
We have SCDF triggering tasks on PCF; however, when SCDF invokes task(s) it sets SPRING_APPLICATION_JSON with datasource information in the task environment variables.

This exposes sensitive database information in clear text, including the password, which is not desirable.

Our corporate policy is to have all the sensitive information stored in vault; the apps are bound to config server, which gets sensitive information from vault and injects it into the app.

In our current setup we bind config server to SCDF and the tasks. We don't want SCDF to pass datasource information in SPRING_APPLICATION_JSON for invoked tasks.

Is there a way to configure SCDF not to pass datasource information to invoked tasks?

Nitty

1 Answer


Since you already use config server and have this bound to SCDF server and task applications, you can enable appropriate profile/app name in the SCDF server/task application to have the configuration properties retrieved from Spring Cloud Config server.

Do you have any issues retrieving the properties this way?

Ilayaperumal Gopinathan
  • SCDF and task are retrieving properties from config server and they work fine, however SCDF is passing datasource information to tasks as part of environment variables (spring_application_json) - this is redundant and is exposing sensitive data. Is there a way to prevent this (SCDF sending datasource information to tasks)? – Nitty Nov 05 '18 at 15:08
  • Task executions are updated in the database (same as that of the SCDF) and that's the reason the data source information is sent over. Also, if your task is a batch, then all the batch related persistent data are stored in the same database as well. – Ilayaperumal Gopinathan Nov 05 '18 at 16:28
  • Since we have config server bound to tasks and the tasks already have datasource information (from config server) to write to batch metadata tables, I was looking for a way to prevent SCDF from setting it as a task env variable (since it exposes credentials) – Nitty Nov 05 '18 at 20:18
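
Added example, not part of the original thread and not SCDF code: a small audit that checks whether a task's environment carries cleartext credentials in SPRING_APPLICATION_JSON, the exposure described in the question. The property names in the sample, the keyword heuristics and the function names are assumptions; it reports property names only, never values.

```python
import json
import re

# Heuristics (assumptions): key names that usually hold secrets, secrets
# embedded in JDBC URL parameters, and values that are only references
# (${...} placeholders) or Spring Cloud Config ciphertext ({cipher}...).
SENSITIVE = re.compile(r"(password|passwd|secret|token|credential)", re.I)
URL_SECRET = re.compile(r"[?&;](password|pwd)=[^&;]+", re.I)
INDIRECT = re.compile(r"^(\$\{.*\}|\{cipher\}.+)$")


def flatten(node, prefix=""):
    """Yield (dotted_key, value) pairs; the JSON may use flat or nested keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from flatten(value, f"{prefix}[{i}]")
    else:
        yield prefix, node


def audit_spring_application_json(env):
    """Return sorted property names whose cleartext value looks like a secret."""
    raw = env.get("SPRING_APPLICATION_JSON")
    if not raw:
        return []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return ["<unparseable SPRING_APPLICATION_JSON>"]
    findings = set()
    for key, value in flatten(doc):
        if not isinstance(value, str) or not value or INDIRECT.match(value):
            continue
        if SENSITIVE.search(key.rsplit(".", 1)[-1]) or URL_SECRET.search(value):
            findings.add(key)
    return sorted(findings)


# Constructed sample environment (not taken from a real deployment).
SAMPLE_ENV = {
    "SPRING_APPLICATION_JSON": json.dumps({
        "spring.datasource.url": "jdbc:mysql://db.example.internal:3306/scdf",
        "spring.datasource.username": "scdf_user",
        "spring.datasource.password": "constructed-sample-value",
        "spring": {"cloud": {"config": {"password": "${vault.token}"}}},
    })
}
```

Calling `audit_spring_application_json(dict(os.environ))` inside a launched task gives a pass/fail signal that can be checked after each SCDF configuration change.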