From cf59feef2d52d9dc8a28d9dcdfe79f12cd50042b Mon Sep 17 00:00:00 2001 
From: buildmaster Date: Tue, 10 Sep 2019 18:58:52 +0000 Subject: [PATCH] Sync docs from v2.1.3.RELEASE to gh-pages --- .../2.1.3.RELEASE/css/highlight.css | 35 + .../2.1.3.RELEASE/css/manual-multipage.css | 9 + .../2.1.3.RELEASE/css/manual-singlepage.css | 6 + .../2.1.3.RELEASE/css/manual.css | 342 ++++ spring-cloud-vault/2.1.3.RELEASE/ghpages.sh | 330 ++++ .../2.1.3.RELEASE/images/background.png | Bin 0 -> 18255 bytes .../2.1.3.RELEASE/images/callouts/1.png | Bin 0 -> 329 bytes .../2.1.3.RELEASE/images/callouts/2.png | Bin 0 -> 353 bytes .../2.1.3.RELEASE/images/callouts/3.png | Bin 0 -> 350 bytes .../2.1.3.RELEASE/images/caution.png | Bin 0 -> 2099 bytes .../2.1.3.RELEASE/images/important.png | Bin 0 -> 2085 bytes .../2.1.3.RELEASE/images/logo.png | Bin 0 -> 4387 bytes .../2.1.3.RELEASE/images/note.png | Bin 0 -> 2257 bytes .../2.1.3.RELEASE/images/tip.png | Bin 0 -> 931 bytes .../2.1.3.RELEASE/images/warning.png | Bin 0 -> 2130 bytes .../2.1.3.RELEASE/multi/css/highlight.css | 35 + .../multi/css/manual-multipage.css | 9 + .../multi/css/manual-singlepage.css | 6 + .../2.1.3.RELEASE/multi/css/manual.css | 342 ++++ .../2.1.3.RELEASE/multi/images/background.png | Bin 0 -> 18255 bytes .../2.1.3.RELEASE/multi/images/callouts/1.png | Bin 0 -> 329 bytes .../2.1.3.RELEASE/multi/images/callouts/2.png | Bin 0 -> 353 bytes .../2.1.3.RELEASE/multi/images/callouts/3.png | Bin 0 -> 350 bytes .../2.1.3.RELEASE/multi/images/caution.png | Bin 0 -> 2099 bytes .../2.1.3.RELEASE/multi/images/important.png | Bin 0 -> 2085 bytes .../2.1.3.RELEASE/multi/images/logo.png | Bin 0 -> 4387 bytes .../2.1.3.RELEASE/multi/images/note.png | Bin 0 -> 2257 bytes .../2.1.3.RELEASE/multi/images/tip.png | Bin 0 -> 931 bytes .../2.1.3.RELEASE/multi/images/warning.png | Bin 0 -> 2130 bytes .../multi/multi__client_side_usage.html | 66 + .../multi/multi__quick_start.html | 37 + ...multi__service_registry_configuration.html | 17 + .../2.1.3.RELEASE/multi/multi_pr01.html | 3 + 
.../multi/multi_spring-cloud-vault.html | 3 + .../multi/multi_vault-lease-renewal.html | 22 + .../multi_vault.config.authentication.html | 199 ++ ...ulti_vault.config.backends.configurer.html | 22 + ...ult.config.backends.database-backends.html | 103 ++ .../multi/multi_vault.config.backends.html | 99 + .../multi/multi_vault.config.fail-fast.html | 8 + .../multi/multi_vault.config.ssl.html | 13 + .../2.1.3.RELEASE/single/css/highlight.css | 35 + .../single/css/manual-multipage.css | 9 + .../single/css/manual-singlepage.css | 6 + .../2.1.3.RELEASE/single/css/manual.css | 342 ++++ .../single/images/background.png | Bin 0 -> 18255 bytes .../single/images/callouts/1.png | Bin 0 -> 329 bytes .../single/images/callouts/2.png | Bin 0 -> 353 bytes .../single/images/callouts/3.png | Bin 0 -> 350 bytes .../2.1.3.RELEASE/single/images/caution.png | Bin 0 -> 2099 bytes .../2.1.3.RELEASE/single/images/important.png | Bin 0 -> 2085 bytes .../2.1.3.RELEASE/single/images/logo.png | Bin 0 -> 4387 bytes .../2.1.3.RELEASE/single/images/note.png | Bin 0 -> 2257 bytes .../2.1.3.RELEASE/single/images/tip.png | Bin 0 -> 931 bytes .../2.1.3.RELEASE/single/images/warning.png | Bin 0 -> 2130 bytes .../single/spring-cloud-vault.html | 559 ++++++ .../2.1.3.RELEASE/spring-cloud-vault.html | 117 ++ .../2.1.3.RELEASE/spring-cloud-vault.xml | 1621 +++++++++++++++++ 58 files changed, 4395 insertions(+) create mode 100644 spring-cloud-vault/2.1.3.RELEASE/css/highlight.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/css/manual-multipage.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/css/manual-singlepage.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/css/manual.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/ghpages.sh create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/background.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/callouts/1.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/callouts/2.png create mode 100644 
spring-cloud-vault/2.1.3.RELEASE/images/callouts/3.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/caution.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/important.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/logo.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/note.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/tip.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/images/warning.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/css/highlight.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/css/manual-multipage.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/css/manual-singlepage.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/css/manual.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/background.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/1.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/2.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/3.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/caution.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/important.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/logo.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/note.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/tip.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/images/warning.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi__client_side_usage.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi__quick_start.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi__service_registry_configuration.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_pr01.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_spring-cloud-vault.html 
create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault-lease-renewal.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.authentication.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.configurer.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.database-backends.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.fail-fast.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.ssl.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/css/highlight.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/css/manual-multipage.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/css/manual-singlepage.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/css/manual.css create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/background.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/1.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/2.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/3.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/caution.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/important.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/logo.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/note.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/tip.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/images/warning.png create mode 100644 spring-cloud-vault/2.1.3.RELEASE/single/spring-cloud-vault.html create mode 100644 spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.html create mode 100644 
spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.xml
diff --git a/spring-cloud-vault/2.1.3.RELEASE/css/highlight.css b/spring-cloud-vault/2.1.3.RELEASE/css/highlight.css
new file mode 100644
index 00000000..3850f8b9
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/css/highlight.css
@@ -0,0 +1,35 @@
+/*
+ code highlight CSS resemblign the Eclipse IDE default color schema
+ @author Costin Leau
+*/
+
+.hl-keyword {
+ color: #7F0055;
+ font-weight: bold;
+}
+
+.hl-comment {
+ color: #3F5F5F;
+ font-style: italic;
+}
+
+.hl-multiline-comment {
+ color: #3F5FBF;
+ font-style: italic;
+}
+
+.hl-tag {
+ color: #3F7F7F;
+}
+
+.hl-attribute {
+ color: #7F007F;
+}
+
+.hl-value {
+ color: #2A00FF;
+}
+
+.hl-string {
+ color: #2A00FF;
+}
\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/css/manual-multipage.css b/spring-cloud-vault/2.1.3.RELEASE/css/manual-multipage.css
new file mode 100644
index 00000000..b790654b
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/css/manual-multipage.css
@@ -0,0 +1,9 @@
+@IMPORT url("manual.css");
+
+body.firstpage {
+ background: url("../images/background.png") no-repeat center top;
+}
+
+div.part h1 {
+ border-top: none;
+}
diff --git a/spring-cloud-vault/2.1.3.RELEASE/css/manual-singlepage.css b/spring-cloud-vault/2.1.3.RELEASE/css/manual-singlepage.css
new file mode 100644
index 00000000..303192a8
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/css/manual-singlepage.css
@@ -0,0 +1,6 @@
+@IMPORT url("manual.css");
+
+body {
+ background: url("../images/background.png") no-repeat center top;
+}
+
diff --git a/spring-cloud-vault/2.1.3.RELEASE/css/manual.css b/spring-cloud-vault/2.1.3.RELEASE/css/manual.css
new file mode 100644
index 00000000..20cf07da
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/css/manual.css
@@ -0,0 +1,342 @@
+@IMPORT url("highlight.css");
+
+html {
+ padding: 0pt;
+ margin: 0pt;
+}
+
+body {
+ color: #333333;
+ margin: 15px 30px;
+ font-family: Helvetica, Arial, Freesans, Clean, Sans-serif;
+ line-height: 1.6;
+ -webkit-font-smoothing: antialiased;
+}
+
+code {
+ font-size: 16px;
+ font-family: Consolas, "Liberation Mono", Courier, monospace;
+}
+
+:not(a) > code {
+ color: #6D180B;
+}
+
+:not(pre) > code {
+ background-color: #F2F2F2;
+ border: 1px solid #CCCCCC;
+ border-radius: 4px;
+ padding: 1px 3px 0;
+ text-shadow: none;
+ white-space: nowrap;
+}
+
+body > *:first-child {
+ margin-top: 0 !important;
+}
+
+div {
+ margin: 0pt;
+}
+
+hr {
+ border: 1px solid #CCCCCC;
+ background: #CCCCCC;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ color: #000000;
+ cursor: text;
+ font-weight: bold;
+ margin: 30px 0 10px;
+ padding: 0;
+}
+
+h1, h2, h3 {
+ margin: 40px 0 10px;
+}
+
+h1 {
+ margin: 70px 0 30px;
+ padding-top: 20px;
+}
+
+div.part h1 {
+ border-top: 1px dotted #CCCCCC;
+}
+
+h1, h1 code {
+ font-size: 32px;
+}
+
+h2, h2 code {
+ font-size: 24px;
+}
+
+h3, h3 code {
+ font-size: 20px;
+}
+
+h4, h1 code, h5, h5 code, h6, h6 code {
+ font-size: 18px;
+}
+
+div.book, div.chapter, div.appendix, div.part, div.preface {
+ min-width: 300px;
+ max-width: 1200px;
+ margin: 0 auto;
+}
+
+p.releaseinfo {
+ font-weight: bold;
+ margin-bottom: 40px;
+ margin-top: 40px;
+}
+
+div.authorgroup {
+ line-height: 1;
+}
+
+p.copyright {
+ line-height: 1;
+ margin-bottom: -5px;
+}
+
+.legalnotice p {
+ font-style: italic;
+ font-size: 14px;
+ line-height: 1;
+}
+
+div.titlepage + p, div.titlepage + p {
+ margin-top: 0;
+}
+
+pre {
+ line-height: 1.0;
+ color: black;
+}
+
+a {
+ color: #4183C4;
+ text-decoration: none;
+}
+
+p {
+ margin: 15px 0;
+ text-align: left;
+}
+
+ul, ol {
+ padding-left: 30px;
+}
+
+li p {
+ margin: 0;
+}
+
+div.table {
+ margin: 1em;
+ padding: 0.5em;
+ text-align: center;
+}
+
+div.table table, div.informaltable table {
+ display: table;
+ width: 100%;
+}
+
+div.table td {
+ padding-left: 7px;
+ padding-right: 7px;
+}
+
+.sidebar {
+ line-height: 1.4;
+ padding: 0 20px;
+ background-color: #F8F8F8;
+ border: 1px solid #CCCCCC;
+ border-radius: 3px 3px 3px 3px;
+}
+
+.sidebar p.title {
+ color: #6D180B;
+}
+
+pre.programlisting, pre.screen {
+ font-size: 15px;
+ padding: 6px 10px;
+ background-color: #F8F8F8;
+ border: 1px solid #CCCCCC;
+ border-radius: 3px 3px 3px 3px;
+ clear: both;
+ overflow: auto;
+ line-height: 1.4;
+ font-family: Consolas, "Liberation Mono", Courier, monospace;
+}
+
+table {
+ border-collapse: collapse;
+ border-spacing: 0;
+ border: 1px solid #DDDDDD !important;
+ border-radius: 4px !important;
+ border-collapse: separate !important;
+ line-height: 1.6;
+}
+
+table thead {
+ background: #F5F5F5;
+}
+
+table tr {
+ border: none;
+ border-bottom: none;
+}
+
+table th {
+ font-weight: bold;
+}
+
+table th, table td {
+ border: none !important;
+ padding: 6px 13px;
+}
+
+table tr:nth-child(2n) {
+ background-color: #F8F8F8;
+}
+
+td p {
+ margin: 0 0 15px 0;
+}
+
+div.table-contents td p {
+ margin: 0;
+}
+
+div.important *, div.note *, div.tip *, div.warning *, div.navheader *, div.navfooter *, div.calloutlist * {
+ border: none !important;
+ background: none !important;
+ margin: 0;
+}
+
+div.important p, div.note p, div.tip p, div.warning p {
+ color: #6F6F6F;
+ line-height: 1.6;
+}
+
+div.important code, div.note code, div.tip code, div.warning code {
+ background-color: #F2F2F2 !important;
+ border: 1px solid #CCCCCC !important;
+ border-radius: 4px !important;
+ padding: 1px 3px 0 !important;
+ text-shadow: none !important;
+ white-space: nowrap !important;
+}
+
+.note th, .tip th, .warning th {
+ display: none;
+}
+
+.note tr:first-child td, .tip tr:first-child td, .warning tr:first-child td {
+ border-right: 1px solid #CCCCCC !important;
+ padding-top: 10px;
+}
+
+div.calloutlist p, div.calloutlist td {
+ padding: 0;
+ margin: 0;
+}
+
+div.calloutlist > table > tbody > tr > td:first-child {
+ padding-left: 10px;
+ width: 30px !important;
+}
+
+div.important, div.note, div.tip, div.warning {
+ margin-left: 0px !important;
+ margin-right: 20px !important;
+ margin-top: 20px;
+ margin-bottom: 20px;
+ padding-top: 10px;
+ padding-bottom: 10px;
+}
+
+div.toc {
+ line-height: 1.2;
+}
+
+dl, dt {
+ margin-top: 1px;
+ margin-bottom: 0;
+}
+
+div.toc > dl > dt {
+ font-size: 32px;
+ font-weight: bold;
+ margin: 30px 0 10px 0;
+ display: block;
+}
+
+div.toc > dl > dd > dl > dt {
+ font-size: 24px;
+ font-weight: bold;
+ margin: 20px 0 10px 0;
+ display: block;
+}
+
+div.toc > dl > dd > dl > dd > dl > dt {
+ font-weight: bold;
+ font-size: 20px;
+ margin: 10px 0 0 0;
+}
+
+tbody.footnotes * {
+ border: none !important;
+}
+
+div.footnote p {
+ margin: 0;
+ line-height: 1;
+}
+
+div.footnote p sup {
+ margin-right: 6px;
+ vertical-align: middle;
+}
+
+div.navheader {
+ border-bottom: 1px solid #CCCCCC;
+}
+
+div.navfooter {
+ border-top: 1px solid #CCCCCC;
+}
+
+.title {
+ margin-left: -1em;
+ padding-left: 1em;
+}
+
+.title > a {
+ position: absolute;
+ visibility: hidden;
+ display: block;
+ font-size: 0.85em;
+ margin-top: 0.05em;
+ margin-left: -1em;
+ vertical-align: text-top;
+ color: black;
+}
+
+.title > a:before {
+ content: "\00A7";
+}
+
+.title:hover > a, .title > a:hover, .title:hover > a:hover {
+ visibility: visible;
+}
+
+.title:focus > a, .title > a:focus, .title:focus > a:focus {
+ outline: 0;
+}
diff --git a/spring-cloud-vault/2.1.3.RELEASE/ghpages.sh b/spring-cloud-vault/2.1.3.RELEASE/ghpages.sh
new file mode 100644
index 00000000..55e76be1
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/ghpages.sh
@@ -0,0 +1,330 @@
+#!/bin/bash -x
+
+set -e
+
+# Set default props like MAVEN_PATH, ROOT_FOLDER etc.
+function set_default_props() {
+ # The script should be executed from the root folder
+ ROOT_FOLDER=`pwd`
+ echo "Current folder is ${ROOT_FOLDER}"
+
+ if [[ ! -e "${ROOT_FOLDER}/.git" ]]; then
+ echo "You're not in the root folder of the project!"
+ exit 1
+ fi
+
+ # Prop that will let commit the changes
+ COMMIT_CHANGES="no"
+ MAVEN_PATH=${MAVEN_PATH:-}
+ echo "Path to Maven is [${MAVEN_PATH}]"
+ REPO_NAME=${PWD##*/}
+ echo "Repo name is [${REPO_NAME}]"
+ SPRING_CLOUD_STATIC_REPO=${SPRING_CLOUD_STATIC_REPO:-git@github.com:spring-cloud/spring-cloud-static.git}
+ echo "Spring Cloud Static repo is [${SPRING_CLOUD_STATIC_REPO}"
+}
+
+# Check if gh-pages exists and docs have been built
+function check_if_anything_to_sync() {
+ git remote set-url --push origin `git config remote.origin.url | sed -e 's/^git:/https:/'`
+
+ if ! (git remote set-branches --add origin gh-pages && git fetch -q); then
+ echo "No gh-pages, so not syncing"
+ exit 0
+ fi
+
+ if ! [ -d docs/target/generated-docs ] && ! [ "${BUILD}" == "yes" ]; then
+ echo "No gh-pages sources in docs/target/generated-docs, so not syncing"
+ exit 0
+ fi
+}
+
+function retrieve_current_branch() {
+ # Code getting the name of the current branch. For master we want to publish as we did until now
+ # https://stackoverflow.com/questions/1593051/how-to-programmatically-determine-the-current-checked-out-git-branch
+ # If there is a branch already passed will reuse it - otherwise will try to find it
+ CURRENT_BRANCH=${BRANCH}
+ if [[ -z "${CURRENT_BRANCH}" ]] ; then
+ CURRENT_BRANCH=$(git symbolic-ref -q HEAD)
+ CURRENT_BRANCH=${CURRENT_BRANCH##refs/heads/}
+ CURRENT_BRANCH=${CURRENT_BRANCH:-HEAD}
+ fi
+ echo "Current branch is [${CURRENT_BRANCH}]"
+ git checkout ${CURRENT_BRANCH} || echo "Failed to check the branch... continuing with the script"
+}
+
+# Switches to the provided value of the release version. We always prefix it with `v`
+function switch_to_tag() {
+ git checkout v${VERSION}
+}
+
+# Build the docs if switch is on
+function build_docs_if_applicable() {
+ if [[ "${BUILD}" == "yes" ]] ; then
+ ./mvnw clean install -P docs -pl docs -DskipTests
+ fi
+}
+
+# Get the name of the `docs.main` property
+# Get whitelisted branches - assumes that a `docs` module is available under `docs` profile
+function retrieve_doc_properties() {
+ MAIN_ADOC_VALUE=$("${MAVEN_PATH}"mvn -q \
+ -Dexec.executable="echo" \
+ -Dexec.args='${docs.main}' \
+ --non-recursive \
+ org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+ echo "Extracted 'main.adoc' from Maven build [${MAIN_ADOC_VALUE}]"
+
+
+ WHITELIST_PROPERTY=${WHITELIST_PROPERTY:-"docs.whitelisted.branches"}
+ WHITELISTED_BRANCHES_VALUE=$("${MAVEN_PATH}"mvn -q \
+ -Dexec.executable="echo" \
+ -Dexec.args="\${${WHITELIST_PROPERTY}}" \
+ org.codehaus.mojo:exec-maven-plugin:1.3.1:exec \
+ -P docs \
+ -pl docs)
+ echo "Extracted '${WHITELIST_PROPERTY}' from Maven build [${WHITELISTED_BRANCHES_VALUE}]"
+}
+
+# Stash any outstanding changes
+function stash_changes() {
+ git diff-index --quiet HEAD && dirty=$? || (echo "Failed to check if the current repo is dirty. Assuming that it is." && dirty="1")
+ if [ "$dirty" != "0" ]; then git stash; fi
+}
+
+# Switch to gh-pages branch to sync it with current branch
+function add_docs_from_target() {
+ local DESTINATION_REPO_FOLDER
+ if [[ -z "${DESTINATION}" && -z "${CLONE}" ]] ; then
+ DESTINATION_REPO_FOLDER=${ROOT_FOLDER}
+ elif [[ "${CLONE}" == "yes" ]]; then
+ mkdir -p ${ROOT_FOLDER}/target
+ local clonedStatic=${ROOT_FOLDER}/target/spring-cloud-static
+ if [[ ! -e "${clonedStatic}/.git" ]]; then
+ echo "Cloning Spring Cloud Static to target"
+ git clone ${SPRING_CLOUD_STATIC_REPO} ${clonedStatic} && git checkout gh-pages
+ else
+ echo "Spring Cloud Static already cloned - will pull changes"
+ cd ${clonedStatic} && git checkout gh-pages && git pull origin gh-pages
+ fi
+ DESTINATION_REPO_FOLDER=${clonedStatic}/${REPO_NAME}
+ mkdir -p ${DESTINATION_REPO_FOLDER}
+ else
+ if [[ ! -e "${DESTINATION}/.git" ]]; then
+ echo "[${DESTINATION}] is not a git repository"
+ exit 1
+ fi
+ DESTINATION_REPO_FOLDER=${DESTINATION}/${REPO_NAME}
+ mkdir -p ${DESTINATION_REPO_FOLDER}
+ echo "Destination was provided [${DESTINATION}]"
+ fi
+ cd ${DESTINATION_REPO_FOLDER}
+ git checkout gh-pages
+ git pull origin gh-pages
+
+ # Add git branches
+ ###################################################################
+ if [[ -z "${VERSION}" ]] ; then
+ copy_docs_for_current_version
+ else
+ copy_docs_for_provided_version
+ fi
+ commit_changes_if_applicable
+}
+
+
+# Copies the docs by using the retrieved properties from Maven build
+function copy_docs_for_current_version() {
+ if [[ "${CURRENT_BRANCH}" == "master" ]] ; then
+ echo -e "Current branch is master - will copy the current docs only to the root folder"
+ for f in docs/target/generated-docs/*; do
+ file=${f#docs/target/generated-docs/*}
+ if ! git ls-files -i -o --exclude-standard --directory | grep -q ^$file$; then
+ # Not ignored...
+ cp -rf $f ${ROOT_FOLDER}/
+ git add -A ${ROOT_FOLDER}/$file
+ fi
+ done
+ COMMIT_CHANGES="yes"
+ else
+ echo -e "Current branch is [${CURRENT_BRANCH}]"
+ # https://stackoverflow.com/questions/29300806/a-bash-script-to-check-if-a-string-is-present-in-a-comma-separated-list-of-strin
+ if [[ ",${WHITELISTED_BRANCHES_VALUE}," = *",${CURRENT_BRANCH},"* ]] ; then
+ mkdir -p ${ROOT_FOLDER}/${CURRENT_BRANCH}
+ echo -e "Branch [${CURRENT_BRANCH}] is whitelisted! Will copy the current docs to the [${CURRENT_BRANCH}] folder"
+ for f in docs/target/generated-docs/*; do
+ file=${f#docs/target/generated-docs/*}
+ if ! git ls-files -i -o --exclude-standard --directory | grep -q ^$file$; then
+ # Not ignored...
+ # We want users to access 1.0.0.RELEASE/ instead of 1.0.0.RELEASE/spring-cloud.sleuth.html
+ if [[ "${file}" == "${MAIN_ADOC_VALUE}.html" ]] ; then
+ # We don't want to copy the spring-cloud-sleuth.html
+ # we want it to be converted to index.html
+ cp -rf $f ${ROOT_FOLDER}/${CURRENT_BRANCH}/index.html
+ git add -A ${ROOT_FOLDER}/${CURRENT_BRANCH}/index.html
+ else
+ cp -rf $f ${ROOT_FOLDER}/${CURRENT_BRANCH}
+ git add -A ${ROOT_FOLDER}/${CURRENT_BRANCH}/$file
+ fi
+ fi
+ done
+ COMMIT_CHANGES="yes"
+ else
+ echo -e "Branch [${CURRENT_BRANCH}] is not on the white list! Check out the Maven [${WHITELIST_PROPERTY}] property in
+ [docs] module available under [docs] profile. Won't commit any changes to gh-pages for this branch."
+ fi
+ fi
+}
+
+# Copies the docs by using the explicitly provided version
+function copy_docs_for_provided_version() {
+ local FOLDER=${DESTINATION_REPO_FOLDER}/${VERSION}
+ mkdir -p ${FOLDER}
+ echo -e "Current tag is [v${VERSION}] Will copy the current docs to the [${FOLDER}] folder"
+ for f in ${ROOT_FOLDER}/docs/target/generated-docs/*; do
+ file=${f#${ROOT_FOLDER}/docs/target/generated-docs/*}
+ copy_docs_for_branch ${file} ${FOLDER}
+ done
+ COMMIT_CHANGES="yes"
+ CURRENT_BRANCH="v${VERSION}"
+}
+
+# Copies the docs from target to the provided destination
+# Params:
+# $1 - file from target
+# $2 - destination to which copy the files
+function copy_docs_for_branch() {
+ local file=$1
+ local destination=$2
+ if ! git ls-files -i -o --exclude-standard --directory | grep -q ^${file}$; then
+ # Not ignored...
+ # We want users to access 1.0.0.RELEASE/ instead of 1.0.0.RELEASE/spring-cloud.sleuth.html
+ if [[ ("${file}" == "${MAIN_ADOC_VALUE}.html") || ("${file}" == "${REPO_NAME}.html") ]] ; then
+ # We don't want to copy the spring-cloud-sleuth.html
+ # we want it to be converted to index.html
+ cp -rf $f ${destination}/index.html
+ git add -A ${destination}/index.html
+ else
+ cp -rf $f ${destination}
+ git add -A ${destination}/$file
+ fi
+ fi
+}
+
+function commit_changes_if_applicable() {
+ if [[ "${COMMIT_CHANGES}" == "yes" ]] ; then
+ COMMIT_SUCCESSFUL="no"
+ git commit -a -m "Sync docs from ${CURRENT_BRANCH} to gh-pages" && COMMIT_SUCCESSFUL="yes" || echo "Failed to commit changes"
+
+ # Uncomment the following push if you want to auto push to
+ # the gh-pages branch whenever you commit to master locally.
+ # This is a little extreme. Use with care!
+ ###################################################################
+ if [[ "${COMMIT_SUCCESSFUL}" == "yes" ]] ; then
+ git push origin gh-pages
+ fi
+ fi
+}
+
+# Switch back to the previous branch and exit block
+function checkout_previous_branch() {
+ # If -version was provided we need to come back to root project
+ cd ${ROOT_FOLDER}
+ git checkout ${CURRENT_BRANCH} || echo "Failed to check the branch... continuing with the script"
+ if [ "$dirty" != "0" ]; then git stash pop; fi
+ exit 0
+}
+
+# Assert if properties have been properly passed
+function assert_properties() {
+echo "VERSION [${VERSION}], DESTINATION [${DESTINATION}], CLONE [${CLONE}]"
+if [[ "${VERSION}" != "" && (-z "${DESTINATION}" && -z "${CLONE}") ]] ; then echo "Version was set but destination / clone was not!"; exit 1;fi
+if [[ ("${DESTINATION}" != "" && "${CLONE}" != "") && -z "${VERSION}" ]] ; then echo "Destination / clone was set but version was not!"; exit 1;fi
+if [[ "${DESTINATION}" != "" && "${CLONE}" == "yes" ]] ; then echo "Destination and clone was set. Pick one!"; exit 1;fi
+}
+
+# Prints the usage
+function print_usage() {
+cat </`
+- if the destination switch is passed (-d) then the script will check if the provided dir is a git repo and then will
+ switch to gh-pages of that repo and copy the generated docs to `docs//`
+
+USAGE:
+
+You can use the following options:
+
+-v|--version - the script will apply the whole procedure for a particular library version
+-d|--destination - the root of destination folder where the docs should be copied. You have to use the full path.
+ E.g. point to spring-cloud-static folder. Can't be used with (-c)
+-b|--build - will run the standard build process after checking out the branch
+-c|--clone - will automatically clone the spring-cloud-static repo instead of providing the destination.
+ Obviously can't be used with (-d)
+
+EOF
+}
+
+
+# ==========================================
+# ____ ____ _____ _____ _____ _______
+# / ____|/ ____| __ \|_ _| __ \__ __|
+# | (___ | | | |__) | | | | |__) | | |
+# \___ \| | | _ / | | | ___/ | |
+# ____) | |____| | \ \ _| |_| | | |
+# |_____/ \_____|_| \_\_____|_| |_|
+#
+# ==========================================
+
+while [[ $# > 0 ]]
+do
+key="$1"
+case ${key} in
+ -v|--version)
+ VERSION="$2"
+ shift # past argument
+ ;;
+ -d|--destination)
+ DESTINATION="$2"
+ shift # past argument
+ ;;
+ -b|--build)
+ BUILD="yes"
+ ;;
+ -c|--clone)
+ CLONE="yes"
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *)
+ echo "Invalid option: [$1]"
+ print_usage
+ exit 1
+ ;;
+esac
+shift # past argument or value
+done
+
+assert_properties
+set_default_props
+check_if_anything_to_sync
+if [[ -z "${VERSION}" ]] ; then
+ retrieve_current_branch
+else
+ switch_to_tag
+fi
+build_docs_if_applicable
+retrieve_doc_properties
+stash_changes
+add_docs_from_target
+checkout_previous_branch
\ No newline at end of file
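Review bot: `VERSION` and `DESTINATION` are taken straight from the command line in the `case` loop and then expanded unquoted into paths and git arguments (`git checkout v${VERSION}` in `switch_to_tag`, `local FOLDER=${DESTINATION_REPO_FOLDER}/${VERSION}` and `mkdir -p ${FOLDER}` in `copy_docs_for_provided_version`, `cp -rf $f ${destination}` in `copy_docs_for_branch`), so a value containing whitespace, glob characters or `../` changes which directory is written, committed by `git commit -a` and pushed by `git push origin gh-pages`. I would reject anything that is not a plain version token in `assert_properties`, e.g. `[[ -z "${VERSION}" || "${VERSION}" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]] || { echo "Invalid version [${VERSION}]"; exit 1; }`, and quote the expansions (`git checkout "v${VERSION}"`, `mkdir -p "${FOLDER}"`). The ignore check `grep -q ^${file}$` also treats the file name as a regular expression, so `.` matches any character; `grep -qxF -- "${file}"` compares it literally. The comment above the push in `commit_changes_if_applicable` still says "Uncomment the following push" although the push is active, and should state that a successful commit is pushed automatically.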
diff --git a/spring-cloud-vault/2.1.3.RELEASE/images/background.png b/spring-cloud-vault/2.1.3.RELEASE/images/background.png new file mode 100644 index 0000000000000000000000000000000000000000..15dca6fbe2669fae3609605e49c69cc414f1b6ed GIT binary patch literal 18255 zcmZ{Mc{tQ-|NlrKgrcaFbPBDOvWBUg7G=wtim_B8Ysgq;M%hj&Dizr#DKZMBkY&bF zQI^rsG?*CsWEtBu%$S+a=XX!f_xC*4>2RIPIp^}n{kiY^y}jPA_v?1U#_HHA$qkYS z1Y(u>@jq=52vKeDlPn+z~j!r2!xcp@J9rZ zo~ZL*W#N2~h3F^Y#kf z79Vq?HYz92POY^z60RQgu$cgc!baLFp8`pJN$ z)TpgHDYO!o(|FCbF@nU|Z4{PyQT_pWk^4ba(@3pLy~5i|7uwlU`v1B%7(o3njiTd=qKqO7b}K-at&!f*f2n8M46&RIPn?wT2jQCY?} ze6G^KcX(b!Y*uXj(zgAp+m$yS9Gsr>(+F2nC60BdVfIQ`)cSJ{^*od zepxlPa|MUm>e9Vgly6ynJN3^PvB=>&xF()rO3xDmHI z=|xsK0?M48ABv)1&|8*aUyhO2#E8jlc2-#f51xWHc^hUwi&%dc@+wWVCpXJq!}S%S zg>L#^WBV(Qw|v9bo1MW5gc=&srYW_5F+__kX%{Z>&RZmXwCdi!gd5#fJ|%lv+{G zr|b#Ts1}Bc(CPkXaIO8<1+}HlegS6DFs7U6?N~4wR!^#(;YIbqQIOqp)Y>Db6o%1i zfzY22V-EN1GJALyq?KWSwMGbU#gV_$)SLlMlxrQPHdgnC(nU9*nIG%)UtAL8sRnL zvIO*k?9`K4fpnym;50z#ebD=+rZ~#B9dpG&=ZI-%{LqY5j8ndz5Bo^s;38&v8 z8(1+}&NV9Y(=RCMwyd1YBBL1Mc{4wI?k1TngzL8oyymA8O_M2Y5c0rtPR>#ek(4}+ zvTI`PjpdGC&F~Syy8RdkeK9)AX8N#B63UrIl;U;paq7n-;aB#n!Um^KDkm6tH=B)> z;3zLTI4#Y?2aYLOw=U)%ARIOAdmMMfhQHaQE8 zl3Cp0zQYq?6o&{k_DNXPel;f2^58wLpT=YKQSuc(*4?S`z@Dr7Qgz$FS> zi@ndTb$lk)7Z!9l#jnB&dk);SrBnVL{_rebeB*2~oq^e;zWdS~RE>Hv&Z771FSI9J z`7tfJM8x*5sOXA1eyweMto(__RVTbyU+|S5HB6d4Dgb*jRGLh3<^SP_w;CaD=Airn z>}rapX06!=({QJ<^CD>ewmorplO*#Ve>)f5@p2FXtSj8Mpa#1cVXgVCAhb)&HQZgO zfVQu&2q4IMN4mO)pTC13+M#|H5NTM8&`jguD_nAjiR*oJ9i%> zS4&QN%lZcXJT1e1N=#qGK$_eAeJ=b0Pj(!BY81~$?SW<-R5^LHJW`}xjV$cQ>zZPC zKx&lIPgkaTQ)c#4Kyjmtk6@>u&~kwQ2TO1ikDO|0e%26uY|$`ZJ&_<<=Iv{O|s*<_~}Z@laTeJVr;$B<`4hA&>B z`VsH7-~=}Ol<9at3?1V^wg6RL>j^EV032~4IaYKQnNnGs;Ssey~SyhcqT&3YZz z^xJp%0v#<&D{~;^r@WJWG&QnVUIZ8B_1fEU$761g0RP4%O(ohIte>|q%@y#fVUTSp z3>LLub23p7)|oran=&|5TltRGRS5ieG(9k&xel^Z*_B-TPiOvby+_(mUYMo9snsY?Ezus;g8M8RHQ1HQKb!kSg93n1fGkNdIc0U!-ysgq$IH3AbRuiz?4Bij zYWh9M<02o0X@!^fPTv3#RsP8U+2+zhe+uFtd;k}gJ{B&)4M?v7*+E_8dAcPbqo_^x 
zN&n?q>huypF8^2I>P9V?K-3j3cj~Sg3)t*kHmSFYY^Rj0R^WO+zrdA>zb*);SAsKF zzO1Jom~o%=Ys9O930x;UXCGHc@^7Y-ti47gI|()f)IYW z$3fiwh4I*B80cG~U)9X1S;3M^9XBn)VR!|^m!=!!5StHKz1RF)YLD6rKN_34G|QL0 zKgd6Bn6djN$h3Y{Ry2=JT*nJrklI3~GExg!unzW zKobvk_}QhwMzP#-rWz$TVa+W>$uZzVkVFGW1J%yZ0pL961Ci7a9i9N!$n_#r3FezE zOHZ)9o$@3746}*BvD0BoxzP%LJr&y;LV(?#7TH?rU+$3b@WTW60#_?*alt;Tj~z%X zQF(&yC_MUY`Jp#1DJnKFXT!AI5*5$5uc-3GE^)elv9tt&zAc`sIBZVPOodOd+Z*@? zWK(gmvtB75yypEXBLYk`AId00OCj~^1m}D$m@-oSre-{&gxYjaWV+lV4QFU_5@0@j zL6R!$xqlPc&SZURe|EQNpsee&g^;WLTLuD_$RMf}-Td^i%EEfQ1WR<<(6B`%X0%ul z2`V@-^T7|#v|j+;g+5$0u0cmpTQP(T{|vS69iYie+5@#L9^B-_u+ngReT=rR1OmTL zQl6CA=9<629#ARBwi?mA;yXY#kz$+8cUQK`kG*lpP;nG|&N5M6_b)@oA1%Qv7WjPI z(SmcSv8M5!NJZY3RzQr(%zQ%MSHbTc39uFT%-D5$%?=#%HU3Q6g-;4D!R_B*qE#P$ zOXwG@E2Gnc#f_HO06T_@ab6ARqIKGm&AdvT z3b1cEJCIs&T1NEg+Vvj;j6SKtPl&WCxUEL-JF0o+tDCJt++z9Q7%)PB(W5CBK^U|N zRqFH2`*n2X%fIK0V)+?+1L*OXbc59gCH6_eqEW@lBly&2dpvos9YznAH8#^U6@ecj zZafSH-QrDi-&guLMk4iH^}N&i@R3THFYO&m=+(8l!P?3O( z$7nS)&n5?siowwtBgNueMk&~^5GWa^E4}g3$+BR@{HTzgf4TL0;guS1N3q+ar7FWg z3w2gljup*1G0`4xK{n&yaD6xzy090+eA#I4cE{r{-0U$eeiUScQuH#ch1<{XFdl4R zpx2p_M!n_(s?;bBrPz(8w6LSB;n~H@Pq3E9Y0Y>}w<*=Kvv)q+o33O#RX$$;6MU@J%jgsn+3Wf)+-J@e}gPv?Yl%+nih_ZDJ&GFhYI`V zBfZ(KtL_L zSa-p-CPLUDxbB75K&bobQ*(lvj#0mb2z?5#247Q)obHkRLp2kpS0&9p(yMOap%ZaE zQk?9m-l;O_6-rt)-{&zUNJw3@*V;G6gGj3ynuWC0_uj9DyUYD2Z8w>P91szRH!K`T zNIQhRBIun-s-wd zht_q;s;7o#I1yba`Z+|)P?~N5wBXPgr->&+uafcZwDNcUR3TYV*7MX4T!%ebJu&2a zW_$_rN<{itDR*2LY_NZ1)>u)1@~*)9n77rjc}>b)CM zGkLM}d$a^bV9cYD@m(Hr^4K?e%V&%Ae&I)O6P)CnzM1FJJe);nhhGD!j}srT){J*R z9}Y5|zj#4<8Xq6bJ|Do$Zm@e4=LT!=vrRUCoZ(!q?0#J1w!~$7*_S&=Ow;q29_h!86t*aS)z{wq?JrYAmqEIT(g0mwZS8M zX0uLjWbyN=*52U9QuB`tcKls!9PYJ08NbB&#H(JK=Jj<6=8XJM`tywQS7{f|&gQl7L0A(^LH=&ZSHuG5j z)ZCE(4MRDUVp}qmH;TsDkZ$$!&7~RELTD9P-Vit?GxI%-S)(3;shT$=$fSIn)>)!4 zRQb|6f{|e1ENJ8Y@^d$HF1lkoz4R-(Hpp$RqgpP1rTJK;xJ&!EiqksWrATQ;<3VWK z@`uOV*Cc*=9#Y(QBqKif;?F+ktQf&#X%H{6D~LZ$YIJZ|2)_`_{B_w zlW=%8r3Rk7q`r-WJg!2*bHW-21*m;k*{WSs9JGOV!F}Niq^*p>`d-T~-8cFX(5huU 
zDt!TFB_yA3qmTSt_tMw5{$X-d8nB_ik{0fy| z&jmqt(}En(b$6z!PMk^d%Gryo!u&iK4L3*i3@tl6TT8u3z1ej>dn`fCek^gXkZg)@ z-Mwn$?h*x9@yM5uP|0b!Z*M+RpORodf8g4=I(s)KI^*)6=bW)?9J7){1WK>*R_h8N z1-ILWzEzwFJ@;WD=MI1J^Bh7{VXtS<^?L~+7@4_p)lTxvqF<@*bi)C-EmH&+FMH{bU>nG@d&KSe}Jx6fi zz3>0Ql%3Z64CWeE=M@^D@!u%D9y$x{KPVg`fD(ag#HE;59$}SH((CIf{$S z90>(#8tnaQK$(McyPi6FelH)_)EKuI{y(;Mq8O6+i8}}1D}P&9(%7Ufb4(-N#Z!aj zJGT=wkNYX5B|faCP!XliZ;O7|*7z0LTPGWLs#qRX?L>W*op=jZ68-f1A8A|9DX2?z zuHrJL;ZHwz_j)adWTO{LbQh=VAke(EQ}PeOdGDkmC7AWE{t|&k&p#Y1?Ycnl960v;WRPxkOXVp{lSKXcb#XI#GK2n zC(N7fF^ErWLq8mIV&QEudgMB2=90(bXvMmblq*5xH_PGJ$xK{RGVWK`B2sT1? zCVOeBO;7p$n?Ku6UN<2m?zfEQMNFkci*&7GF%WR!2W#$tPWA?kXwoU&aeI0I;5$Xf zSy$X2Lm}cP95R3OJ-;sC;d)Ii2*Gc;+bP<7IASI^f(Y1%W1D8@7wf$E?SR#G`3d-? zD&k6TaXSN}kM@687!l{_X=h?c|92b-YG;rHxAbzD@0enk6Eq}*r)ACLuc^(rJjP^r z_>~Y<+&>fPe`X-9va9Ckj)v$r-jfZ0cWKBufJfz>NmJ>g`Hnddrp7bu=P@#T&E`^j zsX3(Y5O+qC{AGMPs^=x7P62Dz?78^_umH(weN&5}f$&*3Fyi^!Cnt=Se3WzbboBq% z0w{|OosY;Kb4tVwNhN3@YZb>A%9_ZB!|&x*_T+&M=V^pv+p2CwrDXnIC;(qaGrsXY zfjy-P>wh411asTXAXCi0XSb}OIw)gj0yo2dBlLb}VW7e6i7%x9fd@QpXM-$6 zPGEC+&%v^XbYJ~b6hYkAi36r6M1OSfiR1Q{+^V12<+=wF^1&AB!J?wmt15|>Y(MrZ z&iB&x^O@?_hL1+vaE93%EM&UbBh7v{6pe!a3%|+Mlj&Y zYu?o%IoH4%Z&>q1F;QR0z^;<1rMlWBMp@R-d!H`kEtJf2)m>w(FM0{5yfNJ4mBf7# z*4Xb1Z6dHYU>XiXiL*n_OIdv5b;0<8>56biwqN(&7TJUgzq%X%0S3Rk??XgA10~x? zEYq_O#}K)ksqzX?c%7!YX~}u|%dPh!>H0l-cu}G0lRMyXKLaA}^ndcCn~jk9|DQ<3 zCd#Y?M;mcF+cOfK?1nTZRUH1=HK9Xc-B|lXgy`5oDM&grq7;}^$3U-gZM%{NpTFv_ zWw?xc8Z<;gem`#kOcPb+dVaMS(l`H^vTkbrs`riq=cr-cRa#(mrEOWMhP5~ylhC4N zQO}B|Y%w+5JrwOGWzn`E3TO2Ex}rKoVO18JyMf%5P44**;$cfSkB(O5^TTR{Q6YBZ zpE3ABQH)m(WDGrS8>hc}TtteQd#Mh|);282wUJ($#x4vxVX{(2xxE{boWXI31-(!JZBo_}fsThDyPlTS^^nGXF^tpP;FM~%w#G0ETr5Nh9sTIXVb{P5V0?cZsSQX6N z24!`pnOi^iR}yJwgO&7hyeeLr5(R)~)TEotk$#Q)v^0eBnEwe&G$6H36yOa8Uu5v! 
zxY(@9Mx~)Vy^efWnh@`E*N%?bm6yT=Gtb4ZgD%DkF7c!J-%?Qi`^JH`{K=@-7H@CpBQ`shI}ngXIP*}-3sRp^ zx|jW9%*);;7 za2c)&5Tq||1nXbOt^H!hi(4|vca)5?EU%QHo-4RH2@TlIe>moVDV9M@}G zgE#^qedD(@@I)h{$g0ru+pjzC3;`1nue1jz%|xp;v|E0m-+;p8{+nI64(jGO`XKQP zf9OnPd)Np5daB=rgGt9}!#6e%u4av;4Dd^FR3X~?R~Az^(sea-A-QPkmV|Ms>3Mt4 z=@7j~8|olEObh3@9P~FQX*Ix1axh^UAq+CYFIv&R4V0QE1=;x0!;vF=>0Y zi*d+|RAB})jTK$z6q>Btc!B1BIE$AuDk{G*d?&!#zx&LQQ}?wk#FejSPT(|J#I!;z zPlsdlTW|silt}{DE9D45a|HR0C}Y#(zp7r!P8T#8D-E|U>L;fZE=Ye9AqOa27Yw6) z4o2q+fd}X#)qxzrpRtqUcO?yHywgtLbGL!tJX#>@zGY!L+|hmed_~saTmMNrFitc5kEbUJ)b6i>a`#B<6vA@{3m6PV%sDy?)pz!AeEc_26LWhe9oh7SYcq3 zQZlx`R&|`0`CbTXjN-ZDddOg7t2E>RA)5(kc*@{iI#p&Cy|c2WvDIpT9;>feuV=CB zwTAWVJHJby!m0jNx54F5!;Xr`9KW^0>Z82qGUXRV0d}B;v0$@D%IzB|Wh$C2_=cY5 z*%u&~(4axYR;;(i7>GKRI~cU3i%;IGUhYuUTh+6K`>i(%uMHlZ_urHZgU6w{0Fk*O%9f>eXpe&GnJ+BO+ru=^X#7>_i%{{La5oqkBzq$ zherm(wRFxkcj$r)3(Uc$dJ+cT0D+-D?_2b=V$jw#i-v$|r>wXK&h4$d?{cD9b-YmL zh_S-}IQ$uEdho^52Br)!gyq@JWHZ-g{MF@3BZ`B>+&l)K{NS$nCfC=*AM=|vi@+KG zgBF9Ynm?i zjJv@it|;8(o}#i8&yu$(B`ZL4q1aO~l(_OmV>oy1IDe3ji`F7usIc>n}bCsw!jv46f?k zaPzw#e*DUQT?4HxV8lGF{Tzn^{kLFFjgp{vb+RF*VK+s)1*aE@aii}`IB&<$g7cgW z9XbBL>fmqs<@DFejOb}$!9`y+9O{hIg3CTJybR?h63m?9re|Fwn8jn~s7yUPSG6zd zk~=htz6)9sq#eenYWfiCabC0h(U%#@6UiyxB<5Hz7v;ggfaR2g!n|s`xN&lYPZ$M& zO54nh$_8=(JOJBejq&70imP_=Z%5%ws%?Uy-jS3Pdy*kH3_#HvvRRt8x?JL0LVzr% z!t1XkK7j2j0o@juepOD%8Y)RQj-Ffw)XP1Q&}4RgLS$QZD^NaoKz0Pi@ZTb}ikB;a z%&$iaN7J1=YrIn!TK~4GByMG-JC+OoHpio$;>LtgK;-*eq+-elBE52-aS|It7_^#7~pwm7ESR+U~T; z$2TlS2HAZK^Z?@O%E_I%qT<_%Bsa$h7?=#7oO7;~M6w7}M$Q?q-u0K_2mec8Odcno zk)zoCD^i4gI?$PDo2*1WsMV#TiE%6UInt^~nV$80<1%w}+b^H|S9U#e>fzvMl{Kub zsThEyupI%QGH*HNsM<*?nzGyE)En>lElv*GGxDHb-_lfNvWzMWp6PNP`r<0I!osxO zt%lG(2cX6PcQ|@}vbO(}Uq+OxixX+nr|=J|8908(2cF?L3gOyf_VDeW3Rec4Re+!}TXdq&-Y@@YSwst71cz#Le_GPldZSw&mGv_KbFe8Pm z4>7iWyJ#i`T?+DMP9JT|laP!IT-iWjyAXh!7rYArZ$nZ~iXQor5Xil%{+vWAGK(h3 z)b%RO-hL$LIs4(HBonFC>mE43MGJKaK>ko@+YqdrPtBMIM15E!*^Bc<_nLx0uUc`wo6+|5@e&@E2dR5#|q8uTwTv(|%6BYDp-(xGCv|AV*N46ZT?| 
z+GWyq6&k^3sFbJ}+uIK7$M=9R|6gq{P zL9bukyHQ!D{z(g!e8m`(TJ$Vli1~lVyg2!Z- z4IhBuvTZzn11~EYTNEZbZ}=CyqXHH87)yE4K&Pp+C8G{N8C5Fz?a;hZ+)Re$!vdm2 z%K6=S`7@?I?FPp|K?1B9DzTou-Bq*C(6W(LLtD};xz6v7vqN-FhMrryK`Gw4ZW_$b zCIrE%FsXdw*Qxr7kqDFxXa=A7I7OB>YWcy9)Gn7jyqpK6^Egw}@&G8rPIvP#Z7{@` z*ZeL>=KxvXRs<_E_g5Q;(a4N3Yx!zEw7Xm|p}PY6#^CN}Y5kr~TA^u2SY?DZ>b$$#u&f z5-8ngsz?vx1YRFKyHxss&<6c8Bt2PB$}L1r1`kf(;8+;6=N_;y1>~$1yRlU>viMYy zrt%ZCNw%?8_|3(GrQQvzpX0fLWd=KY z^jv-AZ|f2l2$i`cfE+bGt!W(cQa;IKx%O9OM#hasU+G)f7GyiY8nxGbr;Gc;x8AD) z5eRe*Bjc|03Ri8V=27PgtTmlUYh1Jsh&ow9YN>;iDxE3iN9B_aW zl!{Z)-xYibcWT5l*g4x|R9gypCNppdyc;XlCoyZXtFCHq3)=cBVNsNLGeBYv=xE;f zjJ!4mYTR`b37+?39v1?FCg=gLw5t$^!&o;NEV+`TF};LoPXp2_Rf^G9%hZ^KsvLpO z6t#;xsUk6!d~{h+!fvaHl1TW`vj{z4G}Qh4ex-98ERs%8Uf2rZHM?i7yHD%uE^I}S z=Dh2a%Hn}dRP9u0HA~Yedg1)`@*h&i)Z+Vrejl`77{cIk6)^rO!O8SCI^>OO9Xi;d zi<&l>;8T02Za2)?TmqzgL(PSmE?&!S;iEgThq-Ht9~Ck!iM@{8h_kwvsRxt#vTb4+ z@y3QWna3wo7pFI>Vg$_!mCjaVI+n14*FXH%wZDOk-$)E14NXbrZH~!ozvbR4R5ST% zo3w^XFoE#f1}Iin=_;2heFfw1xCJAMUmD_rZi=UzdgzV$Sj}Hr$bXe8z(K2IS&#v6 zW{th3m2A}yoba%rUs6s5`BG`G>wT}BHW4UXf@!T@8YQ}cJcr$6aM6XHw@~z11ft1} z&`q@t-DAai%JUM?IL?~I&jJX0@CXDD?>aSTUO^FUC$l5LO#_kO0ly7bz>?R-EHul# z&rDeRu(@P*_Wb@<)G?(;iqF9Wycqn@9f6A2+c9!JtZmx%edI}?I_9O5#urV;o3%St z1TeFQhV6D-C+;S)W?7U~ij~T&3vz?Ll4_``Rec% zJ&8B%Q>0K^@N$3%WsY6IY%E)ICMI=%XOQ%n=s~SpV!8H>kFnCuNyk$BdAHlKPEuQf zf25bmFpL2pa0OlY#b{D@#NMIP12z^7^DWzU%dl*UgaD-GH_BiFOh&kYnUfXa#-^~K z$W_zPJ3}c}6if6tofomM!h{!*x$Z1naDh7X6I;Zz}y}kS@Zm)!~G)PF* z_;uO`yC@e-yB5l0rfCl!Ym4KC-uAq5N;n949E-*|Yfc7b4^|A6dM-SQ# zO2v=0|D;FGTPsW?Td4=wx_P;}`moZS0kLxp*QG()oQgK?UEQrB!}nj&bBekt z%#Zdo!X+$GuBQl@zi^R~Rc_zvGfooqh5a*z8qbpVV1Mu%mxBj`nBT8x{dK_?Z|+Hg zQ-4v}j7)#+{D+b`?vNkB`m?@!Mx)^9tJNIY3#LETiC3gSyC@%?Td+|qIM1lJXQ4!K z>aYHO-|=zzhJ_E*BTAp69)9$QCP@QFhE$|?-&rQym~W_^-^;=9Zb1e*QX7t1$m zVvn`n97Oj9a_!pUEWp5_UHzXdcvH4vCvs1c?HvX>YKG?`2%13_FE_6J#4)A>)!kx9 zhBY=C%J6LC+9%wVsdQN;qrtyF#^dXrBtSY1dU-10qxLn%SX@$hQnAH`rbmy0UW{KL zFepHSp!z0YW;MEd>O+M_>k9+!X!6hr04Ljb{rmeWS@&I((5HH07mR$jUutx}OjEj( 
z5jV(qa^Qq3$BLPu3U}CRHUwd+h`kvCOzlJhcoDvlWE;6z&gR^d3ny;$da zLD=TQ5Kk>W(Gzj{l1f=(4ma;*!>g~cQ&T?UdR5mK96B)b#bd+YSkavFDpPgXTN)iv zI$%IiAO0|GXZkSU3{WmP{g=b}HJi9o<5q%9Uw3Q=C)g3XcNm&tz%!CT?MGuy5j+E{ zWk0G8;bjx;N#Cz;^6SJ05!Bs9u75geL!!YIZgpE?=kyPM?hk)yR{L&M@p6 z0=o_0J?pM1{nfkab}xjwy5~~Kcu<&Tv=+K=u9!ACZ{yThf~i_vO@~~4(<69jiT;3Z ztzqQ_dPxb)9Kp!uDR!#`UlF_rkvm5Lt4}_8VflB%p1wiq-nF z+&-22bN1PM>jOah|I2CF8l5VeZd==>J@+1$n}w%((wrVTsfzIwDSm{(t?RfYof(3c z>6CAR+hor^y%9valwt>}JR3LlyCX&C-&zSHu!g2_3aaOj@r2Ca;7m9HyzwWk9zkJGuqm?*-vq5Xby!4a`M$&hr30YX z?F4bxjOmG7)br;)Ul)WOu0>w%){Em8Kb$J{Ki7mOj@HkB5hlCwgUVStwRB(`$msn3 zW68l6_-QmuY@|h*k!h-dE>&&v=30 zIv3(Tl=pJrKH6z|rv)q59=N?as&_Po3H~a==sNM|4X=W#K*8r$N&#WvHVMQ8zDzLd zV)Dt$dm^J%7u}~piF^kD8Yp_Z&Uk|80}tRszg$ALiocA z&U(s2XW__mKc4sym@3MmQf`RaZ2ZcnKKE3-oF85QR&6*9*Yoc#x~^M{;7jY+&Nx1t z9;OP1mj0CKUwb(Wvpa1A;s-a3=aPnOem&7jJ&5aKY2kjAi{EseM4;=;;4Y}e@sWF= zA0G=hridbHd(+pd7ntI!Pli6S)3UB0XF*&6?nyx9LSypblGr5BFXg^bRHDaZeGF zKYA6I?$BJ$!L3>1>)B@=SqdDI3o3txyAWJ%X`+7$fgnGTVp-1)+LLdd#y_o80#604 zYlXS!e-r&*Hpl$YNw?FUCO!B6n`0ac3lmUA*{JK!y4vN-5Z^ntAy0%#PdCo!;3cP# ze=PC+U8O~-JElo5M!ch(!`Q83c7(#bv0mwAFrrrE5)C~5ch4R(H$BOIVbEpddh3J; zWYV{|9gznU$MoW0C(72_{L`{VHwf0)f?kIvSV!PME*{ zhd_id>2bhvo;mP@Wgu3p2Aky|)HjztWISA0VuGkm!N0#4W6x*^BIJJva$+1S*n4!) zCiO7Sgt7Qu7>7JKB)^RP#3H8x*Ka+C5rq*D8&~zJvVh1l@cY*588DzHswso`$^0{< zaeiKC>U(5clg*a4F7Y$QzIfTj!#wdNZk$~Dm((($rpWbbXsHY>Olrl~je|XOJwK=N zJSBwdWUS7&7){b$u-Of~v(u)OBQK6!AROCBQ@p+q)v&k`$%WuAmy`q^%nA*C8_Lt$ zy`sJB_R8ha=<5bQu#C;Iomk~$cR_2=p{VTaMRN^|+#-uw6KJym1SZ1#h}EA(huyCK EKU&lfD*ylh literal 0 HcmV?d00001 diff --git a/spring-cloud-vault/2.1.3.RELEASE/images/callouts/1.png b/spring-cloud-vault/2.1.3.RELEASE/images/callouts/1.png new file mode 100644 index 0000000000000000000000000000000000000000..7d473430b7bec514f7de12f5769fe7c5859e8c5d GIT binary patch literal 329 zcmeAS@N?(olHy`uVBq!ia0vp^JRr;gBp8b2n5}^nQC}X^4DKU-G|w_t}fLBA)Suv#nrW z!^h2QnY_`l!BOq-UXEX{m2up>JTQkX)2m zTvF+fTUlI^nXH#utd~++ke^qgmzgTe~DWM4ffP81J literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/images/callouts/2.png b/spring-cloud-vault/2.1.3.RELEASE/images/callouts/2.png new file mode 100644 index 0000000000000000000000000000000000000000..5d09341b2f6d2ea2d1d5dad5d980f14b4b05dfd2 GIT binary patch literal 353 zcmeAS@N?(olHy`uVBq!ia0vp^JRr;gBp8b2n5}^nQxaY7e*=hH)_rZeB4|imU1$R#1`!P>&$poQl;nzm}mD5ZFopaX|GsS%q*{P~< z;WtmO%lhToBL0i}yfkaOt?EN=nkLNGuU`ywhI5H)L`iUdT1k0gQ7VIjhO(w-Zen_> zZ(@38a<+nro{^q~f~BRtfrY+-p+a&|W^qZSLvCepNoKNMYO!8QX+eHoiC%Jk?!;Y+ zJAlS%fsM;d&r2*R1)67JkeZlkYGj#gX_9E3W@4U_nw*@Ln38B@k(iuhnUeN2eF0kK0(Y1u|9Rc(19XFPiEBhjaDG}zd16s2gM)^$re|(qda7?? zdS-IAf{C7yo`r&?rM`iMzJZ}aa#3b+Nu@(>WpPPnvR-PjUP@^}eqM=Qa(?c_U5Yz^ z#%Y0#%S_KpEGY$=XJL?(l#*ybuErX#^g`ttQfwnX4x42*}TIo_3IbsoNRf>aVMfsJ4-Q{^hZZrE#!3~DHIyIo;*1&0#S#R8GXWt43k48;BRp7)N)S|- z1>C&kGA0Xf^G^6@Z7$n zMFutQvv~;*MUZYF%!pN!TPX!dM|v*>m&a&)K+gzU_K;pxx#tfwf0eF z{6Aql)Y@kWdT@am_mNw@Hu^kjk`}>q?S9@-*pQ9}E$|ZbpD$ zJ7Gs5k(91tmKe$sLWmTGr7Bn~6>1?^s}f2PnR1ciVOW(27K@ZZwFriDU|1uRs#UNC zk|@PmnnA4;FJg6WABDMX_@ZBe_In>oi=V-wDld*vq}M`{&czNeIY^51IYKm z+YndYXy6niGl4=H0i`alZHn}h{(U<^L zrtUaM?H&s8E4km@xW3K}2l{HU9i~Kmth`h+4sGW1O{z!=XlvpWuu5{!5G>RAz< znNpajYLE!4(n`0h>bf?klyFK~l|n4NV{c&BaNx(k-xgpQQV0LH$NLOTvccoMndX$f zkv4mGzNtl?UYK0aBDc10gsL-g8W2sRbk9iJu~UP(7WA#TNlp>SE=W|=i?ba3^wOkX zY1is%HvE3-2vCryds-HJ-mVLw$(AH}m9SyomW73XDgDUw?6|$#yv`%qJ=msel*Vsd z`|NMp%}*;W&Dk-k$XtAVYB3n>$I&|I>ii|Z5HGIbWfAoEvR_xGkdB%u^EKNNweMm8UVjt>++|OBa{aNdr zkhTeJ+;4mFaBq$c85rs58E(yMLLIwHirO}q+Sd!Qw3m#xW&y9rVdPqRh?Qi&xGn8)dVXr!%Zc z@@k>;xsr45PU?g5+RpNiKfik6%9)0JRg>pN=Rf~LS%*%J3sntBdI_ki7mrSgrY^vD z?%WakSLZVrOHS(4IhMeO)hAZ`qU!_Mp^Kl`T85(DsckjoMLA#nV=_NP72jM4aCVNw ztsXF5STjDhYhdzAZ@x-km?7(f@11e;p;vCg#|D~KgRlFCJ{iDQda7PJ;=cu2XOfG+ zz6j|L)Ul6M@PT)tsq8TVCL=<&YucZ z==FL-9C+!x)fov8UwpRWZ~rLo*Uiivij0;`w-$cGJaBl_kilhr-Kmeg`K_}1x&xj} zBcQKVN-2MA=?_2j&!&wDd> zw}p{f$TVAeLb2U>0f{&UE>x@@VD|&aWW35hWduOkAqaC|ZvHiolKf1HK zzu)h>-_Pg!p50|ED_WP3lt81=*6DR>6SZ!PJ@IkW`;%iIE>KG%sj-n}UjrG&0ywSE 
z>8r;9y%%f5O*rOkZN7-hX|y<(+hQYahEmkw^YXEn4nN}cQ)n7Zo*(gJ4i8QO^?0M3 zP=NP-H46f6rvj{$7$AdRg}dCkwg7H!E3-J-JPw%?%+CYl5tJhE;v@z{yiG(9jVQp! zyePGgi3K3=ScUW`z$Z@G3`RiZ3*dl+FXA~M7zPl84~r!T0&@W&1PcWabt61jj7ktx zm;*e$K+0Oc*?^kV+NZXtlLB;+q#qRs!r?GKEaLkDjRIIElf^iMLLQ~T3$_v@7U2;= z#tMTP4>|&FKk4=nK#UQq_qC7;kn;3N2wuOz@Qj!UK1~#rGC>6M3t&DZ@Ooo$J=PAA zCj7r{JXbqtY4zg*6CU)n1RPX78W<~JDtF&)D5gkxgKi4AsiI&_YM-OUixZ??tpKSn ze5c!qLLw=Z#T+q|BZLqs3`%u1gPQQ^_OJRXsZqwOD&qLO2*a!%fyU`U&AilhSE!u zf#RfW8Nca8?LYcmzi;^J0$aTLuk(_I7B(1E%i{iHi|z|Ja9*KR}4%unPJ zFw4TowlS1#GO3H7Q31*c7>im^52SWUc{QwoqtQYKQqqoI_}z^Db(y?bEU3*;g(Uk< zbhQt9Q;Rl4_Xd*GuUR{_5VHeEE0C#yNL!dhWt>(;lnbF3j@_RUxGA zhlU&%fA8^*!l1Y?gk+ci-WE<{Z}q7&M>qEshlgBmoET)9!8{*KHv&6`TU&?mta6qd z7iwD&9iFFcM~&TiU^y@_(iItM%&Y+Q4fzTJHodO2br<#Qk8o=Fh6?xiG;t(<^tVlGN*YwHYbN*+ux#qerwpu9`;s z-h^IVXo>ux{&d`$r9Z!%mi_6zmY=<_(Aa4VWq+kPR9x~xOWlpzJxnYGn>;_NtFFtp z54GGsQk4p=t-Lq$;+whBb8|*17xjJKQ38{*G>h8VSmBGr5-Z@b}+_3*Xjg7`HBiDzyy{&6?adFeNk#BLg0d5b-3 z9p!F+xWNDCwRfkhhF=kO!^16Ky!0x2slrhor)q_mdPk(;+PiMET zz5h+ansg!r=$v-@J7+7{oa2j2pl#+KRU%es&<_a|W z!QKDvpGsto{Bi1?F{rbP{YmvHRmJgSd->g=lhdE>DT$9i&DZ~hSKGgD<3Nr~x0crR x@l@~8v%fudb7|Fs)}6WGzYSl#_Wjpr@eu7sVJhKCFm=a%+M#HR literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/images/logo.png b/spring-cloud-vault/2.1.3.RELEASE/images/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..ade2ce6ed9d9e9f2f4d9c5729a252ee618a0a5a7 GIT binary patch literal 4387 zcmV+;5!~*HP){P%3MJaDx_;_%u2|NZg!>}aqze!Nxc^y8Ao zaMb9>c)3l4zg^w!(u~7spv{7=)Rn#5sM+hyw%MSF!DHa>*1_JcqtAwz$$7Kao2k-{ z$Ktlp=fbSilJ55Bz}~Eo#%^5i?uh^Z5MW6}K~#90-Cc>2qDT-G%qj|s`%n~65K#I5 zADlwl_5$Q6z@8Veu^l@*Ej;tC%&f&?en^rmW8G4Bfs-$nj#hCGIahUzrMVw+I%xQ$E)R)G83X}t`1ui)Ke0b?i}V~=x;*#OP5^AJ z_OVA5<-$S(*dHs3nS@MY=6>c;q3@Q*^@Wc{Iv$8o7%%=lu>Mmu!n-W>7#}U^c;JPI zcIceuet!P2`VsO2g}6x=;JIIdC*&i)%=!Asvn$`C@XK&1|;bH5D_ z=zH7c!N>)KddJ;g59siDEplU|gd&)!`j@>B<Ren; zZ&4m;WDi^gpt1Gv2zv@ph@g01qCEH@j_rY~NI}KjsHjX%MJEA4+|NkF9jCN)QIRhc zFaLQ2c|!z};lxO_~%A+Qex!?*?#BCYPpKKPI zY^8;41BlDH8Ck6C87V0(Eh9w^6@ery;@8d~7@N5%3D&bI&W)5%c0@q##k7>lV_Tmd zdSptXnJFnrN!I{yxMakbDUX|fdg@WJnp;XPU|!EiuDPM4^)e9poGEjf}cm) zQ6T<|r>a)+C6s`;zm+8Q0)h9IA5I2+zPRKWK##xWH90f{l+8s6PUi_;-+}yxY%qW_ zpq+;jDIBj9-3_RCtVLQ8Qlfc6S#9Zl2_?oe1NdkN)R~2omG>pa#E4!j>XLcm?Homv z)0|1pBko@KhMk9$WCm|6Z@xrINc5&Ax^KW7RoSKZ9md31ze)+imI%u9;l1k3P*$se zQB*}|EF)AlQ+s3l9q}umq*6uHfSQl>hxm| zpk$MFHQ|Ize3VlGK<4Y2*By?DAfD8q1chgsqJWf%4u>l#5$sjHAe?MN@FtB=By8>S z{l+gMS0M8kTOy{7HgpDqa)qoeLq8Iyrv*^7Z*ILgv-I>lSDU1yE;shXv=}u0Bm)79 zpZqyHmaO~`DU)SCU_|?m=93u|FsC%Kn)W)5C8=35QKN++ZrT`%n7|YUMOK|G+@yYz zBsTlUk2m2t-|0W}=uS+>_s~eOomO9eNP&(Tp=ivSZj!ZUx>Nu{loG^10u@~^veRv# zmx6;={>X(lfGBI}VRIH%reoDmG+ED&YsLnu8aM$(K>}kY*{WC@uUGg=h+u|R+ppeQ z8xW0SWbtX~n<7Qc(HS71?mA?&;Jqh|!U`bj9XbqsX$b*$gdCZ6vtd|FipbjbhVnr?e>-4~RyzvF<<-Qs^Xc&1 zMG?)OVl#yvh7FZ<%SeB(RSHMUeR^N=4zyT3l&pu{5o$u;~6g>~~oHNaYV8U>0d+O}rOK%P62>-NULqj@}>^cx{|H`VfP%0dmMM*p1WF zX&7F-oZ#fP%2l0M2J7v2y}j5tt-lDZ!(fW)xl~mt!6pa@qT{k(8D&?Dpg3SeTXh;6 zf~))sUYGV!>A5Fl6kB4L;Y5ruG0!VLN%ntyh9Y>!uB?pF4UL3&H(8sVe5^8A((%`i zD&TE8X^@_Brv#AKv}u7iEW65RY1@Y9KX&$iMCPdhIRDn!vkbDmh(BgVGz>E6X3ukb#p2Dx>^YuoxqN> z&w=TuA#hCAbp}GWYhDjUwWLTfU(G?$^s~;HSU;+R{kpFly^j3+BInx<4KBB1x7JYC 
zq<$);o)bY?S3fKEx%TA&oqlzKyfMhJHsEOBM5vkH=RD7cW|-B?MI_cw{^7Xc1(m9~ zY|dhW*3%mkt3V{KH|x!_zDoEW{pMW71nBgGRd{1G_98WN0`zS#8>d{w#F$=l%EOAr z%><3QQ|3Oe&L`j+o50)eA0I5EhsJJ-CL4Pp#eODK+j12X5>7tPtJ_F0{3hxA#EBq0 z_hMK!&xF{BCJ#;IRAJKJXvA>xffF#F;@O-dBTNdzspmqpEd}QO8>RCjCxVhZ$Qj=7 zR2}p-3O+iPEC&Ddv3l{56Y;_KSR8ur?jWOew%1`587vFmG)reqt>6);xJOkEPixX_ z{l|b+7-b^&p<-59Q+mbk>LvNW)xz2n&o^6%Q5kc+;MAgscwhSWS<|`zCf*UJUuqoa z<7}JNrV&lKxd)Z!9Qg;2$Q}52x!URT=8B-r)87O|Tk=#LvYxcMhJRYjK97YiKRx*c za9yp+cXdp@JVJ%MGumF%FB?1~_+WQq&dK-ySxOAxpFeD-@#iG-6;v%XIA>!=<*f?Urxr1Pj(NRcREqRRHswF zk;j>n(Teu^{w^dPDOsf5TChaEoY0ZZ0HxLA&?f3eiMsB1rnlg`>2#dD*!qoJFO-O# zDCrWg{cyrF-w{wT!XcoZ6_49SkbCa*A$sQp;){qYC;S(1O3w3cji$AzmFPZyvq-oR zB9zXUx8vCzP2=&Mkk|15Nsl{s2rN>b28Gv_ksGXo2Tx7|t-BV%^X`)si!E0pYw*0d zkugG_qAdWw>pV~oF%cFHS5DfTwX}nDVdUvMW>VPMT=ftWp`2Rh#>gcN;X#OonH{0e zOL_oW%w@gelynN~uV8sJ*A8kU8Ggbe>ACN|&Z+?vZRYo$q3wH25x6ZH0y_Z>zGn@q z+emoZVD*LPpV4o0t@IK&<|`Sd%7^EE+hM!+peeAgujC%P7pzCGt(!;Xv%%^faBH_Ny;(iNv1s|C4 z;d>&5#%14t#C1l6)&Gr!&i#K!Jq$4oFjj-|VjfCJn`i+DF_Z1EJu49V8?S zPwDGv&2QHSrR5O5HXg{G@nB7R5}TH^g2M&sd+LD)RJXytSjbGlvUSlLCDnQI^ADq-=ja;k5rFl-Ml_z)VsGybK8TIasZnEcqLXLuyu~zChc% zL%fec%2=ejbK>iOinblMxi=_y`|4Qa38-k_yc%%b?f12SPL~o`>8RHOeg!~?yA8UI zdPCq>pyRk$361H`|12tC<~>R|`r&Ux7=3_f-}_C1MEoyptpet@ckcq;uZ91Q6(ahB zmSI_8^q;YU1bax!&jo6@9(V!xH$g$gmct4GP2JkGq7VKLLV;pn&(9s!GIhyccg;Y= zB;&be0q?i5@bi3XC zN)ZU(_2cjD^OTzYc6Aza?V^lzbs5IC=Zaqs*DUpq28#7tClK{yXb1Wwu?(E7V(JeM8)nOZvWVMX6F08ci!Lcy`N`3 zRmMkqPWG8hB9T1hF%lKAdbyuT9>n{*eLWY6#T%Du@g&n~JQuNGq$r&!4Flu`Bpp*> zh%RqUHzpvFJTmlZEv{9>@llh3hPZWTc7vHflSqO{yBR^VFdRt3()C6mdFU^lWI(SI zk~M4vs4$DM41J8lf+acP)u|5Q7d9H%x_Cd^XHyaDX=#nXqQj zt>&vFvNyJflaQQ&<7Pgco|~IX%Vp9`mUKGA-Zp( zOJtG50yzv2=0Xrx46(Qj83@V53@*$QjdQ#U%j3e3l*8gOAt(xhqztY^3`s$@h$SN! zBqG*0R&KQ7h!Mrc?dl1;Z?K%-#qz}#48ctnwaJt{-T}%C6K=9*n9P7U2?jzG2&y-_ z1)=T&y^dFcS@bqcC$pFgz^e@N_3!Y2&4rmVrc?^b{#WF$vAX{!YjnaHy1PC8t6j!L zL=U>RZ=0Vuyd59RNX(3d7!LK(`xl6rBPrw5(!bs96XC4+vN`n!pkNhnvKs;x&pmV! 
z^p5t4F5vmbc<*Tg!?VGlB>@XnzNdTWfhvE25$e1Mo;VNrFPPX7U z(3k?AET0>c;EQjdF;|7qmM;id8Z2DH;$?xdi*jLQS;UTmTiQ;84~KpVQTS}!1G7>???1T1M8Y2Y^v{gyWH4>vrEALt zW@fUDlD9Q{=doHaIiz}LsVtu#Tf|>gNSPn)uUj7xxbS*QsNLaH+;@qq1yM5)eX8Xer{FRzM~ z7xK|ff|w#cs13!6!+4oAeiqo&#|^o&-HT^JJ+1KLT73G&i2y$6Z`@c^KzV`9OsHC8!WcLRbRl_HObYx+233S$HvBP zx5xC8NE3$Tk|?#kKW%jS#1E2l4~Dm9y?iNEMtGE`{31iwDR0{;frQ`P~3kjC$lu_eqZs}wAR(baf^>n-dr`hd)oUmm$gnF zbD^_eYPM#zynGxf-a!tS6u8|n_+WHspz~^faii1kX{e03c}{&}W2fu+^!IEjlU-

MvJZJ$)LTqJA+@mbLxmkyPc#tU=W5xPJ%q2sZXv`v(Ui?>!8Tjh_mSOc$O+ zW<-$ZjJfV@LAsB%Biz5w(;fXV?CW1TB9(ujH2(XqZD*&_2O2L-EZJ~mTUSoq*g)q^ zQ!j3qa>DzQ*dH!xN(0O3n$-7HmkYk_eQXG-gI*K|{dncP!DXswNa?P_Z}nzo#*v#J zQ5S9ROsaZ%ZqC6y?VF!Q1^;o|wu*kH=E=`8B``9)uFtN|s?>Xw*7?*`wfqP}<_A~q zd8VVPq*k-7ZPhbSEogsT%F|x0xuT7xdRv7>Rev?4wv{qrDN}+xS$8V5!!ga&#Y1*BgqL?&c}jPc zG_JlfMSD5I%DQQcHXTbGWQtKpeL6yAB|UI5CQ=~#`}=c}Um;E%R)9u^qI0>&GHQ-g zOm;DCkym+{WF$}@UWrV1mtnTPtu!WtY$r7BOpo|N_#mqWGhK#KR0MD7eW*yPaY&xBTRfcG-E5p&`2dq z875XFdy+3GStd(wD_Mg`dys8Xd_houJju_&*4)mZt2Tk1H)DTRJY^_lf>>*ZU2Th5 zWQ3Ly{;kf91GM2s4Vfv8a-fcsXpb+4t> zmM%11X*>M&PQZNVdARf4d*2x!aq1>jOzQ?>>R)(Ok;sOJ)7jfk$Fdif23? z-}3V78&9qod*O;uGk%fEW^;|k`Lo>bOq2iF72o-IGb2gTw+4B~#iYz(oL}sS7|$R2 zDGfrR{|@~AQJ&v(#4u|ZtJP}t520N48P!$8U;|Vfuq=8>E$w`o2Jf`%eqhqbr%IH1zV?O3uDWqKZId-wMQ*MFefpD5X*w@ zok{kNA?%%$F{M!OUcE^^x{~(wkHK|_*9Yg`KNS88FaVH_sda1Xfs6nE002ovPDHLk FV1jwin)(0$ literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/images/warning.png b/spring-cloud-vault/2.1.3.RELEASE/images/warning.png new file mode 100644 index 0000000000000000000000000000000000000000..0d5b5244605adbb7ab05a1549746a9c35490f95b GIT binary patch literal 2130 zcmbVNYg7|w8V(4q($)50y>JmGlLW#g$xLn}Vd2Si)}#|ptPAQp3Bp-3!-lL0;i^LY?;i#f0m5s49g z3h?3rDQg~EDPlm?FKkgKIcWEK-3X6YU0uzs7H|nq84s39r2!5;pF?SI$QqXy^Ko1x zV~zpENvp@<_Bsd`5MabC#3rvCq&$5dg43yGR zAdy0-rWjC#a1N_+kzUMY#pmogD7!DP(9dEKr3c5ngvUq_6>}Y+w-a81v=eSXnIi_+ zI?U>D1q2C!0zHox#XXKH+@|&rPT*OF5yvY$5J|)WwLqnU)c-5;=UChSlQkaY3@^|g z|J5#YBB}=i+n3Ex9bS$P?xJSKLk)-HHII@;3qG#TG^!+aj>0QkO~7kB0+|yM;YrGB zF>Ge@isQ#73%Tp#k_(tInh3U$uJWY-+DND*o}L-CB5g@#9YWWw~pxZ!Obm>yN#ZHFvL0zA3vNCTJ=t?)~`2O1M{L6un=ml<2x zQEYfifmA?Pz0tqRs^2Utt1pU0BQB1eIY0U_I}c1Y#PP7Ci5s7#IJn}xK{G+{_v^Z+1V#$Erodv>d}ew>RP0wzw+GWkGCBlS1Oj5Z!5NK zUuSR6>pa}RSEZ;qE_w1l#`hQX4E67U6NeP zHZ`T&wj0_H)t|Y1thUqnhub?%e)Y07;a^Tq%FO&iQkR&`qG!dh*2WfW(HuRQj*_DI zeCD1bUA|tMwjOb8E|FRIn$pzEU!2j_N}1Z2ig)vbr5xA0rjC70cmI6*%Uf->hWzaZ z{33HABO5q)vRhzDly2l691@+q3O{}NbSzx+I*k@|L4&3leK#$>u+T#TvTELfKb|IH zc23atf3vmfCa0&TWY@iuoA_Pm<0~ttEC*ut`isb^jXS>X^Sp=l?RXN_OJ*&usGXg$ zTlTv;Ch^vhLDf&+62jl64*&D+=+`sN_dap_1W%p|KQVYIdgPL5uRE9(c4On)DXndL zLNq?%!-u*zmMxyYc4m4Nr>>=A=s}PkJkqr&E^b9>5g+}c1%X}3|WKcg&spcJQ)05zI<<5LTBhNKRg$XRTi2{j)yl_ zj4~kKOvr+m(;vw~9zVh(zC-y9jqQnguz5r7FRq^MyKuXAENp(TAzUVtg&Ts+B_s7) zGn+fN0sG>9GjsPLKTRrvCd`71IZulJ1_1jO9KWbD&_@2UC+LTNpxxrdz#E|j|2nA9 zzB!UTyfAEJ&#%$pQ>QX#8vk@_a5iqukMF;8`wRKe{BI}5$H%OROs4J1#j)|?p|YSh z_SpR^e`VE#F52;WL{!+L(yZLRh40*KS;@box;9(-tE)`mcVp27O*>Z{_Lb*5T3cJA yr~0nPHtg2+UHi&&$8ha;`+hiaUmw&!n@8(?5PqF(KE5>Ym)EG)p&uyBP5%a8^# code { + color: #6D180B; +} + +:not(pre) > code { + background-color: #F2F2F2; + border: 1px solid #CCCCCC; + border-radius: 4px; + padding: 1px 3px 0; + text-shadow: none; + white-space: nowrap; +} + +body > *:first-child { + margin-top: 0 !important; +} + +div { + margin: 0pt; +} + +hr { + border: 1px solid #CCCCCC; + background: #CCCCCC; +} + +h1, h2, 
h3, h4, h5, h6 { + color: #000000; + cursor: text; + font-weight: bold; + margin: 30px 0 10px; + padding: 0; +} + +h1, h2, h3 { + margin: 40px 0 10px; +} + +h1 { + margin: 70px 0 30px; + padding-top: 20px; +} + +div.part h1 { + border-top: 1px dotted #CCCCCC; +} + +h1, h1 code { + font-size: 32px; +} + +h2, h2 code { + font-size: 24px; +} + +h3, h3 code { + font-size: 20px; +} + +h4, h1 code, h5, h5 code, h6, h6 code { + font-size: 18px; +} + +div.book, div.chapter, div.appendix, div.part, div.preface { + min-width: 300px; + max-width: 1200px; + margin: 0 auto; +} + +p.releaseinfo { + font-weight: bold; + margin-bottom: 40px; + margin-top: 40px; +} + +div.authorgroup { + line-height: 1; +} + +p.copyright { + line-height: 1; + margin-bottom: -5px; +} + +.legalnotice p { + font-style: italic; + font-size: 14px; + line-height: 1; +} + +div.titlepage + p, div.titlepage + p { + margin-top: 0; +} + +pre { + line-height: 1.0; + color: black; +} + +a { + color: #4183C4; + text-decoration: none; +} + +p { + margin: 15px 0; + text-align: left; +} + +ul, ol { + padding-left: 30px; +} + +li p { + margin: 0; +} + +div.table { + margin: 1em; + padding: 0.5em; + text-align: center; +} + +div.table table, div.informaltable table { + display: table; + width: 100%; +} + +div.table td { + padding-left: 7px; + padding-right: 7px; +} + +.sidebar { + line-height: 1.4; + padding: 0 20px; + background-color: #F8F8F8; + border: 1px solid #CCCCCC; + border-radius: 3px 3px 3px 3px; +} + +.sidebar p.title { + color: #6D180B; +} + +pre.programlisting, pre.screen { + font-size: 15px; + padding: 6px 10px; + background-color: #F8F8F8; + border: 1px solid #CCCCCC; + border-radius: 3px 3px 3px 3px; + clear: both; + overflow: auto; + line-height: 1.4; + font-family: Consolas, "Liberation Mono", Courier, monospace; +} + +table { + border-collapse: collapse; + border-spacing: 0; + border: 1px solid #DDDDDD !important; + border-radius: 4px !important; + border-collapse: separate !important; + 
line-height: 1.6; +} + +table thead { + background: #F5F5F5; +} + +table tr { + border: none; + border-bottom: none; +} + +table th { + font-weight: bold; +} + +table th, table td { + border: none !important; + padding: 6px 13px; +} + +table tr:nth-child(2n) { + background-color: #F8F8F8; +} + +td p { + margin: 0 0 15px 0; +} + +div.table-contents td p { + margin: 0; +} + +div.important *, div.note *, div.tip *, div.warning *, div.navheader *, div.navfooter *, div.calloutlist * { + border: none !important; + background: none !important; + margin: 0; +} + +div.important p, div.note p, div.tip p, div.warning p { + color: #6F6F6F; + line-height: 1.6; +} + +div.important code, div.note code, div.tip code, div.warning code { + background-color: #F2F2F2 !important; + border: 1px solid #CCCCCC !important; + border-radius: 4px !important; + padding: 1px 3px 0 !important; + text-shadow: none !important; + white-space: nowrap !important; +} + +.note th, .tip th, .warning th { + display: none; +} + +.note tr:first-child td, .tip tr:first-child td, .warning tr:first-child td { + border-right: 1px solid #CCCCCC !important; + padding-top: 10px; +} + +div.calloutlist p, div.calloutlist td { + padding: 0; + margin: 0; +} + +div.calloutlist > table > tbody > tr > td:first-child { + padding-left: 10px; + width: 30px !important; +} + +div.important, div.note, div.tip, div.warning { + margin-left: 0px !important; + margin-right: 20px !important; + margin-top: 20px; + margin-bottom: 20px; + padding-top: 10px; + padding-bottom: 10px; +} + +div.toc { + line-height: 1.2; +} + +dl, dt { + margin-top: 1px; + margin-bottom: 0; +} + +div.toc > dl > dt { + font-size: 32px; + font-weight: bold; + margin: 30px 0 10px 0; + display: block; +} + +div.toc > dl > dd > dl > dt { + font-size: 24px; + font-weight: bold; + margin: 20px 0 10px 0; + display: block; +} + +div.toc > dl > dd > dl > dd > dl > dt { + font-weight: bold; + font-size: 20px; + margin: 10px 0 0 0; +} + +tbody.footnotes * { + border: 
none !important; +} + +div.footnote p { + margin: 0; + line-height: 1; +} + +div.footnote p sup { + margin-right: 6px; + vertical-align: middle; +} + +div.navheader { + border-bottom: 1px solid #CCCCCC; +} + +div.navfooter { + border-top: 1px solid #CCCCCC; +} + +.title { + margin-left: -1em; + padding-left: 1em; +} + +.title > a { + position: absolute; + visibility: hidden; + display: block; + font-size: 0.85em; + margin-top: 0.05em; + margin-left: -1em; + vertical-align: text-top; + color: black; +} + +.title > a:before { + content: "\00A7"; +} + +.title:hover > a, .title > a:hover, .title:hover > a:hover { + visibility: visible; +} + +.title:focus > a, .title > a:focus, .title:focus > a:focus { + outline: 0; +} 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/images/background.png b/spring-cloud-vault/2.1.3.RELEASE/multi/images/background.png new file mode 100644 index 0000000000000000000000000000000000000000..15dca6fbe2669fae3609605e49c69cc414f1b6ed GIT binary patch literal 18255 zcmZ{Mc{tQ-|NlrKgrcaFbPBDOvWBUg7G=wtim_B8Ysgq;M%hj&Dizr#DKZMBkY&bF zQI^rsG?*CsWEtBu%$S+a=XX!f_xC*4>2RIPIp^}n{kiY^y}jPA_v?1U#_HHA$qkYS z1Y(u>@jq=52vKeDlPn+z~j!r2!xcp@J9rZ zo~ZL*W#N2~h3F^Y#kf z79Vq?HYz92POY^z60RQgu$cgc!baLFp8`pJN$ z)TpgHDYO!o(|FCbF@nU|Z4{PyQT_pWk^4ba(@3pLy~5i|7uwlU`v1B%7(o3njiTd=qKqO7b}K-at&!f*f2n8M46&RIPn?wT2jQCY?} ze6G^KcX(b!Y*uXj(zgAp+m$yS9Gsr>(+F2nC60BdVfIQ`)cSJ{^*od zepxlPa|MUm>e9Vgly6ynJN3^PvB=>&xF()rO3xDmHI z=|xsK0?M48ABv)1&|8*aUyhO2#E8jlc2-#f51xWHc^hUwi&%dc@+wWVCpXJq!}S%S zg>L#^WBV(Qw|v9bo1MW5gc=&srYW_5F+__kX%{Z>&RZmXwCdi!gd5#fJ|%lv+{G zr|b#Ts1}Bc(CPkXaIO8<1+}HlegS6DFs7U6?N~4wR!^#(;YIbqQIOqp)Y>Db6o%1i zfzY22V-EN1GJALyq?KWSwMGbU#gV_$)SLlMlxrQPHdgnC(nU9*nIG%)UtAL8sRnL zvIO*k?9`K4fpnym;50z#ebD=+rZ~#B9dpG&=ZI-%{LqY5j8ndz5Bo^s;38&v8 z8(1+}&NV9Y(=RCMwyd1YBBL1Mc{4wI?k1TngzL8oyymA8O_M2Y5c0rtPR>#ek(4}+ zvTI`PjpdGC&F~Syy8RdkeK9)AX8N#B63UrIl;U;paq7n-;aB#n!Um^KDkm6tH=B)> z;3zLTI4#Y?2aYLOw=U)%ARIOAdmMMfhQHaQE8 zl3Cp0zQYq?6o&{k_DNXPel;f2^58wLpT=YKQSuc(*4?S`z@Dr7Qgz$FS> zi@ndTb$lk)7Z!9l#jnB&dk);SrBnVL{_rebeB*2~oq^e;zWdS~RE>Hv&Z771FSI9J z`7tfJM8x*5sOXA1eyweMto(__RVTbyU+|S5HB6d4Dgb*jRGLh3<^SP_w;CaD=Airn z>}rapX06!=({QJ<^CD>ewmorplO*#Ve>)f5@p2FXtSj8Mpa#1cVXgVCAhb)&HQZgO zfVQu&2q4IMN4mO)pTC13+M#|H5NTM8&`jguD_nAjiR*oJ9i%> zS4&QN%lZcXJT1e1N=#qGK$_eAeJ=b0Pj(!BY81~$?SW<-R5^LHJW`}xjV$cQ>zZPC zKx&lIPgkaTQ)c#4Kyjmtk6@>u&~kwQ2TO1ikDO|0e%26uY|$`ZJ&_<<=Iv{O|s*<_~}Z@laTeJVr;$B<`4hA&>B z`VsH7-~=}Ol<9at3?1V^wg6RL>j^EV032~4IaYKQnNnGs;Ssey~SyhcqT&3YZz z^xJp%0v#<&D{~;^r@WJWG&QnVUIZ8B_1fEU$761g0RP4%O(ohIte>|q%@y#fVUTSp z3>LLub23p7)|oran=&|5TltRGRS5ieG(9k&xel^Z*_B-TPiOvby+_(mUYMo9snsY?Ezus;g8M8RHQ1HQKb!kSg93n1fGkNdIc0U!-ysgq$IH3AbRuiz?4Bij zYWh9M<02o0X@!^fPTv3#RsP8U+2+zhe+uFtd;k}gJ{B&)4M?v7*+E_8dAcPbqo_^x 
zN&n?q>huypF8^2I>P9V?K-3j3cj~Sg3)t*kHmSFYY^Rj0R^WO+zrdA>zb*);SAsKF zzO1Jom~o%=Ys9O930x;UXCGHc@^7Y-ti47gI|()f)IYW z$3fiwh4I*B80cG~U)9X1S;3M^9XBn)VR!|^m!=!!5StHKz1RF)YLD6rKN_34G|QL0 zKgd6Bn6djN$h3Y{Ry2=JT*nJrklI3~GExg!unzW zKobvk_}QhwMzP#-rWz$TVa+W>$uZzVkVFGW1J%yZ0pL961Ci7a9i9N!$n_#r3FezE zOHZ)9o$@3746}*BvD0BoxzP%LJr&y;LV(?#7TH?rU+$3b@WTW60#_?*alt;Tj~z%X zQF(&yC_MUY`Jp#1DJnKFXT!AI5*5$5uc-3GE^)elv9tt&zAc`sIBZVPOodOd+Z*@? zWK(gmvtB75yypEXBLYk`AId00OCj~^1m}D$m@-oSre-{&gxYjaWV+lV4QFU_5@0@j zL6R!$xqlPc&SZURe|EQNpsee&g^;WLTLuD_$RMf}-Td^i%EEfQ1WR<<(6B`%X0%ul z2`V@-^T7|#v|j+;g+5$0u0cmpTQP(T{|vS69iYie+5@#L9^B-_u+ngReT=rR1OmTL zQl6CA=9<629#ARBwi?mA;yXY#kz$+8cUQK`kG*lpP;nG|&N5M6_b)@oA1%Qv7WjPI z(SmcSv8M5!NJZY3RzQr(%zQ%MSHbTc39uFT%-D5$%?=#%HU3Q6g-;4D!R_B*qE#P$ zOXwG@E2Gnc#f_HO06T_@ab6ARqIKGm&AdvT z3b1cEJCIs&T1NEg+Vvj;j6SKtPl&WCxUEL-JF0o+tDCJt++z9Q7%)PB(W5CBK^U|N zRqFH2`*n2X%fIK0V)+?+1L*OXbc59gCH6_eqEW@lBly&2dpvos9YznAH8#^U6@ecj zZafSH-QrDi-&guLMk4iH^}N&i@R3THFYO&m=+(8l!P?3O( z$7nS)&n5?siowwtBgNueMk&~^5GWa^E4}g3$+BR@{HTzgf4TL0;guS1N3q+ar7FWg z3w2gljup*1G0`4xK{n&yaD6xzy090+eA#I4cE{r{-0U$eeiUScQuH#ch1<{XFdl4R zpx2p_M!n_(s?;bBrPz(8w6LSB;n~H@Pq3E9Y0Y>}w<*=Kvv)q+o33O#RX$$;6MU@J%jgsn+3Wf)+-J@e}gPv?Yl%+nih_ZDJ&GFhYI`V zBfZ(KtL_L zSa-p-CPLUDxbB75K&bobQ*(lvj#0mb2z?5#247Q)obHkRLp2kpS0&9p(yMOap%ZaE zQk?9m-l;O_6-rt)-{&zUNJw3@*V;G6gGj3ynuWC0_uj9DyUYD2Z8w>P91szRH!K`T zNIQhRBIun-s-wd zht_q;s;7o#I1yba`Z+|)P?~N5wBXPgr->&+uafcZwDNcUR3TYV*7MX4T!%ebJu&2a zW_$_rN<{itDR*2LY_NZ1)>u)1@~*)9n77rjc}>b)CM zGkLM}d$a^bV9cYD@m(Hr^4K?e%V&%Ae&I)O6P)CnzM1FJJe);nhhGD!j}srT){J*R z9}Y5|zj#4<8Xq6bJ|Do$Zm@e4=LT!=vrRUCoZ(!q?0#J1w!~$7*_S&=Ow;q29_h!86t*aS)z{wq?JrYAmqEIT(g0mwZS8M zX0uLjWbyN=*52U9QuB`tcKls!9PYJ08NbB&#H(JK=Jj<6=8XJM`tywQS7{f|&gQl7L0A(^LH=&ZSHuG5j z)ZCE(4MRDUVp}qmH;TsDkZ$$!&7~RELTD9P-Vit?GxI%-S)(3;shT$=$fSIn)>)!4 zRQb|6f{|e1ENJ8Y@^d$HF1lkoz4R-(Hpp$RqgpP1rTJK;xJ&!EiqksWrATQ;<3VWK z@`uOV*Cc*=9#Y(QBqKif;?F+ktQf&#X%H{6D~LZ$YIJZ|2)_`_{B_w zlW=%8r3Rk7q`r-WJg!2*bHW-21*m;k*{WSs9JGOV!F}Niq^*p>`d-T~-8cFX(5huU 
zDt!TFB_yA3qmTSt_tMw5{$X-d8nB_ik{0fy| z&jmqt(}En(b$6z!PMk^d%Gryo!u&iK4L3*i3@tl6TT8u3z1ej>dn`fCek^gXkZg)@ z-Mwn$?h*x9@yM5uP|0b!Z*M+RpORodf8g4=I(s)KI^*)6=bW)?9J7){1WK>*R_h8N z1-ILWzEzwFJ@;WD=MI1J^Bh7{VXtS<^?L~+7@4_p)lTxvqF<@*bi)C-EmH&+FMH{bU>nG@d&KSe}Jx6fi zz3>0Ql%3Z64CWeE=M@^D@!u%D9y$x{KPVg`fD(ag#HE;59$}SH((CIf{$S z90>(#8tnaQK$(McyPi6FelH)_)EKuI{y(;Mq8O6+i8}}1D}P&9(%7Ufb4(-N#Z!aj zJGT=wkNYX5B|faCP!XliZ;O7|*7z0LTPGWLs#qRX?L>W*op=jZ68-f1A8A|9DX2?z zuHrJL;ZHwz_j)adWTO{LbQh=VAke(EQ}PeOdGDkmC7AWE{t|&k&p#Y1?Ycnl960v;WRPxkOXVp{lSKXcb#XI#GK2n zC(N7fF^ErWLq8mIV&QEudgMB2=90(bXvMmblq*5xH_PGJ$xK{RGVWK`B2sT1? zCVOeBO;7p$n?Ku6UN<2m?zfEQMNFkci*&7GF%WR!2W#$tPWA?kXwoU&aeI0I;5$Xf zSy$X2Lm}cP95R3OJ-;sC;d)Ii2*Gc;+bP<7IASI^f(Y1%W1D8@7wf$E?SR#G`3d-? zD&k6TaXSN}kM@687!l{_X=h?c|92b-YG;rHxAbzD@0enk6Eq}*r)ACLuc^(rJjP^r z_>~Y<+&>fPe`X-9va9Ckj)v$r-jfZ0cWKBufJfz>NmJ>g`Hnddrp7bu=P@#T&E`^j zsX3(Y5O+qC{AGMPs^=x7P62Dz?78^_umH(weN&5}f$&*3Fyi^!Cnt=Se3WzbboBq% z0w{|OosY;Kb4tVwNhN3@YZb>A%9_ZB!|&x*_T+&M=V^pv+p2CwrDXnIC;(qaGrsXY zfjy-P>wh411asTXAXCi0XSb}OIw)gj0yo2dBlLb}VW7e6i7%x9fd@QpXM-$6 zPGEC+&%v^XbYJ~b6hYkAi36r6M1OSfiR1Q{+^V12<+=wF^1&AB!J?wmt15|>Y(MrZ z&iB&x^O@?_hL1+vaE93%EM&UbBh7v{6pe!a3%|+Mlj&Y zYu?o%IoH4%Z&>q1F;QR0z^;<1rMlWBMp@R-d!H`kEtJf2)m>w(FM0{5yfNJ4mBf7# z*4Xb1Z6dHYU>XiXiL*n_OIdv5b;0<8>56biwqN(&7TJUgzq%X%0S3Rk??XgA10~x? zEYq_O#}K)ksqzX?c%7!YX~}u|%dPh!>H0l-cu}G0lRMyXKLaA}^ndcCn~jk9|DQ<3 zCd#Y?M;mcF+cOfK?1nTZRUH1=HK9Xc-B|lXgy`5oDM&grq7;}^$3U-gZM%{NpTFv_ zWw?xc8Z<;gem`#kOcPb+dVaMS(l`H^vTkbrs`riq=cr-cRa#(mrEOWMhP5~ylhC4N zQO}B|Y%w+5JrwOGWzn`E3TO2Ex}rKoVO18JyMf%5P44**;$cfSkB(O5^TTR{Q6YBZ zpE3ABQH)m(WDGrS8>hc}TtteQd#Mh|);282wUJ($#x4vxVX{(2xxE{boWXI31-(!JZBo_}fsThDyPlTS^^nGXF^tpP;FM~%w#G0ETr5Nh9sTIXVb{P5V0?cZsSQX6N z24!`pnOi^iR}yJwgO&7hyeeLr5(R)~)TEotk$#Q)v^0eBnEwe&G$6H36yOa8Uu5v! 
zxY(@9Mx~)Vy^efWnh@`E*N%?bm6yT=Gtb4ZgD%DkF7c!J-%?Qi`^JH`{K=@-7H@CpBQ`shI}ngXIP*}-3sRp^ zx|jW9%*);;7 za2c)&5Tq||1nXbOt^H!hi(4|vca)5?EU%QHo-4RH2@TlIe>moVDV9M@}G zgE#^qedD(@@I)h{$g0ru+pjzC3;`1nue1jz%|xp;v|E0m-+;p8{+nI64(jGO`XKQP zf9OnPd)Np5daB=rgGt9}!#6e%u4av;4Dd^FR3X~?R~Az^(sea-A-QPkmV|Ms>3Mt4 z=@7j~8|olEObh3@9P~FQX*Ix1axh^UAq+CYFIv&R4V0QE1=;x0!;vF=>0Y zi*d+|RAB})jTK$z6q>Btc!B1BIE$AuDk{G*d?&!#zx&LQQ}?wk#FejSPT(|J#I!;z zPlsdlTW|silt}{DE9D45a|HR0C}Y#(zp7r!P8T#8D-E|U>L;fZE=Ye9AqOa27Yw6) z4o2q+fd}X#)qxzrpRtqUcO?yHywgtLbGL!tJX#>@zGY!L+|hmed_~saTmMNrFitc5kEbUJ)b6i>a`#B<6vA@{3m6PV%sDy?)pz!AeEc_26LWhe9oh7SYcq3 zQZlx`R&|`0`CbTXjN-ZDddOg7t2E>RA)5(kc*@{iI#p&Cy|c2WvDIpT9;>feuV=CB zwTAWVJHJby!m0jNx54F5!;Xr`9KW^0>Z82qGUXRV0d}B;v0$@D%IzB|Wh$C2_=cY5 z*%u&~(4axYR;;(i7>GKRI~cU3i%;IGUhYuUTh+6K`>i(%uMHlZ_urHZgU6w{0Fk*O%9f>eXpe&GnJ+BO+ru=^X#7>_i%{{La5oqkBzq$ zherm(wRFxkcj$r)3(Uc$dJ+cT0D+-D?_2b=V$jw#i-v$|r>wXK&h4$d?{cD9b-YmL zh_S-}IQ$uEdho^52Br)!gyq@JWHZ-g{MF@3BZ`B>+&l)K{NS$nCfC=*AM=|vi@+KG zgBF9Ynm?i zjJv@it|;8(o}#i8&yu$(B`ZL4q1aO~l(_OmV>oy1IDe3ji`F7usIc>n}bCsw!jv46f?k zaPzw#e*DUQT?4HxV8lGF{Tzn^{kLFFjgp{vb+RF*VK+s)1*aE@aii}`IB&<$g7cgW z9XbBL>fmqs<@DFejOb}$!9`y+9O{hIg3CTJybR?h63m?9re|Fwn8jn~s7yUPSG6zd zk~=htz6)9sq#eenYWfiCabC0h(U%#@6UiyxB<5Hz7v;ggfaR2g!n|s`xN&lYPZ$M& zO54nh$_8=(JOJBejq&70imP_=Z%5%ws%?Uy-jS3Pdy*kH3_#HvvRRt8x?JL0LVzr% z!t1XkK7j2j0o@juepOD%8Y)RQj-Ffw)XP1Q&}4RgLS$QZD^NaoKz0Pi@ZTb}ikB;a z%&$iaN7J1=YrIn!TK~4GByMG-JC+OoHpio$;>LtgK;-*eq+-elBE52-aS|It7_^#7~pwm7ESR+U~T; z$2TlS2HAZK^Z?@O%E_I%qT<_%Bsa$h7?=#7oO7;~M6w7}M$Q?q-u0K_2mec8Odcno zk)zoCD^i4gI?$PDo2*1WsMV#TiE%6UInt^~nV$80<1%w}+b^H|S9U#e>fzvMl{Kub zsThEyupI%QGH*HNsM<*?nzGyE)En>lElv*GGxDHb-_lfNvWzMWp6PNP`r<0I!osxO zt%lG(2cX6PcQ|@}vbO(}Uq+OxixX+nr|=J|8908(2cF?L3gOyf_VDeW3Rec4Re+!}TXdq&-Y@@YSwst71cz#Le_GPldZSw&mGv_KbFe8Pm z4>7iWyJ#i`T?+DMP9JT|laP!IT-iWjyAXh!7rYArZ$nZ~iXQor5Xil%{+vWAGK(h3 z)b%RO-hL$LIs4(HBonFC>mE43MGJKaK>ko@+YqdrPtBMIM15E!*^Bc<_nLx0uUc`wo6+|5@e&@E2dR5#|q8uTwTv(|%6BYDp-(xGCv|AV*N46ZT?| 
z+GWyq6&k^3sFbJ}+uIK7$M=9R|6gq{P zL9bukyHQ!D{z(g!e8m`(TJ$Vli1~lVyg2!Z- z4IhBuvTZzn11~EYTNEZbZ}=CyqXHH87)yE4K&Pp+C8G{N8C5Fz?a;hZ+)Re$!vdm2 z%K6=S`7@?I?FPp|K?1B9DzTou-Bq*C(6W(LLtD};xz6v7vqN-FhMrryK`Gw4ZW_$b zCIrE%FsXdw*Qxr7kqDFxXa=A7I7OB>YWcy9)Gn7jyqpK6^Egw}@&G8rPIvP#Z7{@` z*ZeL>=KxvXRs<_E_g5Q;(a4N3Yx!zEw7Xm|p}PY6#^CN}Y5kr~TA^u2SY?DZ>b$$#u&f z5-8ngsz?vx1YRFKyHxss&<6c8Bt2PB$}L1r1`kf(;8+;6=N_;y1>~$1yRlU>viMYy zrt%ZCNw%?8_|3(GrQQvzpX0fLWd=KY z^jv-AZ|f2l2$i`cfE+bGt!W(cQa;IKx%O9OM#hasU+G)f7GyiY8nxGbr;Gc;x8AD) z5eRe*Bjc|03Ri8V=27PgtTmlUYh1Jsh&ow9YN>;iDxE3iN9B_aW zl!{Z)-xYibcWT5l*g4x|R9gypCNppdyc;XlCoyZXtFCHq3)=cBVNsNLGeBYv=xE;f zjJ!4mYTR`b37+?39v1?FCg=gLw5t$^!&o;NEV+`TF};LoPXp2_Rf^G9%hZ^KsvLpO z6t#;xsUk6!d~{h+!fvaHl1TW`vj{z4G}Qh4ex-98ERs%8Uf2rZHM?i7yHD%uE^I}S z=Dh2a%Hn}dRP9u0HA~Yedg1)`@*h&i)Z+Vrejl`77{cIk6)^rO!O8SCI^>OO9Xi;d zi<&l>;8T02Za2)?TmqzgL(PSmE?&!S;iEgThq-Ht9~Ck!iM@{8h_kwvsRxt#vTb4+ z@y3QWna3wo7pFI>Vg$_!mCjaVI+n14*FXH%wZDOk-$)E14NXbrZH~!ozvbR4R5ST% zo3w^XFoE#f1}Iin=_;2heFfw1xCJAMUmD_rZi=UzdgzV$Sj}Hr$bXe8z(K2IS&#v6 zW{th3m2A}yoba%rUs6s5`BG`G>wT}BHW4UXf@!T@8YQ}cJcr$6aM6XHw@~z11ft1} z&`q@t-DAai%JUM?IL?~I&jJX0@CXDD?>aSTUO^FUC$l5LO#_kO0ly7bz>?R-EHul# z&rDeRu(@P*_Wb@<)G?(;iqF9Wycqn@9f6A2+c9!JtZmx%edI}?I_9O5#urV;o3%St z1TeFQhV6D-C+;S)W?7U~ij~T&3vz?Ll4_``Rec% zJ&8B%Q>0K^@N$3%WsY6IY%E)ICMI=%XOQ%n=s~SpV!8H>kFnCuNyk$BdAHlKPEuQf zf25bmFpL2pa0OlY#b{D@#NMIP12z^7^DWzU%dl*UgaD-GH_BiFOh&kYnUfXa#-^~K z$W_zPJ3}c}6if6tofomM!h{!*x$Z1naDh7X6I;Zz}y}kS@Zm)!~G)PF* z_;uO`yC@e-yB5l0rfCl!Ym4KC-uAq5N;n949E-*|Yfc7b4^|A6dM-SQ# zO2v=0|D;FGTPsW?Td4=wx_P;}`moZS0kLxp*QG()oQgK?UEQrB!}nj&bBekt z%#Zdo!X+$GuBQl@zi^R~Rc_zvGfooqh5a*z8qbpVV1Mu%mxBj`nBT8x{dK_?Z|+Hg zQ-4v}j7)#+{D+b`?vNkB`m?@!Mx)^9tJNIY3#LETiC3gSyC@%?Td+|qIM1lJXQ4!K z>aYHO-|=zzhJ_E*BTAp69)9$QCP@QFhE$|?-&rQym~W_^-^;=9Zb1e*QX7t1$m zVvn`n97Oj9a_!pUEWp5_UHzXdcvH4vCvs1c?HvX>YKG?`2%13_FE_6J#4)A>)!kx9 zhBY=C%J6LC+9%wVsdQN;qrtyF#^dXrBtSY1dU-10qxLn%SX@$hQnAH`rbmy0UW{KL zFepHSp!z0YW;MEd>O+M_>k9+!X!6hr04Ljb{rmeWS@&I((5HH07mR$jUutx}OjEj( 
z5jV(qa^Qq3$BLPu3U}CRHUwd+h`kvCOzlJhcoDvlWE;6z&gR^d3ny;$da zLD=TQ5Kk>W(Gzj{l1f=(4ma;*!>g~cQ&T?UdR5mK96B)b#bd+YSkavFDpPgXTN)iv zI$%IiAO0|GXZkSU3{WmP{g=b}HJi9o<5q%9Uw3Q=C)g3XcNm&tz%!CT?MGuy5j+E{ zWk0G8;bjx;N#Cz;^6SJ05!Bs9u75geL!!YIZgpE?=kyPM?hk)yR{L&M@p6 z0=o_0J?pM1{nfkab}xjwy5~~Kcu<&Tv=+K=u9!ACZ{yThf~i_vO@~~4(<69jiT;3Z ztzqQ_dPxb)9Kp!uDR!#`UlF_rkvm5Lt4}_8VflB%p1wiq-nF z+&-22bN1PM>jOah|I2CF8l5VeZd==>J@+1$n}w%((wrVTsfzIwDSm{(t?RfYof(3c z>6CAR+hor^y%9valwt>}JR3LlyCX&C-&zSHu!g2_3aaOj@r2Ca;7m9HyzwWk9zkJGuqm?*-vq5Xby!4a`M$&hr30YX z?F4bxjOmG7)br;)Ul)WOu0>w%){Em8Kb$J{Ki7mOj@HkB5hlCwgUVStwRB(`$msn3 zW68l6_-QmuY@|h*k!h-dE>&&v=30 zIv3(Tl=pJrKH6z|rv)q59=N?as&_Po3H~a==sNM|4X=W#K*8r$N&#WvHVMQ8zDzLd zV)Dt$dm^J%7u}~piF^kD8Yp_Z&Uk|80}tRszg$ALiocA z&U(s2XW__mKc4sym@3MmQf`RaZ2ZcnKKE3-oF85QR&6*9*Yoc#x~^M{;7jY+&Nx1t z9;OP1mj0CKUwb(Wvpa1A;s-a3=aPnOem&7jJ&5aKY2kjAi{EseM4;=;;4Y}e@sWF= zA0G=hridbHd(+pd7ntI!Pli6S)3UB0XF*&6?nyx9LSypblGr5BFXg^bRHDaZeGF zKYA6I?$BJ$!L3>1>)B@=SqdDI3o3txyAWJ%X`+7$fgnGTVp-1)+LLdd#y_o80#604 zYlXS!e-r&*Hpl$YNw?FUCO!B6n`0ac3lmUA*{JK!y4vN-5Z^ntAy0%#PdCo!;3cP# ze=PC+U8O~-JElo5M!ch(!`Q83c7(#bv0mwAFrrrE5)C~5ch4R(H$BOIVbEpddh3J; zWYV{|9gznU$MoW0C(72_{L`{VHwf0)f?kIvSV!PME*{ zhd_id>2bhvo;mP@Wgu3p2Aky|)HjztWISA0VuGkm!N0#4W6x*^BIJJva$+1S*n4!) zCiO7Sgt7Qu7>7JKB)^RP#3H8x*Ka+C5rq*D8&~zJvVh1l@cY*588DzHswso`$^0{< zaeiKC>U(5clg*a4F7Y$QzIfTj!#wdNZk$~Dm((($rpWbbXsHY>Olrl~je|XOJwK=N zJSBwdWUS7&7){b$u-Of~v(u)OBQK6!AROCBQ@p+q)v&k`$%WuAmy`q^%nA*C8_Lt$ zy`sJB_R8ha=<5bQu#C;Iomk~$cR_2=p{VTaMRN^|+#-uw6KJym1SZ1#h}EA(huyCK EKU&lfD*ylh literal 0 HcmV?d00001 diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/1.png b/spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/1.png new file mode 100644 index 0000000000000000000000000000000000000000..7d473430b7bec514f7de12f5769fe7c5859e8c5d GIT binary patch literal 329 zcmeAS@N?(olHy`uVBq!ia0vp^JRr;gBp8b2n5}^nQC}X^4DKU-G|w_t}fLBA)Suv#nrW z!^h2QnY_`l!BOq-UXEX{m2up>JTQkX)2m zTvF+fTUlI^nXH#utd~++ke^qgmzgTe~DWM4ffP81J literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/2.png b/spring-cloud-vault/2.1.3.RELEASE/multi/images/callouts/2.png new file mode 100644 index 0000000000000000000000000000000000000000..5d09341b2f6d2ea2d1d5dad5d980f14b4b05dfd2 GIT binary patch literal 353 zcmeAS@N?(olHy`uVBq!ia0vp^JRr;gBp8b2n5}^nQxaY7e*=hH)_rZeB4|imU1$R#1`!P>&$poQl;nzm}mD5ZFopaX|GsS%q*{P~< z;WtmO%lhToBL0i}yfkaOt?EN=nkLNGuU`ywhI5H)L`iUdT1k0gQ7VIjhO(w-Zen_> zZ(@38a<+nro{^q~f~BRtfrY+-p+a&|W^qZSLvCepNoKNMYO!8QX+eHoiC%Jk?!;Y+ zJAlS%fsM;d&r2*R1)67JkeZlkYGj#gX_9E3W@4U_nw*@Ln38B@k(iuhnUeN2eF0kK0(Y1u|9Rc(19XFPiEBhjaDG}zd16s2gM)^$re|(qda7?? zdS-IAf{C7yo`r&?rM`iMzJZ}aa#3b+Nu@(>WpPPnvR-PjUP@^}eqM=Qa(?c_U5Yz^ z#%Y0#%S_KpEGY$=XJL?(l#*ybuErX#^g`ttQfwnX4x42*}TIo_3IbsoNRf>aVMfsJ4-Q{^hZZrE#!3~DHIyIo;*1&0#S#R8GXWt43k48;BRp7)N)S|- z1>C&kGA0Xf^G^6@Z7$n zMFutQvv~;*MUZYF%!pN!TPX!dM|v*>m&a&)K+gzU_K;pxx#tfwf0eF z{6Aql)Y@kWdT@am_mNw@Hu^kjk`}>q?S9@-*pQ9}E$|ZbpD$ zJ7Gs5k(91tmKe$sLWmTGr7Bn~6>1?^s}f2PnR1ciVOW(27K@ZZwFriDU|1uRs#UNC zk|@PmnnA4;FJg6WABDMX_@ZBe_In>oi=V-wDld*vq}M`{&czNeIY^51IYKm z+YndYXy6niGl4=H0i`alZHn}h{(U<^L zrtUaM?H&s8E4km@xW3K}2l{HU9i~Kmth`h+4sGW1O{z!=XlvpWuu5{!5G>RAz< znNpajYLE!4(n`0h>bf?klyFK~l|n4NV{c&BaNx(k-xgpQQV0LH$NLOTvccoMndX$f zkv4mGzNtl?UYK0aBDc10gsL-g8W2sRbk9iJu~UP(7WA#TNlp>SE=W|=i?ba3^wOkX zY1is%HvE3-2vCryds-HJ-mVLw$(AH}m9SyomW73XDgDUw?6|$#yv`%qJ=msel*Vsd z`|NMp%}*;W&Dk-k$XtAVYB3n>$I&|I>ii|Z5HGIbWfAoEvR_xGkdB%u^EKNNweMm8UVjt>++|OBa{aNdr zkhTeJ+;4mFaBq$c85rs58E(yMLLIwHirO}q+Sd!Qw3m#xW&y9rVdPqRh?Qi&xGn8)dVXr!%Zc z@@k>;xsr45PU?g5+RpNiKfik6%9)0JRg>pN=Rf~LS%*%J3sntBdI_ki7mrSgrY^vD z?%WakSLZVrOHS(4IhMeO)hAZ`qU!_Mp^Kl`T85(DsckjoMLA#nV=_NP72jM4aCVNw ztsXF5STjDhYhdzAZ@x-km?7(f@11e;p;vCg#|D~KgRlFCJ{iDQda7PJ;=cu2XOfG+ zz6j|L)Ul6M@PT)tsq8TVCL=<&YucZ z==FL-9C+!x)fov8UwpRWZ~rLo*Uiivij0;`w-$cGJaBl_kilhr-Kmeg`K_}1x&xj} zBcQKVN-2MA=?_2j&!&wDd> zw}p{f$TVAeLb2U>0f{&UE>x@@VD|&aWW35hWduOkAqaC|ZvHiolKf1HK zzu)h>-_Pg!p50|ED_WP3lt81=*6DR>6SZ!PJ@IkW`;%iIE>KG%sj-n}UjrG&0ywSE 
z>8r;9y%%f5O*rOkZN7-hX|y<(+hQYahEmkw^YXEn4nN}cQ)n7Zo*(gJ4i8QO^?0M3 zP=NP-H46f6rvj{$7$AdRg}dCkwg7H!E3-J-JPw%?%+CYl5tJhE;v@z{yiG(9jVQp! zyePGgi3K3=ScUW`z$Z@G3`RiZ3*dl+FXA~M7zPl84~r!T0&@W&1PcWabt61jj7ktx zm;*e$K+0Oc*?^kV+NZXtlLB;+q#qRs!r?GKEaLkDjRIIElf^iMLLQ~T3$_v@7U2;= z#tMTP4>|&FKk4=nK#UQq_qC7;kn;3N2wuOz@Qj!UK1~#rGC>6M3t&DZ@Ooo$J=PAA zCj7r{JXbqtY4zg*6CU)n1RPX78W<~JDtF&)D5gkxgKi4AsiI&_YM-OUixZ??tpKSn ze5c!qLLw=Z#T+q|BZLqs3`%u1gPQQ^_OJRXsZqwOD&qLO2*a!%fyU`U&AilhSE!u zf#RfW8Nca8?LYcmzi;^J0$aTLuk(_I7B(1E%i{iHi|z|Ja9*KR}4%unPJ zFw4TowlS1#GO3H7Q31*c7>im^52SWUc{QwoqtQYKQqqoI_}z^Db(y?bEU3*;g(Uk< zbhQt9Q;Rl4_Xd*GuUR{_5VHeEE0C#yNL!dhWt>(;lnbF3j@_RUxGA zhlU&%fA8^*!l1Y?gk+ci-WE<{Z}q7&M>qEshlgBmoET)9!8{*KHv&6`TU&?mta6qd z7iwD&9iFFcM~&TiU^y@_(iItM%&Y+Q4fzTJHodO2br<#Qk8o=Fh6?xiG;t(<^tVlGN*YwHYbN*+ux#qerwpu9`;s z-h^IVXo>ux{&d`$r9Z!%mi_6zmY=<_(Aa4VWq+kPR9x~xOWlpzJxnYGn>;_NtFFtp z54GGsQk4p=t-Lq$;+whBb8|*17xjJKQ38{*G>h8VSmBGr5-Z@b}+_3*Xjg7`HBiDzyy{&6?adFeNk#BLg0d5b-3 z9p!F+xWNDCwRfkhhF=kO!^16Ky!0x2slrhor)q_mdPk(;+PiMET zz5h+ansg!r=$v-@J7+7{oa2j2pl#+KRU%es&<_a|W z!QKDvpGsto{Bi1?F{rbP{YmvHRmJgSd->g=lhdE>DT$9i&DZ~hSKGgD<3Nr~x0crR x@l@~8v%fudb7|Fs)}6WGzYSl#_Wjpr@eu7sVJhKCFm=a%+M#HR literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/images/logo.png b/spring-cloud-vault/2.1.3.RELEASE/multi/images/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..ade2ce6ed9d9e9f2f4d9c5729a252ee618a0a5a7 GIT binary patch literal 4387 zcmV+;5!~*HP){P%3MJaDx_;_%u2|NZg!>}aqze!Nxc^y8Ao zaMb9>c)3l4zg^w!(u~7spv{7=)Rn#5sM+hyw%MSF!DHa>*1_JcqtAwz$$7Kao2k-{ z$Ktlp=fbSilJ55Bz}~Eo#%^5i?uh^Z5MW6}K~#90-Cc>2qDT-G%qj|s`%n~65K#I5 zADlwl_5$Q6z@8Veu^l@*Ej;tC%&f&?en^rmW8G4Bfs-$nj#hCGIahUzrMVw+I%xQ$E)R)G83X}t`1ui)Ke0b?i}V~=x;*#OP5^AJ z_OVA5<-$S(*dHs3nS@MY=6>c;q3@Q*^@Wc{Iv$8o7%%=lu>Mmu!n-W>7#}U^c;JPI zcIceuet!P2`VsO2g}6x=;JIIdC*&i)%=!Asvn$`C@XK&1|;bH5D_ z=zH7c!N>)KddJ;g59siDEplU|gd&)!`j@>B<Ren; zZ&4m;WDi^gpt1Gv2zv@ph@g01qCEH@j_rY~NI}KjsHjX%MJEA4+|NkF9jCN)QIRhc zFaLQ2c|!z};lxO_~%A+Qex!?*?#BCYPpKKPI zY^8;41BlDH8Ck6C87V0(Eh9w^6@ery;@8d~7@N5%3D&bI&W)5%c0@q##k7>lV_Tmd zdSptXnJFnrN!I{yxMakbDUX|fdg@WJnp;XPU|!EiuDPM4^)e9poGEjf}cm) zQ6T<|r>a)+C6s`;zm+8Q0)h9IA5I2+zPRKWK##xWH90f{l+8s6PUi_;-+}yxY%qW_ zpq+;jDIBj9-3_RCtVLQ8Qlfc6S#9Zl2_?oe1NdkN)R~2omG>pa#E4!j>XLcm?Homv z)0|1pBko@KhMk9$WCm|6Z@xrINc5&Ax^KW7RoSKZ9md31ze)+imI%u9;l1k3P*$se zQB*}|EF)AlQ+s3l9q}umq*6uHfSQl>hxm| zpk$MFHQ|Ize3VlGK<4Y2*By?DAfD8q1chgsqJWf%4u>l#5$sjHAe?MN@FtB=By8>S z{l+gMS0M8kTOy{7HgpDqa)qoeLq8Iyrv*^7Z*ILgv-I>lSDU1yE;shXv=}u0Bm)79 zpZqyHmaO~`DU)SCU_|?m=93u|FsC%Kn)W)5C8=35QKN++ZrT`%n7|YUMOK|G+@yYz zBsTlUk2m2t-|0W}=uS+>_s~eOomO9eNP&(Tp=ivSZj!ZUx>Nu{loG^10u@~^veRv# zmx6;={>X(lfGBI}VRIH%reoDmG+ED&YsLnu8aM$(K>}kY*{WC@uUGg=h+u|R+ppeQ z8xW0SWbtX~n<7Qc(HS71?mA?&;Jqh|!U`bj9XbqsX$b*$gdCZ6vtd|FipbjbhVnr?e>-4~RyzvF<<-Qs^Xc&1 zMG?)OVl#yvh7FZ<%SeB(RSHMUeR^N=4zyT3l&pu{5o$u;~6g>~~oHNaYV8U>0d+O}rOK%P62>-NULqj@}>^cx{|H`VfP%0dmMM*p1WF zX&7F-oZ#fP%2l0M2J7v2y}j5tt-lDZ!(fW)xl~mt!6pa@qT{k(8D&?Dpg3SeTXh;6 zf~))sUYGV!>A5Fl6kB4L;Y5ruG0!VLN%ntyh9Y>!uB?pF4UL3&H(8sVe5^8A((%`i zD&TE8X^@_Brv#AKv}u7iEW65RY1@Y9KX&$iMCPdhIRDn!vkbDmh(BgVGz>E6X3ukb#p2Dx>^YuoxqN> z&w=TuA#hCAbp}GWYhDjUwWLTfU(G?$^s~;HSU;+R{kpFly^j3+BInx<4KBB1x7JYC 
zq<$);o)bY?S3fKEx%TA&oqlzKyfMhJHsEOBM5vkH=RD7cW|-B?MI_cw{^7Xc1(m9~ zY|dhW*3%mkt3V{KH|x!_zDoEW{pMW71nBgGRd{1G_98WN0`zS#8>d{w#F$=l%EOAr z%><3QQ|3Oe&L`j+o50)eA0I5EhsJJ-CL4Pp#eODK+j12X5>7tPtJ_F0{3hxA#EBq0 z_hMK!&xF{BCJ#;IRAJKJXvA>xffF#F;@O-dBTNdzspmqpEd}QO8>RCjCxVhZ$Qj=7 zR2}p-3O+iPEC&Ddv3l{56Y;_KSR8ur?jWOew%1`587vFmG)reqt>6);xJOkEPixX_ z{l|b+7-b^&p<-59Q+mbk>LvNW)xz2n&o^6%Q5kc+;MAgscwhSWS<|`zCf*UJUuqoa z<7}JNrV&lKxd)Z!9Qg;2$Q}52x!URT=8B-r)87O|Tk=#LvYxcMhJRYjK97YiKRx*c za9yp+cXdp@JVJ%MGumF%FB?1~_+WQq&dK-ySxOAxpFeD-@#iG-6;v%XIA>!=<*f?Urxr1Pj(NRcREqRRHswF zk;j>n(Teu^{w^dPDOsf5TChaEoY0ZZ0HxLA&?f3eiMsB1rnlg`>2#dD*!qoJFO-O# zDCrWg{cyrF-w{wT!XcoZ6_49SkbCa*A$sQp;){qYC;S(1O3w3cji$AzmFPZyvq-oR zB9zXUx8vCzP2=&Mkk|15Nsl{s2rN>b28Gv_ksGXo2Tx7|t-BV%^X`)si!E0pYw*0d zkugG_qAdWw>pV~oF%cFHS5DfTwX}nDVdUvMW>VPMT=ftWp`2Rh#>gcN;X#OonH{0e zOL_oW%w@gelynN~uV8sJ*A8kU8Ggbe>ACN|&Z+?vZRYo$q3wH25x6ZH0y_Z>zGn@q z+emoZVD*LPpV4o0t@IK&<|`Sd%7^EE+hM!+peeAgujC%P7pzCGt(!;Xv%%^faBH_Ny;(iNv1s|C4 z;d>&5#%14t#C1l6)&Gr!&i#K!Jq$4oFjj-|VjfCJn`i+DF_Z1EJu49V8?S zPwDGv&2QHSrR5O5HXg{G@nB7R5}TH^g2M&sd+LD)RJXytSjbGlvUSlLCDnQI^ADq-=ja;k5rFl-Ml_z)VsGybK8TIasZnEcqLXLuyu~zChc% zL%fec%2=ejbK>iOinblMxi=_y`|4Qa38-k_yc%%b?f12SPL~o`>8RHOeg!~?yA8UI zdPCq>pyRk$361H`|12tC<~>R|`r&Ux7=3_f-}_C1MEoyptpet@ckcq;uZ91Q6(ahB zmSI_8^q;YU1bax!&jo6@9(V!xH$g$gmct4GP2JkGq7VKLLV;pn&(9s!GIhyccg;Y= zB;&be0q?i5@bi3XC zN)ZU(_2cjD^OTzYc6Aza?V^lzbs5IC=Zaqs*DUpq28#7tClK{yXb1Wwu?(E7V(JeM8)nOZvWVMX6F08ci!Lcy`N`3 zRmMkqPWG8hB9T1hF%lKAdbyuT9>n{*eLWY6#T%Du@g&n~JQuNGq$r&!4Flu`Bpp*> zh%RqUHzpvFJTmlZEv{9>@llh3hPZWTc7vHflSqO{yBR^VFdRt3()C6mdFU^lWI(SI zk~M4vs4$DM41J8lf+acP)u|5Q7d9H%x_Cd^XHyaDX=#nXqQj zt>&vFvNyJflaQQ&<7Pgco|~IX%Vp9`mUKGA-Zp( zOJtG50yzv2=0Xrx46(Qj83@V53@*$QjdQ#U%j3e3l*8gOAt(xhqztY^3`s$@h$SN! zBqG*0R&KQ7h!Mrc?dl1;Z?K%-#qz}#48ctnwaJt{-T}%C6K=9*n9P7U2?jzG2&y-_ z1)=T&y^dFcS@bqcC$pFgz^e@N_3!Y2&4rmVrc?^b{#WF$vAX{!YjnaHy1PC8t6j!L zL=U>RZ=0Vuyd59RNX(3d7!LK(`xl6rBPrw5(!bs96XC4+vN`n!pkNhnvKs;x&pmV! 
z^p5t4F5vmbc<*Tg!?VGlB>@XnzNdTWfhvE25$e1Mo;VNrFPPX7U z(3k?AET0>c;EQjdF;|7qmM;id8Z2DH;$?xdi*jLQS;UTmTiQ;84~KpVQTS}!1G7>???1T1M8Y2Y^v{gyWH4>vrEALt zW@fUDlD9Q{=doHaIiz}LsVtu#Tf|>gNSPn)uUj7xxbS*QsNLaH+;@qq1yM5)eX8Xer{FRzM~ z7xK|ff|w#cs13!6!+4oAeiqo&#|^o&-HT^JJ+1KLT73G&i2y$6Z`@c^KzV`9OsHC8!WcLRbRl_HObYx+233S$HvBP zx5xC8NE3$Tk|?#kKW%jS#1E2l4~Dm9y?iNEMtGE`{31iwDR0{;frQ`P~3kjC$lu_eqZs}wAR(baf^>n-dr`hd)oUmm$gnF zbD^_eYPM#zynGxf-a!tS6u8|n_+WHspz~^faii1kX{e03c}{&}W2fu+^!IEjlU-

MvJZJ$)LTqJA+@mbLxmkyPc#tU=W5xPJ%q2sZXv`v(Ui?>!8Tjh_mSOc$O+ zW<-$ZjJfV@LAsB%Biz5w(;fXV?CW1TB9(ujH2(XqZD*&_2O2L-EZJ~mTUSoq*g)q^ zQ!j3qa>DzQ*dH!xN(0O3n$-7HmkYk_eQXG-gI*K|{dncP!DXswNa?P_Z}nzo#*v#J zQ5S9ROsaZ%ZqC6y?VF!Q1^;o|wu*kH=E=`8B``9)uFtN|s?>Xw*7?*`wfqP}<_A~q zd8VVPq*k-7ZPhbSEogsT%F|x0xuT7xdRv7>Rev?4wv{qrDN}+xS$8V5!!ga&#Y1*BgqL?&c}jPc zG_JlfMSD5I%DQQcHXTbGWQtKpeL6yAB|UI5CQ=~#`}=c}Um;E%R)9u^qI0>&GHQ-g zOm;DCkym+{WF$}@UWrV1mtnTPtu!WtY$r7BOpo|N_#mqWGhK#KR0MD7eW*yPaY&xBTRfcG-E5p&`2dq z875XFdy+3GStd(wD_Mg`dys8Xd_houJju_&*4)mZt2Tk1H)DTRJY^_lf>>*ZU2Th5 zWQ3Ly{;kf91GM2s4Vfv8a-fcsXpb+4t> zmM%11X*>M&PQZNVdARf4d*2x!aq1>jOzQ?>>R)(Ok;sOJ)7jfk$Fdif23? z-}3V78&9qod*O;uGk%fEW^;|k`Lo>bOq2iF72o-IGb2gTw+4B~#iYz(oL}sS7|$R2 zDGfrR{|@~AQJ&v(#4u|ZtJP}t520N48P!$8U;|Vfuq=8>E$w`o2Jf`%eqhqbr%IH1zV?O3uDWqKZId-wMQ*MFefpD5X*w@ zok{kNA?%%$F{M!OUcE^^x{~(wkHK|_*9Yg`KNS88FaVH_sda1Xfs6nE002ovPDHLk FV1jwin)(0$ literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/images/warning.png b/spring-cloud-vault/2.1.3.RELEASE/multi/images/warning.png new file mode 100644 index 0000000000000000000000000000000000000000..0d5b5244605adbb7ab05a1549746a9c35490f95b GIT binary patch literal 2130 zcmbVNYg7|w8V(4q($)50y>JmGlLW#g$xLn}Vd2Si)}#|ptPAQp3Bp-3!-lL0;i^LY?;i#f0m5s49g z3h?3rDQg~EDPlm?FKkgKIcWEK-3X6YU0uzs7H|nq84s39r2!5;pF?SI$QqXy^Ko1x zV~zpENvp@<_Bsd`5MabC#3rvCq&$5dg43yGR zAdy0-rWjC#a1N_+kzUMY#pmogD7!DP(9dEKr3c5ngvUq_6>}Y+w-a81v=eSXnIi_+ zI?U>D1q2C!0zHox#XXKH+@|&rPT*OF5yvY$5J|)WwLqnU)c-5;=UChSlQkaY3@^|g z|J5#YBB}=i+n3Ex9bS$P?xJSKLk)-HHII@;3qG#TG^!+aj>0QkO~7kB0+|yM;YrGB zF>Ge@isQ#73%Tp#k_(tInh3U$uJWY-+DND*o}L-CB5g@#9YWWw~pxZ!Obm>yN#ZHFvL0zA3vNCTJ=t?)~`2O1M{L6un=ml<2x zQEYfifmA?Pz0tqRs^2Utt1pU0BQB1eIY0U_I}c1Y#PP7Ci5s7#IJn}xK{G+{_v^Z+1V#$Erodv>d}ew>RP0wzw+GWkGCBlS1Oj5Z!5NK zUuSR6>pa}RSEZ;qE_w1l#`hQX4E67U6NeP zHZ`T&wj0_H)t|Y1thUqnhub?%e)Y07;a^Tq%FO&iQkR&`qG!dh*2WfW(HuRQj*_DI zeCD1bUA|tMwjOb8E|FRIn$pzEU!2j_N}1Z2ig)vbr5xA0rjC70cmI6*%Uf->hWzaZ z{33HABO5q)vRhzDly2l691@+q3O{}NbSzx+I*k@|L4&3leK#$>u+T#TvTELfKb|IH zc23atf3vmfCa0&TWY@iuoA_Pm<0~ttEC*ut`isb^jXS>X^Sp=l?RXN_OJ*&usGXg$ zTlTv;Ch^vhLDf&+62jl64*&D+=+`sN_dap_1W%p|KQVYIdgPL5uRE9(c4On)DXndL zLNq?%!-u*zmMxyYc4m4Nr>>=A=s}PkJkqr&E^b9>5g+}c1%X}3|WKcg&spcJQ)05zI<<5LTBhNKRg$XRTi2{j)yl_ zj4~kKOvr+m(;vw~9zVh(zC-y9jqQnguz5r7FRq^MyKuXAENp(TAzUVtg&Ts+B_s7) zGn+fN0sG>9GjsPLKTRrvCd`71IZulJ1_1jO9KWbD&_@2UC+LTNpxxrdz#E|j|2nA9 zzB!UTyfAEJ&#%$pQ>QX#8vk@_a5iqukMF;8`wRKe{BI}5$H%OROs4J1#j)|?p|YSh z_SpR^e`VE#F52;WL{!+L(yZLRh40*KS;@box;9(-tE)`mcVp27O*>Z{_Lb*5T3cJA yr~0nPHtg2+UHi&&$8ha;`+hiaUmw&!n@8(?5PqF(KE5>Ym)EG)p&uyBP5%a8^# + + 2. Client Side Usage

2. Client Side Usage

To use these features in an application, just build it as a Spring +Boot application that depends on spring-cloud-vault-config (e.g. see +the test cases). Example Maven configuration:

Example 2.1. pom.xml

<parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>2.0.0.RELEASE</version>
+    <relativePath /> <!-- lookup parent from repository -->
+</parent>
+
+<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-starter-vault-config</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+    <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-test</artifactId>
+        <scope>test</scope>
+    </dependency>
+</dependencies>
+
+<build>
+    <plugins>
+        <plugin>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-maven-plugin</artifactId>
+        </plugin>
+    </plugins>
+</build>
+
+<!-- repositories also needed for snapshots and milestones -->

Then you can create a standard Spring Boot application, like this simple HTTP server:

@SpringBootApplication
+@RestController
+public class Application {
+
+    @RequestMapping("/")
+    public String home() {
+        return "Hello World!";
+    }
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+}

When it runs it will pick up the external configuration from the +default local Vault server on port 8200 if it is running. To modify +the startup behavior you can change the location of the Vault server +using bootstrap.properties (like application.properties but for +the bootstrap phase of an application context), e.g.

Example 2.2. bootstrap.yml

spring.cloud.vault:
+    host: localhost
+    port: 8200
+    scheme: https
+    uri: https://localhost:8200
+    connection-timeout: 5000
+    read-timeout: 15000
+    config:
+        order: -10

  • host sets the hostname of the Vault host. The host name will be used +for SSL certificate validation
  • port sets the Vault port
  • scheme setting the scheme to http will use plain HTTP. +Supported schemes are http and https.
  • uri configure the Vault endpoint with an URI. Takes precedence over host/port/scheme configuration
  • connection-timeout sets the connection timeout in milliseconds
  • read-timeout sets the read timeout in milliseconds
  • config.order sets the order for the property source

Enabling further integrations requires additional dependencies and +configuration. Depending on how you have set up Vault you might need +additional configuration like +SSL and +authentication.

If the application imports the spring-boot-starter-actuator project, the +status of the vault server will be available via the /health endpoint.

The vault health indicator can be enabled or disabled through the property management.health.vault.enabled (default to true).

2.1 Authentication

Vault requires an authentication mechanism to authorize client requests.

Spring Cloud Vault supports multiple authentication mechanisms to authenticate applications with Vault.

For a quickstart, use the root token printed by the Vault initialization.

Example 2.3. bootstrap.yml

spring.cloud.vault:
+    token: 19aefa97-cccc-bbbb-aaaa-225940e63d76

[Warning]Warning

Consider carefully your security requirements. Static token authentication is fine if you want quickly get started with Vault, but a static token is not protected any further. Any disclosure to unintended parties allows Vault use with the associated token roles.

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi__quick_start.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi__quick_start.html
new file mode 100644
index 00000000..e967cdc6
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi__quick_start.html
@@ -0,0 +1,37 @@
+ + + 1. Quick Start

1. Quick Start

Prerequisites

To get started with Vault and this guide you need a +*NIX-like operating systems that provides:

  • wget, openssl and unzip
  • at least Java 7 and a properly configured JAVA_HOME environment variable

Install Vault

$ src/test/bash/install_vault.sh

Create SSL certificates for Vault

$ src/test/bash/create_certificates.sh
[Note]Note

create_certificates.sh creates certificates in work/ca and a JKS truststore work/keystore.jks. If you want to run Spring Cloud Vault using this quickstart guide you need to configure the truststore the spring.cloud.vault.ssl.trust-store property to file:work/keystore.jks.

Start Vault server

$ src/test/bash/local_run_vault.sh

Vault is started listening on 0.0.0.0:8200 using the inmem storage and +https. +Vault is sealed and not initialized when starting up.

[Note]Note

If you want to run tests, leave Vault uninitialized. The tests will +initialize Vault and create a root token 00000000-0000-0000-0000-000000000000.

If you want to use Vault for your application or give it a try then you need to initialize it first.

$ export VAULT_ADDR="https://localhost:8200"
+$ export VAULT_SKIP_VERIFY=true # Don't do this for production
+$ vault init

You should see something like:

Key 1: 7149c6a2e16b8833f6eb1e76df03e47f6113a3288b3093faf5033d44f0e70fe701
+Key 2: 901c534c7988c18c20435a85213c683bdcf0efcd82e38e2893779f152978c18c02
+Key 3: 03ff3948575b1165a20c20ee7c3e6edf04f4cdbe0e82dbff5be49c63f98bc03a03
+Key 4: 216ae5cc3ddaf93ceb8e1d15bb9fc3176653f5b738f5f3d1ee00cd7dccbe926e04
+Key 5: b2898fc8130929d569c1677ee69dc5f3be57d7c4b494a6062693ce0b1c4d93d805
+Initial Root Token: 19aefa97-cccc-bbbb-aaaa-225940e63d76
+
+Vault initialized with 5 keys and a key threshold of 3. Please
+securely distribute the above keys. When the Vault is re-sealed,
+restarted, or stopped, you must provide at least 3 of these keys
+to unseal it again.
+
+Vault does not store the master key. Without at least 3 keys,
+your Vault will remain permanently sealed.

Vault will initialize and return a set of unsealing keys and the root token. +Pick 3 keys and unseal Vault. Store the Vault token in the VAULT_TOKEN + environment variable.

$ vault unseal (Key 1)
+$ vault unseal (Key 2)
+$ vault unseal (Key 3)
+$ export VAULT_TOKEN=(Root token)
+# Required to run Spring Cloud Vault tests after manual initialization
+$ vault token-create -id="00000000-0000-0000-0000-000000000000" -policy="root"

Spring Cloud Vault accesses different resources. By default, the secret +backend is enabled which accesses secret config settings via JSON endpoints.

The HTTP service has resources in the form:

/secret/{application}/{profile}
+/secret/{application}
+/secret/{defaultContext}/{profile}
+/secret/{defaultContext}

where the "application" is injected as the spring.application.name in the +SpringApplication (i.e. what is normally "application" in a regular +Spring Boot app), "profile" is an active profile (or comma-separated +list of properties). Properties retrieved from Vault will be used "as-is" +without further prefixing of the property names.

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi__service_registry_configuration.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi__service_registry_configuration.html
new file mode 100644
index 00000000..b0fb9734
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi__service_registry_configuration.html
@@ -0,0 +1,17 @@
+ + + 7. Service Registry Configuration

7. Service Registry Configuration

You can use a DiscoveryClient (such as from Spring Cloud Consul) to locate +a Vault server by setting spring.cloud.vault.discovery.enabled=true (default false). +The net result of that is that your apps need a bootstrap.yml (or an environment variable) +with the appropriate discovery configuration. +The benefit is that the Vault can change its co-ordinates, as long as the discovery service +is a fixed point. The default service id is vault but you can change that on the client with +spring.cloud.vault.discovery.serviceId.

The discovery client implementations all support some kind of metadata map +(e.g. for Eureka we have eureka.instance.metadataMap). Some additional properties of the service +may need to be configured in its service registration metadata so that clients can connect +correctly. Service registries that do not provide details about transport layer security +need to provide a scheme metadata entry to be set either to https or http. +If no scheme is configured and the service is not exposed as secure service, then +configuration defaults to spring.cloud.vault.scheme which is https when it’s not set.

spring.cloud.vault.discovery:
+    enabled: true
+    service-id: my-vault-service
\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_pr01.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_pr01.html
new file mode 100644
index 00000000..1d099ff5
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_pr01.html
@@ -0,0 +1,3 @@
+ + +

© 2016-2019 The original authors.

[Note]Note

Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically.

Spring Cloud Vault Config provides client-side support for externalized configuration in a distributed system. With HashiCorp’s Vault you have a central place to manage external secret properties for applications across all environments. Vault can manage static and dynamic secrets such as username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, MongoDB, Consul, AWS and more.

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_spring-cloud-vault.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_spring-cloud-vault.html
new file mode 100644
index 00000000..591fec23
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_spring-cloud-vault.html
@@ -0,0 +1,3 @@
+ + + Spring Cloud Vault
\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault-lease-renewal.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault-lease-renewal.html
new file mode 100644
index 00000000..7b7255f8
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault-lease-renewal.html
@@ -0,0 +1,22 @@
+ + + 10. Lease lifecycle management (renewal and revocation)

10. Lease lifecycle management (renewal and revocation)

With every secret, Vault creates a lease: +metadata containing information such as a time duration, +renewability, and more.

Vault promises that the data will be valid for the given duration, +or Time To Live (TTL). Once the lease is expired, Vault can +revoke the data, and the consumer of the secret can no longer +be certain that it is valid.

Spring Cloud Vault maintains a lease lifecycle beyond +the creation of login tokens and secrets. That said, +login tokens and secrets associated with a lease +are scheduled for renewal just before the lease expires +until terminal expiry. +Application shutdown revokes obtained login tokens and renewable +leases.

Secret service and database backends (such as MongoDB or MySQL) +usually generate a renewable lease so generated credentials will +be disabled on application shutdown.

[Note]Note

Static tokens are not renewed or revoked.

Lease renewal and revocation is enabled by default and can +be disabled by setting spring.cloud.vault.config.lifecycle.enabled +to false. This is not recommended as leases can expire and +Spring Cloud Vault cannot longer access Vault or services +using generated credentials and valid credentials remain active +after application shutdown.

spring.cloud.vault:
+    config.lifecycle.enabled: true

See also: Vault Documentation: Lease, Renew, and Revoke

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.authentication.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.authentication.html
new file mode 100644
index 00000000..0161337c
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.authentication.html
@@ -0,0 +1,199 @@
+ + + 3. Authentication methods

3. Authentication methods

Different organizations have different requirements for security +and authentication. Vault reflects that need by shipping multiple authentication +methods. Spring Cloud Vault supports token and AppId authentication.

3.1 Token authentication

Tokens are the core method for authentication within Vault. +Token authentication requires a static token to be provided using the +Bootstrap Application Context.

[Note]Note

Token authentication is the default authentication method. +If a token is disclosed an unintended party gains access to Vault and +can access secrets for the intended client.

Example 3.1. bootstrap.yml

spring.cloud.vault:
+    authentication: TOKEN
+    token: 00000000-0000-0000-0000-000000000000

  • authentication setting this value to TOKEN selects the Token +authentication method
  • token sets the static token to use

See also: Vault Documentation: Tokens

3.2 AppId authentication

Vault supports AppId +authentication that consists of two hard to guess tokens. The AppId +defaults to spring.application.name that is statically configured. +The second token is the UserId which is a part determined by the application, +usually related to the runtime environment. IP address, Mac address or a +Docker container name are good examples. Spring Cloud Vault Config supports +IP address, Mac address and static UserId’s (e.g. supplied via System properties). +The IP and Mac address are represented as Hex-encoded SHA256 hash.

IP address-based UserId’s use the local host’s IP address.

Example 3.2. bootstrap.yml using SHA256 IP-Address UserId’s

spring.cloud.vault:
+    authentication: APPID
+    app-id:
+        user-id: IP_ADDRESS

  • authentication setting this value to APPID selects the AppId +authentication method
  • app-id-path sets the path of the AppId mount to use
  • user-id sets the UserId method. Possible values are IP_ADDRESS, +MAC_ADDRESS or a class name implementing a custom AppIdUserIdMechanism

The corresponding command to generate the IP address UserId from a command line is:

$ echo -n 192.168.99.1 | sha256sum
[Note]Note

Including the line break of echo leads to a different hash value +so make sure to include the -n flag.

Mac address-based UserId’s obtain their network device from the +localhost-bound device. The configuration also allows specifying +a network-interface hint to pick the right device. The value of +network-interface is optional and can be either an interface +name or interface index (0-based).

Example 3.3. bootstrap.yml using SHA256 Mac-Address UserId’s

spring.cloud.vault:
+    authentication: APPID
+    app-id:
+        user-id: MAC_ADDRESS
+        network-interface: eth0

  • network-interface sets network interface to obtain the physical address

The corresponding command to generate the IP address UserId from a command line is:

$ echo -n 0AFEDE1234AC | sha256sum
[Note]Note

The Mac address is specified uppercase and without colons. +Including the line break of echo leads to a different hash value +so make sure to include the -n flag.

3.2.1 Custom UserId

The UserId generation is an open mechanism. You can set +spring.cloud.vault.app-id.user-id to any string and the configured +value will be used as static UserId.

A more advanced approach lets you set spring.cloud.vault.app-id.user-id to a +classname. This class must be on your classpath and must implement +the org.springframework.cloud.vault.AppIdUserIdMechanism interface +and the createUserId method. Spring Cloud Vault will obtain the UserId +by calling createUserId each time it authenticates using AppId to +obtain a token.

Example 3.4. bootstrap.yml

spring.cloud.vault:
+    authentication: APPID
+    app-id:
+        user-id: com.examlple.MyUserIdMechanism

Example 3.5. MyUserIdMechanism.java

public class MyUserIdMechanism implements AppIdUserIdMechanism {
+
+  @Override
+  public String createUserId() {
+    String userId = ...
+    return userId;
+  }
+}

See also: Vault Documentation: Using the App ID auth backend

3.3 AppRole authentication

AppRole is intended for machine +authentication, like the deprecated (since Vault 0.6.1) Section 3.2, “AppId authentication”. +AppRole authentication consists of two hard to guess (secret) tokens: RoleId and SecretId.

Spring Vault supports various AppRole scenarios (push/pull mode and wrapped).

RoleId and optionally SecretId must be provided by configuration, +Spring Vault will not look up these or create a custom SecretId.

Example 3.6. bootstrap.yml with AppRole authentication properties

spring.cloud.vault:
+    authentication: APPROLE
+    app-role:
+        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52

The following scenarios are supported along the required configuration details:

Table 3.1. Configuration

Method

RoleId

SecretId

RoleName

Token

Provided RoleId/SecretId

Provided

Provided

  

Provided RoleId without SecretId

Provided

   

Provided RoleId, Pull SecretId

Provided

Provided

Provided

Provided

Pull RoleId, provided SecretId

 

Provided

Provided

Provided

Full Pull Mode

  

Provided

Provided

Wrapped

   

Provided

Wrapped RoleId, provided SecretId

Provided

  

Provided

Provided RoleId, wrapped SecretId

 

Provided

 

Provided


Table 3.2. Pull/Push/Wrapped Matrix

RoleId

SecretId

Supported

Provided

Provided

Provided

Pull

Provided

Wrapped

Provided

Absent

Pull

Provided

Pull

Pull

Pull

Wrapped

Pull

Absent

Wrapped

Provided

Wrapped

Pull

Wrapped

Wrapped

Wrapped

Absent


[Note]Note

You can use still all combinations of push/pull/wrapped modes by providing a configured AppRoleAuthentication bean within the bootstrap context. Spring Cloud Vault cannot derive all possible AppRole combinations from the configuration properties.

[Important]Important

AppRole authentication is limited to simple pull mode using reactive infrastructure. Full pull mode is not yet supported. Using Spring Cloud Vault with the Spring WebFlux stack enables Vault’s reactive auto-configuration which can be disabled by setting spring.cloud.vault.reactive.enabled=false.

Example 3.7. bootstrap.yml with all AppRole authentication properties

spring.cloud.vault:
+    authentication: APPROLE
+    app-role:
+        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
+        secret-id: 1696536f-1976-73b1-b241-0b4213908d39
+        role: my-role
+        app-role-path: approle

  • role-id sets the RoleId.
  • secret-id sets the SecretId. SecretId can be omitted if AppRole is configured without requiring SecretId (See bind_secret_id).
  • role: sets the AppRole name for pull mode.
  • app-role-path sets the path of the approle authentication mount to use.

See also: Vault Documentation: Using the AppRole auth backend

3.4 AWS-EC2 authentication

The aws-ec2 +auth backend provides a secure introduction mechanism +for AWS EC2 instances, allowing automated retrieval of a Vault +token. Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats AWS as a Trusted Third Party and uses the +cryptographically signed dynamic metadata information that uniquely +represents each EC2 instance.

Example 3.8. bootstrap.yml using AWS-EC2 Authentication

spring.cloud.vault:
+    authentication: AWS_EC2

AWS-EC2 authentication enables nonce by default to follow +the Trust On First Use (TOFU) principle. Any unintended party that +gains access to the PKCS#7 identity metadata can authenticate +against Vault.

During the first login, Spring Cloud Vault generates a nonce +that is stored in the auth backend aside the instance Id. +Re-authentication requires the same nonce to be sent. Any other +party does not have the nonce and can raise an alert in Vault for +further investigation.

The nonce is kept in memory and is lost during application restart. +You can configure a static nonce with spring.cloud.vault.aws-ec2.nonce.

AWS-EC2 authentication roles are optional and default to the AMI. +You can configure the authentication role by setting the +spring.cloud.vault.aws-ec2.role property.

Example 3.9. bootstrap.yml with configured role

spring.cloud.vault:
+    authentication: AWS_EC2
+    aws-ec2:
+        role: application-server

Example 3.10. bootstrap.yml with all AWS EC2 authentication properties

spring.cloud.vault:
+    authentication: AWS_EC2
+    aws-ec2:
+        role: application-server
+        aws-ec2-path: aws-ec2
+        identity-document: http://...
+        nonce: my-static-nonce

  • authentication setting this value to AWS_EC2 selects the AWS EC2 +authentication method
  • role sets the name of the role against which the login is being attempted.
  • aws-ec2-path sets the path of the AWS EC2 mount to use
  • identity-document sets URL of the PKCS#7 AWS EC2 identity document
  • nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation

See also: Vault Documentation: Using the aws auth backend

3.5 AWS-IAM authentication

The aws backend provides a secure +authentication mechanism for AWS IAM roles, allowing the automatic authentication with +vault based on the current IAM role of the running application. + Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats AWS as a Trusted Third Party and uses the +4 pieces of information signed by the caller with their IAM credentials + to verify that the caller is indeed using that IAM role.

The current IAM role the application is running in is automatically calculated. +If you are running your application on AWS ECS then the application +will use the IAM role assigned to the ECS task of the running container. +If you are running your application naked on top of an EC2 instance then +the IAM role used will be the one assigned to the EC2 instance.

When using the AWS-IAM authentication you must create a role in Vault +and assign it to your IAM role. An empty role defaults to +the friendly name the current IAM role.

Example 3.11. bootstrap.yml with required AWS-IAM Authentication properties

spring.cloud.vault:
+    authentication: AWS_IAM

Example 3.12. bootstrap.yml with all AWS-IAM Authentication properties

spring.cloud.vault:
+    authentication: AWS_IAM
+    aws-iam:
+        role: my-dev-role
+        aws-path: aws
+        server-id: some.server.name

  • role sets the name of the role against which the login is being attempted. This should be bound to your IAM role. If one is not supplied then the friendly name of the current IAM user will be used as the vault role.
  • aws-path sets the path of the AWS mount to use
  • server-id sets the value to use for the X-Vault-AWS-IAM-Server-ID header preventing certain types of replay attacks.

AWS-IAM requires the AWS Java SDK dependency (com.amazonaws:aws-java-sdk-core) +as the authentication implementation uses AWS SDK types for credentials and request signing.

See also: Vault Documentation: Using the aws auth backend

3.6 Azure MSI authentication

The azure +auth backend provides a secure introduction mechanism +for Azure VM instances, allowing automated retrieval of a Vault +token. Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats Azure as a Trusted Third Party and uses the +managed service identity and instance metadata information that can be +bound to a VM instance.

Example 3.13. bootstrap.yml with required Azure Authentication properties

spring.cloud.vault:
+    authentication: AZURE_MSI
+    azure-msi:
+        role: my-dev-role

Example 3.14. bootstrap.yml with all Azure Authentication properties

spring.cloud.vault:
+    authentication: AZURE_MSI
+    azure-msi:
+        role: my-dev-role
+        azure-path: aws

  • role sets the name of the role against which the login is being attempted.
  • azure-path sets the path of the Azure mount to use

Azure MSI authentication fetches environmental details about the virtual machine +(subscription Id, resource group, VM name) from the instance metadata service.

See also: Vault Documentation: Using the azure auth backend

3.7 TLS certificate authentication

The cert auth backend allows authentication using SSL/TLS client +certificates that are either signed by a CA or self-signed.

To enable cert authentication you need to:

  1. Use SSL, see Chapter 9, Vault Client SSL configuration
  2. Configure a Java Keystore that contains the client +certificate and the private key
  3. Set the spring.cloud.vault.authentication to CERT

Example 3.15. bootstrap.yml

spring.cloud.vault:
+    authentication: CERT
+    ssl:
+        key-store: classpath:keystore.jks
+        key-store-password: changeit
+        cert-auth-path: cert

See also: Vault Documentation: Using the Cert auth backend

3.8 Cubbyhole authentication

Cubbyhole authentication uses Vault primitives to provide a secured authentication +workflow. Cubbyhole authentication uses tokens as primary login method. +An ephemeral token is used to obtain a second, login VaultToken from Vault’s +Cubbyhole secret backend. The login token is usually longer-lived and used to +interact with Vault. The login token will be retrieved from a wrapped +response stored at /cubbyhole/response.

Creating a wrapped token

[Note]Note

Response Wrapping for token creation requires Vault 0.6.0 or higher.

Example 3.16. Creating and storing tokens

$ vault token-create -wrap-ttl="10m"
+Key                            Value
+---                            -----
+wrapping_token:                397ccb93-ff6c-b17b-9389-380b01ca2645
+wrapping_token_ttl:            0h10m0s
+wrapping_token_creation_time:  2016-09-18 20:29:48.652957077 +0200 CEST
+wrapped_accessor:              46b6aebb-187f-932a-26d7-4f3d86a68319

Example 3.17. bootstrap.yml

spring.cloud.vault:
+    authentication: CUBBYHOLE
+    token: 397ccb93-ff6c-b17b-9389-380b01ca2645

See also:

3.9 GCP-GCE authentication

The gcp +auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP GCE (Google Compute Engine) authentication creates a signature in the form of a +JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance +is obtained from the GCE metadata service using Instance identification. +This API creates a JSON Web Token that can be used to confirm the instance identity.

Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats GCP as a Trusted Third Party and uses the +cryptographically signed dynamic metadata information that uniquely +represents each GCP service account.

Example 3.18. bootstrap.yml with required GCP-GCE Authentication properties

spring.cloud.vault:
+    authentication: GCP_GCE
+    gcp-gce:
+        role: my-dev-role

Example 3.19. bootstrap.yml with all GCP-GCE Authentication properties

spring.cloud.vault:
+    authentication: GCP_GCE
+    gcp-gce:
+        gcp-path: gcp
+        role: my-dev-role
+        service-account: my-service@projectid.iam.gserviceaccount.com

  • role sets the name of the role against which the login is being attempted.
  • gcp-path sets the path of the GCP mount to use
  • service-account allows overriding the service account Id to a specific value. Defaults to the default service account.

See also:

3.10 GCP-IAM authentication

The gcp +auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT) +for a service account. A JWT for a service account is obtained by +calling GCP IAM’s projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM +and proves thereby its identity. This Vault backend treats GCP as a Trusted Third Party.

IAM credentials can be obtained from either the runtime environment +, specifically the GOOGLE_APPLICATION_CREDENTIALS +environment variable, the Google Compute metadata service, +or supplied externally as e.g. JSON or base64 encoded. +JSON is the preferred form as it carries the project id and +service account identifier required for calling projects.serviceAccounts.signJwt.

Example 3.20. bootstrap.yml with required GCP-IAM Authentication properties

spring.cloud.vault:
+    authentication: GCP_IAM
+    gcp-iam:
+        role: my-dev-role

Example 3.21. bootstrap.yml with all GCP-IAM Authentication properties

spring.cloud.vault:
+    authentication: GCP_IAM
+    gcp-iam:
+        credentials:
+            location: classpath:credentials.json
+            encoded-key: e+KApn0=
+        gcp-path: gcp
+        jwt-validity: 15m
+        project-id: my-project-id
+        role: my-dev-role
+        service-account: my-service@projectid.iam.gserviceaccount.com

  • role sets the name of the role against which the login is being attempted.
  • credentials.location path to the credentials resource that contains Google credentials in JSON format.
  • credentials.encoded-key the base64 encoded contents of an OAuth2 account private key in the JSON format.
  • gcp-path sets the path of the GCP mount to use
  • jwt-validity configures the JWT token validity. Defaults to 15 minutes.
  • project-id allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.
  • service-account allows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.

GCP IAM authentication requires the Google Cloud Java SDK dependency +(com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http) +as the authentication implementation uses Google APIs for credentials and JWT signing.

[Note]Note

Google credentials require an OAuth 2 token maintaining the token lifecycle. All API +is synchronous therefore, GcpIamAuthentication does not support AuthenticationSteps which is +required for reactive usage.

See also:

3.11 Kubernetes authentication

Kubernetes authentication mechanism (since Vault 0.8.3) allows to authenticate with Vault using a Kubernetes Service Account Token. +The authentication is role based and the role is bound to a service account name and a namespace.

A file containing a JWT token for a pod’s service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

Example 3.22. bootstrap.yml with all Kubernetes authentication properties

spring.cloud.vault:
+    authentication: KUBERNETES
+    kubernetes:
+        role: my-dev-role
+        kubernetes-path: kubernetes
+        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token

  • role sets the Role.
  • kubernetes-path sets the path of the Kubernetes mount to use.
  • service-account-token-file sets the location of the file containing the Kubernetes Service Account Token. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.

See also:

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.configurer.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.configurer.html
new file mode 100644
index 00000000..0ef48ed2
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.configurer.html
@@ -0,0 +1,22 @@
+ + + 6. Configure PropertySourceLocator behavior

6. Configure PropertySourceLocator behavior

Spring Cloud Vault uses property-based configuration to create PropertySources +for generic and discovered secret backends.

Discovered backends provide VaultSecretBackendDescriptor beans to describe the configuration +state to use secret backend as PropertySource. A SecretBackendMetadataFactory is required +to create a SecretBackendMetadata object which contains path, name and property transformation +configuration.

SecretBackendMetadata is used to back a particular PropertySource.

You can register an arbitrary number of beans implementing VaultConfigurer for customization. +Default generic and discovered backend registration is disabled if Spring Cloud Vault discovers +at least one VaultConfigurer bean. You can however enable default registration with +SecretBackendConfigurer.registerDefaultGenericSecretBackends() and SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends().

public class CustomizationBean implements VaultConfigurer {
+
+    @Override
+    public void addSecretBackends(SecretBackendConfigurer configurer) {
+
+        configurer.add("secret/my-application");
+
+        configurer.registerDefaultGenericSecretBackends(false);
+        configurer.registerDefaultDiscoveredSecretBackends(true);
+    }
+}
[Note]Note

All customization is required to happen in the bootstrap context. Add your configuration +classes to META-INF/spring.factories at org.springframework.cloud.bootstrap.BootstrapConfiguration +in your application.

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.database-backends.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.database-backends.html
new file mode 100644
index 00000000..24abe8a8
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.database-backends.html
@@ -0,0 +1,103 @@
+ + + 5. Database backends

5. Database backends

Vault supports several database secret backends to generate database +credentials dynamically based on configured roles. This means +services that need to access a database no longer need to configure +credentials: they can request them from Vault, and use Vault’s leasing +mechanism to more easily roll keys.

Spring Cloud Vault integrates with these backends:

Using a database secret backend requires to enable the +backend in the configuration and the spring-cloud-vault-config-databases +dependency.

Vault ships since 0.7.1 with a dedicated database secret backend that allows +database integration via plugins. You can use that specific backend by using the +generic database backend. Make sure to specify the appropriate +backend path, e.g. spring.cloud.vault.mysql.role.backend=database.

Example 5.1. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-databases</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

[Note]Note

Enabling multiple JDBC-compliant databases will generate credentials +and store them by default in the same property keys hence property names for +JDBC secrets need to be configured separately.

5.1 Database

Spring Cloud Vault can obtain credentials for any database listed at +https://www.vaultproject.io/api/secret/databases/index.html. +The integration can be enabled by setting +spring.cloud.vault.database.enabled=true (default false) and +providing the role name with spring.cloud.vault.database.role=….

While the database backend is a generic one, spring.cloud.vault.database +specifically targets JDBC databases. Username and password are +stored in spring.datasource.username and spring.datasource.password +so using Spring Boot will pick up the generated credentials +for your DataSource without further configuration. +You can configure the property names by setting +spring.cloud.vault.database.username-property and +spring.cloud.vault.database.password-property.

spring.cloud.vault:
+    database:
+        enabled: true
+        role: readonly
+        backend: database
+        username-property: spring.datasource.username
+        password-property: spring.datasource.password
  • enabled setting this value to true enables the Database backend config usage
  • role sets the role name of the Database role definition
  • backend sets the path of the Database mount to use
  • username-property sets the property name in which the Database username is stored
  • password-property sets the property name in which the Database password is stored

See also: Vault Documentation: Database Secrets backend

[Warning]Warning

Spring Cloud Vault does not support getting new credentials and +configuring your DataSource with them when the maximum lease time +has been reached. That is, if max_ttl of the Database role in Vault +is set to 24h that means that 24 hours after your application has +started it can no longer authenticate with the database.

5.2 Apache Cassandra

[Note]Note

The cassandra backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as cassandra.

Spring Cloud Vault can obtain credentials for Apache Cassandra. +The integration can be enabled by setting +spring.cloud.vault.cassandra.enabled=true (default false) and +providing the role name with spring.cloud.vault.cassandra.role=….

Username and password are stored in spring.data.cassandra.username +and spring.data.cassandra.password so using Spring Boot will pick +up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.cassandra.username-property and +spring.cloud.vault.cassandra.password-property.

spring.cloud.vault:
+    cassandra:
+        enabled: true
+        role: readonly
+        backend: cassandra
+        username-property: spring.data.cassandra.username
+        password-property: spring.data.cassandra.password
  • enabled setting this value to true enables the Cassandra backend config usage
  • role sets the role name of the Cassandra role definition
  • backend sets the path of the Cassandra mount to use
  • username-property sets the property name in which the Cassandra username is stored
  • password-property sets the property name in which the Cassandra password is stored

See also: Vault Documentation: Setting up Apache Cassandra with Vault

5.3 MongoDB

[Note]Note

The mongodb backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as mongodb.

Spring Cloud Vault can obtain credentials for MongoDB. +The integration can be enabled by setting +spring.cloud.vault.mongodb.enabled=true (default false) and +providing the role name with spring.cloud.vault.mongodb.role=….

Username and password are stored in spring.data.mongodb.username +and spring.data.mongodb.password so using Spring Boot will +pick up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.mongodb.username-property and +spring.cloud.vault.mongodb.password-property.

spring.cloud.vault:
+    mongodb:
+        enabled: true
+        role: readonly
+        backend: mongodb
+        username-property: spring.data.mongodb.username
+        password-property: spring.data.mongodb.password
  • enabled setting this value to true enables the MongodB backend config usage
  • role sets the role name of the MongoDB role definition
  • backend sets the path of the MongoDB mount to use
  • username-property sets the property name in which the MongoDB username is stored
  • password-property sets the property name in which the MongoDB password is stored

See also: Vault Documentation: Setting up MongoDB with Vault

5.4 MySQL

[Note]Note

The mysql backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as mysql. +Configuration for spring.cloud.vault.mysql will be removed in a future version.

Spring Cloud Vault can obtain credentials for MySQL. +The integration can be enabled by setting +spring.cloud.vault.mysql.enabled=true (default false) and +providing the role name with spring.cloud.vault.mysql.role=….

Username and password are stored in spring.datasource.username +and spring.datasource.password so using Spring Boot will +pick up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.mysql.username-property and +spring.cloud.vault.mysql.password-property.

spring.cloud.vault:
+    mysql:
+        enabled: true
+        role: readonly
+        backend: mysql
+        username-property: spring.datasource.username
+        password-property: spring.datasource.password
  • enabled setting this value to true enables the MySQL backend config usage
  • role sets the role name of the MySQL role definition
  • backend sets the path of the MySQL mount to use
  • username-property sets the property name in which the MySQL username is stored
  • password-property sets the property name in which the MySQL password is stored

See also: Vault Documentation: Setting up MySQL with Vault

5.5 PostgreSQL

[Note]Note

The postgresql backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as postgresql. +Configuration for spring.cloud.vault.postgresql will be removed in a future version.

Spring Cloud Vault can obtain credentials for PostgreSQL. +The integration can be enabled by setting +spring.cloud.vault.postgresql.enabled=true (default false) and +providing the role name with spring.cloud.vault.postgresql.role=….

Username and password are stored in spring.datasource.username +and spring.datasource.password so using Spring Boot will +pick up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.postgresql.username-property and +spring.cloud.vault.postgresql.password-property.

spring.cloud.vault:
+    postgresql:
+        enabled: true
+        role: readonly
+        backend: postgresql
+        username-property: spring.datasource.username
+        password-property: spring.datasource.password
  • enabled setting this value to true enables the PostgreSQL backend config usage
  • role sets the role name of the PostgreSQL role definition
  • backend sets the path of the PostgreSQL mount to use
  • username-property sets the property name in which the PostgreSQL username is stored
  • password-property sets the property name in which the PostgreSQL password is stored

See also: Vault Documentation: Setting up PostgreSQL with Vault

\ No newline at end of file diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.html new file mode 100644 index 00000000..e3bb03fa --- /dev/null +++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.backends.html @@ -0,0 +1,99 @@ + + + 4. Secret Backends

4. Secret Backends

4.1 Generic Backend

Spring Cloud Vault supports at the basic level the generic secret +backend. The generic secret backend allows storage of arbitrary +values as key-value store. A single context can store one or many +key-value tuples. Contexts can be organized hierarchically. +Spring Cloud Vault allows using the Application name +and a default context name (application) in combination with active +profiles.

/secret/{application}/{profile}
+/secret/{application}
+/secret/{default-context}/{profile}
+/secret/{default-context}

The application name is determined by the properties:

  • spring.cloud.vault.generic.application-name
  • spring.cloud.vault.application-name
  • spring.application.name

Secrets can be obtained from other contexts within the generic backend by adding their +paths to the application name, separated by commas. For example, given the application +name usefulapp,mysql1,projectx/aws, each of these folders will be used:

  • /secret/usefulapp
  • /secret/mysql1
  • /secret/projectx/aws

Spring Cloud Vault adds all active profiles to the list of possible context paths. +No active profiles will skip accessing contexts with a profile name.

Properties are exposed like they are stored (i.e. without additional prefixes).

spring.cloud.vault:
+    generic:
+        enabled: true
+        backend: secret
+        profile-separator: '/'
+        default-context: application
+        application-name: my-app
  • enabled setting this value to false disables the secret backend +config usage
  • backend sets the path of the secret mount to use
  • default-context sets the context name used by all applications
  • application-name overrides the application name for use in the generic backend
  • profile-separator separates the profile name from the context in +property sources with profiles
[Note]Note

The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable generic secret backend usage for non-versioned key-value backends and kv secret backend usage for versioned key-value backends.

See also: Vault Documentation: Using the KV Secrets Engine - Version 1 (generic secret backend)

4.2 Versioned Key-Value Backend

Spring Cloud Vault supports the versioned Key-Value secret +backend. The key-value backend allows storage of arbitrary +values as key-value store. A single context can store one or many +key-value tuples. Contexts can be organized hierarchically. +Spring Cloud Vault allows using the Application name +and a default context name (application) in combination with active +profiles.

/secret/{application}/{profile}
+/secret/{application}
+/secret/{default-context}/{profile}
+/secret/{default-context}

The application name is determined by the properties:

  • spring.cloud.vault.kv.application-name
  • spring.cloud.vault.application-name
  • spring.application.name

Secrets can be obtained from other contexts within the key-value backend by adding their +paths to the application name, separated by commas. For example, given the application +name usefulapp,mysql1,projectx/aws, each of these folders will be used:

  • /secret/usefulapp
  • /secret/mysql1
  • /secret/projectx/aws

Spring Cloud Vault adds all active profiles to the list of possible context paths. +No active profiles will skip accessing contexts with a profile name.

Properties are exposed like they are stored (i.e. without additional prefixes).

[Note]Note

Spring Cloud Vault adds the data/ context between the mount path and the actual context path.

spring.cloud.vault:
+    kv:
+        enabled: true
+        backend: secret
+        profile-separator: '/'
+        default-context: application
+        application-name: my-app
  • enabled setting this value to false disables the secret backend +config usage
  • backend sets the path of the secret mount to use
  • default-context sets the context name used by all applications
  • application-name overrides the application name for use in the generic backend
  • profile-separator separates the profile name from the context in +property sources with profiles
[Note]Note

The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable generic secret backend usage for non-versioned key-value backends and kv secret backend usage for versioned key-value backends.

See also: Vault Documentation: Using the KV Secrets Engine - Version 2 (versioned key-value backend)

4.3 Consul

Spring Cloud Vault can obtain credentials for HashiCorp Consul. +The Consul integration requires the spring-cloud-vault-config-consul +dependency.

Example 4.1. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-consul</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

The integration can be enabled by setting +spring.cloud.vault.consul.enabled=true (default false) and +providing the role name with spring.cloud.vault.consul.role=….

The obtained token is stored in spring.cloud.consul.token +so using Spring Cloud Consul can pick up the generated +credentials without further configuration. You can configure +the property name by setting spring.cloud.vault.consul.token-property.

spring.cloud.vault:
+    consul:
+        enabled: true
+        role: readonly
+        backend: consul
+        token-property: spring.cloud.consul.token
  • enabled setting this value to true enables the Consul backend config usage
  • role sets the role name of the Consul role definition
  • backend sets the path of the Consul mount to use
  • token-property sets the property name in which the Consul ACL token is stored

See also: Vault Documentation: Setting up Consul with Vault

4.4 RabbitMQ

Spring Cloud Vault can obtain credentials for RabbitMQ.

The RabbitMQ integration requires the spring-cloud-vault-config-rabbitmq +dependency.

Example 4.2. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-rabbitmq</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

The integration can be enabled by setting +spring.cloud.vault.rabbitmq.enabled=true (default false) +and providing the role name with spring.cloud.vault.rabbitmq.role=….

Username and password are stored in spring.rabbitmq.username +and spring.rabbitmq.password so using Spring Boot will pick up the generated +credentials without further configuration. You can configure the property names +by setting spring.cloud.vault.rabbitmq.username-property and +spring.cloud.vault.rabbitmq.password-property.

spring.cloud.vault:
+    rabbitmq:
+        enabled: true
+        role: readonly
+        backend: rabbitmq
+        username-property: spring.rabbitmq.username
+        password-property: spring.rabbitmq.password
  • enabled setting this value to true enables the RabbitMQ backend config usage
  • role sets the role name of the RabbitMQ role definition
  • backend sets the path of the RabbitMQ mount to use
  • username-property sets the property name in which the RabbitMQ username is stored
  • password-property sets the property name in which the RabbitMQ password is stored

See also: Vault Documentation: Setting up RabbitMQ with Vault

4.5 AWS

Spring Cloud Vault can obtain credentials for AWS.

The AWS integration requires the spring-cloud-vault-config-aws +dependency.

Example 4.3. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-aws</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

The integration can be enabled by setting +spring.cloud.vault.aws=true (default false) +and providing the role name with spring.cloud.vault.aws.role=….

The access key and secret key are stored in cloud.aws.credentials.accessKey +and cloud.aws.credentials.secretKey so using Spring Cloud AWS will pick up the generated +credentials without further configuration. You can configure the property names +by setting spring.cloud.vault.aws.access-key-property and +spring.cloud.vault.aws.secret-key-property.

spring.cloud.vault:
+    aws:
+        enabled: true
+        role: readonly
+        backend: aws
+        access-key-property: cloud.aws.credentials.accessKey
+        secret-key-property: cloud.aws.credentials.secretKey
  • enabled setting this value to true enables the AWS backend config usage
  • role sets the role name of the AWS role definition
  • backend sets the path of the AWS mount to use
  • access-key-property sets the property name in which the AWS access key is stored
  • secret-key-property sets the property name in which the AWS secret key is stored

See also: Vault Documentation: Setting up AWS with Vault

\ No newline at end of file diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.fail-fast.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.fail-fast.html new file mode 100644 index 00000000..6272e366 --- /dev/null +++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.fail-fast.html @@ -0,0 +1,8 @@ + + + 8. Vault Client Fail Fast

8. Vault Client Fail Fast

In some cases, it may be desirable to fail startup of a service if +it cannot connect to the Vault Server. If this is the desired +behavior, set the bootstrap configuration property +spring.cloud.vault.fail-fast=true and the client will halt with +an Exception.

spring.cloud.vault:
+    fail-fast: true
\ No newline at end of file diff --git a/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.ssl.html b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.ssl.html new file mode 100644 index 00000000..b628a1b0 --- /dev/null +++ b/spring-cloud-vault/2.1.3.RELEASE/multi/multi_vault.config.ssl.html @@ -0,0 +1,13 @@ + + + 9. Vault Client SSL configuration

9. Vault Client SSL configuration

SSL can be configured declaratively by setting various properties. +You can set either javax.net.ssl.trustStore to configure +JVM-wide SSL settings or spring.cloud.vault.ssl.trust-store +to set SSL settings only for Spring Cloud Vault Config.

spring.cloud.vault:
+    ssl:
+        trust-store: classpath:keystore.jks
+        trust-store-password: changeit
  • trust-store sets the resource for the trust-store. SSL-secured Vault +communication will validate the Vault SSL certificate with the specified +trust-store.
  • trust-store-password sets the trust-store password

Please note that configuring spring.cloud.vault.ssl.* can be only +applied when either Apache Http Components or the OkHttp client +is on your class-path.

\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/css/highlight.css b/spring-cloud-vault/2.1.3.RELEASE/single/css/highlight.css
new file mode 100644
index 00000000..3850f8b9
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/single/css/highlight.css
@@ -0,0 +1,35 @@
+/*
+ code highlight CSS resemblign the Eclipse IDE default color schema
+ @author Costin Leau
+*/
+
+.hl-keyword {
+ color: #7F0055;
+ font-weight: bold;
+}
+
+.hl-comment {
+ color: #3F5F5F;
+ font-style: italic;
+}
+
+.hl-multiline-comment {
+ color: #3F5FBF;
+ font-style: italic;
+}
+
+.hl-tag {
+ color: #3F7F7F;
+}
+
+.hl-attribute {
+ color: #7F007F;
+}
+
+.hl-value {
+ color: #2A00FF;
+}
+
+.hl-string {
+ color: #2A00FF;
+}
\ No newline at end of file
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/css/manual-multipage.css b/spring-cloud-vault/2.1.3.RELEASE/single/css/manual-multipage.css
new file mode 100644
index 00000000..b790654b
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/single/css/manual-multipage.css
@@ -0,0 +1,9 @@
+@IMPORT url("manual.css");
+
+body.firstpage {
+ background: url("../images/background.png") no-repeat center top;
+}
+
+div.part h1 {
+ border-top: none;
+}
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/css/manual-singlepage.css b/spring-cloud-vault/2.1.3.RELEASE/single/css/manual-singlepage.css
new file mode 100644
index 00000000..303192a8
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/single/css/manual-singlepage.css
@@ -0,0 +1,6 @@
+@IMPORT url("manual.css");
+
+body {
+ background: url("../images/background.png") no-repeat center top;
+}
+
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/css/manual.css b/spring-cloud-vault/2.1.3.RELEASE/single/css/manual.css
new file mode 100644
index 00000000..20cf07da
--- /dev/null
+++ b/spring-cloud-vault/2.1.3.RELEASE/single/css/manual.css
@@ -0,0 +1,342 @@ +@IMPORT url("highlight.css"); + +html { + padding: 0pt; + margin: 0pt; +} + +body { + color: #333333; + margin: 15px 30px; + font-family: Helvetica, Arial, Freesans, Clean, Sans-serif; + line-height: 1.6; + -webkit-font-smoothing: antialiased; +} + +code { + font-size: 16px; + font-family: Consolas, "Liberation Mono", Courier, monospace; +} + +:not(a) > code { + color: #6D180B; +} + +:not(pre) > code { + background-color: #F2F2F2; + border: 1px solid #CCCCCC; + border-radius: 4px; + padding: 1px 3px 0; + text-shadow: none; + white-space: nowrap; +} + +body > *:first-child { + margin-top: 0 !important; +} + +div { + margin: 0pt; +} + +hr { + border: 1px solid #CCCCCC; + background: #CCCCCC; +} + +h1, h2, h3, h4, h5, h6 { + color: #000000; + cursor: text; + font-weight: bold; + margin: 30px 0 10px; + padding: 0; +} + +h1, h2, h3 { + margin: 40px 0 10px; +} + +h1 { + margin: 70px 0 30px; + padding-top: 20px; +} + +div.part h1 { + border-top: 1px dotted #CCCCCC; +} + +h1, h1 code { + font-size: 32px; +} + +h2, h2 code { + font-size: 24px; +} + +h3, h3 code { + font-size: 20px; +} + +h4, h1 code, h5, h5 code, h6, h6 code { + font-size: 18px; +} + +div.book, div.chapter, div.appendix, div.part, div.preface { + min-width: 300px; + max-width: 1200px; + margin: 0 auto; +} + +p.releaseinfo { + font-weight: bold; + margin-bottom: 40px; + margin-top: 40px; +} + +div.authorgroup { + line-height: 1; +} + +p.copyright { + line-height: 1; + margin-bottom: -5px; +} + +.legalnotice p { + font-style: italic; + font-size: 14px; + line-height: 1; +} + +div.titlepage + p, div.titlepage + p { + margin-top: 0; +} + +pre { + line-height: 1.0; + color: black; +} + +a { + color: #4183C4; + text-decoration: none; +} + +p { + margin: 15px 0; + text-align: left; +} + +ul, ol { + padding-left: 30px; +} + +li p { + margin: 0; +} + +div.table { + margin: 1em; + padding: 0.5em; + text-align: center; +} + +div.table table, div.informaltable table { + display: table; + width: 100%; 
+} + +div.table td { + padding-left: 7px; + padding-right: 7px; +} + +.sidebar { + line-height: 1.4; + padding: 0 20px; + background-color: #F8F8F8; + border: 1px solid #CCCCCC; + border-radius: 3px 3px 3px 3px; +} + +.sidebar p.title { + color: #6D180B; +} + +pre.programlisting, pre.screen { + font-size: 15px; + padding: 6px 10px; + background-color: #F8F8F8; + border: 1px solid #CCCCCC; + border-radius: 3px 3px 3px 3px; + clear: both; + overflow: auto; + line-height: 1.4; + font-family: Consolas, "Liberation Mono", Courier, monospace; +} + +table { + border-collapse: collapse; + border-spacing: 0; + border: 1px solid #DDDDDD !important; + border-radius: 4px !important; + border-collapse: separate !important; + line-height: 1.6; +} + +table thead { + background: #F5F5F5; +} + +table tr { + border: none; + border-bottom: none; +} + +table th { + font-weight: bold; +} + +table th, table td { + border: none !important; + padding: 6px 13px; +} + +table tr:nth-child(2n) { + background-color: #F8F8F8; +} + +td p { + margin: 0 0 15px 0; +} + +div.table-contents td p { + margin: 0; +} + +div.important *, div.note *, div.tip *, div.warning *, div.navheader *, div.navfooter *, div.calloutlist * { + border: none !important; + background: none !important; + margin: 0; +} + +div.important p, div.note p, div.tip p, div.warning p { + color: #6F6F6F; + line-height: 1.6; +} + +div.important code, div.note code, div.tip code, div.warning code { + background-color: #F2F2F2 !important; + border: 1px solid #CCCCCC !important; + border-radius: 4px !important; + padding: 1px 3px 0 !important; + text-shadow: none !important; + white-space: nowrap !important; +} + +.note th, .tip th, .warning th { + display: none; +} + +.note tr:first-child td, .tip tr:first-child td, .warning tr:first-child td { + border-right: 1px solid #CCCCCC !important; + padding-top: 10px; +} + +div.calloutlist p, div.calloutlist td { + padding: 0; + margin: 0; +} + +div.calloutlist > table > tbody > tr > 
td:first-child { + padding-left: 10px; + width: 30px !important; +} + +div.important, div.note, div.tip, div.warning { + margin-left: 0px !important; + margin-right: 20px !important; + margin-top: 20px; + margin-bottom: 20px; + padding-top: 10px; + padding-bottom: 10px; +} + +div.toc { + line-height: 1.2; +} + +dl, dt { + margin-top: 1px; + margin-bottom: 0; +} + +div.toc > dl > dt { + font-size: 32px; + font-weight: bold; + margin: 30px 0 10px 0; + display: block; +} + +div.toc > dl > dd > dl > dt { + font-size: 24px; + font-weight: bold; + margin: 20px 0 10px 0; + display: block; +} + +div.toc > dl > dd > dl > dd > dl > dt { + font-weight: bold; + font-size: 20px; + margin: 10px 0 0 0; +} + +tbody.footnotes * { + border: none !important; +} + +div.footnote p { + margin: 0; + line-height: 1; +} + +div.footnote p sup { + margin-right: 6px; + vertical-align: middle; +} + +div.navheader { + border-bottom: 1px solid #CCCCCC; +} + +div.navfooter { + border-top: 1px solid #CCCCCC; +} + +.title { + margin-left: -1em; + padding-left: 1em; +} + +.title > a { + position: absolute; + visibility: hidden; + display: block; + font-size: 0.85em; + margin-top: 0.05em; + margin-left: -1em; + vertical-align: text-top; + color: black; +} + +.title > a:before { + content: "\00A7"; +} + +.title:hover > a, .title > a:hover, .title:hover > a:hover { + visibility: visible; +} + +.title:focus > a, .title > a:focus, .title:focus > a:focus { + outline: 0; +} 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/images/background.png b/spring-cloud-vault/2.1.3.RELEASE/single/images/background.png new file mode 100644 index 0000000000000000000000000000000000000000..15dca6fbe2669fae3609605e49c69cc414f1b6ed GIT binary patch literal 18255 zcmZ{Mc{tQ-|NlrKgrcaFbPBDOvWBUg7G=wtim_B8Ysgq;M%hj&Dizr#DKZMBkY&bF zQI^rsG?*CsWEtBu%$S+a=XX!f_xC*4>2RIPIp^}n{kiY^y}jPA_v?1U#_HHA$qkYS z1Y(u>@jq=52vKeDlPn+z~j!r2!xcp@J9rZ zo~ZL*W#N2~h3F^Y#kf z79Vq?HYz92POY^z60RQgu$cgc!baLFp8`pJN$ z)TpgHDYO!o(|FCbF@nU|Z4{PyQT_pWk^4ba(@3pLy~5i|7uwlU`v1B%7(o3njiTd=qKqO7b}K-at&!f*f2n8M46&RIPn?wT2jQCY?} ze6G^KcX(b!Y*uXj(zgAp+m$yS9Gsr>(+F2nC60BdVfIQ`)cSJ{^*od zepxlPa|MUm>e9Vgly6ynJN3^PvB=>&xF()rO3xDmHI z=|xsK0?M48ABv)1&|8*aUyhO2#E8jlc2-#f51xWHc^hUwi&%dc@+wWVCpXJq!}S%S zg>L#^WBV(Qw|v9bo1MW5gc=&srYW_5F+__kX%{Z>&RZmXwCdi!gd5#fJ|%lv+{G zr|b#Ts1}Bc(CPkXaIO8<1+}HlegS6DFs7U6?N~4wR!^#(;YIbqQIOqp)Y>Db6o%1i zfzY22V-EN1GJALyq?KWSwMGbU#gV_$)SLlMlxrQPHdgnC(nU9*nIG%)UtAL8sRnL zvIO*k?9`K4fpnym;50z#ebD=+rZ~#B9dpG&=ZI-%{LqY5j8ndz5Bo^s;38&v8 z8(1+}&NV9Y(=RCMwyd1YBBL1Mc{4wI?k1TngzL8oyymA8O_M2Y5c0rtPR>#ek(4}+ zvTI`PjpdGC&F~Syy8RdkeK9)AX8N#B63UrIl;U;paq7n-;aB#n!Um^KDkm6tH=B)> z;3zLTI4#Y?2aYLOw=U)%ARIOAdmMMfhQHaQE8 zl3Cp0zQYq?6o&{k_DNXPel;f2^58wLpT=YKQSuc(*4?S`z@Dr7Qgz$FS> zi@ndTb$lk)7Z!9l#jnB&dk);SrBnVL{_rebeB*2~oq^e;zWdS~RE>Hv&Z771FSI9J z`7tfJM8x*5sOXA1eyweMto(__RVTbyU+|S5HB6d4Dgb*jRGLh3<^SP_w;CaD=Airn z>}rapX06!=({QJ<^CD>ewmorplO*#Ve>)f5@p2FXtSj8Mpa#1cVXgVCAhb)&HQZgO zfVQu&2q4IMN4mO)pTC13+M#|H5NTM8&`jguD_nAjiR*oJ9i%> zS4&QN%lZcXJT1e1N=#qGK$_eAeJ=b0Pj(!BY81~$?SW<-R5^LHJW`}xjV$cQ>zZPC zKx&lIPgkaTQ)c#4Kyjmtk6@>u&~kwQ2TO1ikDO|0e%26uY|$`ZJ&_<<=Iv{O|s*<_~}Z@laTeJVr;$B<`4hA&>B z`VsH7-~=}Ol<9at3?1V^wg6RL>j^EV032~4IaYKQnNnGs;Ssey~SyhcqT&3YZz z^xJp%0v#<&D{~;^r@WJWG&QnVUIZ8B_1fEU$761g0RP4%O(ohIte>|q%@y#fVUTSp z3>LLub23p7)|oran=&|5TltRGRS5ieG(9k&xel^Z*_B-TPiOvby+_(mUYMo9snsY?Ezus;g8M8RHQ1HQKb!kSg93n1fGkNdIc0U!-ysgq$IH3AbRuiz?4Bij 
zYWh9M<02o0X@!^fPTv3#RsP8U+2+zhe+uFtd;k}gJ{B&)4M?v7*+E_8dAcPbqo_^x zN&n?q>huypF8^2I>P9V?K-3j3cj~Sg3)t*kHmSFYY^Rj0R^WO+zrdA>zb*);SAsKF zzO1Jom~o%=Ys9O930x;UXCGHc@^7Y-ti47gI|()f)IYW z$3fiwh4I*B80cG~U)9X1S;3M^9XBn)VR!|^m!=!!5StHKz1RF)YLD6rKN_34G|QL0 zKgd6Bn6djN$h3Y{Ry2=JT*nJrklI3~GExg!unzW zKobvk_}QhwMzP#-rWz$TVa+W>$uZzVkVFGW1J%yZ0pL961Ci7a9i9N!$n_#r3FezE zOHZ)9o$@3746}*BvD0BoxzP%LJr&y;LV(?#7TH?rU+$3b@WTW60#_?*alt;Tj~z%X zQF(&yC_MUY`Jp#1DJnKFXT!AI5*5$5uc-3GE^)elv9tt&zAc`sIBZVPOodOd+Z*@? zWK(gmvtB75yypEXBLYk`AId00OCj~^1m}D$m@-oSre-{&gxYjaWV+lV4QFU_5@0@j zL6R!$xqlPc&SZURe|EQNpsee&g^;WLTLuD_$RMf}-Td^i%EEfQ1WR<<(6B`%X0%ul z2`V@-^T7|#v|j+;g+5$0u0cmpTQP(T{|vS69iYie+5@#L9^B-_u+ngReT=rR1OmTL zQl6CA=9<629#ARBwi?mA;yXY#kz$+8cUQK`kG*lpP;nG|&N5M6_b)@oA1%Qv7WjPI z(SmcSv8M5!NJZY3RzQr(%zQ%MSHbTc39uFT%-D5$%?=#%HU3Q6g-;4D!R_B*qE#P$ zOXwG@E2Gnc#f_HO06T_@ab6ARqIKGm&AdvT z3b1cEJCIs&T1NEg+Vvj;j6SKtPl&WCxUEL-JF0o+tDCJt++z9Q7%)PB(W5CBK^U|N zRqFH2`*n2X%fIK0V)+?+1L*OXbc59gCH6_eqEW@lBly&2dpvos9YznAH8#^U6@ecj zZafSH-QrDi-&guLMk4iH^}N&i@R3THFYO&m=+(8l!P?3O( z$7nS)&n5?siowwtBgNueMk&~^5GWa^E4}g3$+BR@{HTzgf4TL0;guS1N3q+ar7FWg z3w2gljup*1G0`4xK{n&yaD6xzy090+eA#I4cE{r{-0U$eeiUScQuH#ch1<{XFdl4R zpx2p_M!n_(s?;bBrPz(8w6LSB;n~H@Pq3E9Y0Y>}w<*=Kvv)q+o33O#RX$$;6MU@J%jgsn+3Wf)+-J@e}gPv?Yl%+nih_ZDJ&GFhYI`V zBfZ(KtL_L zSa-p-CPLUDxbB75K&bobQ*(lvj#0mb2z?5#247Q)obHkRLp2kpS0&9p(yMOap%ZaE zQk?9m-l;O_6-rt)-{&zUNJw3@*V;G6gGj3ynuWC0_uj9DyUYD2Z8w>P91szRH!K`T zNIQhRBIun-s-wd zht_q;s;7o#I1yba`Z+|)P?~N5wBXPgr->&+uafcZwDNcUR3TYV*7MX4T!%ebJu&2a zW_$_rN<{itDR*2LY_NZ1)>u)1@~*)9n77rjc}>b)CM zGkLM}d$a^bV9cYD@m(Hr^4K?e%V&%Ae&I)O6P)CnzM1FJJe);nhhGD!j}srT){J*R z9}Y5|zj#4<8Xq6bJ|Do$Zm@e4=LT!=vrRUCoZ(!q?0#J1w!~$7*_S&=Ow;q29_h!86t*aS)z{wq?JrYAmqEIT(g0mwZS8M zX0uLjWbyN=*52U9QuB`tcKls!9PYJ08NbB&#H(JK=Jj<6=8XJM`tywQS7{f|&gQl7L0A(^LH=&ZSHuG5j z)ZCE(4MRDUVp}qmH;TsDkZ$$!&7~RELTD9P-Vit?GxI%-S)(3;shT$=$fSIn)>)!4 zRQb|6f{|e1ENJ8Y@^d$HF1lkoz4R-(Hpp$RqgpP1rTJK;xJ&!EiqksWrATQ;<3VWK z@`uOV*Cc*=9#Y(QBqKif;?F+ktQf&#X%H{6D~LZ$YIJZ|2)_`_{B_w 
zlW=%8r3Rk7q`r-WJg!2*bHW-21*m;k*{WSs9JGOV!F}Niq^*p>`d-T~-8cFX(5huU zDt!TFB_yA3qmTSt_tMw5{$X-d8nB_ik{0fy| z&jmqt(}En(b$6z!PMk^d%Gryo!u&iK4L3*i3@tl6TT8u3z1ej>dn`fCek^gXkZg)@ z-Mwn$?h*x9@yM5uP|0b!Z*M+RpORodf8g4=I(s)KI^*)6=bW)?9J7){1WK>*R_h8N z1-ILWzEzwFJ@;WD=MI1J^Bh7{VXtS<^?L~+7@4_p)lTxvqF<@*bi)C-EmH&+FMH{bU>nG@d&KSe}Jx6fi zz3>0Ql%3Z64CWeE=M@^D@!u%D9y$x{KPVg`fD(ag#HE;59$}SH((CIf{$S z90>(#8tnaQK$(McyPi6FelH)_)EKuI{y(;Mq8O6+i8}}1D}P&9(%7Ufb4(-N#Z!aj zJGT=wkNYX5B|faCP!XliZ;O7|*7z0LTPGWLs#qRX?L>W*op=jZ68-f1A8A|9DX2?z zuHrJL;ZHwz_j)adWTO{LbQh=VAke(EQ}PeOdGDkmC7AWE{t|&k&p#Y1?Ycnl960v;WRPxkOXVp{lSKXcb#XI#GK2n zC(N7fF^ErWLq8mIV&QEudgMB2=90(bXvMmblq*5xH_PGJ$xK{RGVWK`B2sT1? zCVOeBO;7p$n?Ku6UN<2m?zfEQMNFkci*&7GF%WR!2W#$tPWA?kXwoU&aeI0I;5$Xf zSy$X2Lm}cP95R3OJ-;sC;d)Ii2*Gc;+bP<7IASI^f(Y1%W1D8@7wf$E?SR#G`3d-? zD&k6TaXSN}kM@687!l{_X=h?c|92b-YG;rHxAbzD@0enk6Eq}*r)ACLuc^(rJjP^r z_>~Y<+&>fPe`X-9va9Ckj)v$r-jfZ0cWKBufJfz>NmJ>g`Hnddrp7bu=P@#T&E`^j zsX3(Y5O+qC{AGMPs^=x7P62Dz?78^_umH(weN&5}f$&*3Fyi^!Cnt=Se3WzbboBq% z0w{|OosY;Kb4tVwNhN3@YZb>A%9_ZB!|&x*_T+&M=V^pv+p2CwrDXnIC;(qaGrsXY zfjy-P>wh411asTXAXCi0XSb}OIw)gj0yo2dBlLb}VW7e6i7%x9fd@QpXM-$6 zPGEC+&%v^XbYJ~b6hYkAi36r6M1OSfiR1Q{+^V12<+=wF^1&AB!J?wmt15|>Y(MrZ z&iB&x^O@?_hL1+vaE93%EM&UbBh7v{6pe!a3%|+Mlj&Y zYu?o%IoH4%Z&>q1F;QR0z^;<1rMlWBMp@R-d!H`kEtJf2)m>w(FM0{5yfNJ4mBf7# z*4Xb1Z6dHYU>XiXiL*n_OIdv5b;0<8>56biwqN(&7TJUgzq%X%0S3Rk??XgA10~x? zEYq_O#}K)ksqzX?c%7!YX~}u|%dPh!>H0l-cu}G0lRMyXKLaA}^ndcCn~jk9|DQ<3 zCd#Y?M;mcF+cOfK?1nTZRUH1=HK9Xc-B|lXgy`5oDM&grq7;}^$3U-gZM%{NpTFv_ zWw?xc8Z<;gem`#kOcPb+dVaMS(l`H^vTkbrs`riq=cr-cRa#(mrEOWMhP5~ylhC4N zQO}B|Y%w+5JrwOGWzn`E3TO2Ex}rKoVO18JyMf%5P44**;$cfSkB(O5^TTR{Q6YBZ zpE3ABQH)m(WDGrS8>hc}TtteQd#Mh|);282wUJ($#x4vxVX{(2xxE{boWXI31-(!JZBo_}fsThDyPlTS^^nGXF^tpP;FM~%w#G0ETr5Nh9sTIXVb{P5V0?cZsSQX6N z24!`pnOi^iR}yJwgO&7hyeeLr5(R)~)TEotk$#Q)v^0eBnEwe&G$6H36yOa8Uu5v! 
zxY(@9Mx~)Vy^efWnh@`E*N%?bm6yT=Gtb4ZgD%DkF7c!J-%?Qi`^JH`{K=@-7H@CpBQ`shI}ngXIP*}-3sRp^ zx|jW9%*);;7 za2c)&5Tq||1nXbOt^H!hi(4|vca)5?EU%QHo-4RH2@TlIe>moVDV9M@}G zgE#^qedD(@@I)h{$g0ru+pjzC3;`1nue1jz%|xp;v|E0m-+;p8{+nI64(jGO`XKQP zf9OnPd)Np5daB=rgGt9}!#6e%u4av;4Dd^FR3X~?R~Az^(sea-A-QPkmV|Ms>3Mt4 z=@7j~8|olEObh3@9P~FQX*Ix1axh^UAq+CYFIv&R4V0QE1=;x0!;vF=>0Y zi*d+|RAB})jTK$z6q>Btc!B1BIE$AuDk{G*d?&!#zx&LQQ}?wk#FejSPT(|J#I!;z zPlsdlTW|silt}{DE9D45a|HR0C}Y#(zp7r!P8T#8D-E|U>L;fZE=Ye9AqOa27Yw6) z4o2q+fd}X#)qxzrpRtqUcO?yHywgtLbGL!tJX#>@zGY!L+|hmed_~saTmMNrFitc5kEbUJ)b6i>a`#B<6vA@{3m6PV%sDy?)pz!AeEc_26LWhe9oh7SYcq3 zQZlx`R&|`0`CbTXjN-ZDddOg7t2E>RA)5(kc*@{iI#p&Cy|c2WvDIpT9;>feuV=CB zwTAWVJHJby!m0jNx54F5!;Xr`9KW^0>Z82qGUXRV0d}B;v0$@D%IzB|Wh$C2_=cY5 z*%u&~(4axYR;;(i7>GKRI~cU3i%;IGUhYuUTh+6K`>i(%uMHlZ_urHZgU6w{0Fk*O%9f>eXpe&GnJ+BO+ru=^X#7>_i%{{La5oqkBzq$ zherm(wRFxkcj$r)3(Uc$dJ+cT0D+-D?_2b=V$jw#i-v$|r>wXK&h4$d?{cD9b-YmL zh_S-}IQ$uEdho^52Br)!gyq@JWHZ-g{MF@3BZ`B>+&l)K{NS$nCfC=*AM=|vi@+KG zgBF9Ynm?i zjJv@it|;8(o}#i8&yu$(B`ZL4q1aO~l(_OmV>oy1IDe3ji`F7usIc>n}bCsw!jv46f?k zaPzw#e*DUQT?4HxV8lGF{Tzn^{kLFFjgp{vb+RF*VK+s)1*aE@aii}`IB&<$g7cgW z9XbBL>fmqs<@DFejOb}$!9`y+9O{hIg3CTJybR?h63m?9re|Fwn8jn~s7yUPSG6zd zk~=htz6)9sq#eenYWfiCabC0h(U%#@6UiyxB<5Hz7v;ggfaR2g!n|s`xN&lYPZ$M& zO54nh$_8=(JOJBejq&70imP_=Z%5%ws%?Uy-jS3Pdy*kH3_#HvvRRt8x?JL0LVzr% z!t1XkK7j2j0o@juepOD%8Y)RQj-Ffw)XP1Q&}4RgLS$QZD^NaoKz0Pi@ZTb}ikB;a z%&$iaN7J1=YrIn!TK~4GByMG-JC+OoHpio$;>LtgK;-*eq+-elBE52-aS|It7_^#7~pwm7ESR+U~T; z$2TlS2HAZK^Z?@O%E_I%qT<_%Bsa$h7?=#7oO7;~M6w7}M$Q?q-u0K_2mec8Odcno zk)zoCD^i4gI?$PDo2*1WsMV#TiE%6UInt^~nV$80<1%w}+b^H|S9U#e>fzvMl{Kub zsThEyupI%QGH*HNsM<*?nzGyE)En>lElv*GGxDHb-_lfNvWzMWp6PNP`r<0I!osxO zt%lG(2cX6PcQ|@}vbO(}Uq+OxixX+nr|=J|8908(2cF?L3gOyf_VDeW3Rec4Re+!}TXdq&-Y@@YSwst71cz#Le_GPldZSw&mGv_KbFe8Pm z4>7iWyJ#i`T?+DMP9JT|laP!IT-iWjyAXh!7rYArZ$nZ~iXQor5Xil%{+vWAGK(h3 z)b%RO-hL$LIs4(HBonFC>mE43MGJKaK>ko@+YqdrPtBMIM15E!*^Bc<_nLx0uUc`wo6+|5@e&@E2dR5#|q8uTwTv(|%6BYDp-(xGCv|AV*N46ZT?| 
z+GWyq6&k^3sFbJ}+uIK7$M=9R|6gq{P zL9bukyHQ!D{z(g!e8m`(TJ$Vli1~lVyg2!Z- z4IhBuvTZzn11~EYTNEZbZ}=CyqXHH87)yE4K&Pp+C8G{N8C5Fz?a;hZ+)Re$!vdm2 z%K6=S`7@?I?FPp|K?1B9DzTou-Bq*C(6W(LLtD};xz6v7vqN-FhMrryK`Gw4ZW_$b zCIrE%FsXdw*Qxr7kqDFxXa=A7I7OB>YWcy9)Gn7jyqpK6^Egw}@&G8rPIvP#Z7{@` z*ZeL>=KxvXRs<_E_g5Q;(a4N3Yx!zEw7Xm|p}PY6#^CN}Y5kr~TA^u2SY?DZ>b$$#u&f z5-8ngsz?vx1YRFKyHxss&<6c8Bt2PB$}L1r1`kf(;8+;6=N_;y1>~$1yRlU>viMYy zrt%ZCNw%?8_|3(GrQQvzpX0fLWd=KY z^jv-AZ|f2l2$i`cfE+bGt!W(cQa;IKx%O9OM#hasU+G)f7GyiY8nxGbr;Gc;x8AD) z5eRe*Bjc|03Ri8V=27PgtTmlUYh1Jsh&ow9YN>;iDxE3iN9B_aW zl!{Z)-xYibcWT5l*g4x|R9gypCNppdyc;XlCoyZXtFCHq3)=cBVNsNLGeBYv=xE;f zjJ!4mYTR`b37+?39v1?FCg=gLw5t$^!&o;NEV+`TF};LoPXp2_Rf^G9%hZ^KsvLpO z6t#;xsUk6!d~{h+!fvaHl1TW`vj{z4G}Qh4ex-98ERs%8Uf2rZHM?i7yHD%uE^I}S z=Dh2a%Hn}dRP9u0HA~Yedg1)`@*h&i)Z+Vrejl`77{cIk6)^rO!O8SCI^>OO9Xi;d zi<&l>;8T02Za2)?TmqzgL(PSmE?&!S;iEgThq-Ht9~Ck!iM@{8h_kwvsRxt#vTb4+ z@y3QWna3wo7pFI>Vg$_!mCjaVI+n14*FXH%wZDOk-$)E14NXbrZH~!ozvbR4R5ST% zo3w^XFoE#f1}Iin=_;2heFfw1xCJAMUmD_rZi=UzdgzV$Sj}Hr$bXe8z(K2IS&#v6 zW{th3m2A}yoba%rUs6s5`BG`G>wT}BHW4UXf@!T@8YQ}cJcr$6aM6XHw@~z11ft1} z&`q@t-DAai%JUM?IL?~I&jJX0@CXDD?>aSTUO^FUC$l5LO#_kO0ly7bz>?R-EHul# z&rDeRu(@P*_Wb@<)G?(;iqF9Wycqn@9f6A2+c9!JtZmx%edI}?I_9O5#urV;o3%St z1TeFQhV6D-C+;S)W?7U~ij~T&3vz?Ll4_``Rec% zJ&8B%Q>0K^@N$3%WsY6IY%E)ICMI=%XOQ%n=s~SpV!8H>kFnCuNyk$BdAHlKPEuQf zf25bmFpL2pa0OlY#b{D@#NMIP12z^7^DWzU%dl*UgaD-GH_BiFOh&kYnUfXa#-^~K z$W_zPJ3}c}6if6tofomM!h{!*x$Z1naDh7X6I;Zz}y}kS@Zm)!~G)PF* z_;uO`yC@e-yB5l0rfCl!Ym4KC-uAq5N;n949E-*|Yfc7b4^|A6dM-SQ# zO2v=0|D;FGTPsW?Td4=wx_P;}`moZS0kLxp*QG()oQgK?UEQrB!}nj&bBekt z%#Zdo!X+$GuBQl@zi^R~Rc_zvGfooqh5a*z8qbpVV1Mu%mxBj`nBT8x{dK_?Z|+Hg zQ-4v}j7)#+{D+b`?vNkB`m?@!Mx)^9tJNIY3#LETiC3gSyC@%?Td+|qIM1lJXQ4!K z>aYHO-|=zzhJ_E*BTAp69)9$QCP@QFhE$|?-&rQym~W_^-^;=9Zb1e*QX7t1$m zVvn`n97Oj9a_!pUEWp5_UHzXdcvH4vCvs1c?HvX>YKG?`2%13_FE_6J#4)A>)!kx9 zhBY=C%J6LC+9%wVsdQN;qrtyF#^dXrBtSY1dU-10qxLn%SX@$hQnAH`rbmy0UW{KL zFepHSp!z0YW;MEd>O+M_>k9+!X!6hr04Ljb{rmeWS@&I((5HH07mR$jUutx}OjEj( 
z5jV(qa^Qq3$BLPu3U}CRHUwd+h`kvCOzlJhcoDvlWE;6z&gR^d3ny;$da zLD=TQ5Kk>W(Gzj{l1f=(4ma;*!>g~cQ&T?UdR5mK96B)b#bd+YSkavFDpPgXTN)iv zI$%IiAO0|GXZkSU3{WmP{g=b}HJi9o<5q%9Uw3Q=C)g3XcNm&tz%!CT?MGuy5j+E{ zWk0G8;bjx;N#Cz;^6SJ05!Bs9u75geL!!YIZgpE?=kyPM?hk)yR{L&M@p6 z0=o_0J?pM1{nfkab}xjwy5~~Kcu<&Tv=+K=u9!ACZ{yThf~i_vO@~~4(<69jiT;3Z ztzqQ_dPxb)9Kp!uDR!#`UlF_rkvm5Lt4}_8VflB%p1wiq-nF z+&-22bN1PM>jOah|I2CF8l5VeZd==>J@+1$n}w%((wrVTsfzIwDSm{(t?RfYof(3c z>6CAR+hor^y%9valwt>}JR3LlyCX&C-&zSHu!g2_3aaOj@r2Ca;7m9HyzwWk9zkJGuqm?*-vq5Xby!4a`M$&hr30YX z?F4bxjOmG7)br;)Ul)WOu0>w%){Em8Kb$J{Ki7mOj@HkB5hlCwgUVStwRB(`$msn3 zW68l6_-QmuY@|h*k!h-dE>&&v=30 zIv3(Tl=pJrKH6z|rv)q59=N?as&_Po3H~a==sNM|4X=W#K*8r$N&#WvHVMQ8zDzLd zV)Dt$dm^J%7u}~piF^kD8Yp_Z&Uk|80}tRszg$ALiocA z&U(s2XW__mKc4sym@3MmQf`RaZ2ZcnKKE3-oF85QR&6*9*Yoc#x~^M{;7jY+&Nx1t z9;OP1mj0CKUwb(Wvpa1A;s-a3=aPnOem&7jJ&5aKY2kjAi{EseM4;=;;4Y}e@sWF= zA0G=hridbHd(+pd7ntI!Pli6S)3UB0XF*&6?nyx9LSypblGr5BFXg^bRHDaZeGF zKYA6I?$BJ$!L3>1>)B@=SqdDI3o3txyAWJ%X`+7$fgnGTVp-1)+LLdd#y_o80#604 zYlXS!e-r&*Hpl$YNw?FUCO!B6n`0ac3lmUA*{JK!y4vN-5Z^ntAy0%#PdCo!;3cP# ze=PC+U8O~-JElo5M!ch(!`Q83c7(#bv0mwAFrrrE5)C~5ch4R(H$BOIVbEpddh3J; zWYV{|9gznU$MoW0C(72_{L`{VHwf0)f?kIvSV!PME*{ zhd_id>2bhvo;mP@Wgu3p2Aky|)HjztWISA0VuGkm!N0#4W6x*^BIJJva$+1S*n4!) zCiO7Sgt7Qu7>7JKB)^RP#3H8x*Ka+C5rq*D8&~zJvVh1l@cY*588DzHswso`$^0{< zaeiKC>U(5clg*a4F7Y$QzIfTj!#wdNZk$~Dm((($rpWbbXsHY>Olrl~je|XOJwK=N zJSBwdWUS7&7){b$u-Of~v(u)OBQK6!AROCBQ@p+q)v&k`$%WuAmy`q^%nA*C8_Lt$ zy`sJB_R8ha=<5bQu#C;Iomk~$cR_2=p{VTaMRN^|+#-uw6KJym1SZ1#h}EA(huyCK EKU&lfD*ylh literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/1.png b/spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/1.png new file mode 100644 index 0000000000000000000000000000000000000000..7d473430b7bec514f7de12f5769fe7c5859e8c5d GIT binary patch literal 329 zcmeAS@N?(olHy`uVBq!ia0vp^JRr;gBp8b2n5}^nQC}X^4DKU-G|w_t}fLBA)Suv#nrW z!^h2QnY_`l!BOq-UXEX{m2up>JTQkX)2m zTvF+fTUlI^nXH#utd~++ke^qgmzgTe~DWM4ffP81J literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/2.png b/spring-cloud-vault/2.1.3.RELEASE/single/images/callouts/2.png new file mode 100644 index 0000000000000000000000000000000000000000..5d09341b2f6d2ea2d1d5dad5d980f14b4b05dfd2 GIT binary patch literal 353 zcmeAS@N?(olHy`uVBq!ia0vp^JRr;gBp8b2n5}^nQxaY7e*=hH)_rZeB4|imU1$R#1`!P>&$poQl;nzm}mD5ZFopaX|GsS%q*{P~< z;WtmO%lhToBL0i}yfkaOt?EN=nkLNGuU`ywhI5H)L`iUdT1k0gQ7VIjhO(w-Zen_> zZ(@38a<+nro{^q~f~BRtfrY+-p+a&|W^qZSLvCepNoKNMYO!8QX+eHoiC%Jk?!;Y+ zJAlS%fsM;d&r2*R1)67JkeZlkYGj#gX_9E3W@4U_nw*@Ln38B@k(iuhnUeN2eF0kK0(Y1u|9Rc(19XFPiEBhjaDG}zd16s2gM)^$re|(qda7?? zdS-IAf{C7yo`r&?rM`iMzJZ}aa#3b+Nu@(>WpPPnvR-PjUP@^}eqM=Qa(?c_U5Yz^ z#%Y0#%S_KpEGY$=XJL?(l#*ybuErX#^g`ttQfwnX4x42*}TIo_3IbsoNRf>aVMfsJ4-Q{^hZZrE#!3~DHIyIo;*1&0#S#R8GXWt43k48;BRp7)N)S|- z1>C&kGA0Xf^G^6@Z7$n zMFutQvv~;*MUZYF%!pN!TPX!dM|v*>m&a&)K+gzU_K;pxx#tfwf0eF z{6Aql)Y@kWdT@am_mNw@Hu^kjk`}>q?S9@-*pQ9}E$|ZbpD$ zJ7Gs5k(91tmKe$sLWmTGr7Bn~6>1?^s}f2PnR1ciVOW(27K@ZZwFriDU|1uRs#UNC zk|@PmnnA4;FJg6WABDMX_@ZBe_In>oi=V-wDld*vq}M`{&czNeIY^51IYKm z+YndYXy6niGl4=H0i`alZHn}h{(U<^L zrtUaM?H&s8E4km@xW3K}2l{HU9i~Kmth`h+4sGW1O{z!=XlvpWuu5{!5G>RAz< znNpajYLE!4(n`0h>bf?klyFK~l|n4NV{c&BaNx(k-xgpQQV0LH$NLOTvccoMndX$f zkv4mGzNtl?UYK0aBDc10gsL-g8W2sRbk9iJu~UP(7WA#TNlp>SE=W|=i?ba3^wOkX zY1is%HvE3-2vCryds-HJ-mVLw$(AH}m9SyomW73XDgDUw?6|$#yv`%qJ=msel*Vsd z`|NMp%}*;W&Dk-k$XtAVYB3n>$I&|I>ii|Z5HGIbWfAoEvR_xGkdB%u^EKNNweMm8UVjt>++|OBa{aNdr zkhTeJ+;4mFaBq$c85rs58E(yMLLIwHirO}q+Sd!Qw3m#xW&y9rVdPqRh?Qi&xGn8)dVXr!%Zc z@@k>;xsr45PU?g5+RpNiKfik6%9)0JRg>pN=Rf~LS%*%J3sntBdI_ki7mrSgrY^vD z?%WakSLZVrOHS(4IhMeO)hAZ`qU!_Mp^Kl`T85(DsckjoMLA#nV=_NP72jM4aCVNw ztsXF5STjDhYhdzAZ@x-km?7(f@11e;p;vCg#|D~KgRlFCJ{iDQda7PJ;=cu2XOfG+ zz6j|L)Ul6M@PT)tsq8TVCL=<&YucZ z==FL-9C+!x)fov8UwpRWZ~rLo*Uiivij0;`w-$cGJaBl_kilhr-Kmeg`K_}1x&xj} zBcQKVN-2MA=?_2j&!&wDd> zw}p{f$TVAeLb2U>0f{&UE>x@@VD|&aWW35hWduOkAqaC|ZvHiolKf1HK zzu)h>-_Pg!p50|ED_WP3lt81=*6DR>6SZ!PJ@IkW`;%iIE>KG%sj-n}UjrG&0ywSE 
z>8r;9y%%f5O*rOkZN7-hX|y<(+hQYahEmkw^YXEn4nN}cQ)n7Zo*(gJ4i8QO^?0M3 zP=NP-H46f6rvj{$7$AdRg}dCkwg7H!E3-J-JPw%?%+CYl5tJhE;v@z{yiG(9jVQp! zyePGgi3K3=ScUW`z$Z@G3`RiZ3*dl+FXA~M7zPl84~r!T0&@W&1PcWabt61jj7ktx zm;*e$K+0Oc*?^kV+NZXtlLB;+q#qRs!r?GKEaLkDjRIIElf^iMLLQ~T3$_v@7U2;= z#tMTP4>|&FKk4=nK#UQq_qC7;kn;3N2wuOz@Qj!UK1~#rGC>6M3t&DZ@Ooo$J=PAA zCj7r{JXbqtY4zg*6CU)n1RPX78W<~JDtF&)D5gkxgKi4AsiI&_YM-OUixZ??tpKSn ze5c!qLLw=Z#T+q|BZLqs3`%u1gPQQ^_OJRXsZqwOD&qLO2*a!%fyU`U&AilhSE!u zf#RfW8Nca8?LYcmzi;^J0$aTLuk(_I7B(1E%i{iHi|z|Ja9*KR}4%unPJ zFw4TowlS1#GO3H7Q31*c7>im^52SWUc{QwoqtQYKQqqoI_}z^Db(y?bEU3*;g(Uk< zbhQt9Q;Rl4_Xd*GuUR{_5VHeEE0C#yNL!dhWt>(;lnbF3j@_RUxGA zhlU&%fA8^*!l1Y?gk+ci-WE<{Z}q7&M>qEshlgBmoET)9!8{*KHv&6`TU&?mta6qd z7iwD&9iFFcM~&TiU^y@_(iItM%&Y+Q4fzTJHodO2br<#Qk8o=Fh6?xiG;t(<^tVlGN*YwHYbN*+ux#qerwpu9`;s z-h^IVXo>ux{&d`$r9Z!%mi_6zmY=<_(Aa4VWq+kPR9x~xOWlpzJxnYGn>;_NtFFtp z54GGsQk4p=t-Lq$;+whBb8|*17xjJKQ38{*G>h8VSmBGr5-Z@b}+_3*Xjg7`HBiDzyy{&6?adFeNk#BLg0d5b-3 z9p!F+xWNDCwRfkhhF=kO!^16Ky!0x2slrhor)q_mdPk(;+PiMET zz5h+ansg!r=$v-@J7+7{oa2j2pl#+KRU%es&<_a|W z!QKDvpGsto{Bi1?F{rbP{YmvHRmJgSd->g=lhdE>DT$9i&DZ~hSKGgD<3Nr~x0crR x@l@~8v%fudb7|Fs)}6WGzYSl#_Wjpr@eu7sVJhKCFm=a%+M#HR literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/images/logo.png b/spring-cloud-vault/2.1.3.RELEASE/single/images/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..ade2ce6ed9d9e9f2f4d9c5729a252ee618a0a5a7 GIT binary patch literal 4387 zcmV+;5!~*HP){P%3MJaDx_;_%u2|NZg!>}aqze!Nxc^y8Ao zaMb9>c)3l4zg^w!(u~7spv{7=)Rn#5sM+hyw%MSF!DHa>*1_JcqtAwz$$7Kao2k-{ z$Ktlp=fbSilJ55Bz}~Eo#%^5i?uh^Z5MW6}K~#90-Cc>2qDT-G%qj|s`%n~65K#I5 zADlwl_5$Q6z@8Veu^l@*Ej;tC%&f&?en^rmW8G4Bfs-$nj#hCGIahUzrMVw+I%xQ$E)R)G83X}t`1ui)Ke0b?i}V~=x;*#OP5^AJ z_OVA5<-$S(*dHs3nS@MY=6>c;q3@Q*^@Wc{Iv$8o7%%=lu>Mmu!n-W>7#}U^c;JPI zcIceuet!P2`VsO2g}6x=;JIIdC*&i)%=!Asvn$`C@XK&1|;bH5D_ z=zH7c!N>)KddJ;g59siDEplU|gd&)!`j@>B<Ren; zZ&4m;WDi^gpt1Gv2zv@ph@g01qCEH@j_rY~NI}KjsHjX%MJEA4+|NkF9jCN)QIRhc zFaLQ2c|!z};lxO_~%A+Qex!?*?#BCYPpKKPI zY^8;41BlDH8Ck6C87V0(Eh9w^6@ery;@8d~7@N5%3D&bI&W)5%c0@q##k7>lV_Tmd zdSptXnJFnrN!I{yxMakbDUX|fdg@WJnp;XPU|!EiuDPM4^)e9poGEjf}cm) zQ6T<|r>a)+C6s`;zm+8Q0)h9IA5I2+zPRKWK##xWH90f{l+8s6PUi_;-+}yxY%qW_ zpq+;jDIBj9-3_RCtVLQ8Qlfc6S#9Zl2_?oe1NdkN)R~2omG>pa#E4!j>XLcm?Homv z)0|1pBko@KhMk9$WCm|6Z@xrINc5&Ax^KW7RoSKZ9md31ze)+imI%u9;l1k3P*$se zQB*}|EF)AlQ+s3l9q}umq*6uHfSQl>hxm| zpk$MFHQ|Ize3VlGK<4Y2*By?DAfD8q1chgsqJWf%4u>l#5$sjHAe?MN@FtB=By8>S z{l+gMS0M8kTOy{7HgpDqa)qoeLq8Iyrv*^7Z*ILgv-I>lSDU1yE;shXv=}u0Bm)79 zpZqyHmaO~`DU)SCU_|?m=93u|FsC%Kn)W)5C8=35QKN++ZrT`%n7|YUMOK|G+@yYz zBsTlUk2m2t-|0W}=uS+>_s~eOomO9eNP&(Tp=ivSZj!ZUx>Nu{loG^10u@~^veRv# zmx6;={>X(lfGBI}VRIH%reoDmG+ED&YsLnu8aM$(K>}kY*{WC@uUGg=h+u|R+ppeQ z8xW0SWbtX~n<7Qc(HS71?mA?&;Jqh|!U`bj9XbqsX$b*$gdCZ6vtd|FipbjbhVnr?e>-4~RyzvF<<-Qs^Xc&1 zMG?)OVl#yvh7FZ<%SeB(RSHMUeR^N=4zyT3l&pu{5o$u;~6g>~~oHNaYV8U>0d+O}rOK%P62>-NULqj@}>^cx{|H`VfP%0dmMM*p1WF zX&7F-oZ#fP%2l0M2J7v2y}j5tt-lDZ!(fW)xl~mt!6pa@qT{k(8D&?Dpg3SeTXh;6 zf~))sUYGV!>A5Fl6kB4L;Y5ruG0!VLN%ntyh9Y>!uB?pF4UL3&H(8sVe5^8A((%`i zD&TE8X^@_Brv#AKv}u7iEW65RY1@Y9KX&$iMCPdhIRDn!vkbDmh(BgVGz>E6X3ukb#p2Dx>^YuoxqN> z&w=TuA#hCAbp}GWYhDjUwWLTfU(G?$^s~;HSU;+R{kpFly^j3+BInx<4KBB1x7JYC 
zq<$);o)bY?S3fKEx%TA&oqlzKyfMhJHsEOBM5vkH=RD7cW|-B?MI_cw{^7Xc1(m9~ zY|dhW*3%mkt3V{KH|x!_zDoEW{pMW71nBgGRd{1G_98WN0`zS#8>d{w#F$=l%EOAr z%><3QQ|3Oe&L`j+o50)eA0I5EhsJJ-CL4Pp#eODK+j12X5>7tPtJ_F0{3hxA#EBq0 z_hMK!&xF{BCJ#;IRAJKJXvA>xffF#F;@O-dBTNdzspmqpEd}QO8>RCjCxVhZ$Qj=7 zR2}p-3O+iPEC&Ddv3l{56Y;_KSR8ur?jWOew%1`587vFmG)reqt>6);xJOkEPixX_ z{l|b+7-b^&p<-59Q+mbk>LvNW)xz2n&o^6%Q5kc+;MAgscwhSWS<|`zCf*UJUuqoa z<7}JNrV&lKxd)Z!9Qg;2$Q}52x!URT=8B-r)87O|Tk=#LvYxcMhJRYjK97YiKRx*c za9yp+cXdp@JVJ%MGumF%FB?1~_+WQq&dK-ySxOAxpFeD-@#iG-6;v%XIA>!=<*f?Urxr1Pj(NRcREqRRHswF zk;j>n(Teu^{w^dPDOsf5TChaEoY0ZZ0HxLA&?f3eiMsB1rnlg`>2#dD*!qoJFO-O# zDCrWg{cyrF-w{wT!XcoZ6_49SkbCa*A$sQp;){qYC;S(1O3w3cji$AzmFPZyvq-oR zB9zXUx8vCzP2=&Mkk|15Nsl{s2rN>b28Gv_ksGXo2Tx7|t-BV%^X`)si!E0pYw*0d zkugG_qAdWw>pV~oF%cFHS5DfTwX}nDVdUvMW>VPMT=ftWp`2Rh#>gcN;X#OonH{0e zOL_oW%w@gelynN~uV8sJ*A8kU8Ggbe>ACN|&Z+?vZRYo$q3wH25x6ZH0y_Z>zGn@q z+emoZVD*LPpV4o0t@IK&<|`Sd%7^EE+hM!+peeAgujC%P7pzCGt(!;Xv%%^faBH_Ny;(iNv1s|C4 z;d>&5#%14t#C1l6)&Gr!&i#K!Jq$4oFjj-|VjfCJn`i+DF_Z1EJu49V8?S zPwDGv&2QHSrR5O5HXg{G@nB7R5}TH^g2M&sd+LD)RJXytSjbGlvUSlLCDnQI^ADq-=ja;k5rFl-Ml_z)VsGybK8TIasZnEcqLXLuyu~zChc% zL%fec%2=ejbK>iOinblMxi=_y`|4Qa38-k_yc%%b?f12SPL~o`>8RHOeg!~?yA8UI zdPCq>pyRk$361H`|12tC<~>R|`r&Ux7=3_f-}_C1MEoyptpet@ckcq;uZ91Q6(ahB zmSI_8^q;YU1bax!&jo6@9(V!xH$g$gmct4GP2JkGq7VKLLV;pn&(9s!GIhyccg;Y= zB;&be0q?i5@bi3XC zN)ZU(_2cjD^OTzYc6Aza?V^lzbs5IC=Zaqs*DUpq28#7tClK{yXb1Wwu?(E7V(JeM8)nOZvWVMX6F08ci!Lcy`N`3 zRmMkqPWG8hB9T1hF%lKAdbyuT9>n{*eLWY6#T%Du@g&n~JQuNGq$r&!4Flu`Bpp*> zh%RqUHzpvFJTmlZEv{9>@llh3hPZWTc7vHflSqO{yBR^VFdRt3()C6mdFU^lWI(SI zk~M4vs4$DM41J8lf+acP)u|5Q7d9H%x_Cd^XHyaDX=#nXqQj zt>&vFvNyJflaQQ&<7Pgco|~IX%Vp9`mUKGA-Zp( zOJtG50yzv2=0Xrx46(Qj83@V53@*$QjdQ#U%j3e3l*8gOAt(xhqztY^3`s$@h$SN! zBqG*0R&KQ7h!Mrc?dl1;Z?K%-#qz}#48ctnwaJt{-T}%C6K=9*n9P7U2?jzG2&y-_ z1)=T&y^dFcS@bqcC$pFgz^e@N_3!Y2&4rmVrc?^b{#WF$vAX{!YjnaHy1PC8t6j!L zL=U>RZ=0Vuyd59RNX(3d7!LK(`xl6rBPrw5(!bs96XC4+vN`n!pkNhnvKs;x&pmV! 
z^p5t4F5vmbc<*Tg!?VGlB>@XnzNdTWfhvE25$e1Mo;VNrFPPX7U z(3k?AET0>c;EQjdF;|7qmM;id8Z2DH;$?xdi*jLQS;UTmTiQ;84~KpVQTS}!1G7>???1T1M8Y2Y^v{gyWH4>vrEALt zW@fUDlD9Q{=doHaIiz}LsVtu#Tf|>gNSPn)uUj7xxbS*QsNLaH+;@qq1yM5)eX8Xer{FRzM~ z7xK|ff|w#cs13!6!+4oAeiqo&#|^o&-HT^JJ+1KLT73G&i2y$6Z`@c^KzV`9OsHC8!WcLRbRl_HObYx+233S$HvBP zx5xC8NE3$Tk|?#kKW%jS#1E2l4~Dm9y?iNEMtGE`{31iwDR0{;frQ`P~3kjC$lu_eqZs}wAR(baf^>n-dr`hd)oUmm$gnF zbD^_eYPM#zynGxf-a!tS6u8|n_+WHspz~^faii1kX{e03c}{&}W2fu+^!IEjlU-

MvJZJ$)LTqJA+@mbLxmkyPc#tU=W5xPJ%q2sZXv`v(Ui?>!8Tjh_mSOc$O+ zW<-$ZjJfV@LAsB%Biz5w(;fXV?CW1TB9(ujH2(XqZD*&_2O2L-EZJ~mTUSoq*g)q^ zQ!j3qa>DzQ*dH!xN(0O3n$-7HmkYk_eQXG-gI*K|{dncP!DXswNa?P_Z}nzo#*v#J zQ5S9ROsaZ%ZqC6y?VF!Q1^;o|wu*kH=E=`8B``9)uFtN|s?>Xw*7?*`wfqP}<_A~q zd8VVPq*k-7ZPhbSEogsT%F|x0xuT7xdRv7>Rev?4wv{qrDN}+xS$8V5!!ga&#Y1*BgqL?&c}jPc zG_JlfMSD5I%DQQcHXTbGWQtKpeL6yAB|UI5CQ=~#`}=c}Um;E%R)9u^qI0>&GHQ-g zOm;DCkym+{WF$}@UWrV1mtnTPtu!WtY$r7BOpo|N_#mqWGhK#KR0MD7eW*yPaY&xBTRfcG-E5p&`2dq z875XFdy+3GStd(wD_Mg`dys8Xd_houJju_&*4)mZt2Tk1H)DTRJY^_lf>>*ZU2Th5 zWQ3Ly{;kf91GM2s4Vfv8a-fcsXpb+4t> zmM%11X*>M&PQZNVdARf4d*2x!aq1>jOzQ?>>R)(Ok;sOJ)7jfk$Fdif23? z-}3V78&9qod*O;uGk%fEW^;|k`Lo>bOq2iF72o-IGb2gTw+4B~#iYz(oL}sS7|$R2 zDGfrR{|@~AQJ&v(#4u|ZtJP}t520N48P!$8U;|Vfuq=8>E$w`o2Jf`%eqhqbr%IH1zV?O3uDWqKZId-wMQ*MFefpD5X*w@ zok{kNA?%%$F{M!OUcE^^x{~(wkHK|_*9Yg`KNS88FaVH_sda1Xfs6nE002ovPDHLk FV1jwin)(0$ literal 0 HcmV?d00001 
diff --git a/spring-cloud-vault/2.1.3.RELEASE/single/images/warning.png b/spring-cloud-vault/2.1.3.RELEASE/single/images/warning.png new file mode 100644 index 0000000000000000000000000000000000000000..0d5b5244605adbb7ab05a1549746a9c35490f95b GIT binary patch literal 2130 zcmbVNYg7|w8V(4q($)50y>JmGlLW#g$xLn}Vd2Si)}#|ptPAQp3Bp-3!-lL0;i^LY?;i#f0m5s49g z3h?3rDQg~EDPlm?FKkgKIcWEK-3X6YU0uzs7H|nq84s39r2!5;pF?SI$QqXy^Ko1x zV~zpENvp@<_Bsd`5MabC#3rvCq&$5dg43yGR zAdy0-rWjC#a1N_+kzUMY#pmogD7!DP(9dEKr3c5ngvUq_6>}Y+w-a81v=eSXnIi_+ zI?U>D1q2C!0zHox#XXKH+@|&rPT*OF5yvY$5J|)WwLqnU)c-5;=UChSlQkaY3@^|g z|J5#YBB}=i+n3Ex9bS$P?xJSKLk)-HHII@;3qG#TG^!+aj>0QkO~7kB0+|yM;YrGB zF>Ge@isQ#73%Tp#k_(tInh3U$uJWY-+DND*o}L-CB5g@#9YWWw~pxZ!Obm>yN#ZHFvL0zA3vNCTJ=t?)~`2O1M{L6un=ml<2x zQEYfifmA?Pz0tqRs^2Utt1pU0BQB1eIY0U_I}c1Y#PP7Ci5s7#IJn}xK{G+{_v^Z+1V#$Erodv>d}ew>RP0wzw+GWkGCBlS1Oj5Z!5NK zUuSR6>pa}RSEZ;qE_w1l#`hQX4E67U6NeP zHZ`T&wj0_H)t|Y1thUqnhub?%e)Y07;a^Tq%FO&iQkR&`qG!dh*2WfW(HuRQj*_DI zeCD1bUA|tMwjOb8E|FRIn$pzEU!2j_N}1Z2ig)vbr5xA0rjC70cmI6*%Uf->hWzaZ z{33HABO5q)vRhzDly2l691@+q3O{}NbSzx+I*k@|L4&3leK#$>u+T#TvTELfKb|IH zc23atf3vmfCa0&TWY@iuoA_Pm<0~ttEC*ut`isb^jXS>X^Sp=l?RXN_OJ*&usGXg$ zTlTv;Ch^vhLDf&+62jl64*&D+=+`sN_dap_1W%p|KQVYIdgPL5uRE9(c4On)DXndL zLNq?%!-u*zmMxyYc4m4Nr>>=A=s}PkJkqr&E^b9>5g+}c1%X}3|WKcg&spcJQ)05zI<<5LTBhNKRg$XRTi2{j)yl_ zj4~kKOvr+m(;vw~9zVh(zC-y9jqQnguz5r7FRq^MyKuXAENp(TAzUVtg&Ts+B_s7) zGn+fN0sG>9GjsPLKTRrvCd`71IZulJ1_1jO9KWbD&_@2UC+LTNpxxrdz#E|j|2nA9 zzB!UTyfAEJ&#%$pQ>QX#8vk@_a5iqukMF;8`wRKe{BI}5$H%OROs4J1#j)|?p|YSh z_SpR^e`VE#F52;WL{!+L(yZLRh40*KS;@box;9(-tE)`mcVp27O*>Z{_Lb*5T3cJA yr~0nPHtg2+UHi&&$8ha;`+hiaUmw&!n@8(?5PqF(KE5>Ym)EG)p&uyBP5%a8^# + + Spring Cloud Vault

Spring Cloud Vault


© 2016-2019 The original authors.

[Note]Note

Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically.

Spring Cloud Vault Config provides client-side support for externalized configuration in a distributed system. With HashiCorp’s Vault you have a central place to manage external secret properties for applications across all environments. Vault can manage static and dynamic secrets such as username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, MongoDB, Consul, AWS and more.

1. Quick Start

Prerequisites

To get started with Vault and this guide you need a +*NIX-like operating systems that provides:

  • wget, openssl and unzip
  • at least Java 7 and a properly configured JAVA_HOME environment variable

Install Vault

$ src/test/bash/install_vault.sh

Create SSL certificates for Vault

$ src/test/bash/create_certificates.sh
[Note]Note

create_certificates.sh creates certificates in work/ca and a JKS truststore work/keystore.jks. If you want to run Spring Cloud Vault using this quickstart guide you need to configure the truststore the spring.cloud.vault.ssl.trust-store property to file:work/keystore.jks.

Start Vault server

$ src/test/bash/local_run_vault.sh

Vault is started listening on 0.0.0.0:8200 using the inmem storage and +https. +Vault is sealed and not initialized when starting up.

[Note]Note

If you want to run tests, leave Vault uninitialized. The tests will +initialize Vault and create a root token 00000000-0000-0000-0000-000000000000.

If you want to use Vault for your application or give it a try then you need to initialize it first.

$ export VAULT_ADDR="https://localhost:8200"
+$ export VAULT_SKIP_VERIFY=true # Don't do this for production
+$ vault init

You should see something like:

Key 1: 7149c6a2e16b8833f6eb1e76df03e47f6113a3288b3093faf5033d44f0e70fe701
+Key 2: 901c534c7988c18c20435a85213c683bdcf0efcd82e38e2893779f152978c18c02
+Key 3: 03ff3948575b1165a20c20ee7c3e6edf04f4cdbe0e82dbff5be49c63f98bc03a03
+Key 4: 216ae5cc3ddaf93ceb8e1d15bb9fc3176653f5b738f5f3d1ee00cd7dccbe926e04
+Key 5: b2898fc8130929d569c1677ee69dc5f3be57d7c4b494a6062693ce0b1c4d93d805
+Initial Root Token: 19aefa97-cccc-bbbb-aaaa-225940e63d76
+
+Vault initialized with 5 keys and a key threshold of 3. Please
+securely distribute the above keys. When the Vault is re-sealed,
+restarted, or stopped, you must provide at least 3 of these keys
+to unseal it again.
+
+Vault does not store the master key. Without at least 3 keys,
+your Vault will remain permanently sealed.

Vault will initialize and return a set of unsealing keys and the root token. +Pick 3 keys and unseal Vault. Store the Vault token in the VAULT_TOKEN + environment variable.

$ vault unseal (Key 1)
+$ vault unseal (Key 2)
+$ vault unseal (Key 3)
+$ export VAULT_TOKEN=(Root token)
+# Required to run Spring Cloud Vault tests after manual initialization
+$ vault token-create -id="00000000-0000-0000-0000-000000000000" -policy="root"

Spring Cloud Vault accesses different resources. By default, the secret +backend is enabled which accesses secret config settings via JSON endpoints.

The HTTP service has resources in the form:

/secret/{application}/{profile}
+/secret/{application}
+/secret/{defaultContext}/{profile}
+/secret/{defaultContext}

where the "application" is injected as the spring.application.name in the +SpringApplication (i.e. what is normally "application" in a regular +Spring Boot app), "profile" is an active profile (or comma-separated +list of properties). Properties retrieved from Vault will be used "as-is" +without further prefixing of the property names.

2. Client Side Usage

To use these features in an application, just build it as a Spring +Boot application that depends on spring-cloud-vault-config (e.g. see +the test cases). Example Maven configuration:

Example 2.1. pom.xml

<parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>2.0.0.RELEASE</version>
+    <relativePath /> <!-- lookup parent from repository -->
+</parent>
+
+<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-starter-vault-config</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+    <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-test</artifactId>
+        <scope>test</scope>
+    </dependency>
+</dependencies>
+
+<build>
+    <plugins>
+        <plugin>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-maven-plugin</artifactId>
+        </plugin>
+    </plugins>
+</build>
+
+<!-- repositories also needed for snapshots and milestones -->

Then you can create a standard Spring Boot application, like this simple HTTP server:

@SpringBootApplication
+@RestController
+public class Application {
+
+    @RequestMapping("/")
+    public String home() {
+        return "Hello World!";
+    }
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+}

When it runs it will pick up the external configuration from the +default local Vault server on port 8200 if it is running. To modify +the startup behavior you can change the location of the Vault server +using bootstrap.properties (like application.properties but for +the bootstrap phase of an application context), e.g.

Example 2.2. bootstrap.yml

spring.cloud.vault:
+    host: localhost
+    port: 8200
+    scheme: https
+    uri: https://localhost:8200
+    connection-timeout: 5000
+    read-timeout: 15000
+    config:
+        order: -10

  • host sets the hostname of the Vault host. The host name will be used +for SSL certificate validation
  • port sets the Vault port
  • scheme setting the scheme to http will use plain HTTP. +Supported schemes are http and https.
  • uri configure the Vault endpoint with an URI. Takes precedence over host/port/scheme configuration
  • connection-timeout sets the connection timeout in milliseconds
  • read-timeout sets the read timeout in milliseconds
  • config.order sets the order for the property source

Enabling further integrations requires additional dependencies and +configuration. Depending on how you have set up Vault you might need +additional configuration like +SSL and +authentication.

If the application imports the spring-boot-starter-actuator project, the +status of the vault server will be available via the /health endpoint.

The vault health indicator can be enabled or disabled through the property management.health.vault.enabled (default to true).

2.1 Authentication

Vault requires an authentication mechanism to authorize client requests.

Spring Cloud Vault supports multiple authentication mechanisms to authenticate applications with Vault.

For a quickstart, use the root token printed by the Vault initialization.

Example 2.3. bootstrap.yml

spring.cloud.vault:
+    token: 19aefa97-cccc-bbbb-aaaa-225940e63d76

[Warning]Warning

Consider carefully your security requirements. Static token authentication is fine if you want quickly get started with Vault, but a static token is not protected any further. Any disclosure to unintended parties allows Vault use with the associated token roles.

3. Authentication methods

Different organizations have different requirements for security +and authentication. Vault reflects that need by shipping multiple authentication +methods. Spring Cloud Vault supports token and AppId authentication.

3.1 Token authentication

Tokens are the core method for authentication within Vault. +Token authentication requires a static token to be provided using the +Bootstrap Application Context.

[Note]Note

Token authentication is the default authentication method. +If a token is disclosed an unintended party gains access to Vault and +can access secrets for the intended client.

Example 3.1. bootstrap.yml

spring.cloud.vault:
+    authentication: TOKEN
+    token: 00000000-0000-0000-0000-000000000000

  • authentication setting this value to TOKEN selects the Token +authentication method
  • token sets the static token to use

See also: Vault Documentation: Tokens

3.2 AppId authentication

Vault supports AppId +authentication that consists of two hard to guess tokens. The AppId +defaults to spring.application.name that is statically configured. +The second token is the UserId which is a part determined by the application, +usually related to the runtime environment. IP address, Mac address or a +Docker container name are good examples. Spring Cloud Vault Config supports +IP address, Mac address and static UserId’s (e.g. supplied via System properties). +The IP and Mac address are represented as Hex-encoded SHA256 hash.

IP address-based UserId’s use the local host’s IP address.

Example 3.2. bootstrap.yml using SHA256 IP-Address UserId’s

spring.cloud.vault:
+    authentication: APPID
+    app-id:
+        user-id: IP_ADDRESS

  • authentication setting this value to APPID selects the AppId +authentication method
  • app-id-path sets the path of the AppId mount to use
  • user-id sets the UserId method. Possible values are IP_ADDRESS, +MAC_ADDRESS or a class name implementing a custom AppIdUserIdMechanism

The corresponding command to generate the IP address UserId from a command line is:

$ echo -n 192.168.99.1 | sha256sum
[Note]Note

Including the line break of echo leads to a different hash value +so make sure to include the -n flag.

Mac address-based UserId’s obtain their network device from the +localhost-bound device. The configuration also allows specifying +a network-interface hint to pick the right device. The value of +network-interface is optional and can be either an interface +name or interface index (0-based).

Example 3.3. bootstrap.yml using SHA256 Mac-Address UserId’s

spring.cloud.vault:
+    authentication: APPID
+    app-id:
+        user-id: MAC_ADDRESS
+        network-interface: eth0

  • network-interface sets network interface to obtain the physical address

The corresponding command to generate the IP address UserId from a command line is:

$ echo -n 0AFEDE1234AC | sha256sum
[Note]Note

The Mac address is specified uppercase and without colons. +Including the line break of echo leads to a different hash value +so make sure to include the -n flag.

3.2.1 Custom UserId

The UserId generation is an open mechanism. You can set +spring.cloud.vault.app-id.user-id to any string and the configured +value will be used as static UserId.

A more advanced approach lets you set spring.cloud.vault.app-id.user-id to a +classname. This class must be on your classpath and must implement +the org.springframework.cloud.vault.AppIdUserIdMechanism interface +and the createUserId method. Spring Cloud Vault will obtain the UserId +by calling createUserId each time it authenticates using AppId to +obtain a token.

Example 3.4. bootstrap.yml

spring.cloud.vault:
+    authentication: APPID
+    app-id:
+        user-id: com.examlple.MyUserIdMechanism

Example 3.5. MyUserIdMechanism.java

public class MyUserIdMechanism implements AppIdUserIdMechanism {
+
+  @Override
+  public String createUserId() {
+    String userId = ...
+    return userId;
+  }
+}

See also: Vault Documentation: Using the App ID auth backend

3.3 AppRole authentication

AppRole is intended for machine +authentication, like the deprecated (since Vault 0.6.1) Section 3.2, “AppId authentication”. +AppRole authentication consists of two hard to guess (secret) tokens: RoleId and SecretId.

Spring Vault supports various AppRole scenarios (push/pull mode and wrapped).

RoleId and optionally SecretId must be provided by configuration, +Spring Vault will not look up these or create a custom SecretId.

Example 3.6. bootstrap.yml with AppRole authentication properties

spring.cloud.vault:
+    authentication: APPROLE
+    app-role:
+        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52

The following scenarios are supported along the required configuration details:

Table 3.1. Configuration

Method

RoleId

SecretId

RoleName

Token

Provided RoleId/SecretId

Provided

Provided

  

Provided RoleId without SecretId

Provided

   

Provided RoleId, Pull SecretId

Provided

Provided

Provided

Provided

Pull RoleId, provided SecretId

 

Provided

Provided

Provided

Full Pull Mode

  

Provided

Provided

Wrapped

   

Provided

Wrapped RoleId, provided SecretId

Provided

  

Provided

Provided RoleId, wrapped SecretId

 

Provided

 

Provided


Table 3.2. Pull/Push/Wrapped Matrix

RoleId

SecretId

Supported

Provided

Provided

Provided

Pull

Provided

Wrapped

Provided

Absent

Pull

Provided

Pull

Pull

Pull

Wrapped

Pull

Absent

Wrapped

Provided

Wrapped

Pull

Wrapped

Wrapped

Wrapped

Absent


[Note]Note

You can use still all combinations of push/pull/wrapped modes by providing a configured AppRoleAuthentication bean within the bootstrap context. Spring Cloud Vault cannot derive all possible AppRole combinations from the configuration properties.

[Important]Important

AppRole authentication is limited to simple pull mode using reactive infrastructure. Full pull mode is not yet supported. Using Spring Cloud Vault with the Spring WebFlux stack enables Vault’s reactive auto-configuration which can be disabled by setting spring.cloud.vault.reactive.enabled=false.

Example 3.7. bootstrap.yml with all AppRole authentication properties

spring.cloud.vault:
+    authentication: APPROLE
+    app-role:
+        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
+        secret-id: 1696536f-1976-73b1-b241-0b4213908d39
+        role: my-role
+        app-role-path: approle

  • role-id sets the RoleId.
  • secret-id sets the SecretId. SecretId can be omitted if AppRole is configured without requiring SecretId (See bind_secret_id).
  • role: sets the AppRole name for pull mode.
  • app-role-path sets the path of the approle authentication mount to use.

See also: Vault Documentation: Using the AppRole auth backend

3.4 AWS-EC2 authentication

The aws-ec2 +auth backend provides a secure introduction mechanism +for AWS EC2 instances, allowing automated retrieval of a Vault +token. Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats AWS as a Trusted Third Party and uses the +cryptographically signed dynamic metadata information that uniquely +represents each EC2 instance.

Example 3.8. bootstrap.yml using AWS-EC2 Authentication

spring.cloud.vault:
+    authentication: AWS_EC2

AWS-EC2 authentication enables nonce by default to follow +the Trust On First Use (TOFU) principle. Any unintended party that +gains access to the PKCS#7 identity metadata can authenticate +against Vault.

During the first login, Spring Cloud Vault generates a nonce +that is stored in the auth backend aside the instance Id. +Re-authentication requires the same nonce to be sent. Any other +party does not have the nonce and can raise an alert in Vault for +further investigation.

The nonce is kept in memory and is lost during application restart. +You can configure a static nonce with spring.cloud.vault.aws-ec2.nonce.

AWS-EC2 authentication roles are optional and default to the AMI. +You can configure the authentication role by setting the +spring.cloud.vault.aws-ec2.role property.

Example 3.9. bootstrap.yml with configured role

spring.cloud.vault:
+    authentication: AWS_EC2
+    aws-ec2:
+        role: application-server

Example 3.10. bootstrap.yml with all AWS EC2 authentication properties

spring.cloud.vault:
+    authentication: AWS_EC2
+    aws-ec2:
+        role: application-server
+        aws-ec2-path: aws-ec2
+        identity-document: http://...
+        nonce: my-static-nonce

  • authentication setting this value to AWS_EC2 selects the AWS EC2 +authentication method
  • role sets the name of the role against which the login is being attempted.
  • aws-ec2-path sets the path of the AWS EC2 mount to use
  • identity-document sets URL of the PKCS#7 AWS EC2 identity document
  • nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation

See also: Vault Documentation: Using the aws auth backend

3.5 AWS-IAM authentication

The aws backend provides a secure +authentication mechanism for AWS IAM roles, allowing the automatic authentication with +vault based on the current IAM role of the running application. + Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats AWS as a Trusted Third Party and uses the +4 pieces of information signed by the caller with their IAM credentials + to verify that the caller is indeed using that IAM role.

The current IAM role the application is running in is automatically calculated. +If you are running your application on AWS ECS then the application +will use the IAM role assigned to the ECS task of the running container. +If you are running your application naked on top of an EC2 instance then +the IAM role used will be the one assigned to the EC2 instance.

When using the AWS-IAM authentication you must create a role in Vault +and assign it to your IAM role. An empty role defaults to +the friendly name the current IAM role.

Example 3.11. bootstrap.yml with required AWS-IAM Authentication properties

spring.cloud.vault:
+    authentication: AWS_IAM

Example 3.12. bootstrap.yml with all AWS-IAM Authentication properties

spring.cloud.vault:
+    authentication: AWS_IAM
+    aws-iam:
+        role: my-dev-role
+        aws-path: aws
+        server-id: some.server.name

  • role sets the name of the role against which the login is being attempted. This should be bound to your IAM role. If one is not supplied then the friendly name of the current IAM user will be used as the vault role.
  • aws-path sets the path of the AWS mount to use
  • server-id sets the value to use for the X-Vault-AWS-IAM-Server-ID header preventing certain types of replay attacks.

AWS-IAM requires the AWS Java SDK dependency (com.amazonaws:aws-java-sdk-core) +as the authentication implementation uses AWS SDK types for credentials and request signing.

See also: Vault Documentation: Using the aws auth backend

3.6 Azure MSI authentication

The azure +auth backend provides a secure introduction mechanism +for Azure VM instances, allowing automated retrieval of a Vault +token. Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats Azure as a Trusted Third Party and uses the +managed service identity and instance metadata information that can be +bound to a VM instance.

Example 3.13. bootstrap.yml with required Azure Authentication properties

spring.cloud.vault:
+    authentication: AZURE_MSI
+    azure-msi:
+        role: my-dev-role

Example 3.14. bootstrap.yml with all Azure Authentication properties

spring.cloud.vault:
+    authentication: AZURE_MSI
+    azure-msi:
+        role: my-dev-role
+        azure-path: aws

  • role sets the name of the role against which the login is being attempted.
  • azure-path sets the path of the Azure mount to use

Azure MSI authentication fetches environmental details about the virtual machine +(subscription Id, resource group, VM name) from the instance metadata service.

See also: Vault Documentation: Using the azure auth backend

3.7 TLS certificate authentication

The cert auth backend allows authentication using SSL/TLS client +certificates that are either signed by a CA or self-signed.

To enable cert authentication you need to:

  1. Use SSL, see Chapter 9, Vault Client SSL configuration
  2. Configure a Java Keystore that contains the client +certificate and the private key
  3. Set the spring.cloud.vault.authentication to CERT

Example 3.15. bootstrap.yml

spring.cloud.vault:
+    authentication: CERT
+    ssl:
+        key-store: classpath:keystore.jks
+        key-store-password: changeit
+        cert-auth-path: cert

See also: Vault Documentation: Using the Cert auth backend

3.8 Cubbyhole authentication

Cubbyhole authentication uses Vault primitives to provide a secured authentication +workflow. Cubbyhole authentication uses tokens as primary login method. +An ephemeral token is used to obtain a second, login VaultToken from Vault’s +Cubbyhole secret backend. The login token is usually longer-lived and used to +interact with Vault. The login token will be retrieved from a wrapped +response stored at /cubbyhole/response.

Creating a wrapped token

[Note]Note

Response Wrapping for token creation requires Vault 0.6.0 or higher.

Example 3.16. Creating and storing tokens

$ vault token-create -wrap-ttl="10m"
+Key                            Value
+---                            -----
+wrapping_token:                397ccb93-ff6c-b17b-9389-380b01ca2645
+wrapping_token_ttl:            0h10m0s
+wrapping_token_creation_time:  2016-09-18 20:29:48.652957077 +0200 CEST
+wrapped_accessor:              46b6aebb-187f-932a-26d7-4f3d86a68319

Example 3.17. bootstrap.yml

spring.cloud.vault:
+    authentication: CUBBYHOLE
+    token: 397ccb93-ff6c-b17b-9389-380b01ca2645

See also:

3.9 GCP-GCE authentication

The gcp +auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP GCE (Google Compute Engine) authentication creates a signature in the form of a +JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance +is obtained from the GCE metadata service using Instance identification. +This API creates a JSON Web Token that can be used to confirm the instance identity.

Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats GCP as a Trusted Third Party and uses the +cryptographically signed dynamic metadata information that uniquely +represents each GCP service account.

Example 3.18. bootstrap.yml with required GCP-GCE Authentication properties

spring.cloud.vault:
+    authentication: GCP_GCE
+    gcp-gce:
+        role: my-dev-role

Example 3.19. bootstrap.yml with all GCP-GCE Authentication properties

spring.cloud.vault:
+    authentication: GCP_GCE
+    gcp-gce:
+        gcp-path: gcp
+        role: my-dev-role
+        service-account: my-service@projectid.iam.gserviceaccount.com

  • role sets the name of the role against which the login is being attempted.
  • gcp-path sets the path of the GCP mount to use
  • service-account allows overriding the service account Id to a specific value. Defaults to the default service account.

See also:

3.10 GCP-IAM authentication

The gcp +auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT) +for a service account. A JWT for a service account is obtained by +calling GCP IAM’s projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM +and proves thereby its identity. This Vault backend treats GCP as a Trusted Third Party.

IAM credentials can be obtained from either the runtime environment +, specifically the GOOGLE_APPLICATION_CREDENTIALS +environment variable, the Google Compute metadata service, +or supplied externally as e.g. JSON or base64 encoded. +JSON is the preferred form as it carries the project id and +service account identifier required for calling projects.serviceAccounts.signJwt.

Example 3.20. bootstrap.yml with required GCP-IAM Authentication properties

spring.cloud.vault:
+    authentication: GCP_IAM
+    gcp-iam:
+        role: my-dev-role

Example 3.21. bootstrap.yml with all GCP-IAM Authentication properties

spring.cloud.vault:
+    authentication: GCP_IAM
+    gcp-iam:
+        credentials:
+            location: classpath:credentials.json
+            encoded-key: e+KApn0=
+        gcp-path: gcp
+        jwt-validity: 15m
+        project-id: my-project-id
+        role: my-dev-role
+        service-account: my-service@projectid.iam.gserviceaccount.com

  • role sets the name of the role against which the login is being attempted.
  • credentials.location path to the credentials resource that contains Google credentials in JSON format.
  • credentials.encoded-key the base64 encoded contents of an OAuth2 account private key in the JSON format.
  • gcp-path sets the path of the GCP mount to use
  • jwt-validity configures the JWT token validity. Defaults to 15 minutes.
  • project-id allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.
  • service-account allows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.

GCP IAM authentication requires the Google Cloud Java SDK dependency +(com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http) +as the authentication implementation uses Google APIs for credentials and JWT signing.

[Note]Note

Google credentials require an OAuth 2 token maintaining the token lifecycle. All API +is synchronous therefore, GcpIamAuthentication does not support AuthenticationSteps which is +required for reactive usage.

See also:

3.11 Kubernetes authentication

Kubernetes authentication mechanism (since Vault 0.8.3) allows to authenticate with Vault using a Kubernetes Service Account Token. +The authentication is role based and the role is bound to a service account name and a namespace.

A file containing a JWT token for a pod’s service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

Example 3.22. bootstrap.yml with all Kubernetes authentication properties

spring.cloud.vault:
+    authentication: KUBERNETES
+    kubernetes:
+        role: my-dev-role
+        kubernetes-path: kubernetes
+        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token

  • role sets the Role.
  • kubernetes-path sets the path of the Kubernetes mount to use.
  • service-account-token-file sets the location of the file containing the Kubernetes Service Account Token. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.

See also:

4. Secret Backends

4.1 Generic Backend

Spring Cloud Vault supports at the basic level the generic secret +backend. The generic secret backend allows storage of arbitrary +values as key-value store. A single context can store one or many +key-value tuples. Contexts can be organized hierarchically. +Spring Cloud Vault allows using the Application name +and a default context name (application) in combination with active +profiles.

/secret/{application}/{profile}
+/secret/{application}
+/secret/{default-context}/{profile}
+/secret/{default-context}

The application name is determined by the properties:

  • spring.cloud.vault.generic.application-name
  • spring.cloud.vault.application-name
  • spring.application.name

Secrets can be obtained from other contexts within the generic backend by adding their +paths to the application name, separated by commas. For example, given the application +name usefulapp,mysql1,projectx/aws, each of these folders will be used:

  • /secret/usefulapp
  • /secret/mysql1
  • /secret/projectx/aws

Spring Cloud Vault adds all active profiles to the list of possible context paths. +No active profiles will skip accessing contexts with a profile name.

Properties are exposed like they are stored (i.e. without additional prefixes).

spring.cloud.vault:
+    generic:
+        enabled: true
+        backend: secret
+        profile-separator: '/'
+        default-context: application
+        application-name: my-app
  • enabled setting this value to false disables the secret backend +config usage
  • backend sets the path of the secret mount to use
  • default-context sets the context name used by all applications
  • application-name overrides the application name for use in the generic backend
  • profile-separator separates the profile name from the context in +property sources with profiles
[Note]Note

The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable generic secret backend usage for non-versioned key-value backends and kv secret backend usage for versioned key-value backends.

See also: Vault Documentation: Using the KV Secrets Engine - Version 1 (generic secret backend)

4.2 Versioned Key-Value Backend

Spring Cloud Vault supports the versioned Key-Value secret +backend. The key-value backend allows storage of arbitrary +values as key-value store. A single context can store one or many +key-value tuples. Contexts can be organized hierarchically. +Spring Cloud Vault allows using the Application name +and a default context name (application) in combination with active +profiles.

/secret/{application}/{profile}
+/secret/{application}
+/secret/{default-context}/{profile}
+/secret/{default-context}

The application name is determined by the properties:

  • spring.cloud.vault.kv.application-name
  • spring.cloud.vault.application-name
  • spring.application.name

Secrets can be obtained from other contexts within the key-value backend by adding their +paths to the application name, separated by commas. For example, given the application +name usefulapp,mysql1,projectx/aws, each of these folders will be used:

  • /secret/usefulapp
  • /secret/mysql1
  • /secret/projectx/aws

Spring Cloud Vault adds all active profiles to the list of possible context paths. +No active profiles will skip accessing contexts with a profile name.

Properties are exposed like they are stored (i.e. without additional prefixes).

[Note]Note

Spring Cloud Vault adds the data/ context between the mount path and the actual context path.

spring.cloud.vault:
+    kv:
+        enabled: true
+        backend: secret
+        profile-separator: '/'
+        default-context: application
+        application-name: my-app
  • enabled setting this value to false disables the secret backend +config usage
  • backend sets the path of the secret mount to use
  • default-context sets the context name used by all applications
  • application-name overrides the application name for use in the generic backend
  • profile-separator separates the profile name from the context in +property sources with profiles
[Note]Note

The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable generic secret backend usage for non-versioned key-value backends and kv secret backend usage for versioned key-value backends.

See also: Vault Documentation: Using the KV Secrets Engine - Version 2 (versioned key-value backend)

4.3 Consul

Spring Cloud Vault can obtain credentials for HashiCorp Consul. +The Consul integration requires the spring-cloud-vault-config-consul +dependency.

Example 4.1. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-consul</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

The integration can be enabled by setting +spring.cloud.vault.consul.enabled=true (default false) and +providing the role name with spring.cloud.vault.consul.role=….

The obtained token is stored in spring.cloud.consul.token +so using Spring Cloud Consul can pick up the generated +credentials without further configuration. You can configure +the property name by setting spring.cloud.vault.consul.token-property.

spring.cloud.vault:
+    consul:
+        enabled: true
+        role: readonly
+        backend: consul
+        token-property: spring.cloud.consul.token
  • enabled setting this value to true enables the Consul backend config usage
  • role sets the role name of the Consul role definition
  • backend sets the path of the Consul mount to use
  • token-property sets the property name in which the Consul ACL token is stored

See also: Vault Documentation: Setting up Consul with Vault

4.4 RabbitMQ

Spring Cloud Vault can obtain credentials for RabbitMQ.

The RabbitMQ integration requires the spring-cloud-vault-config-rabbitmq +dependency.

Example 4.2. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-rabbitmq</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

The integration can be enabled by setting +spring.cloud.vault.rabbitmq.enabled=true (default false) +and providing the role name with spring.cloud.vault.rabbitmq.role=….

Username and password are stored in spring.rabbitmq.username +and spring.rabbitmq.password so using Spring Boot will pick up the generated +credentials without further configuration. You can configure the property names +by setting spring.cloud.vault.rabbitmq.username-property and +spring.cloud.vault.rabbitmq.password-property.

spring.cloud.vault:
+    rabbitmq:
+        enabled: true
+        role: readonly
+        backend: rabbitmq
+        username-property: spring.rabbitmq.username
+        password-property: spring.rabbitmq.password
  • enabled setting this value to true enables the RabbitMQ backend config usage
  • role sets the role name of the RabbitMQ role definition
  • backend sets the path of the RabbitMQ mount to use
  • username-property sets the property name in which the RabbitMQ username is stored
  • password-property sets the property name in which the RabbitMQ password is stored

See also: Vault Documentation: Setting up RabbitMQ with Vault

4.5 AWS

Spring Cloud Vault can obtain credentials for AWS.

The AWS integration requires the spring-cloud-vault-config-aws +dependency.

Example 4.3. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-aws</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

The integration can be enabled by setting +spring.cloud.vault.aws=true (default false) +and providing the role name with spring.cloud.vault.aws.role=….

The access key and secret key are stored in cloud.aws.credentials.accessKey +and cloud.aws.credentials.secretKey so using Spring Cloud AWS will pick up the generated +credentials without further configuration. You can configure the property names +by setting spring.cloud.vault.aws.access-key-property and +spring.cloud.vault.aws.secret-key-property.

spring.cloud.vault:
+    aws:
+        enabled: true
+        role: readonly
+        backend: aws
+        access-key-property: cloud.aws.credentials.accessKey
+        secret-key-property: cloud.aws.credentials.secretKey
  • enabled setting this value to true enables the AWS backend config usage
  • role sets the role name of the AWS role definition
  • backend sets the path of the AWS mount to use
  • access-key-property sets the property name in which the AWS access key is stored
  • secret-key-property sets the property name in which the AWS secret key is stored

See also: Vault Documentation: Setting up AWS with Vault

5. Database backends

Vault supports several database secret backends to generate database +credentials dynamically based on configured roles. This means +services that need to access a database no longer need to configure +credentials: they can request them from Vault, and use Vault’s leasing +mechanism to more easily roll keys.

Spring Cloud Vault integrates with these backends:

Using a database secret backend requires to enable the +backend in the configuration and the spring-cloud-vault-config-databases +dependency.

Vault ships since 0.7.1 with a dedicated database secret backend that allows +database integration via plugins. You can use that specific backend by using the +generic database backend. Make sure to specify the appropriate +backend path, e.g. spring.cloud.vault.mysql.role.backend=database.

Example 5.1. pom.xml

<dependencies>
+    <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-vault-config-databases</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </dependency>
+</dependencies>

[Note]Note

Enabling multiple JDBC-compliant databases will generate credentials +and store them by default in the same property keys hence property names for +JDBC secrets need to be configured separately.

5.1 Database

Spring Cloud Vault can obtain credentials for any database listed at +https://www.vaultproject.io/api/secret/databases/index.html. +The integration can be enabled by setting +spring.cloud.vault.database.enabled=true (default false) and +providing the role name with spring.cloud.vault.database.role=….

While the database backend is a generic one, spring.cloud.vault.database +specifically targets JDBC databases. Username and password are +stored in spring.datasource.username and spring.datasource.password +so using Spring Boot will pick up the generated credentials +for your DataSource without further configuration. +You can configure the property names by setting +spring.cloud.vault.database.username-property and +spring.cloud.vault.database.password-property.

spring.cloud.vault:
+    database:
+        enabled: true
+        role: readonly
+        backend: database
+        username-property: spring.datasource.username
+        password-property: spring.datasource.password
  • enabled setting this value to true enables the Database backend config usage
  • role sets the role name of the Database role definition
  • backend sets the path of the Database mount to use
  • username-property sets the property name in which the Database username is stored
  • password-property sets the property name in which the Database password is stored

See also: Vault Documentation: Database Secrets backend

[Warning]Warning

Spring Cloud Vault does not support getting new credentials and +configuring your DataSource with them when the maximum lease time +has been reached. That is, if max_ttl of the Database role in Vault +is set to 24h that means that 24 hours after your application has +started it can no longer authenticate with the database.

5.2 Apache Cassandra

[Note]Note

The cassandra backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as cassandra.

Spring Cloud Vault can obtain credentials for Apache Cassandra. +The integration can be enabled by setting +spring.cloud.vault.cassandra.enabled=true (default false) and +providing the role name with spring.cloud.vault.cassandra.role=….

Username and password are stored in spring.data.cassandra.username +and spring.data.cassandra.password so using Spring Boot will pick +up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.cassandra.username-property and +spring.cloud.vault.cassandra.password-property.

spring.cloud.vault:
+    cassandra:
+        enabled: true
+        role: readonly
+        backend: cassandra
+        username-property: spring.data.cassandra.username
+        password-property: spring.data.cassandra.password
  • enabled setting this value to true enables the Cassandra backend config usage
  • role sets the role name of the Cassandra role definition
  • backend sets the path of the Cassandra mount to use
  • username-property sets the property name in which the Cassandra username is stored
  • password-property sets the property name in which the Cassandra password is stored

See also: Vault Documentation: Setting up Apache Cassandra with Vault

5.3 MongoDB

[Note]Note

The mongodb backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as mongodb.

Spring Cloud Vault can obtain credentials for MongoDB. +The integration can be enabled by setting +spring.cloud.vault.mongodb.enabled=true (default false) and +providing the role name with spring.cloud.vault.mongodb.role=….

Username and password are stored in spring.data.mongodb.username +and spring.data.mongodb.password so using Spring Boot will +pick up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.mongodb.username-property and +spring.cloud.vault.mongodb.password-property.

spring.cloud.vault:
+    mongodb:
+        enabled: true
+        role: readonly
+        backend: mongodb
+        username-property: spring.data.mongodb.username
+        password-property: spring.data.mongodb.password
  • enabled setting this value to true enables the MongodB backend config usage
  • role sets the role name of the MongoDB role definition
  • backend sets the path of the MongoDB mount to use
  • username-property sets the property name in which the MongoDB username is stored
  • password-property sets the property name in which the MongoDB password is stored

See also: Vault Documentation: Setting up MongoDB with Vault

5.4 MySQL

[Note]Note

The mysql backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as mysql. +Configuration for spring.cloud.vault.mysql will be removed in a future version.

Spring Cloud Vault can obtain credentials for MySQL. +The integration can be enabled by setting +spring.cloud.vault.mysql.enabled=true (default false) and +providing the role name with spring.cloud.vault.mysql.role=….

Username and password are stored in spring.datasource.username +and spring.datasource.password so using Spring Boot will +pick up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.mysql.username-property and +spring.cloud.vault.mysql.password-property.

spring.cloud.vault:
+    mysql:
+        enabled: true
+        role: readonly
+        backend: mysql
+        username-property: spring.datasource.username
+        password-property: spring.datasource.password
  • enabled setting this value to true enables the MySQL backend config usage
  • role sets the role name of the MySQL role definition
  • backend sets the path of the MySQL mount to use
  • username-property sets the property name in which the MySQL username is stored
  • password-property sets the property name in which the MySQL password is stored

See also: Vault Documentation: Setting up MySQL with Vault

5.5 PostgreSQL

[Note]Note

The postgresql backend has been deprecated in Vault 0.7.1 and +it is recommended to use the database backend and mount it as postgresql. +Configuration for spring.cloud.vault.postgresql will be removed in a future version.

Spring Cloud Vault can obtain credentials for PostgreSQL. +The integration can be enabled by setting +spring.cloud.vault.postgresql.enabled=true (default false) and +providing the role name with spring.cloud.vault.postgresql.role=….

Username and password are stored in spring.datasource.username +and spring.datasource.password so using Spring Boot will +pick up the generated credentials without further configuration. +You can configure the property names by setting +spring.cloud.vault.postgresql.username-property and +spring.cloud.vault.postgresql.password-property.

spring.cloud.vault:
+    postgresql:
+        enabled: true
+        role: readonly
+        backend: postgresql
+        username-property: spring.datasource.username
+        password-property: spring.datasource.password
  • enabled setting this value to true enables the PostgreSQL backend config usage
  • role sets the role name of the PostgreSQL role definition
  • backend sets the path of the PostgreSQL mount to use
  • username-property sets the property name in which the PostgreSQL username is stored
  • password-property sets the property name in which the PostgreSQL password is stored

See also: Vault Documentation: Setting up PostgreSQL with Vault

6. Configure PropertySourceLocator behavior

Spring Cloud Vault uses property-based configuration to create PropertySources +for generic and discovered secret backends.

Discovered backends provide VaultSecretBackendDescriptor beans to describe the configuration +state to use secret backend as PropertySource. A SecretBackendMetadataFactory is required +to create a SecretBackendMetadata object which contains path, name and property transformation +configuration.

SecretBackendMetadata is used to back a particular PropertySource.

You can register an arbitrary number of beans implementing VaultConfigurer for customization. +Default generic and discovered backend registration is disabled if Spring Cloud Vault discovers +at least one VaultConfigurer bean. You can however enable default registration with +SecretBackendConfigurer.registerDefaultGenericSecretBackends() and SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends().

public class CustomizationBean implements VaultConfigurer {
+
+    @Override
+    public void addSecretBackends(SecretBackendConfigurer configurer) {
+
+        configurer.add("secret/my-application");
+
+        configurer.registerDefaultGenericSecretBackends(false);
+        configurer.registerDefaultDiscoveredSecretBackends(true);
+    }
+}
[Note]Note

All customization is required to happen in the bootstrap context. Add your configuration +classes to META-INF/spring.factories at org.springframework.cloud.bootstrap.BootstrapConfiguration +in your application.

7. Service Registry Configuration

You can use a DiscoveryClient (such as from Spring Cloud Consul) to locate +a Vault server by setting spring.cloud.vault.discovery.enabled=true (default false). +The net result of that is that your apps need a bootstrap.yml (or an environment variable) +with the appropriate discovery configuration. +The benefit is that the Vault can change its co-ordinates, as long as the discovery service +is a fixed point. The default service id is vault but you can change that on the client with +spring.cloud.vault.discovery.serviceId.

The discovery client implementations all support some kind of metadata map +(e.g. for Eureka we have eureka.instance.metadataMap). Some additional properties of the service +may need to be configured in its service registration metadata so that clients can connect +correctly. Service registries that do not provide details about transport layer security +need to provide a scheme metadata entry to be set either to https or http. +If no scheme is configured and the service is not exposed as secure service, then +configuration defaults to spring.cloud.vault.scheme which is https when it’s not set.

spring.cloud.vault.discovery:
+    enabled: true
+    service-id: my-vault-service

8. Vault Client Fail Fast

In some cases, it may be desirable to fail startup of a service if +it cannot connect to the Vault Server. If this is the desired +behavior, set the bootstrap configuration property +spring.cloud.vault.fail-fast=true and the client will halt with +an Exception.

spring.cloud.vault:
+    fail-fast: true

9. Vault Client SSL configuration

SSL can be configured declaratively by setting various properties. +You can set either javax.net.ssl.trustStore to configure +JVM-wide SSL settings or spring.cloud.vault.ssl.trust-store +to set SSL settings only for Spring Cloud Vault Config.

spring.cloud.vault:
+    ssl:
+        trust-store: classpath:keystore.jks
+        trust-store-password: changeit
  • trust-store sets the resource for the trust-store. SSL-secured Vault +communication will validate the Vault SSL certificate with the specified +trust-store.
  • trust-store-password sets the trust-store password

Please note that configuring spring.cloud.vault.ssl.* can be only +applied when either Apache Http Components or the OkHttp client +is on your class-path.

10. Lease lifecycle management (renewal and revocation)

With every secret, Vault creates a lease: +metadata containing information such as a time duration, +renewability, and more.

Vault promises that the data will be valid for the given duration, +or Time To Live (TTL). Once the lease is expired, Vault can +revoke the data, and the consumer of the secret can no longer +be certain that it is valid.

Spring Cloud Vault maintains a lease lifecycle beyond +the creation of login tokens and secrets. That said, +login tokens and secrets associated with a lease +are scheduled for renewal just before the lease expires +until terminal expiry. +Application shutdown revokes obtained login tokens and renewable +leases.

Secret service and database backends (such as MongoDB or MySQL) +usually generate a renewable lease so generated credentials will +be disabled on application shutdown.

[Note]Note

Static tokens are not renewed or revoked.

Lease renewal and revocation is enabled by default and can +be disabled by setting spring.cloud.vault.config.lifecycle.enabled +to false. This is not recommended as leases can expire and +Spring Cloud Vault cannot longer access Vault or services +using generated credentials and valid credentials remain active +after application shutdown.

spring.cloud.vault:
+    config.lifecycle.enabled: true

See also: Vault Documentation: Lease, Renew, and Revoke

\ No newline at end of file diff --git a/spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.html b/spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.html new file mode 100644 index 00000000..4743b3c2 --- /dev/null +++ b/spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.html @@ -0,0 +1,117 @@ + + + + + + + +spring-cloud-vault + + + + + + + + +
+
+
+
+

2.1.3.RELEASE

+
+
+
+
+

Pick The Documentation Option

+
+
+ +
+
+
+
+ + + + + \ No newline at end of file diff --git a/spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.xml b/spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.xml new file mode 100644 index 00000000..5ef453a3 --- /dev/null +++ b/spring-cloud-vault/2.1.3.RELEASE/spring-cloud-vault.xml 
@@ -0,0 +1,1621 @@ + + + + + +Spring Cloud Vault +2019-09-10 + + + +© 2016-2019 The original authors. + +Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically. + +Spring Cloud Vault Config provides client-side support for externalized configuration in a distributed system. With HashiCorp’s Vault you have a central place to manage external secret properties for applications across all environments. Vault can manage static and dynamic secrets such as username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, MongoDB, Consul, AWS and more. + + +Quick Start +Prerequisites +To get started with Vault and this guide you need a +*NIX-like operating systems that provides: + + +wget, openssl and unzip + + +at least Java 7 and a properly configured JAVA_HOME environment variable + + +Install Vault +$ src/test/bash/install_vault.sh +Create SSL certificates for Vault +$ src/test/bash/create_certificates.sh + +create_certificates.sh creates certificates in work/ca and a JKS truststore work/keystore.jks. If you want to run Spring Cloud Vault using this quickstart guide you need to configure the truststore the spring.cloud.vault.ssl.trust-store property to file:work/keystore.jks. + +Start Vault server +$ src/test/bash/local_run_vault.sh +Vault is started listening on 0.0.0.0:8200 using the inmem storage and +https. +Vault is sealed and not initialized when starting up. + +If you want to run tests, leave Vault uninitialized. The tests will +initialize Vault and create a root token 00000000-0000-0000-0000-000000000000. + +If you want to use Vault for your application or give it a try then you need to initialize it first. 
+$ export VAULT_ADDR="https://localhost:8200" +$ export VAULT_SKIP_VERIFY=true # Don't do this for production +$ vault init +You should see something like: +Key 1: 7149c6a2e16b8833f6eb1e76df03e47f6113a3288b3093faf5033d44f0e70fe701 +Key 2: 901c534c7988c18c20435a85213c683bdcf0efcd82e38e2893779f152978c18c02 +Key 3: 03ff3948575b1165a20c20ee7c3e6edf04f4cdbe0e82dbff5be49c63f98bc03a03 +Key 4: 216ae5cc3ddaf93ceb8e1d15bb9fc3176653f5b738f5f3d1ee00cd7dccbe926e04 +Key 5: b2898fc8130929d569c1677ee69dc5f3be57d7c4b494a6062693ce0b1c4d93d805 +Initial Root Token: 19aefa97-cccc-bbbb-aaaa-225940e63d76 + +Vault initialized with 5 keys and a key threshold of 3. Please +securely distribute the above keys. When the Vault is re-sealed, +restarted, or stopped, you must provide at least 3 of these keys +to unseal it again. + +Vault does not store the master key. Without at least 3 keys, +your Vault will remain permanently sealed. +Vault will initialize and return a set of unsealing keys and the root token. +Pick 3 keys and unseal Vault. Store the Vault token in the VAULT_TOKEN + environment variable. +$ vault unseal (Key 1) +$ vault unseal (Key 2) +$ vault unseal (Key 3) +$ export VAULT_TOKEN=(Root token) +# Required to run Spring Cloud Vault tests after manual initialization +$ vault token-create -id="00000000-0000-0000-0000-000000000000" -policy="root" +Spring Cloud Vault accesses different resources. By default, the secret +backend is enabled which accesses secret config settings via JSON endpoints. +The HTTP service has resources in the form: +/secret/{application}/{profile} +/secret/{application} +/secret/{defaultContext}/{profile} +/secret/{defaultContext} +where the "application" is injected as the spring.application.name in the +SpringApplication (i.e. what is normally "application" in a regular +Spring Boot app), "profile" is an active profile (or comma-separated +list of properties). 
Properties retrieved from Vault will be used "as-is" +without further prefixing of the property names. + + +Client Side Usage +To use these features in an application, just build it as a Spring +Boot application that depends on spring-cloud-vault-config (e.g. see +the test cases). Example Maven configuration: + +pom.xml +<parent> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-parent</artifactId> + <version>2.0.0.RELEASE</version> + <relativePath /> <!-- lookup parent from repository --> +</parent> + +<dependencies> + <dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-starter-vault-config</artifactId> + <version>2.1.3.RELEASE</version> + </dependency> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-test</artifactId> + <scope>test</scope> + </dependency> +</dependencies> + +<build> + <plugins> + <plugin> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-maven-plugin</artifactId> + </plugin> + </plugins> +</build> + +<!-- repositories also needed for snapshots and milestones --> + +Then you can create a standard Spring Boot application, like this simple HTTP server: + +@SpringBootApplication +@RestController +public class Application { + + @RequestMapping("/") + public String home() { + return "Hello World!"; + } + + public static void main(String[] args) { + SpringApplication.run(Application.class, args); + } +} + +When it runs it will pick up the external configuration from the +default local Vault server on port 8200 if it is running. To modify +the startup behavior you can change the location of the Vault server +using bootstrap.properties (like application.properties but for +the bootstrap phase of an application context), e.g. 
+ +bootstrap.yml +spring.cloud.vault: + host: localhost + port: 8200 + scheme: https + uri: https://localhost:8200 + connection-timeout: 5000 + read-timeout: 15000 + config: + order: -10 + + + +host sets the hostname of the Vault host. The host name will be used +for SSL certificate validation + + +port sets the Vault port + + +scheme setting the scheme to http will use plain HTTP. +Supported schemes are http and https. + + +uri configure the Vault endpoint with an URI. Takes precedence over host/port/scheme configuration + + +connection-timeout sets the connection timeout in milliseconds + + +read-timeout sets the read timeout in milliseconds + + +config.order sets the order for the property source + + +Enabling further integrations requires additional dependencies and +configuration. Depending on how you have set up Vault you might need +additional configuration like +SSL and +authentication. +If the application imports the spring-boot-starter-actuator project, the +status of the vault server will be available via the /health endpoint. +The vault health indicator can be enabled or disabled through the property management.health.vault.enabled (default to true). +
+Authentication +Vault requires an authentication mechanism to authorize client requests. +Spring Cloud Vault supports multiple authentication mechanisms to authenticate applications with Vault. +For a quickstart, use the root token printed by the Vault initialization. + +bootstrap.yml +spring.cloud.vault: + token: 19aefa97-cccc-bbbb-aaaa-225940e63d76 + + +Consider carefully your security requirements. Static token authentication is fine if you want quickly get started with Vault, but a static token is not protected any further. Any disclosure to unintended parties allows Vault use with the associated token roles. + +
+
+ +Authentication methods +Different organizations have different requirements for security +and authentication. Vault reflects that need by shipping multiple authentication +methods. Spring Cloud Vault supports token and AppId authentication. +
+Token authentication +Tokens are the core method for authentication within Vault. +Token authentication requires a static token to be provided using the +Bootstrap Application Context. + +Token authentication is the default authentication method. +If a token is disclosed an unintended party gains access to Vault and +can access secrets for the intended client. + + +bootstrap.yml +spring.cloud.vault: + authentication: TOKEN + token: 00000000-0000-0000-0000-000000000000 + + + +authentication setting this value to TOKEN selects the Token +authentication method + + +token sets the static token to use + + +See also: Vault Documentation: Tokens +
+
+AppId authentication +Vault supports AppId +authentication that consists of two hard to guess tokens. The AppId +defaults to spring.application.name that is statically configured. +The second token is the UserId which is a part determined by the application, +usually related to the runtime environment. IP address, Mac address or a +Docker container name are good examples. Spring Cloud Vault Config supports +IP address, Mac address and static UserId’s (e.g. supplied via System properties). +The IP and Mac address are represented as Hex-encoded SHA256 hash. +IP address-based UserId’s use the local host’s IP address. + +bootstrap.yml using SHA256 IP-Address UserId’s +spring.cloud.vault: + authentication: APPID + app-id: + user-id: IP_ADDRESS + + + +authentication setting this value to APPID selects the AppId +authentication method + + +app-id-path sets the path of the AppId mount to use + + +user-id sets the UserId method. Possible values are IP_ADDRESS, +MAC_ADDRESS or a class name implementing a custom AppIdUserIdMechanism + + +The corresponding command to generate the IP address UserId from a command line is: +$ echo -n 192.168.99.1 | sha256sum + +Including the line break of echo leads to a different hash value +so make sure to include the -n flag. + +Mac address-based UserId’s obtain their network device from the +localhost-bound device. The configuration also allows specifying +a network-interface hint to pick the right device. The value of +network-interface is optional and can be either an interface +name or interface index (0-based). + +bootstrap.yml using SHA256 Mac-Address UserId’s +spring.cloud.vault: + authentication: APPID + app-id: + user-id: MAC_ADDRESS + network-interface: eth0 + + + +network-interface sets network interface to obtain the physical address + + +The corresponding command to generate the IP address UserId from a command line is: +$ echo -n 0AFEDE1234AC | sha256sum + +The Mac address is specified uppercase and without colons. 
+Including the line break of echo leads to a different hash value +so make sure to include the -n flag. + +
+Custom UserId +The UserId generation is an open mechanism. You can set +spring.cloud.vault.app-id.user-id to any string and the configured +value will be used as static UserId. +A more advanced approach lets you set spring.cloud.vault.app-id.user-id to a +classname. This class must be on your classpath and must implement +the org.springframework.cloud.vault.AppIdUserIdMechanism interface +and the createUserId method. Spring Cloud Vault will obtain the UserId +by calling createUserId each time it authenticates using AppId to +obtain a token. + +bootstrap.yml +spring.cloud.vault: + authentication: APPID + app-id: + user-id: com.examlple.MyUserIdMechanism + + +MyUserIdMechanism.java +public class MyUserIdMechanism implements AppIdUserIdMechanism { + + @Override + public String createUserId() { + String userId = ... + return userId; + } +} + +See also: Vault Documentation: Using the App ID auth backend +
+
+
+AppRole authentication +AppRole is intended for machine +authentication, like the deprecated (since Vault 0.6.1) . +AppRole authentication consists of two hard to guess (secret) tokens: RoleId and SecretId. +Spring Vault supports various AppRole scenarios (push/pull mode and wrapped). +RoleId and optionally SecretId must be provided by configuration, +Spring Vault will not look up these or create a custom SecretId. + +bootstrap.yml with AppRole authentication properties +spring.cloud.vault: + authentication: APPROLE + app-role: + role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52 + +The following scenarios are supported along the required configuration details: + +Configuration + + + + + + + + +Method +RoleId +SecretId +RoleName +Token + + +Provided RoleId/SecretId +Provided +Provided + + + + +Provided RoleId without SecretId +Provided + + + + + +Provided RoleId, Pull SecretId +Provided +Provided +Provided +Provided + + +Pull RoleId, provided SecretId + +Provided +Provided +Provided + + +Full Pull Mode + + +Provided +Provided + + +Wrapped + + + +Provided + + +Wrapped RoleId, provided SecretId +Provided + + +Provided + + +Provided RoleId, wrapped SecretId + +Provided + +Provided + + + +
+ +Pull/Push/Wrapped Matrix + + + + + + +RoleId +SecretId +Supported + + +Provided +Provided + + + +Provided +Pull + + + +Provided +Wrapped + + + +Provided +Absent + + + +Pull +Provided + + + +Pull +Pull + + + +Pull +Wrapped + + + +Pull +Absent + + + +Wrapped +Provided + + + +Wrapped +Pull + + + +Wrapped +Wrapped + + + +Wrapped +Absent + + + + +
+ +You can use still all combinations of push/pull/wrapped modes by providing a configured AppRoleAuthentication bean within the bootstrap context. Spring Cloud Vault cannot derive all possible AppRole combinations from the configuration properties. + + +AppRole authentication is limited to simple pull mode using reactive infrastructure. Full pull mode is not yet supported. Using Spring Cloud Vault with the Spring WebFlux stack enables Vault’s reactive auto-configuration which can be disabled by setting spring.cloud.vault.reactive.enabled=false. + + +bootstrap.yml with all AppRole authentication properties +spring.cloud.vault: + authentication: APPROLE + app-role: + role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52 + secret-id: 1696536f-1976-73b1-b241-0b4213908d39 + role: my-role + app-role-path: approle + + + +role-id sets the RoleId. + + +secret-id sets the SecretId. SecretId can be omitted if AppRole is configured without requiring SecretId (See bind_secret_id). + + +role: sets the AppRole name for pull mode. + + +app-role-path sets the path of the approle authentication mount to use. + + +See also: Vault Documentation: Using the AppRole auth backend +
+
+AWS-EC2 authentication +The aws-ec2 +auth backend provides a secure introduction mechanism +for AWS EC2 instances, allowing automated retrieval of a Vault +token. Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats AWS as a Trusted Third Party and uses the +cryptographically signed dynamic metadata information that uniquely +represents each EC2 instance. + +bootstrap.yml using AWS-EC2 Authentication +spring.cloud.vault: + authentication: AWS_EC2 + +AWS-EC2 authentication enables nonce by default to follow +the Trust On First Use (TOFU) principle. Any unintended party that +gains access to the PKCS#7 identity metadata can authenticate +against Vault. +During the first login, Spring Cloud Vault generates a nonce +that is stored in the auth backend aside the instance Id. +Re-authentication requires the same nonce to be sent. Any other +party does not have the nonce and can raise an alert in Vault for +further investigation. +The nonce is kept in memory and is lost during application restart. +You can configure a static nonce with spring.cloud.vault.aws-ec2.nonce. +AWS-EC2 authentication roles are optional and default to the AMI. +You can configure the authentication role by setting the +spring.cloud.vault.aws-ec2.role property. + +bootstrap.yml with configured role +spring.cloud.vault: + authentication: AWS_EC2 + aws-ec2: + role: application-server + + +bootstrap.yml with all AWS EC2 authentication properties +spring.cloud.vault: + authentication: AWS_EC2 + aws-ec2: + role: application-server + aws-ec2-path: aws-ec2 + identity-document: http://... + nonce: my-static-nonce + + + +authentication setting this value to AWS_EC2 selects the AWS EC2 +authentication method + + +role sets the name of the role against which the login is being attempted. 
+ + +aws-ec2-path sets the path of the AWS EC2 mount to use + + +identity-document sets URL of the PKCS#7 AWS EC2 identity document + + +nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation + + +See also: Vault Documentation: Using the aws auth backend +
+
+AWS-IAM authentication +The aws backend provides a secure +authentication mechanism for AWS IAM roles, allowing the automatic authentication with +vault based on the current IAM role of the running application. + Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats AWS as a Trusted Third Party and uses the +4 pieces of information signed by the caller with their IAM credentials + to verify that the caller is indeed using that IAM role. +The current IAM role the application is running in is automatically calculated. +If you are running your application on AWS ECS then the application +will use the IAM role assigned to the ECS task of the running container. +If you are running your application naked on top of an EC2 instance then +the IAM role used will be the one assigned to the EC2 instance. +When using the AWS-IAM authentication you must create a role in Vault +and assign it to your IAM role. An empty role defaults to +the friendly name the current IAM role. + +bootstrap.yml with required AWS-IAM Authentication properties +spring.cloud.vault: + authentication: AWS_IAM + + +bootstrap.yml with all AWS-IAM Authentication properties +spring.cloud.vault: + authentication: AWS_IAM + aws-iam: + role: my-dev-role + aws-path: aws + server-id: some.server.name + + + +role sets the name of the role against which the login is being attempted. This should be bound to your IAM role. If one is not supplied then the friendly name of the current IAM user will be used as the vault role. + + +aws-path sets the path of the AWS mount to use + + +server-id sets the value to use for the X-Vault-AWS-IAM-Server-ID header preventing certain types of replay attacks. 
+ + +AWS-IAM requires the AWS Java SDK dependency (com.amazonaws:aws-java-sdk-core) +as the authentication implementation uses AWS SDK types for credentials and request signing. +See also: Vault Documentation: Using the aws auth backend +
+
+Azure MSI authentication +The azure +auth backend provides a secure introduction mechanism +for Azure VM instances, allowing automated retrieval of a Vault +token. Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats Azure as a Trusted Third Party and uses the +managed service identity and instance metadata information that can be +bound to a VM instance. + +bootstrap.yml with required Azure Authentication properties +spring.cloud.vault: + authentication: AZURE_MSI + azure-msi: + role: my-dev-role + + +bootstrap.yml with all Azure Authentication properties +spring.cloud.vault: + authentication: AZURE_MSI + azure-msi: + role: my-dev-role + azure-path: aws + + + +role sets the name of the role against which the login is being attempted. + + +azure-path sets the path of the Azure mount to use + + +Azure MSI authentication fetches environmental details about the virtual machine +(subscription Id, resource group, VM name) from the instance metadata service. +See also: Vault Documentation: Using the azure auth backend +
+
+TLS certificate authentication +The cert auth backend allows authentication using SSL/TLS client +certificates that are either signed by a CA or self-signed. +To enable cert authentication you need to: + + +Use SSL, see + + +Configure a Java Keystore that contains the client +certificate and the private key + + +Set the spring.cloud.vault.authentication to CERT + + + +bootstrap.yml +spring.cloud.vault: + authentication: CERT + ssl: + key-store: classpath:keystore.jks + key-store-password: changeit + cert-auth-path: cert + +See also: Vault Documentation: Using the Cert auth backend +
+
+Cubbyhole authentication +Cubbyhole authentication uses Vault primitives to provide a secured authentication +workflow. Cubbyhole authentication uses tokens as primary login method. +An ephemeral token is used to obtain a second, login VaultToken from Vault’s +Cubbyhole secret backend. The login token is usually longer-lived and used to +interact with Vault. The login token will be retrieved from a wrapped +response stored at /cubbyhole/response. +Creating a wrapped token + +Response Wrapping for token creation requires Vault 0.6.0 or higher. + + +Creating and storing tokens +$ vault token-create -wrap-ttl="10m" +Key Value +--- ----- +wrapping_token: 397ccb93-ff6c-b17b-9389-380b01ca2645 +wrapping_token_ttl: 0h10m0s +wrapping_token_creation_time: 2016-09-18 20:29:48.652957077 +0200 CEST +wrapped_accessor: 46b6aebb-187f-932a-26d7-4f3d86a68319 + + +bootstrap.yml +spring.cloud.vault: + authentication: CUBBYHOLE + token: 397ccb93-ff6c-b17b-9389-380b01ca2645 + +See also: + + +Vault Documentation: Tokens + + +Vault Documentation: Cubbyhole Secret Backend + + +Vault Documentation: Response Wrapping + + +
+
+GCP-GCE authentication +The gcp +auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials. +GCP GCE (Google Compute Engine) authentication creates a signature in the form of a +JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance +is obtained from the GCE metadata service using Instance identification. +This API creates a JSON Web Token that can be used to confirm the instance identity. +Unlike most Vault authentication backends, this backend +does not require first-deploying, or provisioning security-sensitive +credentials (tokens, username/password, client certificates, etc.). +Instead, it treats GCP as a Trusted Third Party and uses the +cryptographically signed dynamic metadata information that uniquely +represents each GCP service account. + +bootstrap.yml with required GCP-GCE Authentication properties +spring.cloud.vault: + authentication: GCP_GCE + gcp-gce: + role: my-dev-role + + +bootstrap.yml with all GCP-GCE Authentication properties +spring.cloud.vault: + authentication: GCP_GCE + gcp-gce: + gcp-path: gcp + role: my-dev-role + service-account: my-service@projectid.iam.gserviceaccount.com + + + +role sets the name of the role against which the login is being attempted. + + +gcp-path sets the path of the GCP mount to use + + +service-account allows overriding the service account Id to a specific value. Defaults to the default service account. + + +See also: + + +Vault Documentation: Using the GCP auth backend + + +GCP Documentation: Verifying the Identity of Instances + + +
+
+GCP-IAM authentication +The gcp +auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials. +GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT) +for a service account. A JWT for a service account is obtained by +calling GCP IAM’s projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM +and proves thereby its identity. This Vault backend treats GCP as a Trusted Third Party. +IAM credentials can be obtained from either the runtime environment +, specifically the GOOGLE_APPLICATION_CREDENTIALS +environment variable, the Google Compute metadata service, +or supplied externally as e.g. JSON or base64 encoded. +JSON is the preferred form as it carries the project id and +service account identifier required for calling projects.serviceAccounts.signJwt. + +bootstrap.yml with required GCP-IAM Authentication properties +spring.cloud.vault: + authentication: GCP_IAM + gcp-iam: + role: my-dev-role + + +bootstrap.yml with all GCP-IAM Authentication properties +spring.cloud.vault: + authentication: GCP_IAM + gcp-iam: + credentials: + location: classpath:credentials.json + encoded-key: e+KApn0= + gcp-path: gcp + jwt-validity: 15m + project-id: my-project-id + role: my-dev-role + service-account: my-service@projectid.iam.gserviceaccount.com + + + +role sets the name of the role against which the login is being attempted. + + +credentials.location path to the credentials resource that contains Google credentials in JSON format. + + +credentials.encoded-key the base64 encoded contents of an OAuth2 account private key in the JSON format. + + +gcp-path sets the path of the GCP mount to use + + +jwt-validity configures the JWT token validity. Defaults to 15 minutes. + + +project-id allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential. + + +service-account allows overriding the service account Id to a specific value. 
Defaults to the service account from the obtained credential. + + +GCP IAM authentication requires the Google Cloud Java SDK dependency +(com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http) +as the authentication implementation uses Google APIs for credentials and JWT signing. + +Google credentials require an OAuth 2 token maintaining the token lifecycle. All API +is synchronous therefore, GcpIamAuthentication does not support AuthenticationSteps which is +required for reactive usage. + +See also: + + +Vault Documentation: Using the GCP auth backend + + +GCP Documentation: projects.serviceAccounts.signJwt + + +
+
+Kubernetes authentication +Kubernetes authentication mechanism (since Vault 0.8.3) allows to authenticate with Vault using a Kubernetes Service Account Token. +The authentication is role based and the role is bound to a service account name and a namespace. +A file containing a JWT token for a pod’s service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. + +bootstrap.yml with all Kubernetes authentication properties +spring.cloud.vault: + authentication: KUBERNETES + kubernetes: + role: my-dev-role + kubernetes-path: kubernetes + service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token + + + +role sets the Role. + + +kubernetes-path sets the path of the Kubernetes mount to use. + + +service-account-token-file sets the location of the file containing the Kubernetes Service Account Token. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token. + + +See also: + + +Vault Documentation: Kubernetes + + +Kubernetes Documentation: Configure Service Accounts for Pods + + +
+
+ +Secret Backends +
+Generic Backend +Spring Cloud Vault supports at the basic level the generic secret +backend. The generic secret backend allows storage of arbitrary +values as key-value store. A single context can store one or many +key-value tuples. Contexts can be organized hierarchically. +Spring Cloud Vault allows using the Application name +and a default context name (application) in combination with active +profiles. +/secret/{application}/{profile} +/secret/{application} +/secret/{default-context}/{profile} +/secret/{default-context} +The application name is determined by the properties: + + +spring.cloud.vault.generic.application-name + + +spring.cloud.vault.application-name + + +spring.application.name + + +Secrets can be obtained from other contexts within the generic backend by adding their +paths to the application name, separated by commas. For example, given the application +name usefulapp,mysql1,projectx/aws, each of these folders will be used: + + +/secret/usefulapp + + +/secret/mysql1 + + +/secret/projectx/aws + + +Spring Cloud Vault adds all active profiles to the list of possible context paths. +No active profiles will skip accessing contexts with a profile name. +Properties are exposed like they are stored (i.e. without additional prefixes). + +spring.cloud.vault: + generic: + enabled: true + backend: secret + profile-separator: '/' + default-context: application + application-name: my-app + + + +enabled setting this value to false disables the secret backend +config usage + + +backend sets the path of the secret mount to use + + +default-context sets the context name used by all applications + + +application-name overrides the application name for use in the generic backend + + +profile-separator separates the profile name from the context in +property sources with profiles + + + +The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. 
Make sure to enable generic secret backend usage for non-versioned key-value backends and kv secret backend usage for versioned key-value backends. + +See also: Vault Documentation: Using the KV Secrets Engine - Version 1 (generic secret backend) +
+
+Versioned Key-Value Backend +Spring Cloud Vault supports the versioned Key-Value secret +backend. The key-value backend allows storage of arbitrary +values as key-value store. A single context can store one or many +key-value tuples. Contexts can be organized hierarchically. +Spring Cloud Vault allows using the Application name +and a default context name (application) in combination with active +profiles. +/secret/{application}/{profile} +/secret/{application} +/secret/{default-context}/{profile} +/secret/{default-context} +The application name is determined by the properties: + + +spring.cloud.vault.kv.application-name + + +spring.cloud.vault.application-name + + +spring.application.name + + +Secrets can be obtained from other contexts within the key-value backend by adding their +paths to the application name, separated by commas. For example, given the application +name usefulapp,mysql1,projectx/aws, each of these folders will be used: + + +/secret/usefulapp + + +/secret/mysql1 + + +/secret/projectx/aws + + +Spring Cloud Vault adds all active profiles to the list of possible context paths. +No active profiles will skip accessing contexts with a profile name. +Properties are exposed like they are stored (i.e. without additional prefixes). + +Spring Cloud Vault adds the data/ context between the mount path and the actual context path. 
+ + +spring.cloud.vault: + kv: + enabled: true + backend: secret + profile-separator: '/' + default-context: application + application-name: my-app + + + +enabled setting this value to false disables the secret backend +config usage + + +backend sets the path of the secret mount to use + + +default-context sets the context name used by all applications + + +application-name overrides the application name for use in the generic backend + + +profile-separator separates the profile name from the context in +property sources with profiles + + + +The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable generic secret backend usage for non-versioned key-value backends and kv secret backend usage for versioned key-value backends. + +See also: Vault Documentation: Using the KV Secrets Engine - Version 2 (versioned key-value backend) +
+
+Consul +Spring Cloud Vault can obtain credentials for HashiCorp Consul. +The Consul integration requires the spring-cloud-vault-config-consul +dependency. + +pom.xml +<dependencies> + <dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-vault-config-consul</artifactId> + <version>2.1.3.RELEASE</version> + </dependency> +</dependencies> + +The integration can be enabled by setting +spring.cloud.vault.consul.enabled=true (default false) and +providing the role name with spring.cloud.vault.consul.role=…. +The obtained token is stored in spring.cloud.consul.token +so using Spring Cloud Consul can pick up the generated +credentials without further configuration. You can configure +the property name by setting spring.cloud.vault.consul.token-property. + +spring.cloud.vault: + consul: + enabled: true + role: readonly + backend: consul + token-property: spring.cloud.consul.token + + + +enabled setting this value to true enables the Consul backend config usage + + +role sets the role name of the Consul role definition + + +backend sets the path of the Consul mount to use + + +token-property sets the property name in which the Consul ACL token is stored + + +See also: Vault Documentation: Setting up Consul with Vault +
+
+RabbitMQ
+Spring Cloud Vault can obtain credentials for RabbitMQ.
+The RabbitMQ integration requires the spring-cloud-vault-config-rabbitmq
+dependency.
+
+pom.xml
+<dependencies>
+ <dependency>
+ <groupId>org.springframework.cloud</groupId>
+ <artifactId>spring-cloud-vault-config-rabbitmq</artifactId>
+ <version>2.1.3.RELEASE</version>
+ </dependency>
+</dependencies>
+
+The integration can be enabled by setting
+spring.cloud.vault.rabbitmq.enabled=true (default false)
+and providing the role name with spring.cloud.vault.rabbitmq.role=….
+Username and password are stored in spring.rabbitmq.username
+and spring.rabbitmq.password so using Spring Boot will pick up the generated
+credentials without further configuration. You can configure the property names
+by setting spring.cloud.vault.rabbitmq.username-property and
+spring.cloud.vault.rabbitmq.password-property.
+
+spring.cloud.vault:
+ rabbitmq:
+ enabled: true
+ role: readonly
+ backend: rabbitmq
+ username-property: spring.rabbitmq.username
+ password-property: spring.rabbitmq.password
+
+
+
+enabled setting this value to true enables the RabbitMQ backend config usage
+
+
+role sets the role name of the RabbitMQ role definition
+
+
+backend sets the path of the RabbitMQ mount to use
+
+
+username-property sets the property name in which the RabbitMQ username is stored
+
+
+password-property sets the property name in which the RabbitMQ password is stored
+
+
+See also: Vault Documentation: Setting up RabbitMQ with Vault
+
+
+AWS
+Spring Cloud Vault can obtain credentials for AWS.
+The AWS integration requires the spring-cloud-vault-config-aws
+dependency.
+
+pom.xml
+<dependencies>
+ <dependency>
+ <groupId>org.springframework.cloud</groupId>
+ <artifactId>spring-cloud-vault-config-aws</artifactId>
+ <version>2.1.3.RELEASE</version>
+ </dependency>
+</dependencies>
+
+The integration can be enabled by setting
+spring.cloud.vault.aws=true (default false)
+and providing the role name with spring.cloud.vault.aws.role=….
+The access key and secret key are stored in cloud.aws.credentials.accessKey
+and cloud.aws.credentials.secretKey so using Spring Cloud AWS will pick up the generated
+credentials without further configuration. You can configure the property names
+by setting spring.cloud.vault.aws.access-key-property and
+spring.cloud.vault.aws.secret-key-property.
+
+spring.cloud.vault:
+ aws:
+ enabled: true
+ role: readonly
+ backend: aws
+ access-key-property: cloud.aws.credentials.accessKey
+ secret-key-property: cloud.aws.credentials.secretKey
+
+
+
+enabled setting this value to true enables the AWS backend config usage
+
+
+role sets the role name of the AWS role definition
+
+
+backend sets the path of the AWS mount to use
+
+
+access-key-property sets the property name in which the AWS access key is stored
+
+
+secret-key-property sets the property name in which the AWS secret key is stored
+
+
+See also: Vault Documentation: Setting up AWS with Vault
+
+
+
+Database backends
+Vault supports several database secret backends to generate database
+credentials dynamically based on configured roles. This means
+services that need to access a database no longer need to configure
+credentials: they can request them from Vault, and use Vault’s leasing
+mechanism to more easily roll keys.
+Spring Cloud Vault integrates with these backends:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Using a database secret backend requires to enable the
+backend in the configuration and the spring-cloud-vault-config-databases
+dependency.
+Vault ships since 0.7.1 with a dedicated database secret backend that allows
+database integration via plugins. You can use that specific backend by using the
+generic database backend. Make sure to specify the appropriate
+backend path, e.g. spring.cloud.vault.mysql.role.backend=database.
+
+pom.xml
+<dependencies>
+ <dependency>
+ <groupId>org.springframework.cloud</groupId>
+ <artifactId>spring-cloud-vault-config-databases</artifactId>
+ <version>2.1.3.RELEASE</version>
+ </dependency>
+</dependencies>
+
+
+Enabling multiple JDBC-compliant databases will generate credentials
+and store them by default in the same property keys hence property names for
+JDBC secrets need to be configured separately.
+
+
+Database
+Spring Cloud Vault can obtain credentials for any database listed at
+https://www.vaultproject.io/api/secret/databases/index.html.
+The integration can be enabled by setting
+spring.cloud.vault.database.enabled=true (default false) and
+providing the role name with spring.cloud.vault.database.role=….
+While the database backend is a generic one, spring.cloud.vault.database
+specifically targets JDBC databases. Username and password are
+stored in spring.datasource.username and spring.datasource.password
+so using Spring Boot will pick up the generated credentials
+for your DataSource without further configuration.
+You can configure the property names by setting
+spring.cloud.vault.database.username-property and
+spring.cloud.vault.database.password-property.
+
+spring.cloud.vault:
+ database:
+ enabled: true
+ role: readonly
+ backend: database
+ username-property: spring.datasource.username
+ password-property: spring.datasource.password
+
+
+
+enabled setting this value to true enables the Database backend config usage
+
+
+role sets the role name of the Database role definition
+
+
+backend sets the path of the Database mount to use
+
+
+username-property sets the property name in which the Database username is stored
+
+
+password-property sets the property name in which the Database password is stored
+
+
+See also: Vault Documentation: Database Secrets backend
+
+Spring Cloud Vault does not support getting new credentials and
+configuring your DataSource with them when the maximum lease time
+has been reached. That is, if max_ttl of the Database role in Vault
+is set to 24h that means that 24 hours after your application has
+started it can no longer authenticate with the database.
+
+
+
+Apache Cassandra
+
+The cassandra backend has been deprecated in Vault 0.7.1 and
+it is recommended to use the database backend and mount it as cassandra.
+
+Spring Cloud Vault can obtain credentials for Apache Cassandra.
+The integration can be enabled by setting
+spring.cloud.vault.cassandra.enabled=true (default false) and
+providing the role name with spring.cloud.vault.cassandra.role=….
+Username and password are stored in spring.data.cassandra.username
+and spring.data.cassandra.password so using Spring Boot will pick
+up the generated credentials without further configuration.
+You can configure the property names by setting
+spring.cloud.vault.cassandra.username-property and
+spring.cloud.vault.cassandra.password-property.
+
+spring.cloud.vault:
+ cassandra:
+ enabled: true
+ role: readonly
+ backend: cassandra
+ username-property: spring.data.cassandra.username
+ password-property: spring.data.cassandra.password
+
+
+
+enabled setting this value to true enables the Cassandra backend config usage
+
+
+role sets the role name of the Cassandra role definition
+
+
+backend sets the path of the Cassandra mount to use
+
+
+username-property sets the property name in which the Cassandra username is stored
+
+
+password-property sets the property name in which the Cassandra password is stored
+
+
+See also: Vault Documentation: Setting up Apache Cassandra with Vault
+
+
+MongoDB
+
+The mongodb backend has been deprecated in Vault 0.7.1 and
+it is recommended to use the database backend and mount it as mongodb.
+
+Spring Cloud Vault can obtain credentials for MongoDB.
+The integration can be enabled by setting
+spring.cloud.vault.mongodb.enabled=true (default false) and
+providing the role name with spring.cloud.vault.mongodb.role=….
+Username and password are stored in spring.data.mongodb.username
+and spring.data.mongodb.password so using Spring Boot will
+pick up the generated credentials without further configuration.
+You can configure the property names by setting
+spring.cloud.vault.mongodb.username-property and
+spring.cloud.vault.mongodb.password-property.
+
+spring.cloud.vault:
+ mongodb:
+ enabled: true
+ role: readonly
+ backend: mongodb
+ username-property: spring.data.mongodb.username
+ password-property: spring.data.mongodb.password
+
+
+
+enabled setting this value to true enables the MongodB backend config usage
+
+
+role sets the role name of the MongoDB role definition
+
+
+backend sets the path of the MongoDB mount to use
+
+
+username-property sets the property name in which the MongoDB username is stored
+
+
+password-property sets the property name in which the MongoDB password is stored
+
+
+See also: Vault Documentation: Setting up MongoDB with Vault
+
+
+MySQL
+
+The mysql backend has been deprecated in Vault 0.7.1 and
+it is recommended to use the database backend and mount it as mysql.
+Configuration for spring.cloud.vault.mysql will be removed in a future version.
+
+Spring Cloud Vault can obtain credentials for MySQL.
+The integration can be enabled by setting
+spring.cloud.vault.mysql.enabled=true (default false) and
+providing the role name with spring.cloud.vault.mysql.role=….
+Username and password are stored in spring.datasource.username
+and spring.datasource.password so using Spring Boot will
+pick up the generated credentials without further configuration.
+You can configure the property names by setting
+spring.cloud.vault.mysql.username-property and
+spring.cloud.vault.mysql.password-property.
+
+spring.cloud.vault:
+ mysql:
+ enabled: true
+ role: readonly
+ backend: mysql
+ username-property: spring.datasource.username
+ password-property: spring.datasource.password
+
+
+
+enabled setting this value to true enables the MySQL backend config usage
+
+
+role sets the role name of the MySQL role definition
+
+
+backend sets the path of the MySQL mount to use
+
+
+username-property sets the property name in which the MySQL username is stored
+
+
+password-property sets the property name in which the MySQL password is stored
+
+
+See also: Vault Documentation: Setting up MySQL with Vault
+
+
+PostgreSQL
+
+The postgresql backend has been deprecated in Vault 0.7.1 and
+it is recommended to use the database backend and mount it as postgresql.
+Configuration for spring.cloud.vault.postgresql will be removed in a future version.
+
+Spring Cloud Vault can obtain credentials for PostgreSQL.
+The integration can be enabled by setting
+spring.cloud.vault.postgresql.enabled=true (default false) and
+providing the role name with spring.cloud.vault.postgresql.role=….
+Username and password are stored in spring.datasource.username
+and spring.datasource.password so using Spring Boot will
+pick up the generated credentials without further configuration.
+You can configure the property names by setting
+spring.cloud.vault.postgresql.username-property and
+spring.cloud.vault.postgresql.password-property.
+
+spring.cloud.vault:
+ postgresql:
+ enabled: true
+ role: readonly
+ backend: postgresql
+ username-property: spring.datasource.username
+ password-property: spring.datasource.password
+
+
+
+enabled setting this value to true enables the PostgreSQL backend config usage
+
+
+role sets the role name of the PostgreSQL role definition
+
+
+backend sets the path of the PostgreSQL mount to use
+
+
+username-property sets the property name in which the PostgreSQL username is stored
+
+
+password-property sets the property name in which the PostgreSQL password is stored
+
+
+See also: Vault Documentation: Setting up PostgreSQL with Vault
+
+
+
+Configure <literal>PropertySourceLocator</literal> behavior
+Spring Cloud Vault uses property-based configuration to create PropertySources
+for generic and discovered secret backends.
+Discovered backends provide VaultSecretBackendDescriptor beans to describe the configuration
+state to use secret backend as PropertySource. A SecretBackendMetadataFactory is required
+to create a SecretBackendMetadata object which contains path, name and property transformation
+configuration.
+SecretBackendMetadata is used to back a particular PropertySource.
+You can register an arbitrary number of beans implementing VaultConfigurer for customization.
+Default generic and discovered backend registration is disabled if Spring Cloud Vault discovers
+at least one VaultConfigurer bean. You can however enable default registration with
+SecretBackendConfigurer.registerDefaultGenericSecretBackends() and SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends().
+
+public class CustomizationBean implements VaultConfigurer {
+
+ @Override
+ public void addSecretBackends(SecretBackendConfigurer configurer) {
+
+ configurer.add("secret/my-application");
+
+ configurer.registerDefaultGenericSecretBackends(false);
+ configurer.registerDefaultDiscoveredSecretBackends(true);
+ }
+}
+
+
+All customization is required to happen in the bootstrap context. Add your configuration
+classes to META-INF/spring.factories at org.springframework.cloud.bootstrap.BootstrapConfiguration
+in your application.
+
+
+
+Service Registry Configuration
+You can use a DiscoveryClient (such as from Spring Cloud Consul) to locate
+a Vault server by setting spring.cloud.vault.discovery.enabled=true (default false).
+The net result of that is that your apps need a bootstrap.yml (or an environment variable)
+with the appropriate discovery configuration.
+The benefit is that the Vault can change its co-ordinates, as long as the discovery service
+is a fixed point.
The default service id is vault but you can change that on the client with
+spring.cloud.vault.discovery.serviceId.
+The discovery client implementations all support some kind of metadata map
+(e.g. for Eureka we have eureka.instance.metadataMap). Some additional properties of the service
+may need to be configured in its service registration metadata so that clients can connect
+correctly. Service registries that do not provide details about transport layer security
+need to provide a scheme metadata entry to be set either to https or http.
+If no scheme is configured and the service is not exposed as secure service, then
+configuration defaults to spring.cloud.vault.scheme which is https when it’s not set.
+
+spring.cloud.vault.discovery:
+ enabled: true
+ service-id: my-vault-service
+
+
+
+Vault Client Fail Fast
+In some cases, it may be desirable to fail startup of a service if
+it cannot connect to the Vault Server. If this is the desired
+behavior, set the bootstrap configuration property
+spring.cloud.vault.fail-fast=true and the client will halt with
+an Exception.
+
+spring.cloud.vault:
+ fail-fast: true
+
+
+
+Vault Client SSL configuration
+SSL can be configured declaratively by setting various properties.
+You can set either javax.net.ssl.trustStore to configure
+JVM-wide SSL settings or spring.cloud.vault.ssl.trust-store
+to set SSL settings only for Spring Cloud Vault Config.
+
+spring.cloud.vault:
+ ssl:
+ trust-store: classpath:keystore.jks
+ trust-store-password: changeit
+
+
+
+trust-store sets the resource for the trust-store. SSL-secured Vault
+communication will validate the Vault SSL certificate with the specified
+trust-store.
+
+
+trust-store-password sets the trust-store password
+
+
+Please note that configuring spring.cloud.vault.ssl.* can be only
+applied when either Apache Http Components or the OkHttp client
+is on your class-path.
+
+
+Lease lifecycle management (renewal and revocation)
+With every secret, Vault creates a lease:
+metadata containing information such as a time duration,
+renewability, and more.
+Vault promises that the data will be valid for the given duration,
+or Time To Live (TTL). Once the lease is expired, Vault can
+revoke the data, and the consumer of the secret can no longer
+be certain that it is valid.
+Spring Cloud Vault maintains a lease lifecycle beyond
+the creation of login tokens and secrets. That said,
+login tokens and secrets associated with a lease
+are scheduled for renewal just before the lease expires
+until terminal expiry.
+Application shutdown revokes obtained login tokens and renewable
+leases.
+Secret service and database backends (such as MongoDB or MySQL)
+usually generate a renewable lease so generated credentials will
+be disabled on application shutdown.
+
+Static tokens are not renewed or revoked.
+
+Lease renewal and revocation is enabled by default and can
+be disabled by setting spring.cloud.vault.config.lifecycle.enabled
+to false. This is not recommended as leases can expire and
+Spring Cloud Vault cannot longer access Vault or services
+using generated credentials and valid credentials remain active
+after application shutdown.
+
+spring.cloud.vault:
+ config.lifecycle.enabled: true
+
+See also: Vault Documentation: Lease, Renew, and Revoke
+
+
\ No newline at end of file