2

I am running microservices with two configuration servers:

  • Spring Cloud Config (with git backend)
  • Spring Cloud Vault

I store the Vault token in Spring Cloud Config server. When starting up the microservice, I expect it to:

  1. Retrieve configurations stored in Spring Cloud Config, including the Vault token.
  2. Use the Vault token to connect to Spring Cloud Vault, then retrieve configurations stored in Spring Cloud Vault.

bootstrap.properties:

    spring.application.name=my-app
    spring.cloud.config.uri=http://localhost:8888

Spring Cloud Config server:

    spring.cloud.vault.token=19aefa97-cccc-bbbb-aaaa-225940e63d76

However, I hit an exception saying spring.cloud.vault.token must be present.

    Caused by: java.lang.IllegalArgumentException: Token (spring.cloud.vault.token) must not be empty
        at org.springframework.util.Assert.hasText(Assert.java:181)
        at org.springframework.cloud.vault.config.VaultBootstrapConfiguration.clientAuthentication(VaultBootstrapConfiguration.java:270)
        at org.springframework.cloud.vault.config.VaultBootstrapConfiguration$$EnhancerBySpringCGLIB$$473cc7b3.CGLIB$clientAuthentication$7(<generated>)
        at org.springframework.cloud.vault.config.VaultBootstrapConfiguration$$EnhancerBySpringCGLIB$$473cc7b3$$FastClassBySpringCGLIB$$5f991c47.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:358)
        at org.springframework.cloud.vault.config.VaultBootstrapConfiguration$$EnhancerBySpringCGLIB$$473cc7b3.clientAuthentication(<generated>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)
        ... 88 common frames omitted

Questions:

  1. Is it a valid use case to store Vault token in Spring Cloud Config for the microservice to access Spring Cloud Vault later?

  2. If yes, do we need to set the order of property retrieval? I.e. setting spring.cloud.vault.config.order for Spring Cloud Vault. Is there any equivalent parameter for Spring Cloud Config?

wltheng
  • Answered here: [how to retrieve vault settings from config-server](https://stackoverflow.com/questions/48797436/spring-cloud-config-and-spring-cloud-vault-order-of-initialization/58710190#58710190). – Dmitry3271 Nov 05 '19 at 11:43

1 Answer

4
  1. It looks like this is not a valid case of Vault token usage. According to the documentation, the Spring Cloud Config Client should supply a token for the Server to retrieve values from Vault (Spring Cloud Config - Vault). So in the Config Server you just provide configuration for the git repos and the Vault server, and that's all. It does not retrieve all configs from Vault as it does from git repos. It will retrieve sensitive properties on request from a configuration client that has a proper Vault token.

  2. Yes, there is an order property:

    spring:
      profiles:
        active: vault, git
      cloud:
        config:
          server:
            vault:
              order: 1
            git:
              order: 2
              uri: https://some-git-repo.com/
              username: user
              password: pass

I used configuration from this StackOverflow question, it helped me and works fine.

nmyk
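The arrangement the answer describes, written out as configuration (an added example, not taken from either post): the Config Server knows only where Vault is, and each client passes its own Vault token with every request through `spring.cloud.config.token`, so no token has to be committed to the git-backed config repo. The `VAULT_TOKEN`, `GIT_USER` and `GIT_PASSWORD` environment variable names and the Vault host and port are assumptions.

```yaml
# Two separate files, shown as two YAML documents.
# The setting from the question is deliberately absent from the git repo:
#   spring.cloud.vault.token=<token>   (readable by anyone with repo access)

# --- Config Server: application.yml ---
# Composite backend. The server stores the Vault location, never a Vault token.
spring:
  profiles:
    active: vault, git
  cloud:
    config:
      server:
        vault:
          order: 1
          host: 127.0.0.1          # assumed Vault address
          port: 8200               # assumed (Vault's default port)
          scheme: http             # local development only; use https elsewhere
        git:
          order: 2
          uri: https://some-git-repo.com/
          username: ${GIT_USER}      # assumed env var names, so the repo
          password: ${GIT_PASSWORD}  # credentials stay out of the file
---
# --- Microservice (Config Client): bootstrap.yml ---
spring:
  application:
    name: my-app
  cloud:
    config:
      uri: http://localhost:8888
      # Sent to the Config Server as the X-Config-Token header; the server
      # uses it to read from Vault on behalf of this client.
      token: ${VAULT_TOKEN}        # assumed env var, injected at deploy time
```

With this layout the client no longer needs `spring.cloud.vault.token` at bootstrap, and a token scoped by Vault policy to one service limits what a leaked client token can read.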