springboot-vault-examples

The goal of this project is to play with Vault. For that, we will implement some applications that rely on Vault to store and retrieve secrets. The credentials used to access the databases are generated dynamically by Vault, which uses Consul as its storage backend. The applications authenticate to Vault with the AppRole auth method.

Lease Rotation

A problem many people run into when using Vault is rotating the lease obtained from a database secrets backend. When a Spring Boot application requests a lease from Vault using, for instance, the Spring Cloud Vault library, the library itself renews the lease periodically before its TTL (default_lease_ttl) runs out.

However, once the lease reaches its maximum TTL (max_lease_ttl), it cannot be renewed any further and a new lease, with a new set of database credentials, is required. In this situation Spring Cloud Vault does not rotate the credentials in the application's DataSource, so the old user is revoked by Vault and the application is left without a database connection.

To solve this problem, I have implemented some solutions for applications that use Spring Cloud Vault or Spring Vault. Please have a look at the examples below.
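One way to implement the rotation described above, written here as an added example (it is not code from springboot-vault-examples): a Spring Vault lease listener that registers the database credentials path in ROTATE mode, so that once max_lease_ttl is reached the SecretLeaseContainer re-reads the path, and then pushes the freshly issued username and password into the running HikariCP pool. The package name, the credentials path "database/creds/mysql-role", the presence of a SecretLeaseContainer bean and the use of HikariDataSource are all assumptions, not taken from the README.

```java
package com.example.vault; // hypothetical package, not from the project

import java.util.Map;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.stereotype.Component;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.LeaseListenerAdapter;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

import com.zaxxer.hikari.HikariDataSource;

/**
 * Rotates MySQL credentials inside a running HikariCP pool when the Vault
 * lease hits max_lease_ttl. Added example; not code from springboot-vault-examples.
 *
 * Assumptions (not taken from the README):
 *  - the database role is mounted at "database/creds/mysql-role" (hypothetical path);
 *  - Spring Vault / Spring Cloud Vault exposes a SecretLeaseContainer bean;
 *  - the application's DataSource is a HikariDataSource.
 */
@Component
public class VaultCredentialsRotator extends LeaseListenerAdapter implements InitializingBean {

    private static final String CREDS_PATH = "database/creds/mysql-role"; // hypothetical

    private final SecretLeaseContainer leaseContainer;
    private final HikariDataSource dataSource;

    public VaultCredentialsRotator(SecretLeaseContainer leaseContainer, HikariDataSource dataSource) {
        this.leaseContainer = leaseContainer;
        this.dataSource = dataSource;
    }

    @Override
    public void afterPropertiesSet() {
        // ROTATE mode: the container renews the lease until Vault refuses to extend it
        // (max_lease_ttl reached), then reads the path again. Vault then issues a brand
        // new user/password pair and the container fires SecretLeaseCreatedEvent again.
        leaseContainer.addRequestedSecret(RequestedSecret.rotating(CREDS_PATH));
        leaseContainer.addLeaseListener(this);
    }

    @Override
    public void onLeaseEvent(SecretLeaseEvent event) {
        if (!CREDS_PATH.equals(event.getSource().getPath())) {
            return; // events for KV secrets or other paths are not our concern
        }
        if (event instanceof SecretLeaseExpiredEvent) {
            // The lease reached max TTL: Vault will revoke the old database user.
            // Nothing to do here; the re-read triggered by ROTATE mode follows.
            return;
        }
        if (event instanceof SecretLeaseCreatedEvent) {
            Map<String, Object> secrets = ((SecretLeaseCreatedEvent) event).getSecrets();
            String username = (String) secrets.get("username");
            String password = (String) secrets.get("password");
            if (username != null && password != null) {
                applyCredentials(username, password);
            }
        }
    }

    private void applyCredentials(String username, String password) {
        // Change the live pool configuration through the MXBean (HikariDataSource
        // rejects the plain setters once the pool has started), then softly evict
        // the pooled connections so that new ones are opened with the new user
        // before Vault revokes the old one. In-flight queries finish on their
        // current connection and are not interrupted.
        dataSource.getHikariConfigMXBean().setUsername(username);
        dataSource.getHikariConfigMXBean().setPassword(password);
        dataSource.getHikariPoolMXBean().softEvictConnections();
    }
}
```

The soft eviction is the part that is easy to forget: updating the username and password only affects connections created afterwards, so without evicting the pool the application keeps using connections authenticated as the old user until Vault revokes that user and the connections start failing.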

Examples

Each example has a project diagram in its folder.

  • spring-cloud-vault-approle-mysql (with lease rotation)
  • spring-cloud-vault-approle-cassandra
  • spring-vault-approle-mysql (with lease rotation)
  • spring-vault-approle-multi-datasources-mysql (with lease rotation)

Prerequisites

Initialize Environment

Open a terminal and, inside the springboot-vault-examples root folder, run the following script:

./init-environment.sh

This script will:

  • start the Consul, Vault, MySQL and Cassandra Docker containers;
  • unseal Vault and enable the AppRole auth method in it;
  • set up the database roles and policies in Vault so that each application can access its database using dynamically generated credentials;
  • set up the KV secrets in Vault for the applications.

Shutdown Environment

To stop and remove the docker-compose containers, network and volumes, open a terminal and, inside the springboot-vault-examples root folder, run the script below:

./shutdown-environment.sh

Cleanup

To remove all Docker images created by this project, open a terminal and, inside the springboot-vault-examples root folder, run the following script:

./remove-docker-images.sh all

References
