
Consul ACL Token is not available with Config Data API when using consul with vault (consul backend)

Open philwebb opened this issue 4 years ago • 3 comments

Please see https://github.com/spring-projects/spring-boot/issues/25705 for details.

Opening here as I'm not sure what changes (if any) are needed in Spring Boot to support this request. Perhaps there's some deeper integration between spring-cloud-vault and spring-cloud-consul needed?

philwebb avatar Aug 17 '21 00:08 philwebb

Any updates on this issue?

  • With legacy bootstrapping there are issues with the Consul ACL token being lost after a refresh, which is quite common with the Consul watch enabled and when properties are updated. (https://github.com/spring-projects/spring-vault/issues/633 was marked as a duplicate of spring-cloud/spring-cloud-commons#833, but that seems unrelated to the primary issue I posted, which is about Vault and Consul.)
  • With the Config Data API we cannot get the ACL token when using the Vault Consul backend.

It will be nice to get a fix for this given how different legacy and Config Data API processing is, and moving forward with Spring Boot upgrades will be easier if this is fixed.

krisiye avatar Oct 21 '21 18:10 krisiye

I think the problem originates from the design of the Config Data mechanism. There are two relevant phases:

  1. Discovery and resolution of ConfigDataResource. ConfigDataLocationResolverContext exposes access to the Properties Binder to let Config Data components inspect configuration properties.
  2. Loading of all discovered ConfigDataResource. Each resource is loaded.

Once all resources are loaded, PropertySources are added to Spring's Environment and additional (contributed) configuration properties can be accessed.

In your arrangement, Consul requires properties that are contributed by Vault; however, at the time the config for the Consul integration is collected, Vault has not been accessed and no properties from Vault's ConfigData contribution are visible.

@philwebb would it be possible to refine Spring Boot's loading mechanism to resolve a Config Data location first, load its ConfigData and then proceed with the next Config Data location?

mp911de avatar Nov 24 '21 08:11 mp911de
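The two-phase ordering described in the comment above, modelled as an added example (this is not Spring Boot or Spring Cloud code; the `Resolver`/`Resource` types and the property name `spring.cloud.consul.token`, which is assumed to be the property the Consul integration reads its ACL token from, are assumptions made for illustration). It contrasts "resolve all, then load all" with the per-location "resolve, load, next" refinement asked for:

```java
import java.util.*;

// Hypothetical model (added example, not Spring Boot code) of the two Config Data
// phases: every location is resolved first, then every resource is loaded.
public class ConfigDataPhases {
    record Resource(String name, Map<String, String> contributed) {}
    interface Resolver { Resource resolve(Map<String, String> visibleProps); }

    // Vault: its contribution (the Consul ACL token, constructed value) only exists after loading.
    static final Resolver VAULT = props -> new Resource("vault",
            Map.of("spring.cloud.consul.token", "constructed-token-value"));

    // Consul: needs the token while resolving; records whether it could see it.
    static final Resolver CONSUL = props -> new Resource("consul",
            Map.of("consul.token.seen",
                   String.valueOf(props.containsKey("spring.cloud.consul.token"))));

    // Current behaviour: phase 1 resolves every location against the environment as it
    // stands, phase 2 then loads all resources. Vault's contribution arrives too late.
    static Map<String, String> resolveAllThenLoadAll(List<Resolver> locations) {
        Map<String, String> env = new HashMap<>();
        List<Resource> resources = new ArrayList<>();
        for (Resolver r : locations) resources.add(r.resolve(env));   // phase 1
        for (Resource res : resources) env.putAll(res.contributed()); // phase 2
        return env;
    }

    // Proposed refinement: resolve one location, load it, then move to the next one,
    // so an earlier location's properties are visible to a later resolver.
    static Map<String, String> resolveAndLoadEach(List<Resolver> locations) {
        Map<String, String> env = new HashMap<>();
        for (Resolver r : locations) env.putAll(r.resolve(env).contributed());
        return env;
    }

    public static void main(String[] args) {
        List<Resolver> order = List.of(VAULT, CONSUL); // vault imported before consul
        System.out.println("current:  consul saw token = "
                + resolveAllThenLoadAll(order).get("consul.token.seen"));
        System.out.println("proposed: consul saw token = "
                + resolveAndLoadEach(order).get("consul.token.seen"));
    }
}
```

Even with Vault imported before Consul, the current ordering reports `false` (the token is absent during Consul's resolution) while the per-location ordering reports `true`.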

@mp911de I think so, but it's likely to be risky so I'd rather not do it in the existing releases. I've opened https://github.com/spring-projects/spring-boot/issues/28849

philwebb avatar Nov 29 '21 20:11 philwebb