Spring Cloud config server security - spring

I implemented Spring Cloud config server. How can I prevent the config server bootstrap.yml file from storing the GIT user name and password as clear text?

Vault: https://github.com/hashicorp/vault
Use Vault: https://cloud.spring.io/spring-cloud-config/reference/html/#_vault
Set up Spring Vault:
https://docs.spring.io/spring-vault/docs/2.2.2.RELEASE/reference/html/
https://spring.io/projects/spring-vault
In your Spring Cloud config server, file bootstrap.yml
spring:
cloud:
config:
token: YourVaultToken

ok So this is working fine for me, the issue was my config server's bootstrap.yml need to connect to GIT repository as backend and GIT repo is secured with username and password but I can not pass the username and password in bootstrap.yml file.
To solve this:
Pass the credential as environmental variable and store these environment variable in terraform or any other secure location.

Related

Spring cloud config server share binary file

I am using spring configuration server.
While setting up Kafka, I came across the fact that I need to somehow specify binary certificates
spring:
kafka:
ssl:
truststore:
location: /filepath/trust_cert.jks
password: 1234
keystore:
location: /filepath/keystore_cert.jks
password: 1234
Can I somehow put them on the configuration server, and in this case, what should I write to the config, where the path to the file is expected?
I really don’t want to manually upload them to each server, I would like the configuration server to give them
Of course, these urls must be protected, just like configuration server urls

Spring Cloud Config Server - Git - Not authorized

I have a Spring-Boot application that use Spring Cloud Config and I'm trying to get the application's configuration file from Bitbucket. I was able to get the configuration file some time ago but now I'm getting an error when I try to access by config-server url.
application.yml:
server:
port: 8888
spring:
application:
name: config-server
cloud:
config:
server:
git:
password: ##########
username: ##########
uri: https://USERNAME#bitbucket.org/repositorios-closeup/cup-configuration-files
searchPaths: '{application}'
When I try to access the url the application is showing an error - NOT AUTHORIZED:
org.eclipse.jgit.api.errors.TransportException: https://USERNAME#bitbucket.org/repositorios-closeup/cup-configuration-files: not authorized
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:254) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar:5.1.3.201810200350-r]
at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:306) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar:5.1.3.201810200350-r]
Does anybody know what is happening? I've already check all credentials and url on bitbucket.
I had to generate a Personal Access Token on my Github user settings. And use it, instead of the real password.
I know you mentioned Bitbucket, but I've got the same issue with Github instead. And that's how I solved the "Not authorized" message.
I want to add my contribution to this question. I hope it might help someone. #henriqueor answer was what helped me. As I've enabled SSH I needed to generate a Personal Access Token with all scopes granted. (As I'm a Junior Developer, I would need more time to investigate what scopes are necessary to avoid this error.)
Selected scopes: admin:enterprise, admin:gpg_key, admin:org, admin:org_hook, admin:public_key, admin:repo_hook, admin:ssh_signing_key, delete:packages, delete_repo, gist, notifications, project, repo, user, workflow, write:discussion, write:packages
I added the following command line. It worked for me.
spring.cloud.config.server.git.ignore-local-ssh-settings=true
This setting ignores the local ssh config.
I needed to change the authentication to use ssh instead of https.
I generated the ssh using this command:
sh-keygen -m PEM -t rsa -b 4096 -C 'bitbucket_username'
Imported the public key to bitbucket using this tutorial:
https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/
And changed my application.yml to use the ssh-private-key:
cloud:
config:
server:
git:
uri: git#bitbucket.org:repositorios/configuration-files.git
searchPaths: '{application}'
ignore-local-ssh-settings: true
private-key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
default-label: master
For BitBucket i had to create an App Password and put it in the spring.cloud.config.server.git.password property
BitBucket create App Passwords

Spring Cloud Config Server-GITLAB SSH Connection

After going the number of SO threads and blogs and Spring cloud config documentation still, I couldn't find on how I can connect to remote GITLAB repository as I'm getting below error while starting the spring-cloud-config server.
Caused by: com.jcraft.jsch.JSchException: Auth fail
spring:
cloud:
config:
server:
git:
uri: git#private_gitlab_repo:project
search-paths: '{application}'
skip-ssl-validation: true
strict-host-key-checking: false
known-hosts-file: C:\Users\myname\.ssh\known_hosts
spring-boot :2.1.2.RELEASE
spring-cloud.version: Greenwich.RELEASE
OS: Windows-7
With the command prompt, I could able to interact with the GITLAB repository. I do have the SSH key generated and added the public key in GITLAB settings. Also, I do not have the option to use username and password to connect to GITLAB.
Any pointers on where I'm missing the configuration or steps?
Found that this is my IntelliJ idea IDE issue and when I try running the same project in command prompt it worked without any issues.

What is the best way to secure spring cloud config?

I have a spring cloud config server running with spring bus. I want to make the calls to that server secure:
When a client is asking for configurations.
When calling /monitor - used by the webhook.
What is the best practice to do that? basic? encryption?
Can someone provide a working example?
Thanks!
You can secure it by adding encrypting and decrypting properties
You need to provide jks for securely encrypting and decrypting them
Spring cloud config server supports symmetric and asymmetric keys
To configure a symmetric key, you need to set encrypt.key to a secret String (or use the ENCRYPT_KEY environment variable to keep it out of plain-text configuration files).
For asymmetric you need to provide in bootsrap.yml such properties:
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: your git url or your local repository on file system
username: username for git or bitbucket if needed
password: password
clone-on-start: true this property will clone all repo localy on starttup
force-pull: true
application:
name: config-server
encrypt:
key-store:
location: jks location
password: letmein
alias: mytestkey
secret: changeme
For generating jks you need to execute this command
keytool -genkeypair -alias mytestkey -keyalg RSA \
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
-keypass changeme -keystore server.jks -storepass letmein
Actually java by default has a limitation on certain key length parameters.
Its 128 bit by default.
To use key more key length you just need replace existing local_policy.jar and US_export_policy.jar in <java-home>/lib/security
Here is link for download :
https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
And also you can encrypt and decrypt your properties by such endpoints :
curl config_server_host:port/encrypt-d your data to be encrypted
curl config_server_host:port/decrypt -d your data to be decrypted // this will automatically use this endpoint to decrypt values
//Both are http post requests
To use encryption by config server you need to provide such prefix in your configuration for your application which will get configs from config server:
'{cipher}your_encrypted_data'
Also, you can control access to secrets in the config by the using of Spring Cloud Vault.
This solution simpler than encrypt all communication between your application and config server, but maybe this is not what you want.
I hope it helps.

Spring Configuration Server: Fallback configuration in case repository is not available

We use spring cloud configuration Server (SCCS) with a svn backend.
I currently investigate into fallback/emergency scenarios when the backend is (temporarly) not available.
In case of a svn backend SCCS is downloading the configuration files into a local directory.
Our idea is to configure SCCS it first looks for the svn backend, and when it is not available the copied files are taken for the source.
Does anybody know how configuration has to look like, or has a totally different idea how this scenario is to be faced?
Thank you in advance!
So basically you want the Cloud Config Server to have multiple repositories. You can do that with profiles, but the switch from one repository to another one won't be automatic (at least from the top of my head).
The Spring Cloud Config Server bootstrap.yml with two repositories:
spring:
profiles.active: remote-svn
application:
name: config-server
cloud:
config:
server:
svn:
uri: https://yourserver.com/config-repo
force-pull: true
//---
spring:
profiles: local-svn
application:
name: config-server
cloud:
config:
server:
svn:
uri: ${user.home}/config-repo
Generally you would start your server like:
mvn spring-boot:run
But if your remote svn server is down, you would kill the server and restart it like:
mvn spring-boot:run -Dspring.profiles.active=local-svn
The thing is that you must maintain both of these repositories synced. So when you push your configurations to the SVN repository, you need to have two remotes configured. One referencing your SVN server and the other referencing the Spring Cloud Config Server repository.
You can have a bash script with a logic that checks the health of your SVN server and when it finds out that the server is down it restart the Spring Cloud Config Server using the local-svn profile.

Resources