Spring Cloud + Hashicorp Vault Hello World Example
In this Spring Cloud Tutorial we will be making use of Hashicorp Vault to secure credentials for Microservices.
·
Join the DZone community and get the full member experience.
Join For FreeMicroservices architecture have multiple services which interact with each other and external resources like databases. They also need access to usernames and passwords to access these resources. Usually these credentials are stored in config properties. So each microservice will have its own copy of credentials. If any credentials change we will need to update the configurations in all microservices. We have previously discussed one solution to this problem is using Spring Cloud Config Native Server or Spring Cloud Config Git Server where common global properties which are repeated in all the microservices are usually stored. But still storing the secrets in configuration file is a security concern. Above approach as 2 drawbacks-
- No single point of Truth
- Security risk of exposing the credentials
In this tutorial will be using Spring Cloud Config and Hashicorp Vault to manage secrets and protect sensitive data.
Hashicorp Vault is a platform to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting sensitive data and other secrets in a dynamic infrastructure.
Using vault we will be retrieving the credentials from the vault key/value store.
We will be implementing a simple Spring Boot Microservice which returns employee details from MySql Database. We will be creating the Spring Boot + MySQL Application using Spring Boot JDBC. We have already seen Spring Boot MYSQL JDBC basics in a previous tutorial. In We will be initially storing the MySql credentials in the configuration file.
Later we will be modifying this application to fetch the MySQL credentials from HashiCorp Vault.
Spring Boot + MySQL Application
The project will be as follows —
Add the spring-jdbc-starter dependency.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion><groupId>com.javainuse</groupId>
<artifactId>boot-jdbc</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging><name>boot-jdbc</name>
<description>Demo project for Spring Boot</description><parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.0.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent><properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8 </project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties><dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency><dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies><build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build></project>
In the application.properties file specify the datasource properties
xxxxxxxxxx
spring.datasource.url=jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.platform=mysql
spring.datasource.initialization-mode=always
Create the schema-mysql.sql file and specify the initialization scripts —
xxxxxxxxxx
DROP TABLE IF EXISTS employee;CREATE TABLE employee (
empId VARCHAR(10) NOT NULL,
empName VARCHAR(100) NOT NULL
);INSERT INTO employee(empId,empName)values("emp001","emp1");
INSERT INTO employee(empId,empName)values("emp002","emp2");
INSERT INTO employee(empId,empName)values("emp003","emp3");
Create the Employee Domain class
x
package com.javainuse.model;
public class Employee {
private String empId;
private String empName;
public String getEmpId() {
return empId;
}
public void setEmpId(String empId) {
this.empId = empId;
}
public String getEmpName() {
return empName;
}
public void setEmpName(String empName) {
this.empName = empName;
}
public String toString() {
return "Employee [empId=" + empId + ", empName=" + empName + "]";
}
}
Create the DAO interface.
xxxxxxxxxx
package com.javainuse.dao;
import java.util.List;
import com.javainuse.model.Employee;
public interface EmployeeDao {
List<Employee> getAllEmployees();
}
The DAO implementation class.
xxxxxxxxxx
package com.javainuse.dao.impl;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
import org.springframework.stereotype.Repository;
import com.javainuse.dao.EmployeeDao;
import com.javainuse.model.Employee;
public class EmployeeDaoImpl extends JdbcDaoSupport implements EmployeeDao {
DataSource dataSource;
private void initialize() {
setDataSource(dataSource);
}
public List<Employee> getAllEmployees() {
String sql = "SELECT * FROM employee";
List<Map<String, Object>> rows = getJdbcTemplate().queryForList(sql);
List<Employee> result = new ArrayList<Employee>();
for (Map<String, Object> row : rows) {
Employee emp = new Employee();
emp.setEmpId((String) row.get("empId"));
emp.setEmpName((String) row.get("empName"));
result.add(emp);
}
return result;
}
}
Create Service interface to specify employee operations to be performed.
xxxxxxxxxx
package com.javainuse.service;
import java.util.List;
import com.javainuse.model.Employee;
public interface EmployeeService {
List<Employee> getAllEmployees();
}
The Service class implementation.
xxxxxxxxxx
package com.javainuse.service.impl;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.javainuse.dao.EmployeeDao;
import com.javainuse.model.Employee;
import com.javainuse.service.EmployeeService;
public class EmployeeServiceImpl implements EmployeeService {
EmployeeDao employeeDao;
public List<Employee> getAllEmployees() {
List<Employee> employees = employeeDao.getAllEmployees();
return employees;
}
}
Create the Controller class to expose a GET API which fetches the employee records.
xxxxxxxxxx
package com.javainuse.controller;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import com.javainuse.model.Employee;
import com.javainuse.service.EmployeeService;
public class EmployeeController {
EmployeeService empService;
(value = "/employees", method = RequestMethod.GET)
public List<Employee> firstPage() {
return empService.getAllEmployees();
}
}
Finally create the class with @SpringBootApplication annotation.
xxxxxxxxxx
package com.javainuse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
public class SpringBootJdbcApplication {
public static void main(String[] args) {
SpringApplication.run(SpringBootJdbcApplication.class, args);
}
}
Start the application. And got to localhost:8080/employees.
Download and Setup Hashicorp Vault
Go to Hashicorp download Page and download Hashicorp Vault.
This is a zip file. Unzip it contains vault.exe. Create a file name vaultconfig.hcl for configuring vault on startup.
xxxxxxxxxx
storage "file" {
path= "./vault-data"
}listener "tcp" {
address = "127.0.0.1:8200"
tls_disable =1
}disable_mlock=true
Open a command prompt and run the following vault commands-
vault server -config ./vaultconfig.hcl
Vault is now started. Open another command prompt and run the following commands-
set VAULT_ADDR=http://localhost:82
vault operator init
set VAULT_TOKEN=s.wO85qvAKuzL4QQifLE9N5aiq
vault status
We can see here that the Vault is sealed. We need to unseal it.
xxxxxxxxxx
vault operator unseal Y2fJhNi5AXU3HdShQ4p0bZ/KfXVWU3ZYRwaecnlkEYYP
vault operator unseal XS/NJF3X/OcrVzoM9a5oSG2D7Mls2+WCE104RgCAJLrH
vault operator unseal W+W/R7Dwgaj+qwPsrKo3RBDxSzrfoW917AwgoAzvFcOT
Next enable a key value store with named secrets
vault secrets enable -path=secret/ kv
Store the MySql username and password in the Hashicorp Vault
vault kv put secret/javainuseapp dbusername=root
vault kv put secret/javainuseapp dbpassword=root
Configure Spring Cloud Config in Spring Boot Application
In the pom.xml add the Spring Cloud dependencies —
xxxxxxxxxx
<name>boot-jdbc</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.0.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
<spring-cloud.version>Hoxton.SR1</spring-cloud.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
Create a file name bootstrap.yml and add the following configuration.
xxxxxxxxxx
spring:
application:
name: javainuseapp
cloud:
vault:
host: localhost
port: 8200
scheme: http
token: s.wO85qvAKuzL4QQifLE9N5aiq
Finally in the application.properties change the MySql username and password properties to get values from Hashicorp Vault.
xxxxxxxxxx
spring.datasource.url=jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
spring.datasource.username=${dbusername}
spring.datasource.password=${dbpassword}
spring.datasource.platform=mysql
spring.datasource.initialization-mode=always
If we now start the Spring Boot Application, it will automatically fetch the MySql username and password by making an API call to Vault.
Opinions expressed by DZone contributors are their own.
Comments