deploy and use the vault to save the secret, take the spring database connection as example
- setup up the vault server in dev mode by customize token
- should auto import the security key/value pair into vault
- spring application could use the security key/value pair in vault
- use the vault to store the pg database connection string
- spring application api test nowith vault and bootstrap.properties(分环境配置)
- flyway migration with vault
In the root folder of codebase, please run the sh start-vault-dev.sh to init the env.
all of these have been moved to https://github.com/victoryw/ansible-infrastructure-vault-learn by now, the application and test will use the vm build by "ansible-infrastructure-vault-learn". later, there would be another way to use the docker deploy on the mac.
The migration scripts should be stored in the database-migration/test.
The file named as 'migrate-db.sh' in the database-migration will use the flyway to migrate.
And the username and password is stored in the vault.
There are two tests.
- One test is named with 'PG' means that this test will use the postgres.
- The other one test is named with 'H2' means that this test will use the H2 as the fake datebase.
gradle test
gradle bootRun.
source destroy-vault-dev.sh
spring-cloud-vault spring-cloud-vault-doc
id "io.spring.dependency-management" version "1.0.2.RELEASE"
dependencyManagement {
imports {
mavenBom 'org.springframework.cloud:spring-cloud-vault-dependencies:1.0.1.RELEASE'
}
}
compile 'org.springframework.cloud:spring-cloud-starter-vault-config'
spring.application.name=my-application
spring.cloud.vault.host=127.0.0.1
spring.cloud.vault.port=8201
spring.cloud.vault.scheme=http
spring.cloud.vault.authentication=token
spring.cloud.vault.token=devroot
spring.datasource.url=jdbc:postgresql:https://localhost:5436/vaultdb
spring.cloud.vault.postgresql.enabled=true
spring.cloud.vault.postgresql.role=operator
spring.cloud.vault.postgresql.backend=postgresql
spring.cloud.vault.postgresql.username-property=spring.datasource.username
spring.cloud.vault.postgresql.password-property=spring.datasource.password
In the test class should be with
@ActiveProfiles(profiles = "test")
In the bootstrap-test.properties should be with
spring.application.name=my-application
spring.config.enabled=false
spring.cloud.vault.enabled=false
spring.cloud.vault.postgresql.enabled=false
password=''
spring.datasource.url=jdbc:h2:mem:app
spring.datasource.password=
use docker to run flyway with vault
a=`ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p' | sed -n '1p;1q'`
not use the dynamic secret for the pg not allow non-owner to remove/change the table