Sahara云大数据>> demo-spring-cloud-vault>> 返回
项目作者: gmarziou

项目描述 :
Shows how to use Spring Cloud Vault Config to retrieve database username/password from Vault
高级语言: Shell
项目地址: git://github.com/gmarziou/demo-spring-cloud-vault.git
创建时间: 2017-07-24T21:55:58Z
项目社区:https://github.com/gmarziou/demo-spring-cloud-vault
开源协议:Apache License 2.0
下载


Vaulted

This is a demo application that shows how to use Spring Cloud Vault Config
to retrieve some secret values from HashiCorp Vault and inject them into the application
context using @Value annotation in DemoApplication.java or
placeholders in application.yml.

In particular, it retrieves some standard Spring properties spring.datasource.username=demo-user and
spring.datasource.password to configure an H2 datasource.
These properties are defined differently according to active Spring profile(s).

Starting Vault server

To simplfy things, we use Vault in dev mode but this demo can adapted to use a real configuration with authentication and TLS connections, spring-cloud-vault as some doc and bash scripts to make it easy.

Command below starts a Vault server in dev mode with a known initial root token that we can use for dev and tests and listening on http://localhost:8200

  1. vault server -dev -log-level=INFO -dev-root-token-id=00000000-0000-0000-0000-000000000000

Before using the CLI to configure the vault, you must set this environment variable:

  1. export VAULT_ADDR=http://localhost:8200

Add some secret application properties.

  1. # default application, default profile
  2. vault write secret/application spring.datasource.username=default-user spring.datasource.password=default-pass
  4. # demo application, default profile
  5. vault write secret/demo spring.datasource.username=demo-user spring.datasource.password=demo-pass
  7. # demo application, dev profile
  8. vault write secret/demo/dev spring.datasource.username=demo-user-dev spring.datasource.password=demo-pass-dev
  10. # demo application, swagger profile
  11. vault write secret/demo/swagger spring.datasource.username=demo-user-swagger spring.datasource.password=demo-pass-swagger

Gotcha

:warning: When writing to a path in Vault, you must write all key/value pairs at once.

vault write <existing-path> key1=value1 will blow away any keys other than key1.

  1. # Wrong, only spring.datasource.password is stored
  2. vault write secret/application spring.datasource.username=default-user
  3. vault write secret/application spring.datasource.password=default-pass
  5. # Good, the 2 properties are stored
  6. vault write secret/application spring.datasource.username=default-user spring.datasource.password=default-pass

Running the application

  1. mvnw clean package

Without profile, the application prints “default” as spring.application.name property is not defined in bootstrap.yml

  1. java -jar target/demo-0.0.1-SNAPSHOT.jar
  3. ##########################
  4. profile(s): null
  5. username: default-user
  6. password: default-pass
  7. other: default-user
  8. Successfully connected to database
  9. ##########################

With dev profile, the application prints “demo-dev” because spring.application.name property is defined in bootstrap-dev.yml

  1. java -jar target/demo-0.0.1-SNAPSHOT.jar --spring.profiles.active=dev
  3. ##########################
  4. profile(s): dev
  5. username: demo-user-dev
  6. password: demo-pass-dev
  7. other: demo-user-dev
  8. Successfully connected to database
  9. ##########################

With “dev,swagger” profiles, the application prints “demo-swagger”

  1. java -jar target/demo-0.0.1-SNAPSHOT.jar --spring.profiles.active=dev,swagger
  3. ##########################
  4. profile(s): dev,swagger
  5. username: demo-user-swagger
  6. password: demo-pass-swagger
  7. other: demo-user-swagger
  8. Successfully connected to database
  9. ##########################