Spring Cloud Config The config server do not decrypt encrypted properties when spring.cloud.config.server.bootstrap=true

Describe the bug When the property spring.cloud.config.server.bootstrap is set to true, the config server fails to load its configuration if one of repository property is encrypted with a secret key in bootstrap.yml.

Sample A sample project is available in this repository : https://github.com/xhuy-le/config-server-composite-encryt-issue.git

Comment From: ryanjbaxter

Can you try with the latest versions of Spring Boot and Spring Cloud?

Comment From: xhuy-le

Hello,

I've just upgraded to Spring Boot 2.7.5 and Spring Cloud 2021.0.4 (see here). Unfortunately the problem is still there.

Huy

Comment From: ryanjbaxter

This is an ordering issue.

We are not going to decrypt any properties until we have all the property sources. Since you are using bootstrap to configure the config server itself we need to fetch all the configuration first, so we need the search-location.

Why do you need to encrypt the search-location?

Comment From: xhuy-le

Hello,

I've used the search-location in the sample project to illustrate the problem, but it could be anything else, like Git password or Vault secret key that need to be encrypted (if the config server needs to fetch properties from Git or Vault).

Huy

Comment From: ryanjbaxter

If I place

mysecret: "{cipher}f73aec41e9cfb48861d0ba8c47b4df31953eab79c75c7320558f58ec51df3ead"

in bootstrap.yml it gets decrypted just fine for me

Comment From: spring-cloud-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: xhuy-le

Hello,

I've added some new commits to the sample project. The mysecret gets indeed decrypted but the test is still broken if search-location is encrypted. In general if any of the repository properties (Git password, Vault key, ...) is encrypted, the config server fails to start.

Huy

Comment From: ryanjbaxter

See my comment above we need all property sources before we decrypt anything so any property that is needed to fetch configuration cannot be decrypted

Comment From: spring-cloud-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-cloud-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.