Use a file from GCP Secret Manager as Spring PropertySource - spring-boot

We use GCP Secret Manager and load a whole property file into a secret.
Is it possible to use this file (in fact it's a string) as a PropertySource in Spring Boot, so that we can access the individual properties with @Value?
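One way to do this, as an added example that is not from the question or any answer: an EnvironmentPostProcessor fetches the secret payload, parses it as a .properties file and registers it as a PropertiesPropertySource, so @Value("${...}") resolves against it like any other source. It assumes the google-cloud-secretmanager client on the classpath, Application Default Credentials allowed to access the secret, and two hypothetical properties, gcp.secret-props.project and gcp.secret-props.secret, naming the secret to load.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretVersionName;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertiesPropertySource;

/** Turns a Secret Manager payload that is a whole .properties file into a Spring PropertySource. */
public class SecretManagerPropertiesPostProcessor implements EnvironmentPostProcessor {

    // Hypothetical property names telling the processor which secret to load (set via application.properties or env).
    static final String PROJECT_PROP = "gcp.secret-props.project";
    static final String SECRET_PROP = "gcp.secret-props.secret";

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        String project = env.getProperty(PROJECT_PROP);
        String secret = env.getProperty(SECRET_PROP);
        if (project == null || secret == null) {
            return; // not configured for this deployment: leave the Environment alone
        }
        // addFirst: values from Secret Manager override application.properties defaults,
        // so a stale or placeholder value on disk can never shadow the managed one.
        env.getPropertySources().addFirst(new PropertiesPropertySource("gcp-secret-manager", load(project, secret)));
    }

    static Properties load(String project, String secret) {
        Properties props = new Properties();
        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
            // "latest" is convenient; pin a version id if you need reproducible rollbacks.
            AccessSecretVersionResponse response =
                    client.accessSecretVersion(SecretVersionName.of(project, secret, "latest"));
            // Same parser Spring uses for .properties files; never log the payload.
            props.load(new StringReader(response.getPayload().getData().toStringUtf8()));
        } catch (IOException e) {
            throw new IllegalStateException("Cannot load properties from secret " + secret, e);
        }
        return props;
    }
}
```

Register the class in META-INF/spring.factories under the key org.springframework.boot.env.EnvironmentPostProcessor. Grant the runtime identity the accessor role on that one secret only, rather than a project-wide Secret Manager role.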

Related

How to change the load sequence for Azure key vault and spring cloud config?

I'm using Azure Key Vault, just following this doc, and Spring Cloud Config Server.
I put the configuration of the key vaults in Spring Cloud Config,
but found out that when the application starts, Azure Key Vault is loaded before Spring Cloud Config,
which means I cannot get the Azure configs from Spring Cloud.
Is there a way to change the load sequence,
so that the Spring Cloud configs load first?

programmatically configuration for spring boot micrometer with influxdb

I am facing some challenges while configuring Spring Boot Micrometer for my application. The Micrometer documentation says we can configure the InfluxDB uri, userName, password, db etc. through the application.yml file, which is working fine for my demo application, but for the production-ready application we are using docker-compose and we set all our environment variables through docker-compose. Now I am facing challenges like:
1. How can I force Micrometer to use the InfluxDB uri from a docker-compose environment variable?
2. For the InfluxDB password, our application stores passwords in AWS Secrets Manager. How will Micrometer access the password from Secrets Manager?
3. Can I configure all these Micrometer properties programmatically (Spring Bean)? How?
I'm not sure how to leverage AWS Secrets Manager, but for points 1 and 3 I can offer some advice.
I'm not familiar with Influx specifically, but based on the javadoc it uses management.metrics.export.influx.username to set the password.
1. To set an application property via an environment variable, set the equivalent using the typical 'SCREAMING_SNAKE_CASE' format:
MANAGEMENT_METRICS_EXPORT_INFLUX_USERNAME=myInfluxUser
Or if you already have an environment variable that you want to reference in your application.yml file, you can reference it as a property:
management.metrics.export.influx.username: ${INFLUX_USER}
3. To configure Micrometer/Influx programmatically, create a bean of type InfluxProperties:
@Bean
public InfluxProperties influxProperties() {
    return new InfluxProperties(); // Programmatically set any properties here.
}
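An added example (mine, not the answerer's) that covers points 1 to 3 together: Spring Boot only creates its own InfluxConfig when no bean of that type exists, so supplying one lets every setting except the password keep coming from management.metrics.export.influx.* (bound from application.yml or the matching docker-compose environment variables) while the password is read from AWS Secrets Manager at startup. It assumes the AWS SDK v2 secretsmanager module on the classpath, credentials from the default provider chain, and a hypothetical secret id prod/influx/password.

```java
import java.time.Duration;

import io.micrometer.influx.InfluxConfig;
import org.springframework.boot.actuate.autoconfigure.metrics.export.influx.InfluxProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

@Configuration
public class InfluxExportConfig {

    /**
     * Boot's InfluxMetricsExportAutoConfiguration defines its InfluxConfig with
     * @ConditionalOnMissingBean, so this bean replaces it. InfluxProperties is still
     * bound by Boot from application.yml or env vars such as
     * MANAGEMENT_METRICS_EXPORT_INFLUX_URI, so point 1 needs no extra code.
     */
    @Bean
    public InfluxConfig influxConfig(InfluxProperties props, SecretsManagerClient secrets) {
        // Fetch once at startup; never re-fetch on every publish, and never log the value.
        String password = secrets.getSecretValue(
                GetSecretValueRequest.builder().secretId("prod/influx/password").build()) // hypothetical id
                .secretString();
        return new InfluxConfig() {
            @Override public String get(String key) { return null; } // null = Micrometer default for the rest
            @Override public String uri()      { return props.getUri(); }
            @Override public String db()       { return props.getDb(); }
            @Override public String userName() { return props.getUserName(); }
            @Override public String password() { return password; }
            @Override public Duration step()   { return props.getStep(); }
        };
    }

    @Bean
    public SecretsManagerClient secretsManagerClient() {
        return SecretsManagerClient.create(); // region and credentials from the default provider chain
    }
}
```

Scope the task's IAM policy to secretsmanager:GetSecretValue on that single secret ARN, so a compromised metrics exporter cannot enumerate the rest of the account's secrets.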

Defining trust-store and key-store information in spring boot application with external tomcat

I have configured my truststore and keystore information in the external Tomcat's server.xml in the Connector tag. The certificates are stored in Tomcat's /base/lib directory.
I need to deploy a Spring Boot application to this external Tomcat.
How can I make the information about the truststore and keystore available to the Spring Boot application?
Where in the Spring Boot application do I need to store the truststore and keystore .jks files?
I did the same with the datasource in a Resource tag in server.xml, and in the Spring Boot application I used
spring.datasource.jndi-name=some JNDI name. How can I configure the same for the truststore and keystore?
The keystore and truststore in Tomcat's <Connector> have a single purpose:
the keystore contains the certificate (and private key) used by the server's SSL port,
the truststore contains the list of CAs, which are trusted if mutual SSL authentication is enabled.
Therefore these settings are specific to each deployment of your application. You shouldn't provide them yourself.
You should only provide system administrators a way to configure those settings. In your case Spring Boot already takes care of it (cf. server.ssl properties).
See also:
What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app

How to retrieve db credentials using Spring Cloud Vault

We have a Spring Boot 2 application that connects to a DB2 database via DAOs. The current application uses application.properties to store the credentials, like this:
spring.datasource.url=jdbc:db2://127.0.0.1:50000/bcupload
spring.datasource.username=db2user
spring.datasource.password=mysecretpa$$
spring.datasource.driver-class-name=com.ibm.db2.jcc.DB2Driver
I would like to store the username and password in HashiCorp Vault and retrieve them at runtime using Spring Cloud Vault facilities.
I've examined this example from Spring Guides, but I'm not understanding what to do with these values once I retrieve them from the Vault. How do I convert them to properties that Spring Boot uses when connecting to my DB2 data source?
Add the same properties in Vault and connect to Vault with the spring-cloud-vault library. Have all Vault-related configuration in
bootstrap.yml
It is not required to convert them to properties. The above-mentioned steps are enough.

Spring Cloud Security JWT: Distribute Public Key using Config Server / Key Rotation

How do you manage your Private / Public Keys for signing / validating JWTs in Spring Cloud environment?
The "problem":
At the moment I generate a Key Pair. Then copy Private + Public Key to my auth-server application. And also copy the Public Key to each and every Resource Server.
When I now want to implement "Key Rotation" I have to somehow populate the new keys to every service.
The idea:
Maybe I could use the spring-cloud-config-server to store and distribute the Key Pairs?
The config server already provides database login credentials. So why not store even more sensitive information there?
Question(s):
If this is the way to go: How would you implement the key pair distribution with spring-cloud-config-server?
Do you have any security concerns?
How did you solve this problem? I guess there are better solutions.
EDIT:
Maybe there's some solution using Spring Oauth's security.oauth2.resource.jwt.keyUri property for JWKs?
First of all, I would add a gateway to hide the JWT mechanism. It will allow you to revoke tokens from the gateway. If a user knows about his token, you can't revoke it without revoking the public key. It will look like this:
It's easy to implement with Zuul's filters and session-scoped beans.
Secondly, as you said in the comments, you can simply create a new private key to generate new tokens. But all your resource servers must be able to read all the previously generated tokens. So you need to have a list of public keys on each resource server, and each time you receive a request, you must try to verify it with each public key. Maybe you can add a public key id (and put the id on each generated token) to avoid a dumb lookup for this task.
For key distribution, using Spring Cloud Bus and RabbitMQ seems right to me.
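The key-id approach from the answer above, as an added example (not the answerer's code) using the Nimbus JOSE+JWT library that Spring Security's OAuth2 resource server also builds on: each resource server keeps a map of trusted public keys by kid and verifies only with the key the token names, with the algorithm pinned, instead of looping over every key. The JWK Set served at the keyUri mentioned in the question's EDIT is this same kid-to-key mapping published over HTTP; the class name and kid values here are mine.

```java
import java.security.PrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Trusted public keys indexed by kid. Rotation order: trust(newKid) on every resource server,
 *  then switch the auth server to sign(newKid, ...), then retire(oldKid) once its tokens have expired. */
public final class KidKeyRing {
    private final Map<String, RSAPublicKey> trusted = new ConcurrentHashMap<>();
    public void trust(String kid, RSAPublicKey key) { trusted.put(kid, key); }
    public void retire(String kid) { trusted.remove(kid); }

    /** Resource-server side: returns the claims only if a trusted key signed the token and it is unexpired. */
    public JWTClaimsSet verify(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        JWSHeader header = jwt.getHeader();
        // Pin the algorithm here instead of honouring whatever the token's header claims.
        if (!JWSAlgorithm.RS256.equals(header.getAlgorithm())) {
            throw new JOSEException("Unexpected alg: " + header.getAlgorithm());
        }
        RSAPublicKey key = header.getKeyID() == null ? null : trusted.get(header.getKeyID());
        if (key == null) { // unknown or already-retired kid: no fallback to "try every key"
            throw new JOSEException("Untrusted kid: " + header.getKeyID());
        }
        if (!jwt.verify(new RSASSAVerifier(key))) {
            throw new JOSEException("Signature does not match key " + header.getKeyID());
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (claims.getExpirationTime() == null || claims.getExpirationTime().before(new Date())) {
            throw new JOSEException("Token expired or has no exp claim");
        }
        return claims;
    }

    /** Auth-server side: sign with the current private key and stamp its kid into the header. */
    public static String sign(String kid, PrivateKey current, JWTClaimsSet claims) throws JOSEException {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kid).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(current));
        return jwt.serialize();
    }
}
```

Because retire() is only safe once every token signed under that kid has passed its exp, keep token lifetimes short so the overlap window during rotation stays short too.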
You should consider the use of Spring Cloud Consul Config instead:
Consul provides a Key/Value Store for storing configuration and other metadata. Spring Cloud Consul Config is an alternative to the Config Server and Client. Configuration is loaded into the Spring Environment during the special "bootstrap" phase. Configuration is stored in the /config folder by default. Multiple PropertySource instances are created based on the application's name and the active profiles that mimics the Spring Cloud Config order of resolving properties.
You can POST to /refresh to update your key, or watch for changes:
The Consul Config Watch takes advantage of the ability of Consul to watch a key prefix. The Config Watch makes a blocking Consul HTTP API call to determine if any relevant configuration data has changed for the current application. If there is new configuration data a Refresh Event is published.