured. One referencing your SVN server and the other referencing the Spring Cloud Config Server repository.
You can have a bash script with a logic that checks the health of your SVN server and when it finds out that the server is down it restart the Spring Cloud Config Server using the local-svn profile.

Resources