How to use Spring Cloud Config Server with Git and Vault

How to use Spring Cloud Config Server with Git and Vault | Microservices 4

Рет қаралды 11,607

The Dev World - by Sergio Lema

Күн бұрын

Пікірлер: 27

@deepikadurairaj6328 2 жыл бұрын

Thanks for the video...Good one with perfect explanation 👌👌

@TheDevWorldbySergioLema 2 жыл бұрын

Thanks to you for taking your time to write this comment

@jeancarlossouza3432 Жыл бұрын

Saudações de um dev brasileiro! Obrigado pelo tutorial, estava configurando certo e dava erro, a propriedade que estava faltando era a do spring.cloud.config.server.vault.order=1 isso faz com que os dois funcionem perfeitamente. Thank you very much for this, it helped alot.

@TheDevWorldbySergioLema Жыл бұрын

Glad it helped you!

@pavanmadiraju 2 ай бұрын

Nice video, I was almost able to have my spring cloud config client get password from vault. Not sure what you did on the client side to indicate that it needs to get the password from Spring Config vault. Can you share what how did you accomplish that. Spring documentation seems to refer to about Define properties with the {vault} prefix to specify the Vault path and key for retrieving secrets:

@TheDevWorldbySergioLema 2 ай бұрын

Thanks! On the client, I've added the configuration of Spring Config Client indicating that the first source is from Vault (and I've configured the Vault access).

@glisavkatroshi3237 Жыл бұрын

Does this also work for nested secret paths in Vault? For example, in Secret Engine secret/ , I will have secret key as application and inside application another subfolder, let's call it dev and inside dev, we could have properties. So secret/application/dev/properties. In this path, we can store a key value pair of secret. Somehow I can't pull secrets from this path. Can you please help me?

@TheDevWorldbySergioLema Жыл бұрын

Never tried this far. What is the problem? Do you have some error logs?

@ai_made_easy 8 ай бұрын

Thanks for the video. Can you let me whether it is okay to do what I did: I added a spring security to the config server, a databased backend and stored the username and password on Hashicorp vault. I decided to connect the client services using the keys retrieved from vault. Unfortunately, this doesnt work. When I directly used the username and password in the spring.config.import for the services, it works. I will not want to hard code the username and password into the properties folder. Can you help me know why it is not connecting? Thanks, Sergio.

@TheDevWorldbySergioLema 8 ай бұрын

Do you use Spring Config Bootstrap? docs.spring.io/spring-cloud-config/docs/current/reference/html/#config-first-bootstrap

@ai_made_easy 8 ай бұрын

Yes I actually use bootstrap. Thanks or the reply@@TheDevWorldbySergioLema

@ai_made_easy 8 ай бұрын

Thanks again for the response and link. I think it may be fine to use the username and password directly in the code following the examples provided in the doc you sent. Because services using http can often let some flexibility. @@TheDevWorldbySergioLema

@ayuen100home6 3 жыл бұрын

Nice tutorial. Quite easy to follow :) Question though: I see you're storing he vault configs in the root directory "secret/service-users". Is there a way to store them in sub directories? e.g. "secret/dev/service-users", "secret/test/service-users", "secret/prod/service-users", etc... If so, how is this configured on both the server and client apps?

@TheDevWorldbySergioLema 3 жыл бұрын

Thanks, yes you can do it. To configure this in Vault, you must create the directories manually. But in the application, you can use environnement variables in your configuration file to obtain the path depending where the application is running, only based on an environment variable

@gopalpatil8098 2 жыл бұрын

How do i check if vault properties can be fetched?

@TheDevWorldbySergioLema 2 жыл бұрын

I'm not sure to understand your question. This video is about the distributed configuration architecture with Spring Cloud. For that, I've used Vault, but I'm not aware of the Vault details (if that's what you're asking for).

@shirishabonagam526 2 жыл бұрын

Hi,Thanks for the video. please can you Suggest me how to add dbpassword as & Symbol in vault. when i add dbpassword like sh&6%4*fhwT in vault , am getting '6%4*fhwT' is not recognized as an internal or external command. please suggest me how to read the above password

@TheDevWorldbySergioLema 2 жыл бұрын

How are you inserting the password? Because using Java, the '&' isn't a special character and should be inserted correctly. If you use bash, then use single quotes for the password, otherwise the '&' will be interpreted as a variable. Another option is to encode your password, like using URL encoding to avoid to have the '&' symbols.

@shirishabonagam526 2 жыл бұрын

@@TheDevWorldbySergioLema am inserting passwords in vault as you mentioned in vault terminal spring.datasource.password.in my application password is dbpassword = sh&64*fhwT ... After & am getting '64*fhwT' is not recognised.

@shirishabonagam526 2 жыл бұрын

@@TheDevWorldbySergioLema and I have one more query.my application name is customer and inside customer folder services folder is there.inside the services I have four property files are there. I was used label also to checkout the other branch.. but am unable to fetch the uri specified in config server.

@TheDevWorldbySergioLema 2 жыл бұрын

You must check directly in Vault, because I think the problem is not at the read but when storing the password in Vault.

@TheDevWorldbySergioLema 2 жыл бұрын

Check here, cloud.spring.io/spring-cloud-config/reference/html/#_quick_start, how Spring Cloud Config searches for the application yml files depending on the application name, profile and label.

@sladerunsoftware381 2 жыл бұрын

Thanks for this, Sergio. Very helpful in its conciseness. A couple of security observations: 1. You seem to suggest that the Git repo's username and password might be embedded in the "cloud.config.server.git.uri'. All secrets should reside in Vault, no? If so, how would you tell the config server to get the Git credentials from Vault? And, 2. Along the same lines, it looks like the Config Server's microservice clients have unprotected access to the server? Shouldn't each microservice have its own Config Server username and password, again, residing in Vault? Just a couple of thoughts as I'm currently upgrading a 2 year old system and intend to make sure all assets are secured and all secrets are stored in Vault. Questions are rhetorical... Please don't feel obligated to respond .

@TheDevWorldbySergioLema 2 жыл бұрын

Thanks for your observations. 1. The configuration described is in the Config Server. In some way, the Config Server must know how to update the Git repository. I know that having the credentials in the application yaml isn't very secure. Nevertheless, having them in Vault will lead to an infinite loop. But for the Git authentication you have other methods, as the SSH keys. 2. I've shown a quick setup of Spring Config Server with Vault. But you're right, for security reasons, each microservice should need a set of individual credentials to get the information from the Config Server. There are multiple ways to do that: with the username and password in the bootstrap file; with the username and password in the Config Server URL; or indicating which individual Vault token to use to retrieve the personal configuration. This way, only the target microservice knows about the Vault authentication with its particular configuration, no other microservice can access this particular configuration without this personal Token. I hope I've answered your doubts. And courage for the migration!

@maneshipocrates2264 2 жыл бұрын

Is boostrap not legacy?

@TheDevWorldbySergioLema 2 жыл бұрын

I'm not sure to understand your question. I'm not even sure how it's related to the video.

@maneshipocrates2264 9 ай бұрын

Hi. I was asking whether using the bootstrap dependency in boot 3.2 is optional? And I am trying to load properties from a onfig server. The issue is: when I use a username and password to lok the config server (and implemented credential authentication from the config server database), it is impossible for the config client to authenticate using the secrets from vault. I could not load the config lient properties even after storing the username and password in Hashicorp vault. Thanks@@TheDevWorldbySergioLema