How to retrieve db credentials using Spring Cloud Vault - spring-boot

We have a spring-boot 2 application that connects to db2 database via DAOs. The current application uses application.properties to store the credentials, like this:
spring.datasource.url=jdbc:db2://127.0.0.1:50000/bcupload
spring.datasource.username=db2user
spring.datasource.password=mysecretpa$$
spring.datasource.driver-class-name=com.ibm.db2.jcc.DB2Driver
I would like to store the username and password in HashiCorp Vault and retrieve them at runtime using Spring Cloud Vault facilities.
I've examined this example from Spring Guides, but I don't understand what to do with these values once I retrieve them from Vault. How do I convert them to properties that Spring Boot uses when connecting to my db2 data source?

Add the same property in Vault and connect to Vault with the Spring Cloud Vault library. Keep all Vault-related configuration in bootstrap.yml. It is not required to convert that to a property; the above-mentioned steps are enough.
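
The setup described in the answer above, written out as an added example (it is not part of the original answer). It assumes the application name bcupload, a KV version 2 engine mounted at secret/, token authentication through a VAULT_TOKEN environment variable, and a hypothetical Vault host name:

```yaml
# bootstrap.yml (added example; host name, mount and application name are assumptions)
#
# Requires spring-cloud-starter-vault-config on the classpath.
#
# One-time write of the credentials, using the same keys Spring Boot already
# binds to the DataSource (single quotes stop the shell expanding "$$"):
#
#   vault kv put secret/bcupload \
#       spring.datasource.username=db2user \
#       spring.datasource.password='<password>'
#
# After that, delete spring.datasource.username and spring.datasource.password
# from application.properties; the url and driver-class-name lines stay there.
spring:
  application:
    name: bcupload                 # Vault is read at secret/bcupload and secret/application
  cloud:
    vault:
      uri: https://vault.example.internal:8200   # hypothetical address
      authentication: TOKEN
      token: ${VAULT_TOKEN}        # injected at deploy time, never committed
      fail-fast: true              # abort startup if Vault cannot be read
      kv:
        enabled: true
        backend: secret            # KV mount path
        default-context: application
```

Because the Vault keys carry the same names as the Spring Boot properties, they are added to the Environment as a property source and the DataSource auto-configuration picks them up without any conversion code.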

Related

How do I use vault database secrets engine with Spring cloud config server

I want my Spring Cloud Config Server to provide database credentials to all services. I'm getting confused between Vault Key-Value Secrets Engine and Vault Database Secrets Engine. With Key-Value Secrets, I'm able to retrieve configuration properties like this.
{"name":"demo","profiles":["vault"],"label":null,"version":null,"state":null,"propertySources":[{"name":"vault:application","source":{"mykey":"testkey"}}]}
However, with Vault Database Secrets Engine, I got nothing from propertySources. Should I use Key-Value Secrets and specify database properties like this instead:
// vault server key-value secrets
vault kv put secrets/application spring.data.mongodb.username=admin

Spring Cloud Config Server Setting Datasource Dynamically

I have a small doubt. I need to connect Spring Cloud Config Server with JDBC Backend. But the credentials to connect to the DB aren’t readily available. The real password has to be retrieved from Cyberark using a nickname and I have relevant Java Code for the same. I need a mechanism where this deciphered Password and Username can be used for setting the datasource of the Spring Cloud Config Server. Is this possible?

How to change the load sequence for Azure key vault and spring cloud config?

I'm using Azure Key Vault, just following this doc, together with Spring Cloud Config Server.
I put the Key Vault configuration in Spring Cloud Config, but found that when the application starts, Azure Key Vault is loaded before Spring Cloud Config, which means I cannot get the Azure configs from Spring Cloud.
Is there a way to change the load sequence so that the Spring Cloud configs are loaded first?

programmatically configuration for spring boot micrometer with influxdb

I am facing some challenges while configuring Spring Boot Micrometer for my application. The Micrometer documentation says we can configure the InfluxDB uri, userName, password, db etc. through the application.yml file, which works fine for my demo application, but for the production-ready application we are using docker-compose and we set all our environment variables through docker-compose. Now I am facing challenges like:
1- How can I force Micrometer to use the docker-compose environment variable for the InfluxDB uri?
2- For the InfluxDB password, our application stores passwords in AWS Secrets Manager; how will Micrometer access the password from Secrets Manager?
3- Can I configure all these Micrometer properties programmatically (Spring Bean)? How?
I'm not sure how to leverage AWS Secret Manager, but for point 1 and 3 I can offer some advice.
I'm not familiar with Influx specifically, but based on the javadoc it uses management.metrics.export.influx.username to set the password.
1- To set an application property via an environment variable, set the equivalent using the typical 'SCREAMING_SNAKE_CASE' format:
MANAGEMENT_METRICS_EXPORT_INFLUX_USERNAME=myInfluxUser
Or, if you already have an environment variable that you want to reference in your application.yml file, you can reference it as a property:
management.metrics.export.influx.username: ${INFLUX_USER}
3- To configure Micrometer/Influx programmatically, create a bean of type InfluxProperties:
@Bean
public InfluxProperties influxProperties() {
    InfluxProperties properties = new InfluxProperties();
    // Programmatically set any properties here.
    return properties;
}

Is Service binding approach using spring cloud connectors relevant when credentials are stored in Vault?

I have been using the Spring Cloud Service Connectors for Pivotal Cloud Foundry for a long time, which get the connection details from the VCAP_SERVICES env variable. Now we have a requirement to read these credentials from Vault. I am just curious: can I still continue to use the service binding approach with Spring Cloud Connectors? I would assume we don't want to expose these credentials from Vault to a VCAP_SERVICES variable, which defeats the purpose of the vault. Have there been any enhancements in Spring Cloud Connectors to read the credentials directly from Vault rather than depending on the VCAP_SERVICES env variable, or should I resort back to Spring Boot's default application-properties-based approach instead of the service binding approach using cloud connectors?
The Spring Cloud Connectors project is now in maintenance mode, in favor of the newer Java CFEnv project. However, Java CFEnv is also very specific to Cloud Foundry's VCAP_SERVICES model of exposing service bindings and won't help you if the service connection info is in Vault.
I would suggest that you fall back to the Spring Boot properties-based approach using Spring Cloud Vault or Spring Cloud Config Server's Vault integration to automate fetching the properties from Vault and making them available as Spring Boot properties.
