
I need to externalize the Vault token and backend to use in my SpringBoot/Cloud application so that the same binary can be deployed to different Pivotal Cloud Foundry spaces. For example, I have a single .jar I want to push to Dev, Test, QA, PROD spaces without having to rebuild the .jar.

I also have a ConfigServer backed by a git repo as well as a User Provided Service, that could hold the information but that just moves the externalization problem, it does not solve it. And it causes more problems, specifically with the order that objects are created in.

I am struggling to get the relevant information like the vault token and vault backend to use externalized settings from the .jar.

All the examples I can find use the bootstrap.properties or application.yml:

```yaml
spring:
  cloud:
    config:
      token: YourVaultToken
```

and that obviously will not work because it is embedded in the .jar and would be environment specific.

Solutions that use the default Spring magic bindings will not work because I need to manually make calls using VaultTemplate.

What is the most idiomatic way to externalize the client configuration of how to connect to the Vault and read the secrets with VaultTemplate where I do not have to rebuild the .jar for each environment?

1 Answer

It's Spring Boot's configuration. You can use environment variables (`SPRING_CLOUD_CONFIG_TOKEN=xxx`) or Java system properties (`-Dspring.cloud.config.token=xxx`). You could also use User Provided Services on CF.

spencergibb
  • Neither of these suggestions solves the problem of connecting to the vault service manually. Just setting that token in the `ENV` does not allow me to connect to the vault, there are other things that have to be set as well, `backend`, `uri`, etc. I have tried both and both *solutions* have pitfalls with sequencing creation of objects. **This is not really an answer and more a comment either way.** –  Jan 31 '19 at 15:25
  • Nope, that does not work for using `VaultTemplate` manually. It only works for the auto-magical properties binding which is not sufficient for my scenario. –  Feb 01 '19 at 15:39
  • Sorry, it seemed you asked about how to externalize the token. Maybe you can explain what you are trying to do in the question. You didn't mention `VaultTemplate` there. – spencergibb Feb 01 '19 at 19:11
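
One way to build a `VaultTemplate` by hand from externalized settings, as an added example that is not code from the question, the answer or the Spring projects. It assumes Spring Vault core is on the classpath, no other `VaultTemplate` bean is defined, and a KV version 1 style backend; the property names `vault.uri`, `vault.token` and `vault.backend` and the class names are hypothetical.

```java
import java.net.URI;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

@Configuration
public class ExternalVaultConfig {

    // Hypothetical keys. Spring resolves them from system properties
    // (-Dvault.uri=...) or from the environment (VAULT_URI, VAULT_TOKEN,
    // VAULT_BACKEND), so nothing environment-specific lives in the .jar.
    @Bean
    public VaultTemplate vaultTemplate(Environment env) {
        // getRequiredProperty throws IllegalStateException at startup if a
        // value is missing, instead of failing later on the first read.
        VaultEndpoint endpoint =
                VaultEndpoint.from(URI.create(env.getRequiredProperty("vault.uri")));
        // The token is passed straight to the client and never logged.
        return new VaultTemplate(endpoint,
                new TokenAuthentication(env.getRequiredProperty("vault.token")));
    }

    // Declaring VaultTemplate as a parameter makes Spring create it first,
    // which keeps the creation order explicit.
    @Bean
    public SecretReader secretReader(VaultTemplate vault, Environment env) {
        return new SecretReader(vault, env.getRequiredProperty("vault.backend"));
    }

    public static class SecretReader {
        private final VaultTemplate vault;
        private final String backend;

        SecretReader(VaultTemplate vault, String backend) {
            this.vault = vault;
            this.backend = backend;
        }

        // Reads <backend>/<name>; a KV version 2 mount needs a different path.
        public Map<String, Object> read(String name) {
            VaultResponse response = vault.read(backend + "/" + name);
            if (response == null || response.getData() == null) {
                throw new IllegalStateException("No secret at " + backend + "/" + name);
            }
            return response.getData();
        }
    }
}
```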