Vault Integration in Spring Applications Deployed Across Different Environments


Daniel Meyer

Oct 31, 2019, 3:48:16 AM
to Vault
Hi Guys,

Our environment is drawn by OpenShift with one Vault instance to manage credentials for all of our different environments such as production, acceptance, etc.
Spring Boot is the framework we chose for building our microservices in a Docker fashion, leveraging Vault-agent and Vault-fetcher to finally obtain the desired credentials from Vault (see links below for details).
We operate one Vault instance in which we organise our credentials for the different environments as follows:

/secret/prod/db-margin/user and /secret/prod/db-margin/pwd
respectively
/secret/acpt/db-margin/user and /secret/acpt/db-margin/pwd

Regarding the way Vault-fetcher and a Spring-based application work together, the desired credentials are configurable via environment variables, which are then persisted into application.yaml for subsequent use by Spring, meaning injecting them into the different components. As it is not unusual for Spring to utilise annotations to specify details, this becomes part of the compilation and is no longer changeable. An example would be the following injection:


import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;

@Component
@Configuration
@Slf4j
public class JPAConfig {

    // environment ("prod") is hard-coded into the property key
    @Value("${secret.prod.db-margin.user}")
    private String user;

    @Value("${secret.prod.db-margin.pwd}")
    private String pwd;

    // ... remainder of the configuration elided in the original post
}

So, this approach undisputedly reveals drawbacks, since the classification of an environment is hard-coded within the application, not to mention other issues. The question here would be: is there any practical approach that facilitates dealing with different environments which does not affect the code base at all?

Should we operate for each environment a different Vault instance?
Doing so, we could then put our credentials into Vault in an environment-transparent manner. Is that the way to go?

Any thoughts?

I am delighted to get any feedback on this topic.
Thanks


Referenced Docs:

Michel Vocks

Oct 31, 2019, 4:29:32 AM
to Vault
Hi Daniel!

I know that some people use Spring Cloud Vault to handle this problem.
Would this be a solution for you?

Cheers,
Michel

Philippe Sevestre

Oct 31, 2019, 2:19:56 PM
to Vault
+1 for using spring cloud vault.

I've been using it for a while and it works pretty well for both static and dynamic secrets, such as those created by the database secret engine.
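As an added example of what both replies suggest (this is not code from either poster nor from the Spring Cloud Vault project), the following shows the environment-neutral form of the injection from the question: the class binds `db-margin.user` and `db-margin.pwd` without any `prod`/`acpt` token, and the active Spring profile selects which Vault path Spring Cloud Vault reads. The bootstrap.yml in the comment, the package `com.example.margin`, the Vault host, the Kubernetes auth role and the `url` property are all assumptions; the config keys themselves (`spring.cloud.vault.kv.backend`, `profile-separator`, `fail-fast`, `authentication: KUBERNETES`) are the ones documented by Spring Cloud Vault for Spring Boot 2.x.

```java
package com.example.margin; // hypothetical package

import javax.annotation.PostConstruct;
import javax.sql.DataSource;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.util.Assert;

/*
 * Assumed bootstrap.yml for Spring Cloud Vault (hypothetical host and role):
 *
 *   spring:
 *     application:
 *       name: db-margin
 *     cloud:
 *       vault:
 *         uri: https://vault.example.internal:8200
 *         authentication: KUBERNETES
 *         kubernetes:
 *           role: db-margin
 *         fail-fast: true          # refuse to start if Vault is unreachable
 *         kv:
 *           enabled: true
 *           backend: secret
 *           profile-separator: '/'
 *
 * With SPRING_PROFILES_ACTIVE=prod the KV backend is read at
 * secret/db-margin/prod (then secret/db-margin), so keys named
 * "db-margin.user" and "db-margin.pwd" stored there bind to the
 * properties below. Acceptance is SPRING_PROFILES_ACTIVE=acpt; no
 * class changes. Caveat: the path layout is <application>/<profile>,
 * the reverse of the secret/<env>/db-margin layout in the question,
 * so the secrets have to be laid out (or copied) that way.
 */
@Configuration
@EnableConfigurationProperties(JpaConfig.DbMarginProperties.class)
public class JpaConfig {

    private final Environment environment;
    private final DbMarginProperties props;

    public JpaConfig(Environment environment, DbMarginProperties props) {
        this.environment = environment;
        this.props = props;
    }

    /**
     * Fail at startup rather than at the first query when the deployment
     * selected no environment or Vault did not deliver the credentials.
     */
    @PostConstruct
    void verifyResolved() {
        Assert.state(environment.getActiveProfiles().length > 0,
                "no Spring profile active; set SPRING_PROFILES_ACTIVE (e.g. prod, acpt)");
        Assert.hasText(props.getUser(), "db-margin.user was not resolved from Vault");
        Assert.hasText(props.getPwd(), "db-margin.pwd was not resolved from Vault");
    }

    @Bean
    public DataSource dataSource() {
        return DataSourceBuilder.create()
                .url(props.getUrl())
                .username(props.getUser())
                .password(props.getPwd())
                .build();
    }

    /** Environment-neutral binding: no "prod" or "acpt" appears in code. */
    @ConfigurationProperties(prefix = "db-margin")
    public static class DbMarginProperties {

        private String url;  // non-secret, assumed to come from application.yaml
        private String user; // secret, from Vault
        private String pwd;  // secret, from Vault

        public String getUrl() { return url; }
        public void setUrl(String url) { this.url = url; }
        public String getUser() { return user; }
        public void setUser(String user) { this.user = user; }
        public String getPwd() { return pwd; }
        public void setPwd(String pwd) { this.pwd = pwd; }
    }
}
```

The `@PostConstruct` check is the part worth keeping even without Spring Cloud Vault: with the hard-coded `secret.prod.*` keys from the question, a container started for acceptance would silently read production property names, whereas here a missing profile or an unresolved secret stops the application before it opens a database connection.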