Merge pull request #498 from jhipster/integrate-vault
feat: Integrate Vault backend
gmarziou authored May 18, 2021
2 parents 9f01ebe + 4f768c3 commit 893f186
Showing 9 changed files with 139 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .gitignore
@@ -146,3 +146,7 @@ Desktop.ini
# ESLint
######################
.eslintcache

# Ignore Vault data and logs
src/main/docker/vault-config/data
src/main/docker/vault-config/logs
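Review bot: the two ignored directories map to the volumes in vault.yml, but nothing in this change writes to `src/main/docker/vault-config/logs`: config.hcl declares no `audit` device, and Vault's own process log goes to the container's stdout. Either document that `logs` is reserved for a file audit device the operator enables (for example `vault audit enable file file_path=/vault/logs/audit.log`), or drop the directory. Ignoring `data` is the right call, since the file backend there holds the sealed barrier and committing it would ship the whole secrets store.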
75 changes: 75 additions & 0 deletions README.md
@@ -27,3 +27,78 @@ To run the cloned repository;
[github-actions-build]: https://github.com/jhipster/jhipster-registry/workflows/Build/badge.svg
[github-actions-docker]: https://github.com/jhipster/jhipster-registry/workflows/Docker%20Image/badge.svg
[github-actions-url]: https://github.com/jhipster/jhipster-registry/actions

## HashiCorp Vault Integration

### Development Mode

`JHipster Registry` default integration uses a `vault` server with an in-memory backend. The data shall not be persisted and shall require you to configure secrets after every restart. The in-memory configuration provides an easy way to test out the integration and later switch to the recommended server mode.

- Start vault server docker container:

```shell
docker-compose -f src/main/docker/vault.yml up -d
```

- The default configured root token is `jhipster-registry`. We shall use the default secrets engine backend mounted on the `secrets` path. Configure secrets using either of `ui`, `cli` or `http`.
- Create a new secret sub-path `jhipster-registry/dev` and add the following secret in JSON format. Here `jhipster-registry` refers to the application name and `dev` refers to the development profile. Do follow the same convention to configure secrets of other applications.

```json
{
"spring.security.user.password": "admin123!@#"
}
```

- Start `JHipster Registry` server in development mode using the following command (skipping execution of test cases):

```shell
./mvnw -DskipTests
```

- After successful start, open `http://localhost:8761/` in a browser. You shall require entering a new password as provided in the above vault configuration.

### Server Mode

`JHipster Registry` also provides configuration to use the native file system as the persistent backend.

- Uncomment the following configurations in [vault.yml](src/main/docker/vault.yml). You can refer [config.hcl](src/main/docker/vault-config/config/config.hcl) to view provided vault server configurations:

```yml
command: server
volumes:
- ./vault-config/config:/vault/config
- ./vault-config/logs:/vault/logs
- ./vault-config/data:/vault/file
```
- Start vault server docker container:
```shell
docker-compose -f src/main/docker/vault.yml up -d
```

- Open `vault` server [`ui`](http://localhost:8200/ui/vault/init) to initialize master key shares. In this guide, we shall enter `1` as the number of key shares and `1` as the key threshold value. Do refer to vault documentation for recommended configuration. Note down the initial `root token` and the `key` and keep it at a safe place. You shall require the `key` to unseal the vault server after a restart.
- Enable secret engine backend `kv` and use `secrets` as the mount path.
- Create a new secret sub-path `jhipster-registry/dev` and add the following secrets in JSON format. Here `jhipster-registry` refers to the application name and `dev` refers to the development profile. Do follow the same convention to configure secrets of other applications.

```json
{
"spring.security.user.password": "admin123!@#"
}
```

- In this guide, we shall use the `token` authentication mechanism to retrieve secrets from the `vault` server. Update `bootstrap.yml` to specify `root token` in place of default dev token.

```yaml
vault:
authentication: token
token: jhipster-registry # In server mode, provide a token having read access on secrets
```
- Start `JHipster Registry` server in development mode using the following command (skipping execution of test cases):

```shell
./mvnw -DskipTests
```

- After successful start, you shall require entering a new password as provided in vault.
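Review bot: the mount path in this README does not match bootstrap.yml in the same change. The Development Mode text says the engine is mounted on the `secrets` path and the Server Mode step says "use `secrets` as the mount path", while bootstrap.yml sets `backend: secret` (and Vault's dev server mounts kv at `secret/` by default). Server Mode also says "Enable secret engine backend `kv`" without the version, but bootstrap.yml sets `kv-version: 2`, so the registry reads `secret/data/...`, which a v1 mount does not serve. A reader who follows the Server Mode steps literally gets a registry that starts but never finds `spring.security.user.password`, and `fail-on-composite-error: false` hides why. Change both occurrences to `secret` and give the exact command, e.g. `vault secrets enable -version=2 -path=secret kv`. Second, "specify `root token` in place of default dev token" contradicts the comment on the very line it points at ("provide a token having read access on secrets"); show the least-privilege path instead: a policy such as `path "secret/data/jhipster-registry/*" { capabilities = ["read"] }`, then `vault token create -policy=<policy-name>`, and that token in bootstrap.yml, keeping the root token and unseal key out of every config file.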
7 changes: 7 additions & 0 deletions pom.xml
@@ -36,6 +36,7 @@
<spring-boot.version>2.2.7.RELEASE</spring-boot.version>
<archunit-junit5.version>0.14.1</archunit-junit5.version>
<mapstruct.version>1.3.1.Final</mapstruct.version>
<spring-cloud-config-server.version>2.2.8.RELEASE</spring-cloud-config-server.version>
<!-- Plugin versions -->
<maven-clean-plugin.version>3.1.0</maven-clean-plugin.version>
<maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
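Review bot: the new `spring-cloud-config-server.version` property overrides a version that the Spring Cloud BOM already manages, and nothing here says why. Add a comment with the reason for the pin (which BOM-managed version it supersedes and what 2.2.8.RELEASE brings) so the next Spring Cloud upgrade does not silently carry an explicit pin that has drifted from the BOM. The next hunk applies the same property to `spring-cloud-starter-config` as well, so `spring-cloud-config.version` would be the more accurate name.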
@@ -256,10 +257,12 @@
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-config</artifactId>
<version>${spring-cloud-config-server.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-server</artifactId>
<version>${spring-cloud-config-server.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
@@ -294,6 +297,10 @@
<groupId>io.dropwizard.metrics</groupId>
<artifactId>metrics-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.vault</groupId>
<artifactId>spring-vault-core</artifactId>
</dependency>
<!-- jhipster-needle-maven-add-dependency -->
</dependencies>

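Review bot: `spring-vault-core` is declared without a `<version>`, so it relies on the Spring Cloud BOM, which is consistent with the neighbouring dependencies but the opposite of the explicit pins added to the two `spring-cloud-config` artifacts above. Pick one approach for the Spring Cloud artifacts in this pom, and where a pin is unavoidable leave a comment next to it; otherwise the BOM-managed Vault client and the pinned config server can end up on versions that were never released together.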
12 changes: 12 additions & 0 deletions src/main/docker/vault-config/config/config.hcl
@@ -0,0 +1,12 @@
storage "file" {
path = "/vault/file"
}

listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}

api_addr = "http://0.0.0.0:8200"
cluster_addr = "http://0.0.0.0:8201"
ui = true
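Review bot: this listener makes the Server Mode path plaintext and externally reachable, and the file carries no comment saying it is for local use only. `tls_disable = 1` on `0.0.0.0:8200` means the root token and every secret the registry reads cross the network unencrypted, and `api_addr = "http://0.0.0.0:8200"` is not a routable address, so the URL Vault advertises is one no client can use. Add a header comment stating the local-development scope, set `api_addr` to the address clients actually reach (`http://127.0.0.1:8200` for the port mapping in vault.yml), and note that a real deployment needs `tls_cert_file` and `tls_key_file` on the listener together with `scheme: https` and `skip-ssl-validation: false` on the registry side.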
Empty file.
Empty file.
19 changes: 19 additions & 0 deletions src/main/docker/vault.yml
@@ -0,0 +1,19 @@
version: '2'

services:
vault:
image: vault:1.7.1
environment:
- VAULT_DEV_ROOT_TOKEN_ID=jhipster-registry
ports:
- 8200:8200
cap_add:
- IPC_LOCK
# Uncomment the below configurations to start vault in server mode and use file system backend
# Do ensure to keep root token and unseal keys in a safe place. Those shall be required to
# unseal vault after the restart and configure other authentication methods.
# command: server
# volumes:
# - ./vault-config/config:/vault/config
# - ./vault-config/logs:/vault/logs
# - ./vault-config/data:/vault/file
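Review bot: `ports: - 8200:8200` publishes the listener on every host interface, and `VAULT_DEV_ROOT_TOKEN_ID=jhipster-registry` makes the root token a published constant, so anyone who can reach a developer's machine on 8200 has Vault root. Bind to loopback with `- 127.0.0.1:8200:8200`; the registry on localhost needs nothing more. The commented server-mode block also leaves `VAULT_DEV_ROOT_TOKEN_ID` in place although it has no effect once `command: server` is set; a line in the comment saying so would stop readers expecting that token to work after switching.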
8 changes: 8 additions & 0 deletions src/main/resources/config/bootstrap-prod.yml
@@ -21,6 +21,14 @@ spring:
# ignore-local-ssh-settings: true
# private-key: # https://cloud.spring.io/spring-cloud-config/multi/multi__spring_cloud_config_server.html#_git_ssh_configuration_using_properties
prefix: /config
# Ideally, you should configure approle authentication mechanism and provide
# role id and secret id as environment variables. Refer vault documentation
# to enable and configure https://www.vaultproject.io/docs/auth/approle
# vault:
# authentication: approle
# app-role:
# role-id:
# secret-id:
fail-fast: true
# name of the config server's property source (file.yml) that we want to use
name: jhipster-registry
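Review bot: with the `vault:` block commented out, the `prod` profile inherits the values from bootstrap.yml, including `token: jhipster-registry`, `scheme: http` and `skip-ssl-validation: true`. A production registry that ships with this file unchanged therefore authenticates to Vault with the published dev root token over plaintext. Either override those keys here with values that fail closed (no default token), or make the approle block live and reference the environment variables the comment already mentions, e.g. `role-id: ${VAULT_ROLE_ID}` and `secret-id: ${VAULT_SECRET_ID}`, so a missing variable is a startup error rather than a silent fallback to the dev token.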
14 changes: 14 additions & 0 deletions src/main/resources/config/bootstrap.yml
@@ -13,9 +13,23 @@ spring:
config:
server:
bootstrap: true
fail-on-composite-error: false
composite:
- type: native
search-locations: file:./central-config
- type: vault
kv-version: 2
backend: secret
default-key: application
profile-separator: '/'
vault:
authentication: token
host: localhost
port: 8200
scheme: http
skip-ssl-validation: true
timeout: 5
token: jhipster-registry # In server mode, provide a token having read access on secrets
prefix: /config
fail-fast: true
# name of the config server's property source (file.yml) that we want to use
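Review bot: `fail-on-composite-error: false` gives the wrong failure mode for a secrets backend. The `fail-fast: true` further down only covers the registry's own config client; the composite flag means that if Vault is sealed, unreachable, or the token is wrong, the server logs the error and keeps serving the `native` source alone, so `spring.security.user.password` silently reverts to whatever `central-config` holds. For a backend whose purpose is to hold credentials, the safer default is `fail-on-composite-error: true`, with the dev-mode convenience documented as an explicit opt-out. The committed `token: jhipster-registry` and `skip-ssl-validation: true` should likewise come from the environment (e.g. `token: ${VAULT_TOKEN}`) so the file never carries a working credential; the inline comment "provide a token having read access on secrets" describes the right intent but the file does the opposite.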
