Re: Variable Substitution in manifest.yml


Lingesh Mouleeshwaran
 

Hello Karthi, 

We also got rid of all secrets managed in *.yml files and moved all secrets to the vault, and we have a simple jar which is embedded into the Spring/Spring Boot war.

For example, the entry below is sufficient for any web application in manifest.yml, and we have made it a vault orphan token with a lifetime of 10 years.

env:
    JAVA_OPTS:  -Dspring.application.name="<<Vault secret path>>" -Dspring.cloud.vault.token=000-000-00000000-00 


Spring dependency entry:

The entries below are required for any web application to embed your vault client jar.

<dependency>
    <groupId>com.config.vault</groupId>
    <artifactId>vault-java</artifactId>
    <version>1.0.0</version>
</dependency>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <!-- this file will have details about your propertyplaceholder logic -->
    <param-value>classpath*:/spring-vault-conf.xml</param-value>
</context-param>

Your vault client can be a subclass of PropertyPlaceholderConfigurer, and you can override the method below to read from the vault and populate the system ENVs.

/**
 * {@inheritDoc}
 * @throws IOException
 */
@Override
protected void loadProperties(Properties properties) throws IOException {
    // Properties.putAll returns void, so it cannot be passed straight to super.loadProperties:
    // merge the vault data into the Properties first, then hand them to the parent.
    properties.putAll(vaultResource.read());
    super.loadProperties(properties);
}

Hope this gives you some context for what you're looking for. Additionally, even if you go via Jenkins/Travis services, the secrets are still exposed as environment variables, and anyone is able to look at the secrets via cf env.

Regards
Lingesh M

On Tue, Jul 24, 2018 at 2:29 PM, <kvemula15@...> wrote:
Hi Nic,
Thank you for confirming. Can you point me to any examples/links on the web of how it could be done in CI, like in the Jenkins world, for the file creation that you were talking of?
Rgds,
Karthik.
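A fuller version of the PropertyPlaceholderConfigurer approach described in Lingesh's post, written as an added example rather than code from the vault-java jar or from anyone on this thread. It uses Spring Vault's VaultTemplate instead of the poster's vaultResource, assumes a KV v2 mount named "secret", the Vault address and token in the VAULT_ADDR / VAULT_TOKEN environment variables (the same cf env exposure the poster mentions applies to those), and a secret path supplied from spring-vault-conf.xml. The class name, the secret path and the field names are illustrative assumptions. It fails fast when Vault is unreachable or the secret is missing, and it keeps the fetched values in the placeholder Properties rather than copying them into System properties.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Map;
import java.util.Properties;

import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

/**
 * Added example (not the vault-java jar from the thread): a placeholder configurer that
 * overlays one Vault KV v2 secret onto the properties used for ${...} resolution.
 *
 * Assumptions: VAULT_ADDR and VAULT_TOKEN are set in the environment, the KV v2 engine is
 * mounted at "secret", and the secret path (e.g. "myapp/prod") is injected from
 * spring-vault-conf.xml. All of these names are illustrative.
 */
public class VaultPropertyPlaceholderConfigurer extends PropertyPlaceholderConfigurer {

    private final String secretPath;   // path under the "secret" mount (assumed)

    public VaultPropertyPlaceholderConfigurer(String secretPath) {
        this.secretPath = secretPath;
    }

    @Override
    protected void loadProperties(Properties props) throws IOException {
        // Let the parent load any file-based locations first so that Vault values win.
        super.loadProperties(props);

        String addr = System.getenv("VAULT_ADDR");
        String token = System.getenv("VAULT_TOKEN");
        if (addr == null || token == null) {
            // Fail fast: starting with unresolved placeholders surfaces later as a
            // confusing error, or worse, as a fallback default credential.
            throw new IOException("VAULT_ADDR and VAULT_TOKEN must be set");
        }

        VaultTemplate vault = new VaultTemplate(
                VaultEndpoint.from(URI.create(addr)),
                new TokenAuthentication(token));

        // KV v2 read; opsForKeyValue unwraps the nested "data" block for us.
        VaultResponse response =
                vault.opsForKeyValue("secret", KeyValueBackend.KV_2).get(secretPath);
        if (response == null || response.getData() == null) {
            throw new IOException("No secret found at secret/" + secretPath);
        }

        // Merge only into the placeholder Properties. Deliberately do NOT push the values
        // into System properties or environment-backed sources: anything there is readable
        // by every library in the JVM and shows up in heap and thread dumps.
        for (Map.Entry<String, Object> entry : response.getData().entrySet()) {
            props.setProperty(entry.getKey(), String.valueOf(entry.getValue()));
        }
    }
}
```

To wire it in, spring-vault-conf.xml would declare a bean of this class with the secret path as a constructor argument; ${db.password}-style placeholders elsewhere in the context then resolve from the Vault data without the values ever appearing in manifest.yml.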


Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.