OpenShift secret in Spring Boot bootstrap.yml

7/18/2018

This is what my bootstrap.yml looks like.

spring:
  cloud:
    config:
      uri: http://xxxx.com
      username: ****
      password: ****
    vault:
      host: vault-server
      port: 8200
      scheme: http
      authentication: token
      token: ${VAULT_ROOT_TOKEN}
  application:
    name: service-name
management:
  security:
    enabled: false

The application starts when I configure the secret as an ENV variable in the Deployment Config – OSE, as below.

   name: VAULT_ROOT_TOKEN
   value: *********

But configuring the secret as an ENV variable and fetching the value from an OSE secret is not working.

name: VAULT_ROOT_TOKEN
valueFrom:
  secretKeyRef:
    name: vault-token
    key: roottoken

Error that I am getting is

org.springframework.vault.VaultException: Status 400 secret/service-name/default: 400 Bad Request: missing required Host header

Surprisingly, in this scenario the ENV variable is working within the container/POD, but somehow it cannot be fetched during the bootstrap procedure.

env | grep TOKEN
VAULT_ROOT_TOKEN=********

My secret configuration in OSE

oc describe secret vault-token
Name:       vault-token
Namespace:  ****
Labels:     <none>
Annotations:    <none>

Type:   Opaque

Data
====
roottoken:  37 bytes

What is missing in my deployment-config or secrets in OSE? How do I configure it to fetch the secret as an ENV variable and inject it into the bootstrap.yml file?

NOTE: I can't move Vault configuration out of bootstrap.yml.

OpenShift Enterprise info:

Version:
OpenShift Master:v3.2.1.31
Kubernetes Master:v1.2.0-36-g4a3f9c5
-- Here_2_learn
kubernetes
openshift
spring-boot
spring-config

1 Answer

7/23/2018

Finally I was able to achieve this. This is what I have done:

Provide the token as an argument:

java $JAVA_OPTS -jar -Dspring.cloud.vault.token=${SPRING_CLOUD_VAULT_TOKEN} service-name.jar

This is what my configuration looks like:

Deployment Config:

- name: SPRING_CLOUD_VAULT_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-token
      key: roottoken

Bootstrap file:

spring:
  cloud:
    config:
      uri: http://xxxx.com
      username: ****
      password: ****
    vault:
      host: vault-server
      port: 8200
      scheme: http
      authentication: token
      token: ${SPRING_CLOUD_VAULT_TOKEN}
  application:
    name: service-name
management:
  security:
    enabled: false

Thanks to my colleagues who provided the inputs.

-- Here_2_learn
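
An added check that is not part of the original question or answer: `oc describe` above reports the `roottoken` value as 37 bytes, so if the token itself is 36 characters (an assumption; the page never shows it), the extra byte would be a trailing newline, which is not valid inside an HTTP header value. The functions below (hypothetical names, constructed sample token) decode a Secret data value and flag any whitespace or control byte before the value is used as a Vault token.

```shell
#!/bin/sh
# Added example: inspect the value stored under a Secret's data key before it
# is used as the Vault token (which is sent in an HTTP request header).
# Input is the base64 string as stored in the Secret's `data` field.

# token_byte_len B64 -> number of bytes after decoding
token_byte_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# token_is_header_safe B64 -> status 0 if every decoded byte is printable,
# non-space ASCII (0x21-0x7E); status 1 if a whitespace/control byte remains.
token_is_header_safe() {
    bad=$(printf '%s' "$1" | base64 -d | LC_ALL=C tr -d '!-~' | wc -c | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# report_token B64 -> one-line verdict; on failure also dumps the last bytes
report_token() {
    len=$(token_byte_len "$1")
    if token_is_header_safe "$1"; then
        echo "ok: $len bytes, no whitespace or control bytes"
    else
        echo "unsafe: $len bytes, whitespace or control bytes present"
        printf '%s' "$1" | base64 -d | tail -c 4 | od -c
        return 1
    fi
}

# Constructed sample token (36 characters), not a real credential.
SAMPLE='00000000-0000-0000-0000-000000000000'
DIRTY_B64=$(printf '%s\n' "$SAMPLE" | base64)   # newline kept: 37 bytes
CLEAN_B64=$(printf '%s' "$SAMPLE" | base64)     # no newline: 36 bytes

report_token "$DIRTY_B64" || true
report_token "$CLEAN_B64"
```

To check a real secret, pass the base64 string from the Secret's `data.roottoken` field to `report_token`.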
Source: StackOverflow