429 lines
16 KiB
Plaintext
429 lines
16 KiB
Plaintext
// Do not edit this file (e.g. go instead to docs/src/main/asciidoc)
|
|
|
|
:docs: http://cloud.spring.io/spring-cloud-vault/spring-cloud-vault.html
|
|
|
|
|
|
Spring Cloud Vault Config provides client-side support for externalized configuration in a distributed system. With https://www.vaultproject.io[HashiCorp's Vault] you have a central place to manage external secret properties for applications across all environments. Vault can manage static and dynamic secrets such as username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, MongoDB, Consul, AWS and more.
|
|
|
|
== Features
|
|
|
|
=== Spring Cloud Vault Config Client
|
|
|
|
Specifically for Spring applications:
|
|
|
|
* Retrieve secrets from Vault and initialize Spring Environment with remote property sources
|
|
* Obtain {docs}#vault.config.backends.generic[secrets] secured with SSL
|
|
* Generate credentials for
|
|
{docs}#vault.config.backends.mysql[MySQL],
|
|
{docs}#vault.config.backends.postgresql[PostgreSQL],
|
|
{docs}#vault.config.backends.cassandra[Apache Cassandra],
|
|
{docs}#vault.config.backends.mongodb[MongoDB],
|
|
{docs}#vault.config.backends.consul[Consul],
|
|
{docs}#vault.config.backends.aws[AWS], and {docs}#vault.config.backends.rabbitmq[RabbitMQ].
|
|
* {docs}#vault.config.authentication.token[Token],
|
|
{docs}#vault.config.authentication.appid[AppId],
|
|
{docs}#vault.config.authentication.approle[AppRole],
|
|
{docs}#vault.config.authentication.clientcert[Client Certificate],
|
|
{docs}#vault.config.authentication.cubbyhole[Cubbyhole], and
|
|
{docs}#vault.config.authentication.awsec2[AWS-EC2] authentication
|
|
* Bootstrap application context: a parent context for the main application that can be trained to do anything
|
|
|
|
|
|
== Quick Start
|
|
|
|
:docs: http://cloud.spring.io/spring-cloud-vault/spring-cloud-vault.html
|
|
|
|
*Prerequisites*
|
|
|
|
To get started with Vault and this guide you need a
|
|
*NIX-like operating systems that provides:
|
|
|
|
* `wget`, `openssl` and `unzip`
|
|
* at least Java 7 and a properly configured `JAVA_HOME` environment variable
|
|
|
|
*Install Vault*
|
|
|
|
[source,bash]
|
|
----
|
|
$ src/test/bash/install_vault.sh
|
|
----
|
|
|
|
*Create SSL certificates for Vault*
|
|
|
|
[source,bash]
|
|
----
|
|
$ src/test/bash/create_certificates.sh
|
|
----
|
|
|
|
NOTE: `create_certificates.sh` creates certificates in `work/ca` and a JKS truststore `work/keystore.jks`. If you want to run Spring Cloud Vault using this quickstart guide you need to configure the truststore the `spring.cloud.vault.ssl.trust-store` property to `file:work/keystore.jks`.
|
|
|
|
[[quickstart.vault.start]]
|
|
*Start Vault server*
|
|
|
|
[source,bash]
|
|
----
|
|
$ src/test/bash/local_run_vault.sh
|
|
----
|
|
|
|
Vault is started listening on `0.0.0.0:8200` using the `inmem` storage and
|
|
`https`.
|
|
Vault is sealed and not initialized when starting up.
|
|
|
|
NOTE: If you want to run tests, leave Vault uninitialized. The tests will
|
|
initialize Vault and create a root token `00000000-0000-0000-0000-000000000000`.
|
|
|
|
If you want to use Vault for your application or give it a try then you need to initialize it first.
|
|
|
|
[source,bash]
|
|
----
|
|
$ export VAULT_ADDR="https://localhost:8200"
|
|
$ export VAULT_SKIP_VERIFY=true # Don't do this for production
|
|
$ vault init
|
|
----
|
|
|
|
You should see something like:
|
|
|
|
[source,bash]
|
|
----
|
|
Key 1: 7149c6a2e16b8833f6eb1e76df03e47f6113a3288b3093faf5033d44f0e70fe701
|
|
Key 2: 901c534c7988c18c20435a85213c683bdcf0efcd82e38e2893779f152978c18c02
|
|
Key 3: 03ff3948575b1165a20c20ee7c3e6edf04f4cdbe0e82dbff5be49c63f98bc03a03
|
|
Key 4: 216ae5cc3ddaf93ceb8e1d15bb9fc3176653f5b738f5f3d1ee00cd7dccbe926e04
|
|
Key 5: b2898fc8130929d569c1677ee69dc5f3be57d7c4b494a6062693ce0b1c4d93d805
|
|
Initial Root Token: 19aefa97-cccc-bbbb-aaaa-225940e63d76
|
|
|
|
Vault initialized with 5 keys and a key threshold of 3. Please
|
|
securely distribute the above keys. When the Vault is re-sealed,
|
|
restarted, or stopped, you must provide at least 3 of these keys
|
|
to unseal it again.
|
|
|
|
Vault does not store the master key. Without at least 3 keys,
|
|
your Vault will remain permanently sealed.
|
|
----
|
|
|
|
Vault will initialize and return a set of unsealing keys and the root token.
|
|
Pick 3 keys and unseal Vault. Store the Vault token in the `VAULT_TOKEN`
|
|
environment variable.
|
|
|
|
[source,bash]
|
|
----
|
|
$ vault unseal (Key 1)
|
|
$ vault unseal (Key 2)
|
|
$ vault unseal (Key 3)
|
|
$ export VAULT_TOKEN=(Root token)
|
|
# Required to run Spring Cloud Vault tests after manual initialization
|
|
$ vault token-create -id="00000000-0000-0000-0000-000000000000" -policy="root"
|
|
----
|
|
|
|
Spring Cloud Vault accesses different resources. By default, the secret
|
|
backend is enabled which accesses secret config settings via JSON endpoints.
|
|
|
|
The HTTP service has resources in the form:
|
|
|
|
----
|
|
/secret/{application}/{profile}
|
|
/secret/{application}
|
|
/secret/{defaultContext}/{profile}
|
|
/secret/{defaultContext}
|
|
----
|
|
|
|
where the "application" is injected as the `spring.application.name` in the
|
|
`SpringApplication` (i.e. what is normally "application" in a regular
|
|
Spring Boot app), "profile" is an active profile (or comma-separated
|
|
list of properties). Properties retrieved from Vault will be used "as-is"
|
|
without further prefixing of the property names.
|
|
|
|
== Client Side Usage
|
|
|
|
To use these features in an application, just build it as a Spring
|
|
Boot application that depends on `spring-cloud-vault-config` (e.g. see
|
|
the test cases). Example Maven configuration:
|
|
|
|
.pom.xml
|
|
====
|
|
[source,xml,indent=0,subs="verbatim,quotes,attributes"]
|
|
----
|
|
<parent>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-parent</artifactId>
|
|
<version>1.5.4.RELEASE</version>
|
|
<relativePath /> <!-- lookup parent from repository -->
|
|
</parent>
|
|
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.springframework.cloud</groupId>
|
|
<artifactId>spring-cloud-starter-vault-config</artifactId>
|
|
<version>{spring-cloud-version}</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-test</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-maven-plugin</artifactId>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
|
|
<!-- repositories also needed for snapshots and milestones -->
|
|
----
|
|
====
|
|
|
|
Then you can create a standard Spring Boot application, like this simple HTTP server:
|
|
|
|
====
|
|
[source,java]
|
|
----
|
|
@SpringBootApplication
|
|
@RestController
|
|
public class Application {
|
|
|
|
@RequestMapping("/")
|
|
public String home() {
|
|
return "Hello World!";
|
|
}
|
|
|
|
public static void main(String[] args) {
|
|
SpringApplication.run(Application.class, args);
|
|
}
|
|
}
|
|
----
|
|
====
|
|
|
|
When it runs it will pick up the external configuration from the
|
|
default local Vault server on port `8200` if it is running. To modify
|
|
the startup behavior you can change the location of the Vault server
|
|
using `bootstrap.properties` (like `application.properties` but for
|
|
the bootstrap phase of an application context), e.g.
|
|
|
|
.bootstrap.yml
|
|
====
|
|
[source,yaml]
|
|
----
|
|
spring.cloud.vault:
|
|
host: localhost
|
|
port: 8200
|
|
scheme: https
|
|
uri: https://localhost:8200
|
|
connection-timeout: 5000
|
|
read-timeout: 15000
|
|
config:
|
|
order: -10
|
|
----
|
|
====
|
|
|
|
* `host` sets the hostname of the Vault host. The host name will be used
|
|
for SSL certificate validation
|
|
* `port` sets the Vault port
|
|
* `scheme` setting the scheme to `http` will use plain HTTP.
|
|
Supported schemes are `http` and `https`.
|
|
* `uri` configure the Vault endpoint with an URI. Takes precedence over host/port/scheme configuration
|
|
* `connection-timeout` sets the connection timeout in milliseconds
|
|
* `read-timeout` sets the read timeout in milliseconds
|
|
* `config.order` sets the order for the property source
|
|
|
|
Enabling further integrations requires additional dependencies and
|
|
configuration. Depending on how you have set up Vault you might need
|
|
additional configuration like
|
|
{docs}#vault.config.ssl[SSL] and
|
|
{docs}#vault.config.authentication[authentication].
|
|
|
|
If the application imports the `spring-boot-starter-actuator` project, the
|
|
status of the vault server will be available via the `/health` endpoint.
|
|
|
|
The vault health indicator can be enabled or disabled through the
|
|
property `health.vault.enabled` (default `true`).
|
|
|
|
|
|
=== Authentication
|
|
|
|
Vault requires an https://www.vaultproject.io/docs/concepts/auth.html[authentication mechanism] to https://www.vaultproject.io/docs/concepts/tokens.html[authorize client requests].
|
|
|
|
Spring Cloud Vault supports multiple {docs}#vault.config.authentication[authentication mechanisms] to authenticate applications with Vault.
|
|
|
|
For a quickstart, use the root token printed by the <<quickstart.vault.start,Vault initialization>>.
|
|
|
|
.bootstrap.yml
|
|
====
|
|
[source,yaml]
|
|
----
|
|
spring.cloud.vault:
|
|
token: 19aefa97-cccc-bbbb-aaaa-225940e63d76
|
|
----
|
|
====
|
|
|
|
WARNING: Consider carefully your security requirements. Static token authentication is fine if you want quickly get started with Vault, but a static token is not protected any further. Any disclosure to unintended parties allows Vault use with the associated token roles.
|
|
|
|
== Building
|
|
|
|
=== Build requirements for Vault
|
|
|
|
Spring Cloud Vault Config requires SSL certificates and a running
|
|
Vault instance listening on `localhost:8200`. Certificates and the Vault
|
|
setup are scripted, the scripts are located in `src/test/bash`.
|
|
|
|
The following scripts need to be run prior to building the project for the tests to pass.
|
|
|
|
[source,bash]
|
|
----
|
|
$ ./src/test/bash/install_vault.sh
|
|
$ ./src/test/bash/create_certificates.sh
|
|
$ ./src/test/bash/local_run_vault.sh
|
|
----
|
|
|
|
Leave Vault uninitialized, the tests will initialize and unseal Vault. They will also create a root token `00000000-0000-0000-0000-000000000000`.
|
|
|
|
Changes to the documentation should be made to the adocs found under `docs/src/main/asciidoc/`
|
|
|
|
`README.adoc` can be re-generated via the following
|
|
|
|
[source,bash]
|
|
----
|
|
$ ./docs/src/main/ruby/generate_readme.sh > README.adoc
|
|
----
|
|
|
|
This script requires ruby and the asciidoctor gem installed (`gem install asciidoctor`)
|
|
|
|
:jdkversion: 1.7
|
|
|
|
=== Basic Compile and Test
|
|
|
|
To build the source you will need to install JDK {jdkversion}.
|
|
|
|
Spring Cloud uses Maven for most build-related activities, and you
|
|
should be able to get off the ground quite quickly by cloning the
|
|
project you are interested in and typing
|
|
|
|
----
|
|
$ ./mvnw install
|
|
----
|
|
|
|
NOTE: You can also install Maven (>=3.3.3) yourself and run the `mvn` command
|
|
in place of `./mvnw` in the examples below. If you do that you also
|
|
might need to add `-P spring` if your local Maven settings do not
|
|
contain repository declarations for spring pre-release artifacts.
|
|
|
|
NOTE: Be aware that you might need to increase the amount of memory
|
|
available to Maven by setting a `MAVEN_OPTS` environment variable with
|
|
a value like `-Xmx512m -XX:MaxPermSize=128m`. We try to cover this in
|
|
the `.mvn` configuration, so if you find you have to do it to make a
|
|
build succeed, please raise a ticket to get the settings added to
|
|
source control.
|
|
|
|
For hints on how to build the project look in `.travis.yml` if there
|
|
is one. There should be a "script" and maybe "install" command. Also
|
|
look at the "services" section to see if any services need to be
|
|
running locally (e.g. mongo or rabbit). Ignore the git-related bits
|
|
that you might find in "before_install" since they're related to setting git
|
|
credentials and you already have those.
|
|
|
|
The projects that require middleware generally include a
|
|
`docker-compose.yml`, so consider using
|
|
http://compose.docker.io/[Docker Compose] to run the middeware servers
|
|
in Docker containers. See the README in the
|
|
https://github.com/spring-cloud-samples/scripts[scripts demo
|
|
repository] for specific instructions about the common cases of mongo,
|
|
rabbit and redis.
|
|
|
|
NOTE: If all else fails, build with the command from `.travis.yml` (usually
|
|
`./mvnw install`).
|
|
|
|
=== Documentation
|
|
|
|
The spring-cloud-build module has a "docs" profile, and if you switch
|
|
that on it will try to build asciidoc sources from
|
|
`src/main/asciidoc`. As part of that process it will look for a
|
|
`README.adoc` and process it by loading all the includes, but not
|
|
parsing or rendering it, just copying it to `${main.basedir}`
|
|
(defaults to `${basedir}`, i.e. the root of the project). If there are
|
|
any changes in the README it will then show up after a Maven build as
|
|
a modified file in the correct place. Just commit it and push the change.
|
|
|
|
=== Working with the code
|
|
If you don't have an IDE preference we would recommend that you use
|
|
http://www.springsource.com/developer/sts[Spring Tools Suite] or
|
|
http://eclipse.org[Eclipse] when working with the code. We use the
|
|
http://eclipse.org/m2e/[m2eclipse] eclipse plugin for maven support. Other IDEs and tools
|
|
should also work without issue as long as they use Maven 3.3.3 or better.
|
|
|
|
==== Importing into eclipse with m2eclipse
|
|
We recommend the http://eclipse.org/m2e/[m2eclipse] eclipse plugin when working with
|
|
eclipse. If you don't already have m2eclipse installed it is available from the "eclipse
|
|
marketplace".
|
|
|
|
NOTE: Older versions of m2e do not support Maven 3.3, so once the
|
|
projects are imported into Eclipse you will also need to tell
|
|
m2eclipse to use the right profile for the projects. If you
|
|
see many different errors related to the POMs in the projects, check
|
|
that you have an up to date installation. If you can't upgrade m2e,
|
|
add the "spring" profile to your `settings.xml`. Alternatively you can
|
|
copy the repository settings from the "spring" profile of the parent
|
|
pom into your `settings.xml`.
|
|
|
|
==== Importing into eclipse without m2eclipse
|
|
If you prefer not to use m2eclipse you can generate eclipse project metadata using the
|
|
following command:
|
|
|
|
[indent=0]
|
|
----
|
|
$ ./mvnw eclipse:eclipse
|
|
----
|
|
|
|
The generated eclipse projects can be imported by selecting `import existing projects`
|
|
from the `file` menu.
|
|
|
|
|
|
== Contributing
|
|
|
|
Spring Cloud is released under the non-restrictive Apache 2.0 license,
|
|
and follows a very standard Github development process, using Github
|
|
tracker for issues and merging pull requests into master. If you want
|
|
to contribute even something trivial please do not hesitate, but
|
|
follow the guidelines below.
|
|
|
|
=== Sign the Contributor License Agreement
|
|
Before we accept a non-trivial patch or pull request we will need you to sign the
|
|
https://cla.pivotal.io/sign/spring[Contributor License Agreement].
|
|
Signing the contributor's agreement does not grant anyone commit rights to the main
|
|
repository, but it does mean that we can accept your contributions, and you will get an
|
|
author credit if we do. Active contributors might be asked to join the core team, and
|
|
given the ability to merge pull requests.
|
|
|
|
=== Code of Conduct
|
|
This project adheres to the Contributor Covenant https://github.com/spring-cloud/spring-cloud-build/blob/master/docs/src/main/asciidoc/code-of-conduct.adoc[code of
|
|
conduct]. By participating, you are expected to uphold this code. Please report
|
|
unacceptable behavior to spring-code-of-conduct@pivotal.io.
|
|
|
|
=== Code Conventions and Housekeeping
|
|
None of these is essential for a pull request, but they will all help. They can also be
|
|
added after the original pull request but before a merge.
|
|
|
|
* Use the Spring Framework code format conventions. If you use Eclipse
|
|
you can import formatter settings using the
|
|
`eclipse-code-formatter.xml` file from the
|
|
https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/spring-cloud-dependencies-parent/eclipse-code-formatter.xml[Spring
|
|
Cloud Build] project. If using IntelliJ, you can use the
|
|
http://plugins.jetbrains.com/plugin/6546[Eclipse Code Formatter
|
|
Plugin] to import the same file.
|
|
* Make sure all new `.java` files to have a simple Javadoc class comment with at least an
|
|
`@author` tag identifying you, and preferably at least a paragraph on what the class is
|
|
for.
|
|
* Add the ASF license header comment to all new `.java` files (copy from existing files
|
|
in the project)
|
|
* Add yourself as an `@author` to the .java files that you modify substantially (more
|
|
than cosmetic changes).
|
|
* Add some Javadocs and, if you change the namespace, some XSD doc elements.
|
|
* A few unit tests would help a lot as well -- someone has to do it.
|
|
* If no-one else is using your branch, please rebase it against the current master (or
|
|
other target branch in the main project).
|
|
* When writing a commit message please follow http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html[these conventions],
|
|
if you are fixing an existing issue please add `Fixes gh-XXXX` at the end of the commit
|
|
message (where XXXX is the issue number).
|