Spring Config Server : get secrets from vault with specific path - spring

I am trying to get my microservices configuration from a config server connected to 2 sources : git and vault (for secrets). I have the config bellow:
in the config-server:
server:
port: 8888
spring:
profiles:
active: git, vault
cloud:
config:
server:
vault:
port: 8200
host: 127.0.0.1
kvVersion: 2
git:
order: 2
uri: git#gitlab.git
and in the client side in the bootstrap.yml:
spring:
application:
name: my-service-name
cloud:
config:
uri: http://localhost:8888
token: //token
label: dev
But in my vault i have the path like this :
secret/cad
|--my-service-name
When i make my secret directly in /secret/my-service-name i can access my secrets, but how can i configure acces to secrets in : /secret/cad/my-service-name
Thank you.

You can create your Custom configuration Class that implements VaultConfigurer where you can override to your custom path
#Configuration
Public class CustomVaultConfiguraton implements VaultConfigurer {
#override
public void addSecretsBackends(SecretBackendConfigurer configures){
configures.add("customPath");
}
}
add above configuration class in spring.factories
org.springframework.cloud.bootstrap.BootstrapConfiguration=\packagename.CustomVaultConfiguration

Related

Spring boot config server does not refresh if I update local

I have Spring cloud project which has below information:
Controller of address-service-1:
#RestController
#RequestMapping("/api/address")
#Slf4j
#RefreshScope
public class AddressController {
#Value("${scope-refresh-testing}")
private String message;
#RequestMapping("/scope-refresh-testing-message")
String getMessage() {
return this.message;
}
}
bootstrap.yml of address-service-1:
spring:
application:
name: address-service-1
# register to config server
cloud:
config:
discovery:
enabled: true
service-id: config-server-1
profile: default
management:
endpoints:
web:
exposure:
include:
- refresh
Properties of config-server-1:
server:
port: 8888
spring:
application:
name: config-server-1
cloud:
config:
server:
git:
default-label: master
uri: file:///E:/workspace/Spring-boot-microservices-config-server-study/
Properties which I stored in file:///E:/workspace/Spring-boot-microservices-config-server-study/ (address-service-1.yml):
scope-refresh-testing: testDefault
If I change scope-refresh-testing: testDefault222 then run url actuator/refresh, the properties file will rollback to scope-refresh-testing: testDefault
Did I miss something in configuration?
Thanks

Spring Cloud Config Server/Client Security Issue

I have following security configs in
Server application.yml
management:
security:
enabled: false
server:
port: 8888
spring:
cloud:
config:
server:
jdbc:
order: 1
sql: SELECT prop_key,value FROM xlabs.properties where application=?
and profile=? and label=?
datasource:
password: XXXXX
url: jdbc:postgresql://localhost:8000/finos?currentSchema=xlabs
username: XXXXX
profiles:
active: jdbc
security:
user:
name: mufg
password: mufg
In Client side.
client application.properties
server:
port: 8082
spring:
application:
name: config-server
cloud:
config:
label: latest
profile: development
uri: http://localhost:8888
username: mufg
password: mufg
With this settings
Config server security works fine I can access properties via http://localhost:8888/config-server/development/latest after entering username and passwords. But when I try to up client it says property not resolved. Any issue here?
Thanks.
After some times I am able to find out the answer. In Config server with only that configs the client side will be blocked. So have to disable csrf and allow any request like as follows.
just add sever side.
#Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/encrypt/**").authenticated()
.antMatchers("/decrypt/**").authenticated();
}
}
But Here default security will be disabled. Here problem is if username or password changed from client side authentication happens.

Spring Security: Local profile is token based but Dev profile defaults to username password

I want to implement token-based authentication. I am able to do it by adding filters. This seems to work in local profile only, but when I go to dev profile I get defaulted to Using generated security password: xxx , and the logs also do not register filters in dev profile like they do for local profile.
application-local.yml :
spring:
profiles:
active: local
h2:
console:
enabled: true
main:
allow-bean-definition-overriding: true
# Configuration used to validate header
auth:
userid: gibberish213 # header key: header value
application-dev.yml :
spring:
profiles:
active: local
main:
allow-bean-definition-overriding: true
datasource:
# Datasource related configs
application:
name: token-auth
# Configuration used to validate
auth:
userid: gibberish213 # header key: header value
I have an empty SpringSecurityInitializer class, would I need to add some config in that class:
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
Check if you have #Profile("local") annotation at top of your filter beans. If you do, they only work at the specified profile.

virtualHost Not Creating on RabbitMQ server using application.yml springboot and from config server

Virtualhost are not getting created on RabbitMQ server based on configuration
Do i have make sure VH aka Virtual Hosts on RabbitMQ .
Am i missing some configuration.
Please find the configuration below
application.yml
spring:
rabbitmq:
host: 127.0.0.1
virtual-host: /defaultVH
username: defaultUser
password: defaultPassword
cloud:
stream:
bindings:
saviyntSampleQueueA:
binder: rabbit-A
contentType: application/x-java-object
group: groupA
destination: saviyntSampleQueueA
saviyntSampleQueueB:
binder: rabbit-B
contentType: application/x-java-object
group: groupB
destination: saviyntSampleQueueB
binders:
rabbit-A:
defaultCandidate: false
inheritEnvironment: false
type: rabbit
environment:
spring:
rabbitmq:
host: 127.0.0.1
virtualHost: /vhA
username: userA
password: paswdA
port: 5672
connection-timeout: 10000
rabbit-B:
defaultCandidate: false
inheritEnvironment: false
type: rabbit
environment:
spring:
rabbitmq:
host: 127.0.0.1
virtualHost: /vhB
username: userB
password: paswdB
port: 5672
connection-timeout: 10000
bootstrap.yml
############################################
# default settings
############################################
spring:
main:
banner-mode: "off"
application:
name: demo-service
cloud:
config:
enabled: true #change this to use config-service
retry:
maxAttempts: 3
discovery:
enabled: false
fail-fast: true
override-system-properties: false
server:
port: 8080
Added default spring boot added Enable binding
#EnableBinding({MessageChannels.class})
#SpringBootApplication
public class Configissue1124Application {
public static void main(String[] args) {
SpringApplication.run(Configissue1124Application.class, args);
}
}
Now simple straightforward massage channel to to dispatch massage
interface MessageChannels {
#Input("saviyntSampleQueueA")
SubscribableChannel queueA();
#Input("saviyntSampleQueueB")
SubscribableChannel queueB();
}
When i ran the Boot Application its not creating any Virtualhost on the system . i tried using config server buy providing same configuration but still no luck
can you please find if some thing am missing.
Thanks in Advance
The AMQP protocol (or RabbitMQ REST API) provides no mechanism to provision virtual hosts from the client.
Virtual hosts must be provisioned manually on the server.

How to Secure Spring Cloud Config Server

I understand that a Spring Cloud Config Server can be protected using an user name and password , which has to be provided by the accessing clients.
How can i prevent the clients from storing these user name and
password as clear text in the bootstrap.yml files in the client
application/services ?
The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml):
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
If you want custom user/password pairs, you need indicate in server configuration file
security:
basic:
enabled: false
and add this minimal Class in your code (BasicSecurityConfiguration.java):
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
#Configuration
//#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Value("#{'${qa.admin.password:admin}'}") //property with default value
String admin_password;
#Value("#{'${qa.user.password:user}'}") //property with default value
String user_password;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password(user_password).roles("USER")
.and()
.withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/encrypt/**").authenticated()
.antMatchers("/decrypt/**").authenticated()
//.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
//.antMatchers("/qa/**").permitAll()
;
}
}
#Value("#{'${qa.admin.password:admin}'}") allow passwords to be defined in property configuration file, environment variables or command line.
For example (application.yml):
server:
port: 8888
security:
basic:
enabled: false
qa:
admin:
password: adminadmin
user:
password: useruser
management:
port: 8888
context-path: /admin
logging:
level:
org.springframework.cloud: 'DEBUG'
spring:
cloud:
config:
server:
git:
ignoreLocalSshSettings: true
uri: ssh://git#gitlab.server.corp/repo/configuration.git
This works for me.
Edit: Instead of the Class, you can put basic user configuration directly in application.yaml:
security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
For Spring Boot 2 the configuration in application.yml are now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)
spring.security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
Basic authentication configuration that works for me.
Server-side:
Needed depedency: org.springframework.boot:spring-boot-starter-security
bootstrap.yml
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: git#bitbucket.org:someRepo/repoName.git
hostKeyAlgorithm: ssh-rsa
hostKey: "general hostKey for bitbucket.org"
security:
user:
name: yourUser
password: yourPassword
Client-side:
bootstrap.yml
spring:
application:
name: config
profiles:
active: dev
cloud:
config:
uri: http://localhost:8888
username: yourUser
password: yourPassword
management:
security:
enabled: false
Sources: Spring doc security feautres, Spring cloud config client security
encrypted text can be placed in bootstrap.yml.
Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption

Resources