Skip to content

tonny1983/spring-vault-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
.mvn/wrapper
.mvn/wrapper
 
 
src
src
 
 
vault
vault
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
mvnw
mvnw
 
 
mvnw.cmd
mvnw.cmd
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Reboot a Spring Boot application to rotate a new database credential from Vault when the lease expired

Notice: The application is created for the propose of technical demonstration. The solution should never be used in production environment.

Acknowledgement

The application exists because of a prestigious blog post named Hashicorp Vault max_ttl Killed My Spring App.

The blog post gives four solutions to resolve a spring vault issue that the database credentials will not be rotated after the lease expired its max_ttl. For detail about the issue, pls refer to here.

The application is a Java implementation of solution 3 using APPROLE authentication and tested with OpenJDK11-OpenJ9, vault v1.3.2 and MongoDB v3.6.

For the fourth solution in a more general case, please refer to the rotate branch.

Getting Started

Vault

The application uses APPROLE authentication, and here is the configuration of vault as follows.

  1. Start Vault server in development mode 
    vault server -dev
  2. Export an environment variable for local connection 
    export VAULT_ADDR='http://127.0.0.1:8200'
  3. Create a new auth method named "approle" 
    vault auth enable approle
  4. Create a new policy path named "app-policy" and use hcl file to create policies of the path in order to get/renew database credentials (The fcl file locates under vault folder.) 
    vault write sys/policy/app-policy policy=@app-policy.hcl
  5. Create a readwrite path in "approle" with unlimited tokens and secret ids 
    vault write auth/approle/role/readwrite secret_id_ttl=100m token_num_uses=0 token_ttl=100m token_max_ttl=100m secret_id_num_uses=0 policies="default,app-policy"
  6. (Optional) Enable database secrets if it disabled 
    vault secrets enable database
  7. Create a MongoDB config named "app-mongodb" and add its connection info. 
    vault write database/config/app-mongodb plugin_name=mongodb-database-plugin allowed_roles="readwrite" connection_url="mongodb://{{username}}:{{password}}@[myip]/admin?ssl=false" username="[myusername]" password="[mypassword]"
  8. Configure a role that maps the MongoDB config to a MongoDB command that executes and creates the database credential (Here, ttl is 2 minutes and max_ttl is 5 minutes) 
    vault write database/roles/readwrite db_name=app-mongodb creation_statements='{ "db": "vaultdemo", "roles": [{ "role": "dbOwner" }, {"role": "readWrite", "db": "vaultdemo"}] }' default_ttl="2m" max_ttl="5m"
  9. Get role-id which will be the value of spring.cloud.vault.app-role.role-id 
    vault read auth/approle/role/readwrite/role-id
  10. Get secret-id which will be the value of spring.cloud.vault.app-role.secret-id 
    vault write -f auth/approle/role/readwrite/secret-id

Spring boot

  1. Configure spring.cloud.vault.app-role.role-id and spring.cloud.vault.app-role.secret-id in bootstrap.yml.
  2. Configure host and port of MongoDB in application.yml.
  3. Start the application.
  4. Access POST http://localhost:8080 to init some data and GET http://localhost:8080 to retrieve them.

Console Output

There are several logs shows the application do renew the database credential. After about 5 minutes, the lease is expired (because max_ttl is 5m) the application is rebooted.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages