Hello Spring Cloud Config Team,
Again, just wanted to say thanks for this great project. Just wanted to reach out as I think there might be an issue with Spring Cloud Config Client trying to authenticate to Spring Cloud Config Server. Let us imagine some very important shining secrets such as a database password, or an encryption key. Let us imagine the store, Git, Vault, etc… contains those very important shining passwords, those very important shining encryption keys. Hence, I do not want any service that just knows my Spring Cloud Config Server endpoint, and the Git folder, the Vault path, to be able to get the secrets by connecting to the Spring Cloud Config Server pretending to be me.
Hence, the proper way to go I believe is to implement some kind of authentication mechanism on the Spring Cloud Config Server side to authenticate the Spring Cloud Config Client.
I am reading again and again the class org.springframework.cloud.config.client.ConfigClientProperties, and I believe there is a chicken and egg problem.
Even with the properties such as spring.cloud.config.password or spring.cloud.config.tls.keyStorePassword.
Suppose on the Server side, I use Spring Security to perform some kind of username password, token, or X509 validation. This still means Spring Cloud Config Client needs to store on its side at least one credential, the at least one credential needed in order to connect to the server protecting the shining secrets.
Hence, I believe there might be an issue where Spring Cloud Config Client needs to store at least one secret to be able to authenticate to Spring Cloud Config Server, in order to retrieve the remaining secrets.
If it is, then it defeats the purpose of Spring Cloud Config Server for securing secrets, since at least one secret must reside on the client side. Just wanted to raise the issue, and hopefully to get some insight on this small technical point.
Thank you
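The bootstrap credential described in the post above, as an added example that is not part of the original issue or the project's own code: a client `application.yml` in which the one client-side credential is still required, but is supplied by the runtime environment instead of being committed as a literal. The service name, server URL, keystore path and environment variable names are assumptions made for illustration.

```yaml
# Constructed example: Spring Cloud Config Client settings.
#
# Weak form: the credential that unlocks every other secret is a literal
# stored next to the application code.
#
#   spring:
#     cloud:
#       config:
#         password: literal-password-in-repo   # constructed value
#
# Form below: the client still holds one credential (the issue's point),
# but the value is injected at start-up by the platform (orchestrator
# secret, instance identity, mounted file) and never lives in the repository.
spring:
  application:
    name: orders-service                       # hypothetical service name
  config:
    import: "configserver:https://config.example.internal:8888"  # hypothetical URL
  cloud:
    config:
      username: orders-service                 # hypothetical account
      password: ${CONFIG_SERVER_PASSWORD}      # env var name is an assumption
      tls:
        enabled: true
        key-store: file:/run/secrets/config-client.p12            # hypothetical path
        key-store-type: PKCS12
        key-store-password: ${CONFIG_CLIENT_KEYSTORE_PASSWORD}    # assumption
```

If either environment variable is unset, placeholder resolution fails at start-up, so a missing bootstrap credential is caught before the client contacts the server.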
Comment From: spencergibb
What you describe is common. There's nothing we can do here.
Comment From: spring-cloud-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-cloud-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.