Spring Cloud Vault is not working with custom mount - spring

On my local machine I ran a Vault server with the default policy and wrote the following key/value:
vault write secret/my-application username=Test
bootstrap.yml (working):
spring:
  application:
    name: my-application
  cloud:
    vault:
      authentication: TOKEN
      token: sometoken
      host: localhost
      port: 8200
      scheme: http
      #uri: http://localhost:8200
      connection-timeout: 5000
      read-timeout: 15000
      config:
        order: -10
I was able to fetch the value using Spring Cloud Vault, i.e. when I use the default mount (secret). But if I hit the QA server with the custom mount (group), I get the following error:
org.springframework.vault.VaultException: Status 403 secret/group/grouptype/groupname/DB: permission denied
(Not sure why secret is prefixed.)
bootstrap.yml (not working):
spring:
  application:
    name: group/grouptype/groupname/DB
  cloud:
    vault:
      authentication: TOKEN
      token: sometoken
      host: 10.20.30.40
      port: 8200
      scheme: http
      #uri: http://10.20.30.40:8200
      connection-timeout: 5000
      read-timeout: 15000
      config:
        order: -10
But if I hit the API from Postman it works as expected:
GET http://10.20.30.40:8200/v1/group/grouptype/groupname/DB
Header:
X-Vault-Token: sometoken
How do I make the custom proxy work with a Spring Boot application? How do I exclude "secret" from the context?

For a custom mount, we have to add the generic section:
spring:
  application:
    name: grouptype/groupname/DB
  cloud:
    vault:
      authentication: TOKEN
      token: sometoken
      generic:
        enabled: true
        backend: group
        default-context: grouptype/groupname/DB
      host: 10.20.30.40
      port: 8200
      scheme: http
      #uri: http://10.20.30.40:8200
      connection-timeout: 5000
      read-timeout: 15000
      config:
        order: -10
Here "group" is the mount name.
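The secret/ prefix in the error and the fix above both follow from how Spring Cloud Vault builds its read paths, which is easier to see in code than in YAML. The following Python script is an added example, not code from the original post or from Spring Cloud Vault; it models the documented path order of the generic (kv v1) backend, includes kv v2 as a generalisation beyond the question's case, and prints the minimal Vault policy a token needs for those paths. The dataclass and function names are the example's own.

```python
"""Which Vault paths Spring Cloud Vault reads for a given bootstrap.yml.

Added example (not code from the original post or from Spring Cloud Vault).
It models the documented resolution order of the generic / kv backend:
  {backend}/{application-name}/{profile}
  {backend}/{application-name}
  {backend}/{default-context}/{profile}
  {backend}/{default-context}
with kv v2 mounts inserting '/data' after the mount name. Paths are
deduplicated, so when application-name and default-context are equal only
one path is read.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class VaultKvSettings:
    backend: str = "secret"                # spring.cloud.vault.generic.backend (kv.backend)
    application_name: str = "application"  # spring.application.name unless overridden
    default_context: str = "application"   # spring.cloud.vault.generic.default-context
    profile_separator: str = "/"
    kv_version: int = 1                    # the 'generic' backend is kv version 1
    profiles: List[str] = field(default_factory=list)


def _contexts(base: str, profiles: List[str], sep: str) -> List[str]:
    """base, then base/profile for each active profile (in order, no duplicates)."""
    if not base:
        return []
    out = [base]
    for profile in profiles:
        ctx = f"{base}{sep}{profile}"
        if profile and ctx not in out:
            out.append(ctx)
    return out


def context_paths(s: VaultKvSettings) -> List[str]:
    """Vault paths the client will GET, most specific first."""
    ordered: List[str] = []
    for ctx in _contexts(s.default_context, s.profiles, s.profile_separator):
        if ctx not in ordered:
            ordered.append(ctx)
    for app in (a.strip() for a in s.application_name.split(",")):
        for ctx in _contexts(app, s.profiles, s.profile_separator):
            if ctx not in ordered:
                ordered.append(ctx)
    ordered.reverse()
    mount = s.backend.strip("/")
    prefix = f"{mount}/data" if s.kv_version == 2 else mount
    return [f"{prefix}/{ctx}" for ctx in ordered]


def read_policy_hcl(paths: List[str]) -> str:
    """Minimal Vault policy granting 'read' on exactly these paths (no wildcards)."""
    return "\n".join(f'path "{p}" {{\n  capabilities = ["read"]\n}}' for p in paths)


if __name__ == "__main__":
    # bootstrap.yml from the question: default mount, long application name
    broken = VaultKvSettings(application_name="group/grouptype/groupname/DB")
    print(context_paths(broken))  # ['secret/group/grouptype/groupname/DB', 'secret/application']
    # bootstrap.yml from the answer: the custom mount 'group' is the backend
    fixed = VaultKvSettings(backend="group",
                            application_name="grouptype/groupname/DB",
                            default_context="grouptype/groupname/DB")
    print(context_paths(fixed))  # ['group/grouptype/groupname/DB']
    print(read_policy_hcl(context_paths(fixed)))
```

With the question's bootstrap.yml the first path requested is secret/group/grouptype/groupname/DB, exactly the one in the 403, because the mount name defaults to secret and the whole application name is appended to it. With the answer's settings the mount becomes group and, since application-name and default-context are the same, the list collapses to group/grouptype/groupname/DB. The token the application uses needs read on every path in the list; a 403 on any of them surfaces as the VaultException shown in the question. The policy helper deliberately emits exact paths rather than a group/* wildcard, which is what a least-privilege token for one service should get.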

Related

Spring cloud config and Vault Integration

I'm trying to read secret values using Spring Vault. All the properties for the client application are stored in GitHub, and a Spring Config Server is used to access the properties. When I add the Vault configuration to the client application's bootstrap.yml as below, the values are read properly.
bootstrap.yml:
spring:
  application:
    name: client-app
  cloud:
    config:
      uri: http://config-server:8080
    vault:
      enabled: true
      authentication: APPROLE
      app-role:
        role-id: 12345
        secret-id: 12345
        role: pres-read
        app-role-path: approle
      connection-timeout: 5000
      read-timeout: 15000
      kv:
        enabled: true
        backend: secrets
        application-name: client-app
      uri: https://vault/
application.yml in the config server:
spring:
  cloud:
    config:
      server:
        git:
          uri: https://github/repo.git
          username: abc
          password: pass
          refreshRate: 300
Based on https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/config-data.html#vault.configdata, it should be possible to load the Vault config from the properties YAML in GitHub. But if I move the above Vault config to my client-app.yml in GitHub, the properties are not read from Vault. How do I achieve this?

Deployment issue on Heroku : zuul + eureka + microservices

Thanks for taking the time to read my post.
My issue is as follows. I have two microservices (auth-service and image-service) deployed on Heroku, as well as a Eureka server and a Zuul gateway.
Locally, all of this works.
However, when deployed, the same calls give me 404 errors. For example:
Zuul is deployed on port 8762 locally,
so http://localhost:8762/images/user/create works; it points to http://localhost:8200/user/create of the image-service.
Deployed, https://croquis-time-image.herokuapp.com/user/create works, but https://croquis-time-zuul.herokuapp.com/images/user/create throws a 404 error.
On Eureka, however, all my services are registered, so the trouble doesn't come from there. I thought perhaps Zuul didn't manage to get all the services from Eureka, but I'm not sure how to check.
More information:
application.yml of the deployed Zuul:
server:
  port: 8762
eureka:
  client:
    serviceUrl:
      defaultZone: https://croquis-time-eureka.herokuapp.com/eureka/
  instance:
    hostName: croquis-time-eureka.herokuapp.com
zuul:
  # Services will be mapped under the /api URI
  prefix: /api
  # Uncomment to disable auto-registering all services read from Eureka
  # ignoredServices: '*'
  routes:
    image-service:
      path: /images/**
      serviceId: image-service
    auth-service:
      path: /auth/**
      serviceId: auth-service
      stripPrefix: false
      sensitiveHeaders: Cookie,Set-Cookie
spring:
  application:
    name: zuul-server
security:
  jwt:
    uri: /auth/**
    prefix: Bearer
    expiration: 86400
    header: Authorization
    secret: *****************
The application.yml of the deployed Eureka:
server:
  port: 8761
eureka:
  instance:
    hostname: croquis-time-eureka.herokuapp.com
  client:
    registerWithEureka: false
    fetchRegistry: false
    serviceUrl:
      defaultZone: https://croquis-time-eureka.herokuapp.com/eureka/
spring:
  application:
    name: eureka-server
The image service I'm trying to call:
server:
  port: 8200
eureka:
  client:
    serviceUrl:
      defaultZone: https://croquis-time-eureka.herokuapp.com/eureka/
  instance:
    hostName: croquis-time-eureka.herokuapp.com
spring:
  application:
    name: image-service
  jpa:
    showSql: true
    hibernate:
      ddlAuto: update
  datasource:
    url: jdbc:mysql://***********:3306/croquis-time
    username: ******************
    password: ****************
I have tried removing and adding the "ignored-services" in Zuul to see if that was the problem, but it didn't change anything.
I'm very willing to edit my question with more information if you need it; I'm not sure where the origin of the problem is, so I'm a bit at a loss as to what to add.
Thanks!
You have an issue with the configuration of the .yml in the Zuul server.
Your Zuul server .yml must be:
instance:
  hostName: croquis-time-zuul.herokuapp.com
And your image .yml must be:
instance:
  hostName: croquis-time-image.herokuapp.com
because instance.hostname is the host of your application acting as the Eureka client. If you need more information, please visit: https://blog.heroku.com/managing_your_microservices_on_heroku_with_netflix_s_eureka
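Besides the hostName fix in the answer, one thing worth checking against the deployed application.yml above is the route table itself: it sets zuul.prefix: /api, so every route pattern is registered under /api, and the URL in the question (https://croquis-time-zuul.herokuapp.com/images/user/create) has no /api segment. The Python below is an added example, not code from the original post or from Netflix Zuul; it assumes Zuul's documented matching and prefix-stripping rules, reproduces the deployed routes, and shows which requests match and what path each service receives. Class and function names are the example's own.

```python
"""Zuul route matching for the deployed application.yml in the question.

Added example (not code from the original post or from Netflix Zuul).
It assumes Zuul's documented behaviour: every route pattern is registered
under zuul.prefix, the prefix is stripped before forwarding when
zuul.strip-prefix is true (the default), and a route's own prefix (the part
before '/**') is stripped when that route's stripPrefix is true (the default).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ZuulRoute:
    path: str                  # zuul.routes.<name>.path, e.g. '/images/**'
    service_id: str            # zuul.routes.<name>.serviceId
    strip_prefix: bool = True  # zuul.routes.<name>.stripPrefix


def _ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Small Ant-style matcher: '/**' = zero or more segments, '*' = one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"
            i += 3
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def route_request(routes: Dict[str, ZuulRoute], request_path: str,
                  zuul_prefix: str = "", zuul_strip_prefix: bool = True
                  ) -> Optional[Tuple[str, str]]:
    """Return (serviceId, path forwarded to it), or None when Zuul answers 404."""
    prefix = zuul_prefix.rstrip("/")
    for route in routes.values():
        if not _ant_to_regex(prefix + route.path).match(request_path):
            continue
        target = request_path
        if prefix and zuul_strip_prefix and target.startswith(prefix + "/"):
            target = target[len(prefix):]          # drop the global /api prefix
        if route.strip_prefix:
            star = route.path.find("*")
            route_prefix = route.path[:star - 1] if star > 0 else ""
            if route_prefix and target.startswith(route_prefix):
                target = target[len(route_prefix):] or "/"   # drop e.g. /images
        return route.service_id, target
    return None


# Routes exactly as in the deployed Zuul application.yml
DEPLOYED_ROUTES = {
    "image-service": ZuulRoute("/images/**", "image-service"),
    "auth-service": ZuulRoute("/auth/**", "auth-service", strip_prefix=False),
}

if __name__ == "__main__":
    # The URL from the question has no /api segment, so no route matches -> 404
    print(route_request(DEPLOYED_ROUTES, "/images/user/create", zuul_prefix="/api"))  # None
    # Under the configured prefix the route matches and Zuul forwards /user/create
    print(route_request(DEPLOYED_ROUTES, "/api/images/user/create", zuul_prefix="/api"))  # ('image-service', '/user/create')
    # Same request against a Zuul with no prefix configured, as the local setup may be
    print(route_request(DEPLOYED_ROUTES, "/images/user/create"))  # ('image-service', '/user/create')
```

If the local application.yml has no prefix entry, that would also explain why the same path works locally; the last call in the block shows that case. For the deployed gateway either the request needs the /api prefix or the prefix line has to go. Note also that the auth-service route overrides sensitiveHeaders to Cookie,Set-Cookie, which takes Authorization out of Zuul's default sensitive list so the bearer token is forwarded to that service.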

Service routing 404 through consul and Spring Cloud Gateway

I am creating a microservice app with Spring Cloud Gateway and Consul.
When I try getting a response from the microservice "example" on its own port (3000), I get the response.
But when I try to access it through the gateway (demo) port (9090), I get the Whitelabel Error Page 404 error.
Please help, thank you.
[screenshot: Whitelabel 404 Error]
[screenshot: Consul]
application.yml:
server:
  port: 9090
spring:
  cloud:
    gateway:
      routes:
        - id: example
          uri: lb://example
          predicates:
            - Path=/**
    loadbalancer:
      ribbon:
        enabled: true
    consul:
      host: 127.0.0.1
      port: 8500
      discovery:
        health-check-interval: 2s
        health-check-timeout: 2s
        tags: secure=true
        fail-fast: true
        instance-id: ${spring.application.name}:${random.value}
  jpa:
    database: mysql
    hibernate:
      ddl-auto: update
  datasource:
    url: jdbc:mysql://localhost:3306/gatewaypfe?serverTimezone=UTC
    username: root
    password:
  application:
    name: demo
  main:
    allow-bean-definition-overriding: true

Openshift secret in Spring Boot bootstrap.yml

This is how my bootstrap.yml looks:
spring:
  cloud:
    config:
      uri: http://xxxx.com
      username: ****
      password: ****
    vault:
      host: vault-server
      port: 8200
      scheme: http
      authentication: token
      token: ${VAULT_ROOT_TOKEN}
  application:
    name: service-name
management:
  security:
    enabled: false
The application starts when I configure the secret as an env variable in the Deployment Config (OSE), as below:
name: VAULT_ROOT_TOKEN
value: *********
But configuring the secret as an env variable and fetching the value from an OSE secret is not working:
name: VAULT_ROOT_TOKEN
valueFrom:
  secretKeyRef:
    name: vault-token
    key: roottoken
The error that I am getting is:
org.springframework.vault.VaultException: Status 400 secret/service-name/default: 400 Bad Request: missing required Host header
Surprisingly, in this scenario the env variable is visible within the container/pod, but somehow it cannot be fetched during the bootstrap procedure:
env | grep TOKEN
VAULT_ROOT_TOKEN=********
My secret configuration in OSE:
oc describe secret vault-token
Name: vault-token
Namespace: ****
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
roottoken: 37 bytes
What is missing in my deployment config or secrets in OSE? How do I configure it to fetch the secret as an env variable and inject it into the bootstrap.yml file?
NOTE: I can't move the Vault configuration out of bootstrap.yml.
Openshift Enterprise info:
Version:
OpenShift Master:v3.2.1.31
Kubernetes Master:v1.2.0-36-g4a3f9c5
Finally I was able to achieve this. This is what I have done.
Provide the token as an argument:
java $JAVA_OPTS -jar -Dspring.cloud.vault.token=${SPRING_CLOUD_VAULT_TOKEN} service-name.jar
This is how my configuration looks:
Deployment Config:
- name: SPRING_CLOUD_VAULT_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-token
      key: roottoken
Bootstrap file:
spring:
  cloud:
    config:
      uri: http://xxxx.com
      username: ****
      password: ****
    vault:
      host: vault-server
      port: 8200
      scheme: http
      authentication: token
      token: ${SPRING_CLOUD_VAULT_TOKEN}
  application:
    name: service-name
management:
  security:
    enabled: false
Thanks to my colleagues who provided the inputs.
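Two points are worth adding to this answer from a security engineering view, neither of them stated on the page. First, passing the token as -Dspring.cloud.vault.token=... puts it on the JVM command line, where any process in the container can read it from ps or /proc/<pid>/cmdline; Spring Boot's relaxed binding already maps the environment variable SPRING_CLOUD_VAULT_TOKEN onto spring.cloud.vault.token, so the env var from the secretKeyRef is sufficient on its own, and an application should be issued a policy-scoped token (or use AppRole) rather than a root token. Second, the oc describe output shows roottoken: 37 bytes, while a UUID-format Vault token of that era is 36 characters; a trailing newline (for example from echo when the secret data was prepared) is a plausible, though unconfirmed, way for a header-based request to come out malformed. The Python below is an added example, not code from the original post, OpenShift or Spring Cloud Vault; it inspects a token value as bytes, shows what would go on the X-Vault-Token header line, and refuses to build a request from a value containing a line break. The sample token is constructed.

```python
"""Checks for a Vault token injected through an environment variable.

Added example, not code from the original post, OpenShift or Spring Cloud Vault.
Assumptions: the token is the 36-character UUID format Vault used at the time
(the page's secret is 37 bytes), and the only transport is the X-Vault-Token
HTTP header, which cannot carry a line break.
"""
import os
import re
from typing import Dict

UUID_TOKEN = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def token_is_header_safe(token: str) -> bool:
    """True when the value can be sent verbatim as a single HTTP header line."""
    return bool(token) and token == token.strip() and "\r" not in token and "\n" not in token


def inspect_token_bytes(raw: bytes) -> Dict[str, object]:
    """Describe what the client would put on the X-Vault-Token header line."""
    text = raw.decode("utf-8", errors="replace")
    core = text.strip()
    return {
        "bytes": len(raw),                         # compare with 'roottoken: 37 bytes'
        "core_length": len(core),                  # 36 for a UUID-format token
        "trailing_newline": text.endswith(("\n", "\r\n")),
        "header_safe": token_is_header_safe(text),
        "looks_like_uuid_token": bool(UUID_TOKEN.match(core)),
    }


def clean_token(raw: bytes) -> str:
    """Strip surrounding whitespace (for example the newline echo appends)."""
    return raw.decode("utf-8").strip()


def vault_request(token: str, host: str, path: str) -> bytes:
    """Serialise the GET a Vault client sends; refuse tokens that would split the header."""
    if not token_is_header_safe(token):
        raise ValueError("token is not header-safe; was it stored with a trailing newline?")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Vault-Token: {token}\r\n\r\n"
    ).encode("ascii")


def token_from_env(name: str = "SPRING_CLOUD_VAULT_TOKEN") -> str:
    """Read and clean the token from the environment (the relaxed-binding name); raise if unset."""
    value = os.environ.get(name)
    if value is None:
        raise RuntimeError(f"{name} is not set in this process")
    return clean_token(value.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a UUID-format token with the newline that echo appends
    sample = b"123e4567-e89b-12d3-a456-426655440000\n"
    print(inspect_token_bytes(sample))   # bytes 37, core_length 36, header_safe False
    print(vault_request(clean_token(sample), "vault-server:8200", "/v1/secret/service-name"))
```

A quick way to apply the same check in the pod is to compare the byte count oc reports with the length of the token you expect, and to recreate the secret with oc create secret generic ... --from-literal=roottoken=<token> (which stores exactly the literal) if the count is one byte too long.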

Spring-Cloud-Config not getting properties

I cannot create properties, as I get this error:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'configClient': Injection of autowired dependencies failed; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'user.role' in value "${user.role}"
I am following this tutorial:
http://www.baeldung.com/spring-cloud-configuration
I am using
@Value("${user.role}")
and
@Value("${user.role:}")
does not fetch any information.
I had the same issue as you when I tried the tutorial. It seems the client can't reach the server to resolve the property 'user.role'; in my case, the error was the wrong property:
spring.application.name: config-client
You can check the configuration of the server, i.e. whether you can access your GitHub repo with the configs, with the server running, like this:
curl http://root:s3cr3t@localhost:9090/config-client/development/master
{"name":"config-client","profiles":["development"],"label":"master","version":"80d048de5faa3314429a1fce1645917786da28d6","state":null,"propertySources":[{"name":"https://gitlab.com/marcosnasp/spring-config-baeldung-tutorial.git/config-client-development.properties","source":{"user.role":"Developer"}}]}
I used YAML config for both, and a different port for the server (9090); the client port, since I have not configured it in application.properties, is the default 8080. Client and server look like this:
the client config:
bootstrap.yml
spring:
  application:
    name: config-client
  profiles:
    active: development
  cloud:
    config:
      uri: http://localhost:9090
      username: root
      password: s3cr3t
      fail-fast: true
the server config:
bootstrap.yml
spring:
  application:
    name: delivery-config-server
encrypt:
  key-store:
    location: classpath:/config-server.jks
    password: my-s70r3-s3cr3t
    alias: config-server-key
    secret: my-k34-s3cr3t
application.yml:
server:
  port: 9090
spring:
  cloud:
    config:
      server:
        git:
          uri: https://gitlab.com/marcosnasp/spring-config-baeldung-tutorial.git
          timeout: 10
          clone-on-start: true
security:
  user:
    name: root
    password: s3cr3t
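The curl in the answer is the right check; the following Python is an added example, not code from the original post or from Spring Cloud Config, that models what happens next on the client: the propertySources in the server's JSON are merged in order (earlier entries win), and Spring's placeholder resolver either finds user.role or raises the message quoted in the question. The two JSON documents are constructed (only their shape follows the curl output above), and the path helper mirrors the /{application}/{profile}/{label} URL; function names are the example's own. It also shows why ${user.role:} appeared empty instead of failing. One caveat on the curl itself: a password in the URL lands in shell history and the process list, so curl -u root (which prompts) or a .netrc entry is preferable.

```python
"""Resolving '${user.role}' from a Spring Cloud Config Server response.

Added example, not code from the original post or from Spring Cloud Config.
It models two documented behaviours: the server answers
/{application}/{profile}/{label} with a list of propertySources, and the
client merges them in that order (earlier entries win), after which Spring's
placeholder resolution consults the merged properties and honours the
'${key:default}' syntax. Both JSON documents below are constructed for the
example; only their shape matches the curl output in the answer.
"""
import json
import re
from typing import Dict, Optional

CONFIG_CLIENT_DEVELOPMENT = json.dumps({
    "name": "config-client", "profiles": ["development"], "label": "master",
    "version": "constructed", "state": None,
    "propertySources": [
        {"name": "git-repo/config-client-development.properties",
         "source": {"user.role": "Developer"}},
        {"name": "git-repo/config-client.properties",
         "source": {"user.role": "Guest", "app.title": "config demo"}},
    ],
})

# What the server returns for an application name it has no files for
# (the situation behind the wrong spring.application.name in the answer)
UNKNOWN_APPLICATION = json.dumps({
    "name": "config-clien", "profiles": ["development"], "label": "master",
    "version": "constructed", "state": None, "propertySources": [],
})

_PLACEHOLDER = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def config_server_path(application: str, profile: str, label: Optional[str] = None) -> str:
    """Path to request on the config server for a given client (as in the answer's curl)."""
    path = f"/{application}/{profile}"
    return f"{path}/{label}" if label else path


def merge_property_sources(response_json: str) -> Dict[str, str]:
    """Flatten propertySources; the first source that defines a key wins."""
    merged: Dict[str, str] = {}
    for source in json.loads(response_json).get("propertySources", []):
        for key, value in source.get("source", {}).items():
            merged.setdefault(key, str(value))
    return merged


def resolve_placeholder(placeholder: str, props: Dict[str, str]) -> str:
    """Resolve '${key}' / '${key:default}'; raise the same message Spring reports."""
    match = _PLACEHOLDER.match(placeholder)
    if not match:
        raise ValueError(f"not a placeholder: {placeholder}")
    key, default = match.group(1), match.group(2)
    if key in props:
        return props[key]
    if default is not None:          # '${user.role:}' gives an empty default, not an error
        return default
    raise KeyError(f"Could not resolve placeholder '{key}' in value \"{placeholder}\"")


def placeholder_error(placeholder: str, props: Dict[str, str]) -> Optional[str]:
    """None when the placeholder resolves, otherwise the error message."""
    try:
        resolve_placeholder(placeholder, props)
        return None
    except KeyError as exc:
        return exc.args[0]


if __name__ == "__main__":
    print(config_server_path("config-client", "development", "master"))  # /config-client/development/master
    good = merge_property_sources(CONFIG_CLIENT_DEVELOPMENT)
    print(resolve_placeholder("${user.role}", good))         # Developer (profile file wins)
    bad = merge_property_sources(UNKNOWN_APPLICATION)
    print(placeholder_error("${user.role}", bad))            # the message from the question
    print(repr(resolve_placeholder("${user.role:}", bad)))   # '' (empty, the second symptom)
```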
