Skip to content

Server-side resolve Vault secrets inside application's property sources#1678

Merged
spencergibb merged 6 commits intospring-cloud:masterfrom
donbeave:vault
Jan 11, 2021
Merged

Server-side resolve Vault secrets inside application's property sources#1678
spencergibb merged 6 commits intospring-cloud:masterfrom
donbeave:vault

Conversation

@donbeave
Copy link
Copy Markdown
Contributor

@donbeave donbeave commented Jul 31, 2020

This feature will add the ability to replace property value with the value from Vault KV secret.

It works similarly to how {cipher} works (https://cloud.spring.io/spring-cloud-config/reference/html/#_encryption_and_decryption).

For example, if activated vault profile and application.yml contains some keys with {vault} prefix:

spring:
  datasource:
    username: dbuser
    password: '{vault}:dbs/myapp#pass'

Spring Cloud Config server on the server-side will request the Vault server will load secret with the path dbs/myapp and retrieve the value from pass key and will put it in spring.datasource.password property.

Same as {cipher}, if a value cannot be parsed, it is removed from the property source and an additional property is added with the same key but prefixed with invalid and a value that means “not applicable” (usually <n/a>).

spencergibb
spencergibb requested changes Jul 31, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@spencergibb spencergibb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

at a glance there are quite a few changes that aren't material to the PR such as formatting or adding final or changing the order of static and final. Can you please revert those changes so this will be easier to digest.

@donbeave
Copy link
Copy Markdown
Contributor Author

donbeave commented Jul 31, 2020

@spencergibb ok, sorry for that. Maybe I better make a separate PR for these static/final changes?

@spencergibb
Copy link
Copy Markdown
Member

spencergibb commented Jul 31, 2020

focused PRs are much better. static and final have no material impact of adding new vault encryptor support.

@donbeave
Copy link
Copy Markdown
Contributor Author

donbeave commented Jul 31, 2020

@spencergibb done, pls check again. Build and tests are success on my local machine:

image

It looks like probably CircleCI is not configured properly for this repository, because the error is not related to my code changes.

@donbeave donbeave requested a review from spencergibb July 31, 2020 20:50
@spencergibb spencergibb self-assigned this Jan 11, 2021
@spencergibb spencergibb added this to the 3.0.2 milestone Jan 11, 2021
@spencergibb spencergibb merged commit 4ba93e7 into spring-cloud:master Jan 11, 2021
@spencergibb spencergibb mentioned this pull request Jan 11, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spencergibb spencergibb Awaiting requested review from spencergibb

Assignees

@spencergibb spencergibb

Labels

enhancement

Projects

None yet

Milestone

3.0.2

Development

Successfully merging this pull request may close these issues.

3 participants

@donbeave @spencergibb @spring-projects-issues