0

Using the following:

  • Spring Cloud Data Flow Server Cloudfoundry 1.0.0.RC1
  • Spring Cloud Config Server service

I rebuilt the spring-cloud-dataflow-server-cloudfoundry with the additional dependency to enable its binding with Spring Cloud Config server as the instructions provide. It seems to be working as expected, so that's great.

The issue is arising now, when I attempt to define a stream with a custom module I developed, where the environment variables for the module (specifically ENCRYPT_KEY) are in a manifest YML file in my git repo.

The name of the manifest file is customapp-dev.yml. The manifest looks like this:

```yaml
applications:
- name: customapp
  env:
    ENCRYPT_KEY: keyForEncryption
```

The name of the properties file is customapp-dev.properties. The properties file looks like this:

```properties
customapp.initial.context.factory=com.sun.jndi.ldap.LdapCtxFactory
customapp.ldap.provider.url=ldap://directory.xyz.com:389/dc=xyz,dc=com
customapp.username=ldap_user
customapp.password={cipher}958f87532ebba83cd81b7b0e9a0a0cc
```

The application has a properties file in the boot jar called application.properties. It looks like this:

```properties
spring.application.name=customapp
```

Finally, when I deploy my stream, I provide one additional property in the command line like this:

```
--properties app.customapp.SPRING_PROFILES_ACTIVE=dev
```

Tailing the logs of the app's deployment, I can see that the config server instance is being read, and that the app name and profile are being correctly resolved. The config client is mapping both the YML manifest, and the properties file from my git repo.

However, the error is indicating there is no possible decryption for the placeholder customapp.password.

```
2016-08-26T13:40:46.62-0600 [APP/0]      OUT   .   ____          _            __ _ _
2016-08-26T13:40:46.62-0600 [APP/0]      OUT  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
2016-08-26T13:40:46.62-0600 [APP/0]      OUT ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
2016-08-26T13:40:46.62-0600 [APP/0]      OUT  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
2016-08-26T13:40:46.62-0600 [APP/0]      OUT   '  |____| .__|_| |_|_| |_\__, | / / / /
2016-08-26T13:40:46.62-0600 [APP/0]      OUT  =========|_|==============|___/=/_/_/_/
2016-08-26T13:40:46.63-0600 [APP/0]      OUT  :: Spring Boot ::        (v1.3.5.RELEASE)
2016-08-26T13:40:46.65-0600 [APP/0]      OUT Fetching config from server at: https://config-dfcc3100-7514-47e6-b30e-a0eefcf4929d.dev.xyz.com
2016-08-26T13:40:48.13-0600 [APP/0]      OUT Located environment: name=customapp, profiles=[dev, cloud], label=master, version=null
2016-08-26T13:40:48.13-0600 [APP/0]      OUT Located property source: CompositePropertySource [name='configService', propertySources=[MapPropertySource [name='https://user@bitbucket.xyz.com/scm/project/app-config.git/dev/customapp-dev.yml'], MapPropertySource [name='https://user@bitbucket.xyz.com/scm/project/app-config.git/dev/customapp-dev.properties']]]
2016-08-26T13:40:48.16-0600 [APP/0]      OUT Application startup failed
2016-08-26T13:40:48.16-0600 [APP/0]      OUT java.lang.IllegalStateException: Cannot decrypt: key=customapp.password
```

If I explicitly set the ENCRYPT_KEY environment variable for the deployed (crashed) application, and restage it, it starts up fine and works like a charm.

Is there another way for me to specify the environment variables for a stream app at deployment time?

2 Answers

0

The manifest (customapp-dev.yml) would not need to be in (the same) git repo as the rest of your config (as a matter of fact, it better not be, as it contains the decryption key).

More importantly, it's not clear from your question how you "use" it. Do you expect it to be taken into account automatically (thanks to config server, or anything) or do you indeed use it when you cf push your app?

The symptoms you're describing seem to indicate that the environment variable you set there is not taken into account (via manifest).

ebottard
  • My expectations were that it would be loaded by config server automatically. Since this is a stream app that gets deployed automatically when I deploy a stream, I'm not using `cf push` at all. You're correct, the environment variable is not getting taken into account, so the decrypt is not happening at stream deployment time. One thing I haven't tried yet is to bundle the manifest in the app's JAR and hope it is read at deploy time. – Channing Jackson Aug 29 '16 at 15:09
  • Tried bundling the manifest in the app's boot jar, and got same error. Why wouldn't using `app.customapp.ENCRYPT_KEY=key` on the deployment command line work in this case? Is it because that is not a "known" environment variable? – Channing Jackson Aug 29 '16 at 18:28
  • To add to the manifest story: manifests are only used by the `cf (push)` command line app, at least as of now. – ebottard Aug 31 '16 at 11:20
0

So, I RTFM'd and found a useful excerpt in the existing documentation.

Spring Cloud Config Server

The command line specification at deploy time will work, but I was using the wrong syntax. Instead of:

```
app.customapp.ENCRYPT_KEY=keyForEncryption
```

I should use:

```
app.customapp.encrypt.key=keyForEncryption
```
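The first answer's point that the decryption key should not sit in the same git repo as the `{cipher}` values can be checked mechanically. The following is an added example, not code from either poster or from Spring: it scans a config repo checkout for a plaintext key under either spelling seen on this page (`ENCRYPT_KEY` or `encrypt.key`) next to encrypted values. The function names and the sample repo layout are assumptions, with the sample files constructed from the two files quoted in the question.

```python
import re
from pathlib import Path

CIPHER_RE = re.compile(r"\{cipher\}[0-9A-Fa-f]+")
# Key defined under the env-var spelling (YAML manifest) or the property spelling.
KEY_RE = re.compile(r"^\s*(ENCRYPT_KEY|encrypt\.key)\s*[:=]\s*(\S+)", re.M)
CONFIG_SUFFIXES = {".yml", ".yaml", ".properties"}


def scan_repo(root):
    """Return (files holding {cipher} values, files holding a plaintext key)."""
    cipher_files, key_files = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in CONFIG_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if CIPHER_RE.search(text):
            cipher_files.append(rel)
        for match in KEY_RE.finditer(text):
            # A ${...} reference or an encrypted value is not a literal key.
            if not match.group(2).startswith(("${", "{cipher}")):
                key_files.append(rel)
                break
    return cipher_files, key_files


def key_colocated(root):
    """True when the repo holds both ciphertext and the key that decrypts it."""
    cipher_files, key_files = scan_repo(root)
    return bool(cipher_files and key_files)


def build_sample_repo(root, include_manifest=True):
    """Constructed sample mirroring the two files shown in the question."""
    dev = Path(root) / "dev"
    dev.mkdir(parents=True)
    (dev / "customapp-dev.properties").write_text(
        "customapp.username=ldap_user\n"
        "customapp.password={cipher}958f87532ebba83cd81b7b0e9a0a0cc\n")
    if include_manifest:
        (dev / "customapp-dev.yml").write_text(
            "applications:\n- name: customapp\n  env:\n"
            "    ENCRYPT_KEY: keyForEncryption\n")
```

Run as a pre-commit or CI step against the config repo, a `True` result from `key_colocated` means anyone with read access to the repo can decrypt every `{cipher}` value in it.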