I am using Vault and Consul for secret management and service configuration respectively. It is quite common to use Consul ACL in a production environment and to be managing Consul ACL tokens with the Vault Consul backend.
Sample application YAML configuration with Spring Boot's config data API:

```yaml
spring:
  config:
    import: consul://,vault://
```
Verified that the import order should be reversed so that Consul could be loaded after Vault. However, that does not help with the ACL token being available to the config data loader, as the Consul config data loader and its dependencies such as ConsulConfigProperties are initialized by the ConfigDataImporter (resolve) before they are loaded.
Sample error logs that show the acl set to null:
17:35:24.089 [main] DEBUG org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter - Application failed to start due to an exception
org.springframework.boot.context.config.ConfigDataResourceNotFoundException: Config data resource '[ConsulConfigDataResource@c667f46 context = 'local/spring-boot-example/spring-boot-example,local.properties', optional = true, properties = [ConsulConfigProperties@51bd8b5c enabled = true, prefix = 'local/spring-boot-example', defaultContext = 'application', profileSeparator = ',', format = FILES, dataKey = 'data', aclToken = [null], watch = [ConsulConfigProperties.Watch@7b50df34 waitTime = 55, enabled = true, delay = 1000], failFast = true, name = 'spring-boot-example', consulToken = [null], consulAclToken = [null]]]' via location 'consul://' cannot be found
at org.springframework.boot.context.config.ConfigDataResourceNotFoundException.withLocation(ConfigDataResourceNotFoundException.java:97)
at org.springframework.boot.context.config.ConfigDataImporter.handle(ConfigDataImporter.java:133)
at org.springframework.boot.context.config.ConfigDataImporter.load(ConfigDataImporter.java:124)
at org.springframework.boot.context.config.ConfigDataImporter.resolveAndLoad(ConfigDataImporter.java:82)
at org.springframework.boot.context.config.ConfigDataEnvironmentContributors.withProcessedImports(ConfigDataEnvironmentContributors.java:121)
at org.springframework.boot.context.config.ConfigDataEnvironment.processWithProfiles(ConfigDataEnvironment.java:310)
at org.springframework.boot.context.config.ConfigDataEnvironment.processAndApply(ConfigDataEnvironment.java:235)
at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:97)
at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:89)
at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEnvironmentPreparedEvent(EnvironmentPostProcessorApplicationListener.java:100)
at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEvent(EnvironmentPostProcessorApplicationListener.java:86)
at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:176)
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:169)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:143)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:131)
at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:82)
at org.springframework.boot.SpringApplicationRunListeners.lambda$environmentPrepared$2(SpringApplicationRunListeners.java:63)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:117)
at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:111)
at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:62)
at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:362)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:320)
at com.hmhco.example.springboot.Application.main(Application.java:21)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: org.springframework.cloud.consul.config.ConsulPropertySources$PropertySourceNotFoundException: OperationException{statusCode=403, statusMessage='Forbidden', statusContent='Permission denied'}
Does anybody have a workaround or know when this feature will be implemented?
The problem still exists in these versions:
springboot: "2.5.2",
spring_cloud_consul: "3.0.3",
spring_cloud_vault: "3.0.3"
Confirmed in our case.
Did anyone have a workaround for using vault alongside consul as config source?
Vault creates aclToken for Consul, but it is not used during fetching config from consul:// source
It's not clear exactly what changes (if any) are needed to Spring Boot to support Vault and Consul together. I've duplicated this issue at spring-cloud/spring-cloud-vault#607 since we really need input from the Spring Cloud team. We can reopen this issue if concrete API changes are needed on our side.
Note: With legacy bootstrap, there is a workaround documented here (this does not apply to config data api) - https://gist.github.com/mp911de/17f550ffecdc9e8f22061bfdf896bbb4
Test Case Provided here:
https://github.com/krisiye/sb-issue-25705