0

I have a spring-boot application which runs in different environments (dev, qa, prod). In order to generate immutable builds which can run on all environments without any modification, I have packaged environment-specific configuration files into the generated jar itself. But this creates another problem of exposing production database credentials to the development team too. I can use an external config server, but that's overkill for me for now.

How can I manage these configuration files to avoid this information leak and have immutable builds to support CI/CD?

user34567
  • 258
  • 3
  • 12
  • Why don't you just specify the config file path on each environment and deploy the environment-specific config on each machine? Or just externalize the credentials on that path? – Dovmo May 16 '18 at 12:43
  • Yes, I can do that, but this way the application deployment process becomes complex: the application deployer now has two things to manage, config and application. Moreover, where should I put these config files? The code repository, which is accessible to all? – user34567 May 16 '18 at 13:01

4 Answers

1

For data leakage, it's advisable to encrypt the username/password with jasypt.

Application connects to database:

https://github.com/ulisesbocchio/jasypt-spring-boot

The password for the decryption has to be on the machine, though, so that should be there already, secured as much as possible (e.g. different user, or https://github.com/certnanny/KeyNanny)

I wouldn't put the configuration in the jar file, though. It's not part of the application logic, it's part of the deployment process, and the deployer should be able to add new machines easily. If you use docker, it's different, of course.

Frischling
  • 2,100
  • 14
  • 34
  • That's not easy to answer; it depends on your organization, and what tools your project and organization have or allow to be used. In my projects I usually deploy them to a maven repo (with read restrictions, so the files are a bit more private). Then a separate deploy tool (uDeploy, bladelogic) fetches those files and deploys them. In a different project, different team, same customer, I actually wrote a configuration software for config + deployment. Vendor delivered, app specialist in the bank configured + deployed the delivery. Sadly not open source... – Frischling May 17 '18 at 06:21
  • Oh, and what you can also do is put the to-be-secured stuff on the machine in a dedicated folder, best only readable by deployment user, and then merge them into the config file (with properties this is a simple cat secrets.properties >> application.properties) – Frischling May 17 '18 at 06:22
1

Saving your credentials inside the application seems to be an insecure practice. You can save the credentials externally (an external server to save secrets, or maybe on the same server inside a different application or env variables). Reading data through env variables will keep your build intact.

If you are using any cloud services like AWS or Pivotal, then they have such services to store your secrets.

Sangam Belose
  • 4,262
  • 8
  • 26
  • 48
0

Most of my application config file (e.g. application.yml) is like this:

  spring:
    datasource:
      # ${name:default} is Spring's placeholder syntax: the value comes from the
      # environment (DATABASE_USERNAME etc. via relaxed binding), else the default
      username: ${database_username:root}
      password: ${database_password:root123}
      sql-script-encoding: utf-8
      driver-class-name: com.mysql.jdbc.Driver
      url: jdbc:mysql://${database_host:localhost}:3306/dbname?useUnicode=true&characterEncoding=utf-8

If the environment variable is present, the application will load the config from the environment; otherwise it will use the default value.

After this you can build single package and run everywhere.

In my case, I build the application into a Docker image and run it in Kubernetes, so the config properties are stored in ConfigMaps and Secrets.

When the Pod is running, it will load the ConfigMaps and Secrets into environment variables.

And of course, you can also use other tools.

Yunlong
  • 224
  • 2
  • 7
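Frischling's secrets.properties kept in a deployment-user-only folder and the env-variable approach above can be combined into one launcher: the jar stays immutable, and secrets are injected as environment variables at start-up after the file's permissions are checked. This is an added example, not code from the question or any answer; the file paths in the usage comment and the `spring.datasource.*` keys are assumptions.

```shell
#!/bin/sh
# Run the same jar in every environment; only the secrets file on the host differs.
# Assumes the secrets file uses Java .properties lines (key=value) and that
# Spring Boot's relaxed binding maps SPRING_DATASOURCE_PASSWORD to spring.datasource.password.

# Fail (non-zero) if the secrets file is missing or readable by group/others.
check_secret_perms() {
  f=$1
  [ -f "$f" ] || { echo "secrets file $f missing" >&2; return 1; }
  if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
    echo "secrets file $f is readable by group/others; expected mode 600" >&2
    return 1
  fi
  return 0
}

# Convert a Spring property name to its environment-variable form (relaxed binding):
# spring.datasource.password -> SPRING_DATASOURCE_PASSWORD
prop_to_env() {
  printf '%s' "$1" | tr '.-' '__' | tr 'a-z' 'A-Z'
}

# Export every key=value line of the secrets file into the environment.
# Blank lines and # comments are skipped; the value keeps any '=' after the first one.
# Nothing is written into the jar or its packaged config.
load_secrets() {
  check_secret_perms "$1" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    export "$(prop_to_env "$key")=$value"
  done < "$1"
}

# Launcher used by the deployment user (hypothetical paths):
#   run_app /etc/myapp/secrets.properties /opt/myapp/app.jar
run_app() {
  load_secrets "$1" || return 1
  exec java -jar "$2"
}
```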
0

You can create yml files for different profiles and specify the profile in JVM arguments.

  1. Set common parameters for all profiles in application.yml
  2. Set parameters for a specific profile in application-name.yml
  3. Set the profile in JVM arguments: java -jar -Dspring.profiles.active=name or in a .conf file: JAVA_OPTS=-Dspring.profiles.active=name
  4. In the same way as the profile, set the DB parameters: java -jar -Dspring.datasource.username=name -Dspring.datasource.password=pass


Nick
  • 3,691
  • 18
  • 36