spring-cloud-config-client: Load properties from Vault first. #2326

Open
kis024 opened this issue Sep 11, 2023 · 8 comments

@kis024

kis024 commented Sep 11, 2023

We've added basic auth to our config server, we want to store credentials for config clients in vault.
This flow doesn't work since RestTemplate that connects to config server is constructed much earlier than properties are loaded from vault (spring-cloud-dependencies: 2022.0.4).

Possible solution:
If spring-cloud-starter-vault-config is present in the class path and connection info is known, the following order of values resolution could be used:

  • fetch values from vault
  • resolve current property placeholders
  • load other remote property sources
  • resolve placeholders in other remote property sources

@ryanjbaxter
Contributor

Are you using spring.config.import? Can you provide its configuration?

@kis024
Author

kis024 commented Sep 12, 2023

Yes, spring.config.import: vault://, configserver:https://... or spring.config.import: configserver:https://..., vault://

@ryanjbaxter
Contributor

Are these in your application yaml/properties?

Can you try setting an environment variable/system property just for the vault import and leave the config server import in the application configuration file?

@kis024
Author

kis024 commented Sep 12, 2023

Tried, same result but different behaviour (I was even surprised that it worked, I thought spring.config.import from env var would override the value from config file :))
I noticed that the connection to vault is now made before connecting to config-server.
But property values are still not resolved and authentication failed.

@ryanjbaxter
Contributor

Ok. We will have to take a look at it. It might be a limitation of Spring Boot, but we will look into it.

@ENate

ENate commented Dec 31, 2023

Hi. Has this issue been resolved? I am trying to load config properties from spring cloud config server (using a username and password) after loading other spring config server from vault. It seems the property sources cannot be loaded by clients when I used spring.config.import: optional:configserver: http://username:password@config-server:PORT. Any help will be welcomed.

@ryanjbaxter
Contributor

@ENate are you trying to load the username and password to use to authenticate with the config server from vault?

Something like spring.import.config=http://${config.server.username}:${config.server.password}@localhost:8888 where config.server.username and config.server.password are coming from vault?

@ENate

ENate commented Jan 7, 2024

Yes @ryanjbaxter, thanks for putting it so clearly. I have been looking for ways to handle this issue but can't find any. I did it this way (with a yaml file, which is basically the same):

spring:
    import:
       config: http://${CONFIG_USER}:${CONFIG_PASSWORD}@localhost:8888

I defined spring.cloud.config.username and spring.cloud.config.password as keys with their corresponding secrets inside vault and passed them in place of username and password, but it did not work. I implemented a spring security authentication for config server with a database backend for the config server. So, I do not know if there is a special mechanism to be used by config clients to retrieve properties from the spring cloud server vault. I got the following in the config server logs (which I believe came from the client):

find using query: { "username" : "${CONFIG_USER}"} fields: Document{{}} for class: class com.mypackage..ConfigUserEntity in collection: config_user_server_details

Thanks again
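
Added example, not part of the thread or of Spring Cloud Config: a plain-JDK diagnostic for the symptom in the log line above, where the config server received the literal username ${CONFIG_USER}. The class and method names are hypothetical, and the inputs in main are constructed from the values quoted in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added diagnostic example; class and method names are hypothetical.
public class UnresolvedPlaceholderCheck {
    // Spring-style placeholder: ${name} or ${name:default}
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}:]+)(?::[^}]*)?\\}");
    // Credentials part of a URL: scheme://user:password@host
    private static final Pattern USERINFO = Pattern.compile("://([^/@]*)@");

    // Returns placeholder names only, so a real password is never echoed.
    static List<String> placeholderNames(String text) {
        List<String> names = new ArrayList<>();
        Matcher m = PLACEHOLDER.matcher(text);
        while (m.find()) names.add(m.group(1));
        return names;
    }

    // Client side: credentials embedded in an import location.
    static List<String> inImportLocation(String location) {
        Matcher m = USERINFO.matcher(location);
        return m.find() ? placeholderNames(m.group(1)) : List.of();
    }

    // Server side: value of a received "Authorization: Basic ..." header.
    static List<String> inBasicAuthHeader(String value) {
        if (value == null || !value.regionMatches(true, 0, "Basic ", 0, 6)) {
            return List.of();
        }
        try {
            byte[] raw = Base64.getDecoder().decode(value.substring(6).trim());
            return placeholderNames(new String(raw, StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            return List.of(); // not valid Base64, nothing to report
        }
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the values quoted in the thread.
        String creds = "${CONFIG_USER}:${CONFIG_PASSWORD}";
        String header = "Basic " + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
        System.out.println(inImportLocation("http://" + creds + "@localhost:8888"));
        System.out.println(inBasicAuthHeader(header));
    }
}
```

A non-empty result on either side means the placeholders were sent to the server unresolved; only placeholder names are reported, so the check can be logged without exposing a resolved secret.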
