This is a Feature Request to enhance PCF Config Server with Hashicorp Vault Back End and make it support secrets with multilevel paths.

  1. This is the scenario: PCF config server with Hashicorp Vault v1.3.2 as a backend using this configuration:

```
$ cat configServerConfig_LongPath_SBX_2.json
{
  "vault":
  {
   "scheme": "https",
   "kvVersion": "2",
   "host": "[host]",
   "port": "[port]",
   "backend": "secret",
   "defaultKey": "sbx/myorg/myecosystem/app",
   "profileSeparator": "/"
  }
}
```
  2. The objective is to retrieve secret "password" from path /secret/sbx/myorg/myecosystem/app

A test secret has been created in multilevel path /secret/sbx/myorg/myecosystem/app. It can be successfully retrieved via CLI using the token shown in bootstrap.yml below.

```
$ vault kv get /secret/sbx/myorg/myecosystem/app
====== Metadata ======
Key              Value
---              -----
created_time     2020-03-03T21:36:37.671631924Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    notsecret
```
  3. The problem is: Config server keeps trying to retrieve the secret from "/config_server_test/cloud", as shown in the excerpt from `cf logs config_server_test --recent` below. As expected, Vault returns error 403 "Forbidden".

```
2020-03-03T14:12:32.75-0800 [APP/PROC/WEB/0] OUT 2020-03-03 22:12:32.753  WARN 13 --- [           main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: {"timestamp":"2020-03-03T22:12:32.729+0000","status":500,"error":"Internal Server Error","message":"403 Forbidden","path":"/config_server_test/cloud"}
```

Where:

  - config_server_test: is the client application name declared in bootstrap.yml
  - cloud: is the default profile

```
$ cat bootstrap.yml
spring:
  application:
    name: config_server_test
  cloud:
    config:
      enabled: true
      token: s.pPpM0MLuNiLIWnrIoPtPTLfJ
      scheme: https
```

The behavior described above is in line with the PCF Documentation: https://docs.run.pivotal.io/spring-cloud-services/config-server/configuring-with-vault.html

Case #234963 was created and we spent 2+ hours with Pivotal Tech Support trying to override the default values using these spring.cloud.config.* values:

```
spring.cloud.config.name="/secret/sbx/myorg/myecosystem"
spring.cloud.config.profile=app
```

That did not work, therefore the most viable solution is to enhance the product.

Comment From: spencergibb

Can I ask why you want to do this? Also, spring.cloud.config.name can have a comma-separated list of values. Did you put spring.cloud.config.name in bootstrap.yml?

Also, this is strictly for OSS Config Server. The commercial version is built on top.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: obautista-clgx

Hi, answering your questions:

> Why you want to do this?

The objective is to allow corporate applications in PCF retrieve secrets from the Enterprise Vault repository.

> Also, spring.cloud.config.name can have a comma-separated list of values. Did you put spring.cloud.config.name in bootstrap.yml?

Our bootstrap.yml file is in the original post above. We don't have a value for spring.cloud.config.name.

> Also, this is strictly for OSS Config Server. The commercial version is built on top.

Pivotal Tech Support recommended to use this Github site to submit the Feature request that we need. Please let me know if a different Github needs to be used.

Comment From: spencergibb

Have you tried setting a comma-separated list in spring.cloud.config.name?

Comment From: obautista-clgx

Yes, per Pivotal Tech Support recommendation (during our joint 2-hour troubleshooting call) we tested these two config values (as described in my initial post above) when trying to override the default behavior of the config server that we were seeing:

```
spring.cloud.config.name="/secret/sbx/myorg/myecosystem"
spring.cloud.config.profile=app
```

We re-compiled and re-deployed the application after making each change. That did not work.

Please let me know if you have further comments/questions.

Comment From: spencergibb

Sorry for the delay. When I set spring.cloud.config.name=foo,config-client I get configuration for both foo and config-client.

The latest Vault env repo supports a comma-separated name: https://github.com/spring-cloud/spring-cloud-config/blob/46675f74c4da7479a5c92cf792c8af1b0661379e/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/environment/AbstractVaultEnvironmentRepository.java#L122
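To make the path behaviour discussed in the original post and in the comma-separated-name comment above concrete, here is an added Python model (not code from this thread and not Spring Cloud Config's own code) of how the OSS `AbstractVaultEnvironmentRepository` linked above turns the client's `(application, profiles)` request into the list of Vault KV paths it reads. It is modelled on that class's `findKeys`/`scrubProfiles` logic, with the issue's `configServerConfig_LongPath_SBX_2.json` values plugged in; the `VaultRepoConfig` dataclass and all function names are this example's own, and the commercial PCF Config Server, which the thread says is built on top of the OSS one, is assumed to behave the same way here. The last function turns the computed path list into the least-privilege Vault policy the config server's token needs, since Vault answers 403 for any path a token's policies do not grant.

```python
# Added example: a Python model of the OSS Spring Cloud Config Vault
# repository's key resolution, modelled on findKeys()/scrubProfiles() in the
# AbstractVaultEnvironmentRepository commit linked in the thread (not copied
# from it). Names below are this example's own; all configuration values
# are constructed from the issue.
from dataclasses import dataclass
from typing import List


@dataclass
class VaultRepoConfig:
    """Mirrors the 'vault' block of the config server's JSON configuration."""
    backend: str = "secret"
    default_key: str = "application"
    profile_separator: str = ","
    kv_version: str = "1"


def client_request_path(application: str, profile: str) -> str:
    """Path the config *client* requests from the config server. This is the
    '/config_server_test/cloud' in the thread's log line, not a Vault path."""
    return f"/{application}/{profile}"


def scrub_profiles(profiles: List[str]) -> List[str]:
    """'default' is not a real profile; it is dropped before keys are built."""
    return [p for p in profiles if p != "default"]


def find_keys(application: str, profiles: List[str], cfg: VaultRepoConfig) -> List[str]:
    """Ordered list of KV keys the repository reads, most specific first."""
    keys: List[str] = []

    def add_with_profiles(base: str) -> None:
        keys.append(base)
        for profile in profiles:
            keys.append(f"{base}{cfg.profile_separator}{profile}")

    # defaultKey is consulted first unless it is literally the application name
    if cfg.default_key and cfg.default_key != application:
        add_with_profiles(cfg.default_key)
    # spring.cloud.config.name may be a comma-separated list of applications
    for app in (a.strip() for a in application.split(",")):
        if app:
            add_with_profiles(app)
    keys.reverse()
    return keys


def vault_read_paths(application: str, profiles: List[str], cfg: VaultRepoConfig) -> List[str]:
    """Full KV paths read from Vault; KV v2 inserts '/data' after the mount."""
    keys = find_keys(application, scrub_profiles(profiles), cfg)
    prefix = f"{cfg.backend}/data" if cfg.kv_version == "2" else cfg.backend
    return [f"{prefix}/{key}" for key in keys]


def read_policy_hcl(paths: List[str]) -> str:
    """Least-privilege Vault policy granting 'read' on exactly the computed
    paths. Vault returns 403 for any path a token's policies do not cover, so
    the token given to the config server needs every path in this list."""
    stanzas = [f'path "{p}" {{\n  capabilities = ["read"]\n}}' for p in paths]
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    # Values from configServerConfig_LongPath_SBX_2.json in the issue
    issue_cfg = VaultRepoConfig(
        backend="secret",
        default_key="sbx/myorg/myecosystem/app",
        profile_separator="/",
        kv_version="2",
    )
    print("client asks config server for:", client_request_path("config_server_test", "cloud"))
    paths = vault_read_paths("config_server_test", ["cloud"], issue_cfg)
    print("config server reads from Vault:")
    for p in paths:
        print("  ", p)
    print("policy the token needs:\n" + read_policy_hcl(paths))
```

With the issue's configuration the model reads four KV v2 paths, `secret/data/sbx/myorg/myecosystem/app` among them, and with a comma-separated `spring.cloud.config.name` every listed application gets its own key. Comparing the printed policy against the token's actual policies is the quickest way to tell whether a 403 comes from a path the repository reads that the token was never granted.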

Comment From: spring-cloud-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: obautista-clgx

Please go ahead and close this issue.