I am integrating the spring-cloud-aws-secrets-manager-config module with my SpringBoot application to fetch secrets from AWS Secrets Manager.
I have following two secrets in AWS Secrets Manager.
/myapp/dbcredentials
/myapp/apikey
Now, with bootstrap.yml, I am able to fetch either of these two secrets. Not both.
bootstrap.yml
aws:
secretsmanager:
prefix: /myapp
defaultContext: application
profileSeparator: _
failFast: false
name: dbcredentials
enabled: true
What will be the configuration in bootstrap.yml to fetch both the secrets?
Starting from Spring cloud AWS 2.3, spring.config.import could be used to load more than one secrets
spring.config.import=aws-secretsmanager:secret-key;other-secret-key
https://docs.awspring.io/spring-cloud-aws/docs/2.3.0/reference/html/index.html#integrating-your-spring-cloud-application-with-the-aws-secrets-manager
Hope this helps !
Related
I am running Spring Cloud Dataflow on Kubernetes runtime.
Currently, I am using K8 secrets to manage secrets for the dataflow server, and skipper server. Going forward I want to use Spring Cloud Vault as a secrets manager.
Is there any support to configure vault secrets in dataflow and skipper servers?
SCDF Version: springcloud/spring-cloud-dataflow-server:2.10.0
Skipper Version: springcloud/spring-cloud-skipper-server:2.9.0
I enabled following configuration in
application.yaml
vault:
enabled: true
authentication: KUBERNETES
uri: http://<vault_host>
backend: secret
application-name: scdf-server
kubernetes:
role: internal-app
bootstrap.yaml
spring:
application:
name: scdf-server
I was expecting scdf-server to inject secrets from the vault kV backend, but it seems it's not activating the vault config.
Spring Cloud Vault isn't in the classpath of the standard build.
You can follow these instructions to add jar files to the containers.
I have application.yaml file which contains database properties fetched from Secrets object in Kubernetes Cluster in separate deployment environment. However, when I try to run that application locally (Spring Boot application), it fails to load for obvious reason that it can't find the datasource due to not having actual values in application.yaml file.
Does anyone have any idea how to start application locally without hardcoding database credentials in yaml file?
url: ${DB_URL}
username: ${DB_USER}
password: ${DB_PASSWORD}
I don't have Kubernetes cluster locally.
I don't have Kubernetes cluster locally.
You will need something to run .yaml files locally probably "minikube". Add secrets to that environment using another file(local-secrets.yaml) or directly using "kubectl".
See here how to add secrets.
The object will look something like this (base64'ed)
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
without hardcoding database credentials in yaml file
you may use helm charts for that, cause you can provide values with --set parameter when installing the chart.
I'm working with microservice architecture and have spring cloud config service and another microservice.
profiles:
active: vault
cloud:
# Configuration for a vault server running in dev mode
vault:
scheme: http
host: 127.0.0.1
port: 8200
connection-timeout: 5000
read-timeout: 15000
authentication: TOKEN
token: s.E4gdoIYAKxMvCE56MP5Etmvy
kv:
enabled: true
backend: secret
backend-version: 2
profile-separator: /
generic:
enabled: false
application-name: myapp
Config server dependency
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
<version>2.1.5.RELEASE</version>
</dependency>
this is into .yml into the config service. Then into the .yml for my microservice i have db.username property which I want to resolve from Vault but I can't. Do you have any ideas?
username: db.username
password: secret/apm-transaction-service/dev/db.user
#Value("${db.username}")
this value is resolved into the java code but not into the .yml
Now for each microservice which I have I want to resolve the secrets from the configuration service without making any changes into the microservices. Currently reading native .ymls from the config service and want to add one more source :)
ApplicationStartupRunner run method Started !!root
if you are using spring-boot, for the value in .yml file to be resolved it has to be a variable. you must use ${db.username} in the yaml file
I have question is there any way to retrieve certain values and inject them to bootstrap.yml while application is coming up.
I have configuration file like this:
spring:
application:
name: myApp
cloud:
consul:
enabled: true
host: localhost
port: 8500
config:
enabled: true
datasource:
url: jdbc:oracle:thin:#localhost:1111:XXXX
username: ${nameOfVariable1}
password: ${nameOfVariable1}
driver-class-name: oracle.jdbc.OracleDriver
For example, I need to configure embedded tomcat port, or DB credentials, I don't want to put it hardcoded in .yml properties file, instead I want to put some variable name in .yml so Spring will go and bring value from Consul. Is it possible?
You can use Spring Cloud Consul Config project that helps to load configuration into the Spring Environment during the special "bootstrap" phase.
3 steps:
add pom dependency: spring-cloud-starter-consul-config
enable consul config: spring.cloud.consul.config.enabled=true
add some config in consul kv in specific folder, such as key: config/testConsulApp/server.port, value:8081
and then start the sample web app, it will listen 8081.
more detail at spring cloud consul doc.
and demo code here
I'm able to set up a git repository a config backend:
spring:
cloud:
config:
server:
git:
# username: user
# password: '{cipher}passwd'
I think it's not a good practive to provide user and password straightforwardly herewith on bootstrap.yml file.
I'd like they are picked up from Vault.
Is it possible?
You can use spring cloud vault to do so, Spring offers a start guide here