I want to use this scheme. I have git repo with some config files, which contains secret props, eg. password. And I have Vault witch secrets.
I want the spring cloud server to go to the repository and take the properties, and then go through the secret properties and take their values from the vault.
Some property file in git:
endpoints:
db:
default-settings:
credentials:
login: test
password: ${passwordInVault}
Value passwordInVault stored in Vault. Before giving it to the client, I want it to be replaced with the real value from the vault.
I didn't find anything like this in the documentation. Is it possible to implement this, is there a link where you can read about it?
Related
I want my Spring Cloud Config Server to provide database credentials to all services. I'm getting confused between Vault Key-Value Secrets Engine and Vault Database Secrets Engine. With Key-Value Secrets, I'm able to retrieve configuration properties like this.
{"name":"demo","profiles":["vault"],"label":null,"version":null,"state":null,"propertySources":[{"name":"vault:application","source":{"mykey":"testkey"}}]}
However, with Vault Database Secrets Engine, I got nothing from propertySources. Should I use Key-Value Secrets and specify database properties like this instead:
// vault server key-value secrets
vault kv put secrets/application spring.data.mongodb.username=admin
I'm trying to user encrypt feature of spring cloud config server. I'v generated a keystore and set required config in application.properties
i'm able to user /encrypt and /decrypt endpoints to encrypt and decrypt value.
However encrypted values are not decrypted by config server before sending them to client!
encrypt.key-store.location=classpath:/config-server.jks
encrypt.key-store.alias=config-server-key
encrypt.key-store.password=changeit
encrypt.key-store.secret=changeit
In my .yml file i've
message: '{cipher}AgAAeBKZOOQ3aM...'
What i'm missing?
i was able to fix my issue: instead of putting confi properties in application.properties, i had to set them in bootstrap.properties.
encrypt.key-store.location=classpath:/config-server.jks
encrypt.key-store.alias=config-server-key
encrypt.key-store.password=changeit
encrypt.key-store.secret=changeit
We are right now storing passwords and other configuration related data in git and filesystem(local) based on profile. This is working fine based on profiles local/dev etc. using SPring cloud config approach.
But to enhance security we have been suggested to use sensitive data in Vault
So i am not clear on how can this be achieved. Whether we will have a single Cloud Config server hosting some properties from Vault and some from Git.
A Config Client will locate the config server based on CONFIGSERVER_URI so we can not have separate instances running
How to achieve this requirement.
Thanks.
It is possible to access Git for some properties and Vault for others using the same config server. Access to Vault locations is granted to individual client through the use of a Vault token. The Vault token is passed automatically to the config server as a header at runtime. You would need to configure your config server with the Vault dependencies and add properties to access both Git and Vault something like this (not the 'vault' profile):-
server:
port: 8888
spring:
profiles:
active: git, vault
application:
name: my-domain-configuration-server
cloud:
config:
server:
git:
uri: https://mygit/my-domain-configuration
order: 1
vault:
order: 2
host: vault.mydomain.com
port: 8200
scheme: https
On your client you need to configure the authorization token supplied by Vault. Note the example below illustrates the property. You can put it into your application yaml files, because it is a per application/per environment token. However I prefer to inject it into the environment during deployment.
spring:
cloud:
config:
uri: https://configserver:8888/
token: <secret token>
You should consult the Vault documentation to understand how to authorize your token to access specific locations but the rules may look something like this:-
{
path "secret/myapp-app" {
policy = "read"
}
path "secret/myapp-app/*" {
policy = "read"
}
path "secret/application" {
policy = "read"
}
path "secret/application/*" {
policy = "read"
}"
}
Finally, it is also possible to access your Git through config server and access Vault directly from your client instead of configuring config server to access both. In this case you need to add the Vault dependencies to the client and configure the client properties to access Vault. You still need the authorization token in the client.
Instead of giving an AppRole or Static Token for Spring Cloud Config Server to access ALL secrets across ALL applications, is it possible to configure Spring Cloud Vault Config to utilize a given token on the request for the configuration?
This communication would be over 2-way SSL with the token in the headers. Not ideal to send such a token outward but seems the proper solution in this scenario.
Keep in mind this is a Spring Cloud Config Server using Git + Vault as backends in order to resolve secrets, variables, etc, into the desired configurations. This would not only be used for Spring Configurations but other files delivered to an ephemeral environment, such as an httpd.conf for Apache (bad example to shove secrets into)
Goal here is to limit access where possible and keeping it limited to the end-application requesting the configuration. Also nice to not duplicate RBAC efforts with AuthZ on Spring Config AND Vault policies.
You can configure each Spring Boot application that talks to Config Server to send its' own unique token to Config Server which is then passed through to Vault.
Vault will allow access to the requested resource based on the policies that define access to that resource and the permissions granted to the token.
Step 1: Define a policy.
cat ./rules/application-a.hcl <<EOF
path "secret/application" {
capabilities = ["read", "list"]
}
path "secret/application-a" {
capabilities = ["read", "list"]
}
EOF
Step 2: Write the policy to Vault.
vault write sys/policy/policy-application-a rules=#./rules/application-a.hcl
Step 3: Create a token using the defined policy.
vault token-create -display-name="My Application A" -policy="policy-application-a"
Step 4: Write some data to Vault
vault write secret/application-a #application-a-config.json
Step 5: Configure the Spring Boot application to use its' token.
Use the token created in Step 3 above. Set the following up in the application's bootstrap.yml file. You could also pass this through at run-time if you're running in a containerized environment.
spring:
cloud:
config:
uri: https://configserver:8888/
token: <secret token>
Spring handles the transfer of token from the client application to Config Server and then onto Vault.
For any other application, you can set the token in the header of a HTTP request.
From the Vault documentation:
https://www.vaultproject.io/intro/getting-started/apis.html
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/application-a
I hope this helps you.
Question on JWT token and the JHipster Spring Cloud Config Service
The documentation (http://jhipster.github.io/microservices-architecture/) is little vague on how / what to copy for JWT tokens.
It says:
the JHipster Spring Config server makes sure that the config/JWT tokens are available and services authenticated. I have deployed the JHipster Config Server, Gaeway and one Microservice with an Entity.
When I try to call through the Gateway a backend microservice/with Entity (to create Author/Book) it tells me Access denied.
I believe once you register your microservice and gateway with the Config Server, the tokens are copied over to the Config Server and it should work without copying any tokens around.
Any idea how this is supposed to work?.
You should share the key by copying it into the registry's environment repository as jhipster.security.authentication.jwt.secret property in global application-dev.yml and application-prod.yml. Use different keys for prod and dev.
These shared yml files are the ones in your native environment repository (by default jhipster-registry/central-config) or git-based environment repository not in the src/main/resources/config folder of the registry itself.
jhipster:
security:
authentication:
jwt:
secret: "***********************"