
I am using Spring Cloud Config Server to serve configuration for my client apps. To facilitate secrets configuration I am using HashiCorp Vault as a back end. For the remainder of the configuration I am using a GIT repo. So I have configured the config server in composite mode. See my config server bootstrap.yml below:

server:
    port: 8888

spring:
    profiles:
        active: local, git, vault

    application:
        name: my-domain-configuration-server

    cloud:
        config:
            server:
                git:
                    uri: https://mygit/my-domain-configuration
                    order: 1
                vault:
                    order: 2
                    host: vault.mydomain.com
                    port: 8200
                    scheme: https
                    backend: mymount/generic

This is all working as expected. However, the token I am using is secured with a Vault auth policy. See below:

path "mymount/generic/myapp-app,local" {
    policy = "read"
}

path "mymount/generic/myapp-app,local/*" {
    policy = "read"
}

path "mymount/generic/myapp-app" {
    policy = "read"
}

path "mymount/generic/myapp-app/*" {
    policy = "read"
}

path "mymount/generic/application,local" {
    policy = "read"
}

path "mymount/generic/application,local/*" {
    policy = "read"
}

path "mymount/generic/application" {
    policy = "read"
}

path "mymount/generic/application/*" {
    policy = "read"
}

My issue is that I am not storing secrets in all these scopes. I need to specify all these paths just so I can authorize the token to read one secret from mymount/generic/myapp-app,local. If I do not authorize all the other paths the VaultEnvironmentRepository.read() method returns a 403 HTTP status code (Forbidden) and throws a VaultException. This results in complete failure to retrieve any configuration for the app, including GIT based configuration. This is very limiting as client apps may have multiple Spring profiles that have nothing to do with retrieving configuration items. The issue is that config server will attempt to retrieve configuration for all the active profiles provided by the client.

Is there a way to enable fault tolerance or lenience on the config server, so that VaultEnvironmentRepository does not abort and returns any configuration that it is actually authorized to return?

Codesnooper
1 Answer

Do you absolutely need the local profile? Would you not be able to get by with just the 'vault' and 'git' profiles in Config Server and use the 'default' profile in each Spring Boot application?

If you use the above suggestion then the only two paths you'd need in your rules (.hcl) file are:

path "mymount/generic/application" {
  capabilities = ["read", "list"]
}

and

path "mymount/generic/myapp-app" {
  capabilities = ["read", "list"]
}

This assumes that you're writing configuration to

vault write mymount/generic/myapp-app

and not

vault write mymount/generic/myapp-app,local

or similar.

Reegz
  • Agreed, even so my issue illustrates a problem that still exists if I add any profile that is not configured in Vault. I need a mechanism that permits me to use profiles that are not configured in Vault. The "local" profile is just being used for illustration here. – Codesnooper Jan 19 '18 at 13:20
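The all-or-nothing failure the question describes, and the policy path set the answer discusses, can be checked before a token is issued. The following is an added model (not code from the question, the answer, or Spring Cloud Config) of how the Vault backend enumerates keys for an application and profile list, how Vault's path rules gate each read, and what the least-privilege policy for one client looks like; the key order and the `application`/`,` defaults are assumed from the paths listed in the question, and the policy matcher only handles exact paths and a trailing `*` glob.

```python
"""Constructed model: Spring Cloud Config's Vault key enumeration, Vault
path-rule matching, and the strict-vs-lenient composite read."""
from typing import List, Tuple

DEFAULT_KEY = "application"   # config server's default key (assumed default)
SEPARATOR = ","               # profile separator in key names (assumed default)


def config_keys(backend: str, app: str, profiles: List[str]) -> List[str]:
    """Every Vault path the config server reads for one client request."""
    keys = [DEFAULT_KEY, app]
    for profile in profiles:
        keys += [f"{DEFAULT_KEY}{SEPARATOR}{profile}", f"{app}{SEPARATOR}{profile}"]
    return [f"{backend}/{key}" for key in keys]


def policy_allows(rules: List[str], path: str) -> bool:
    """Vault path rules: exact match, or a trailing '*' prefix glob.
    Anything no rule matches is denied by default."""
    for rule in rules:
        if rule.endswith("*") and path.startswith(rule[:-1]):
            return True
        if rule == path:
            return True
    return False


def fetch_config(rules: List[str], backend: str, app: str,
                 profiles: List[str], lenient: bool = False) -> Tuple[bool, List[str]]:
    """Strict mode (the behaviour in the question): one denied key aborts the
    whole request, so no configuration at all is returned, git included.
    Lenient mode: skip denied keys and return whatever the token may read."""
    readable = []
    for path in config_keys(backend, app, profiles):
        if policy_allows(rules, path):
            readable.append(path)
        elif not lenient:
            return False, []          # 403 -> VaultException -> empty result
    return True, readable


def least_privilege_policy(backend: str, app: str, profiles: List[str]) -> str:
    """HCL granting read only on the keys this app/profile set will touch."""
    blocks = [f'path "{p}" {{\n  capabilities = ["read"]\n}}'
              for p in config_keys(backend, app, profiles)]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    rules = ["mymount/generic/myapp-app,local"]   # only the key that holds a secret
    print(fetch_config(rules, "mymount/generic", "myapp-app", ["local"]))
    print(fetch_config(rules, "mymount/generic", "myapp-app", ["local"], lenient=True))
    print(least_privilege_policy("mymount/generic", "myapp-app", ["local"]))
```

Running it shows the strict read returning nothing when only the one secret key is authorised, the lenient read returning that key, and the four-path policy a token needs for `myapp-app` with the `local` profile (no `/*` rules, since the config server reads the key itself, not children).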