Develop Reference

Secrets are not read from the vault after migrating to Spring Boot 3 - Getting an error

We are in process of migrating spring boot 3 from 2.7.7(We did an incremental upgrade from 2.6.8 to 2.7.7 and then to 3.0.0). We have almost got our application working except for the secrets are not read from the vault after migrating to Spring Boot 3 - Getting an error - This method requires either a Token (spring.cloud.vault.token) or a token file at ~/.vault-token. The vault integration worked perfectly fine in the previous version of 2.6.8.
**Specifications - **
JDK - 17
Spring boot - 3.0.0
Spring Cloud - 2022.0.0
spring-cloud-starter-vault-config - 4.0.0
**bootstrap.yml - **
bootstrap.yml: |-
spring:
cloud:
vault:
enabled: true
host: pvault.dummy.local
port: 8200
uri: https://localhost:8200
scheme: https
namespace: rpp
authentication: KUBERNETES
generic:
enabled: false
kv:
enabled: true
backend: kv
profile-separator: '/'
application-name: path1/couchbase
ssl:
trust-store: classpath:config/vault-truststore.p12
trust-store-password: password
#trust-store-type: JKS
kubernetes:
role: b2c-isp-bss-role
kubernetes-path: path1
service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
application.yml -
application.yml: |-
spring:
cloud:
bootstrap:
enabled: true
The migration guide does not suggest any change w.r.t vault. I'm a bit clueless as to where to start the changes.

Spring cloud config and Vault Integration

I'm trying to read secret values using spring vault. All the properties for client application is stored in github and spring config server is used to access the properties. When I add the vault configuration to client application bootstrap.yml as below, the values are read properly.
bootstrap.yml
spring:
application:
name: client-app
cloud:
config:
uri: http://config-server:8080
vault:
enabled: true
authentication: APPROLE
app-role:
role-id: 12345
secret-id: 12345
role: pres-read
app-role-path: approle
connection-timeout: 5000
read-timeout: 15000
kv:
enabled: true
backend: secrets
application-name: client-app
uri: https://vault/
application.yml in config server
spring:
cloud:
config:
server:
git :
uri: https://github/repo.git
username: abc
password: pass
refreshRate: 300
Based on https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/config-data.html#vault.configdata , it should be possible to load the vault config from properties yml in github. But if i move the above vault config to my client-app.yml in github, the properties are not read from the vault. How do I achieve this?

Openshift secret in Spring Boot bootstrap.yml

This how my bootstrap.yml looks like.
spring:
cloud:
config:
uri: http://xxxx.com
username: ****
password: ****
vault:
host: vault-server
port: 8200
scheme: http
authentication: token
token: ${VAULT_ROOT_TOKEN}
application:
name: service-name
management:
security:
enabled: false
Application is starting when I configure secret as a ENV variable in Deployment Config – OSE, as below.
name: VAULT_ROOT_TOKEN
value: *********
But Configuring secret as a ENV variable and fetching the value from OSE secret is not working.
name: VAULT_ROOT_TOKEN
valueFrom:
secretKeyRef:
name: vault-token
key: roottoken
Error that I am getting is
org.springframework.vault.VaultException: Status 400 secret/service-name/default: 400 Bad Request: missing required Host header
Surprise in this scenario, ENV variable is working within the container/POD but somehow it is not able to fetch during the bootstrap procedure.
env | grep TOKEN
VAULT_ROOT_TOKEN=********
My secret configuration in OSE
oc describe secret vault-token
Name: vault-token
Namespace: ****
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
roottoken: 37 bytes
What is missing in my deployment-config or secrets in OSE? How to configure to fetch secret as ENV variable and inject in the bootstrap.yml file?
NOTE : I can't move Vault configuration out of bootstrap.yml.
Openshift Enterprise info:
Version:
OpenShift Master:v3.2.1.31
Kubernetes Master:v1.2.0-36-g4a3f9c5

Finally I was able to achieve this. This is what I have done
Provide the token as an arugument:
java $JAVA_OPTS -jar -Dspring.cloud.vault.token=${SPRING_CLOUD_VAULT_TOKEN} service-name.jar
This is how my configuration looks like:
Deployment Config:
- name: SPRING_CLOUD_VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-token
key: roottoken
Bootstrap file:
spring:
cloud:
config:
uri: http://xxxx.com
username: ****
password: ****
vault:
host: vault-server
port: 8200
scheme: http
authentication: token
token: ${SPRING_CLOUD_VAULT_TOKEN}
application:
name: service-name
management:
security:
enabled: false
Thanks for my colleagues who has provided the inputs.

Spring Cloud Config Server not enforcing BASIC Authentication when running main()

I have configured a Spring Cloud Config server to force BASIC authentication and here is my application.yml file:
# Config Repo:
spring:
cloud:
config:
server:
git:
uri: file:///${HOME}/microservices_config_repo
# Show sensitive information for endpoints:
endpoints:
sensitive: true
# Security for endpoints:
management:
security:
enabled: true
security:
user:
name: user1
password: changeme
My issue I am having is that when I start the server up as:
mvn spring-boot:run
The server endpoints FORCE BASIC Authentication.
But when I start the Application.main() method, BASIC Authentication is enabled, but NOT enforced.
Meaning I can access configuration on:
http://localhost:8888/client-config
and
http://user1:changeme#localhost:8888/client-config
Can anyone help me understand why this is occuring and how to enforce BASIC Authentication while running the Application.main(), and not just through the Maven spring-boot plugin?
Note, when I use maven to package the app into a jar, then run the generated jar, BASIC Authentication is enforced, but still not through the IDE running just the Application.main directly.

Maybe the format the oy Yaml for example to me seems works like this:
server:
port:9999
spring:
application:
name: config-server-sample
cloud:
config:
name: ${spring.application.name}
fail-fast: true
server:
git:
uri: url
username: xx
password: zz
default-label: master
basedir: '${user.home}/${spring.application.name}/default'
timeout: 10
clone-on-start: true
force-pull: true
security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword

Spring cloud config local and remote repositories for different profiles

I'm trying to setup my application with multiple repositories - a local file based one for development/testing purpose and a remote git repo for production.
I am using the following yaml for this purpose -
spring:
application:
name: localRepoConfig
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
repos:
development:
pattern:
- '*/development'
- '*/staging'
uri: https://github.com/development/config-repo
native:
searchLocations: classpath:/config
server:
port: 8888
This is not working however, the following works for the local repo -
spring:
application:
name: localRepoConfig
profiles:
active: native
cloud:
config:
server:
native:
searchLocations: classpath:/config
server:
port: 8888
I have not been able to make the two repositories function, after following the Spring documentation and a few posts here.
Would greatly appreciate if someone can point me in the right direction.

I got this working with the following config in bootstrap.yml -
spring:
application:
name: localRepoConfig
profiles:
active: native
cloud:
config:
server:
native:
searchLocations: classpath:/config
server:
port: 8888
---
spring:
profiles: development
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
server:
port: 8989
I am able to switch between the native and development profiles now.
The following guide was quite helpful -
kubecloud.io/guide-spring-cloud-config/

Based on the documentation on Spring Cloud Config it sounds like native and git are mutually exclusive and that you can't use both for a single config server.