diff --git a/.gitignore b/.gitignore
index 520491fa3..346b6e34c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -146,3 +146,7 @@ Desktop.ini
# ESLint
######################
.eslintcache
+
+# Ignore Vault data and logs
+src/main/docker/vault-config/data
+src/main/docker/vault-config/logs
diff --git a/README.md b/README.md
index 36c2d9e1b..580cc9b4d 100644
--- a/README.md
+++ b/README.md
@@ -27,3 +27,78 @@ To run the cloned repository;
[github-actions-build]: https://github.com/jhipster/jhipster-registry/workflows/Build/badge.svg
[github-actions-docker]: https://github.com/jhipster/jhipster-registry/workflows/Docker%20Image/badge.svg
[github-actions-url]: https://github.com/jhipster/jhipster-registry/actions
+
+## HashiCorp Vault Integration
+
+### Development Mode
+
+`JHipster Registry` default integration uses a `vault` server with an in-memory backend. The data shall not be persisted and shall require you to configure secrets after every restart. The in-memory configuration provides an easy way to test out the integration and later switch to the recommended server mode.
+
+- Start vault server docker container:
+
+```shell
+docker-compose -f src/main/docker/vault.yml up -d
+```
+
+- The default configured root token is `jhipster-registry`. We shall use the default secrets engine backend mounted on the `secrets` path. Configure secrets using either of `ui`, `cli` or `http`.
+- Create a new secret sub-path `jhipster-registry/dev` and add the following secret in JSON format. Here `jhipster-registry` refers to the application name and `dev` refers to the development profile. Do follow the same convention to configure secrets of other applications.
+
+```json
+{
+ "spring.security.user.password": "admin123!@#"
+}
+```
+
+- Start `JHipster Registry` server in development mode using the following command (skipping execution of test cases):
+
+```shell
+./mvnw -DskipTests
+```
+
+- After successful start, open `http://localhost:8761/` in a browser. You shall require entering a new password as provided in the above vault configuration.
+
+### Server Mode
+
+`JHipster Registry` also provides configuration to use the native file system as the persistent backend.
+
+- Uncomment the following configurations in [vault.yml](src/main/docker/vault.yml). You can refer [config.hcl](src/main/docker/vault-config/config/config.hcl) to view provided vault server configurations:
+
+```yml
+command: server
+volumes:
+ - ./vault-config/config:/vault/config
+ - ./vault-config/logs:/vault/logs
+ - ./vault-config/data:/vault/file
+```
+
+- Start vault server docker container:
+
+```shell
+docker-compose -f src/main/docker/vault.yml up -d
+```
+
+- Open `vault` server [`ui`](http://localhost:8200/ui/vault/init) to initialize master key shares. In this guide, we shall enter `1` as the number of key shares and `1` as the key threshold value. Do refer to vault documentation for recommended configuration. Note down the initial `root token` and the `key` and keep it at a safe place. You shall require the `key` to unseal the vault server after a restart.
+- Enable secret engine backend `kv` and use `secrets` as the mount path.
+- Create a new secret sub-path `jhipster-registry/dev` and add the following secrets in JSON format. Here `jhipster-registry` refers to the application name and `dev` refers to the development profile. Do follow the same convention to configure secrets of other applications.
+
+```json
+{
+ "spring.security.user.password": "admin123!@#"
+}
+```
+
+- In this guide, we shall use the `token` authentication mechanism to retrieve secrets from the `vault` server. Update `bootstrap.yml` to specify `root token` in place of default dev token.
+
+```yaml
+vault:
+ authentication: token
+ token: jhipster-registry # In server mode, provide a token having read access on secrets
+```
+
+- Start `JHipster Registry` server in development mode using the following command (skipping execution of test cases):
+
+```shell
+./mvnw -DskipTests
+```
+
+- After successful start, you shall require entering a new password as provided in vault.
diff --git a/pom.xml b/pom.xml
index f6068ba7e..74c2edc55 100644
--- a/pom.xml
+++ b/pom.xml
@@ -36,6 +36,7 @@
2.2.7.RELEASE
0.14.1
1.3.1.Final
+ 2.2.8.RELEASE
3.1.0
3.8.1
@@ -256,10 +257,12 @@
org.springframework.cloud
spring-cloud-starter-config
+ ${spring-cloud-config-server.version}
org.springframework.cloud
spring-cloud-config-server
+ ${spring-cloud-config-server.version}
org.springframework.cloud
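Review bot: Pinning `spring-cloud-starter-config` and `spring-cloud-config-server` to `${spring-cloud-config-server.version}` (the `2.2.8.RELEASE` property added in the hunk above) while every other Spring Cloud artifact stays on the BOM-managed train — the property block shows a `2.2.7.RELEASE` that is presumably that train version — puts two patch releases of the same project on one classpath, which is the kind of drift that later shows up as a `NoSuchMethodError` or a silently skipped auto-configuration. If the bump is required for the Vault composite backend, record that next to the property, e.g. `<!-- pinned above the release train: needed for the composite vault backend; drop once the train is bumped -->`, and otherwise bump the train itself so the per-artifact pins can go. The dependency section continues outside the hunk.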
@@ -294,6 +297,10 @@
io.dropwizard.metrics
metrics-core
+
+ org.springframework.vault
+ spring-vault-core
+
diff --git a/src/main/docker/vault-config/config/config.hcl b/src/main/docker/vault-config/config/config.hcl
new file mode 100644
index 000000000..122edb3c7
--- /dev/null
+++ b/src/main/docker/vault-config/config/config.hcl
@@ -0,0 +1,12 @@
+storage "file" {
+ path = "/vault/file"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = 1
+}
+
+api_addr = "http://0.0.0.0:8200"
+cluster_addr = "http://0.0.0.0:8201"
+ui = true
\ No newline at end of file
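Review bot: `tls_disable = 1` in the file the README presents as the persistent "server mode" configuration means every request — including the token that bootstrap.yml sends on each read — crosses the wire in cleartext, and because the compose file publishes port 8200 that wire is the host's network, not just the container. Add a comment above the listener block such as `# Local development only: configure tls_cert_file / tls_key_file and remove tls_disable before exposing this beyond localhost` so the file is not copied into a real deployment as-is. `api_addr = "http://0.0.0.0:8200"` is an unspecified address rather than a reachable one; Vault advertises this value to clients, so it should presumably be concrete, e.g. `http://127.0.0.1:8200` or the service name on the compose network — confirm against the Vault docs for the storage backend in use (with `storage "file"` it may simply be unused). The file also ends without a trailing newline.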
diff --git a/src/main/docker/vault-config/data/.gitkeep b/src/main/docker/vault-config/data/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/src/main/docker/vault-config/logs/.gitkeep b/src/main/docker/vault-config/logs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/src/main/docker/vault.yml b/src/main/docker/vault.yml
new file mode 100644
index 000000000..17ba3509b
--- /dev/null
+++ b/src/main/docker/vault.yml
@@ -0,0 +1,19 @@
+version: '2'
+
+services:
+ vault:
+ image: vault:1.7.1
+ environment:
+ - VAULT_DEV_ROOT_TOKEN_ID=jhipster-registry
+ ports:
+ - 8200:8200
+ cap_add:
+ - IPC_LOCK
+ # Uncomment the below configurations to start vault in server mode and use file system backend
+ # Do ensure to keep root token and unseal keys in a safe place. Those shall be required to
+ # unseal vault after the restart and configure other authentication methods.
+# command: server
+# volumes:
+# - ./vault-config/config:/vault/config
+# - ./vault-config/logs:/vault/logs
+# - ./vault-config/data:/vault/file
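Review bot: `- 8200:8200` publishes the dev Vault — plain HTTP (the README links `http://localhost:8200`) with the well-known root token `jhipster-registry` set two lines above — on every interface of the Docker host, so anyone on the same network can read or rewrite the secrets the registry depends on. Binding the publish to loopback, `- '127.0.0.1:8200:8200'`, keeps the local workflow the README describes working while closing that exposure; quoting the mapping also sidesteps YAML 1.1's sexagesimal parsing of `a:b` values. In the commented server-mode block it is worth stating that `VAULT_DEV_ROOT_TOKEN_ID` presumably no longer applies once `command: server` is enabled — the README says the root token then comes from the init step — so nobody assumes the static token still works, e.g. `# VAULT_DEV_ROOT_TOKEN_ID is ignored in server mode; use the root token printed at init`.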
diff --git a/src/main/resources/config/bootstrap-prod.yml b/src/main/resources/config/bootstrap-prod.yml
index 224ed0ed9..c0893c271 100644
--- a/src/main/resources/config/bootstrap-prod.yml
+++ b/src/main/resources/config/bootstrap-prod.yml
@@ -21,6 +21,14 @@ spring:
# ignore-local-ssh-settings: true
# private-key: # https://cloud.spring.io/spring-cloud-config/multi/multi__spring_cloud_config_server.html#_git_ssh_configuration_using_properties
prefix: /config
+ # Ideally, you should configure approle authentication mechanism and provide
+ # role id and secret id as environment variables. Refer vault documentation
+ # to enable and configure https://www.vaultproject.io/docs/auth/approle
+ # vault:
+ # authentication: approle
+ # app-role:
+ # role-id:
+ # secret-id:
fail-fast: true
# name of the config server's property source (file.yml) that we want to use
name: jhipster-registry
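Review bot: The commented `role-id:` / `secret-id:` lines parse as null if someone simply uncomments them, which contradicts the comment's own advice to supply them from the environment; write them as property placeholders, `role-id: ${VAULT_ROLE_ID}` and `secret-id: ${VAULT_SECRET_ID}`, so the values never have to be typed into a tracked file. Note also that a profile-specific bootstrap file only layers over bootstrap.yml, where the vault composite entry is defined with a static `token`, `scheme: http` and `skip-ssl-validation: true`; unless this block is enabled and overrides that same composite entry (rather than adding a separate `vault:` configuration — confirm which key path the composite backend reads), a prod deployment presumably keeps those development settings, and a one-line comment saying so would prevent that surprise. The mapping this comment sits in continues outside the hunk.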
diff --git a/src/main/resources/config/bootstrap.yml b/src/main/resources/config/bootstrap.yml
index 8a2ba872f..6ee9ced26 100644
--- a/src/main/resources/config/bootstrap.yml
+++ b/src/main/resources/config/bootstrap.yml
@@ -13,9 +13,23 @@ spring:
config:
server:
bootstrap: true
+ fail-on-composite-error: false
composite:
- type: native
search-locations: file:./central-config
+ - type: vault
+ kv-version: 2
+ backend: secret
+ default-key: application
+ profile-separator: '/'
+ vault:
+ authentication: token
+ host: localhost
+ port: 8200
+ scheme: http
+ skip-ssl-validation: true
+ timeout: 5
+ token: jhipster-registry # In server mode, provide a token having read access on secrets
prefix: /config
fail-fast: true
# name of the config server's property source (file.yml) that we want to use
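Review bot: `backend: secret` does not match the mount path the README in this same commit tells the user to create (`secrets`), so a server-mode setup that follows the README will find no secrets under this backend; in dev mode the dev server's default `secret/` mount presumably masks the mismatch, which is why it would go unnoticed — rename one side or the other. The static `token: jhipster-registry` is also committed as the default for every profile, including prod unless bootstrap-prod.yml overrides it; `token: ${VAULT_TOKEN:jhipster-registry}` keeps the local default while letting a real token come from the environment. `skip-ssl-validation: true` is inert with `scheme: http` but will silently turn off certificate checking the moment someone switches the scheme to https, so defaulting it to `false` is the safer baseline. With `fail-on-composite-error: false` an unreachable or unauthenticated Vault does not stop startup, meaning the registry can come up with none of the Vault-provided values and fall back to whatever the native backend holds — a comment on that line stating this trade-off would help operators notice it.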