In Spring Cloud Server, add other properties to an existing environment


We are using Spring Cloud Config Server with a backing git repository to provide properties for a test profile. We have received a requirement to move our keys to Vault (HashiCorp) and keep regular properties as usual in our properties file.

Before having Vault, we were passing the keys through a system property (using -Dxxx=yyy), which was loaded as a regular property source, and the app was working as expected.

Now I must have composite property sources to fetch from the property file and also from Vault at the same time. I'm not sure how to pull properties from both Vault and git at the same time and offer them to Spring Cloud Config clients.

I've been digging in the documentation and found that we can have a composite environment repository; however, I cannot make Vault and git work at the same time.

I've tried multiple things like putting properties like this:

    spring.cloud.config.server.git.uri=file:///E:/Project/git/myappdata

    spring.cloud.config.server.vault.host=127.0.0.1
    spring.cloud.config.server.vault.port=8200
    spring.cloud.config.server.vault.scheme=http
    spring.cloud.config.server.vault.backend=secret
    spring.cloud.config.server.vault.defaultKey=myapp

I also tested using Spring Cloud Vault and I could fetch the secrets; however, they are not provided to my clients.

I have tried to implement the EnvironmentRepository interface, but this is to create a new repository (and I just want to add 1 Vault property to the existing provided repository based on git).

I was also going to use the Spring event ApplicationEnvironmentPreparedEvent and tried to dynamically append the Vault property.

I think I'm overlooking something. Do you know what the right way is to read a Vault secret and append it as a property of a regular property file?

There is 1 answer

nmyk On

It's possible. You should use a few profiles for Spring Cloud Config Service.

    spring:
      profiles:
        active: vault, git
      cloud:
        config:
          server:
            vault:
              order: 1
            git:
              order: 2  
              uri: https://some-git-repo.com/
              username: user 
              password: pass

With such a config, Vault and Git will work together. You will also need to implement support for the Vault token and have it in each configuration client. With Vault it works a bit differently. It will not get all properties as it does with Git. When a client asks for some property with a token, it will go to Vault and retrieve it. If it's not present, it will go and search in the git repo. You can specify the order in the configuration.

Spring resolves properties recursively, so you can have a property file with a property placeholder, stored in git and served by Config Server (application.yml):

    database:
      password: ${database.secure.password}

and a sensitive property stored in Vault, e.g.

    vault write secret/clientAppName database.secure.password=SuperSecurePassword

Spring Cloud will automatically resolve your ${database.password} property.
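
A simplified Python model of the ordered lookup and recursive placeholder resolution described in the answer above, added here as an illustration; it is not code from the answer or from Spring. The function names, the `database.url` sample value and the sensitive-key pattern are assumptions. It also shows the failure when the Vault-side key is missing, and a check that the git-backed properties hold only placeholders for sensitive keys.

```python
import re

# ${key} or ${key:default}
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")
SENSITIVE = re.compile(r"password|secret|token", re.I)  # assumed naming convention

# Constructed sample data mirroring the answer.
VAULT = {"database.secure.password": "SuperSecurePassword"}
GIT = {
    "database.password": "${database.secure.password}",
    "database.url": "jdbc:postgresql://db.example.internal/app",  # made-up value
}
SOURCES = [("vault", VAULT), ("git", GIT)]  # order: 1, then order: 2


def lookup(key, sources):
    """Return the value from the first source that defines the key."""
    for _name, props in sources:
        if key in props:
            return props[key]
    raise KeyError(key)


def resolve(key, sources, seen=()):
    """Look up a key and expand any placeholders in its value recursively."""
    if key in seen:
        raise ValueError(f"circular placeholder reference: {key}")
    raw = lookup(key, sources)

    def expand(match):
        ref, default = match.group(1), match.group(2)
        try:
            return resolve(ref, sources, seen + (key,))
        except KeyError:
            if default is None:
                raise KeyError(f"could not resolve placeholder '{ref}'") from None
            return default

    return PLACEHOLDER.sub(expand, raw)


def literal_secrets(props):
    """Sensitive-looking keys whose value is a literal rather than a placeholder."""
    return sorted(k for k, v in props.items()
                  if SENSITIVE.search(k) and not PLACEHOLDER.search(v))
```

Running `literal_secrets` over the flattened git-backed properties before each commit catches a secret that was pasted back into the repository instead of being written to Vault.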