Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configuring Secrets Priority in propertySources #1867

Open
arjavdongaonkar opened this issue Feb 7, 2025 · 5 comments · Fixed by #1873
Open

Configuring Secrets Priority in propertySources #1867

arjavdongaonkar opened this issue Feb 7, 2025 · 5 comments · Fixed by #1873
Labels
enhancement

Comments

@arjavdongaonkar
Copy link
Contributor

In the current setup, Kubernetes Secrets appear at the bottom of the propertySources list in the API response.

Example response:

"propertySources": [
  { "name": "vault:application" },
  { "name": "secret:ab-service-secrets" }
]

This ordering means that values from Kubernetes Secrets have lower precedence than other configuration sources. However, in many cases, it would be preferable for Kubernetes Secrets to take priority, allowing other configurations to resolve their values using Secrets.

Questions

  1. Is there a way to configure the order of propertySources so that Kubernetes Secrets appear at the top of the list?
  2. If not, would it be possible to introduce an option to adjust the precedence of Kubernetes Secrets dynamically?

Use Case
Having Kubernetes Secrets at the top of the list ensures that they override other configurations, making them the primary source of truth for sensitive values. This aligns with best practices for managing secrets in Kubernetes-based environments.

Looking forward to your insights on this!
@wind57
Copy link
Contributor

wind57 commented Feb 7, 2025

is this still about config server? I think it is, but it's not clear... can you please make that explicit? thank you

@arjavdongaonkar
Copy link
Contributor Author

Sure, I have my Spring Cloud Kubernetes Config Server running in a k8s cluster on port 8888 with the following setup:

  • Spring Cloud Kubernetes Config Server version: 3.2.0
  • kubernetes is included in the list of active profiles.
  • Secrets are enabled using: 
    spring.cloud.kubernetes.secrets.enableApi=true
  • The pod has correct role bindings to access Kubernetes Secrets.
  • Vanilla Spring Cloud Config Server version (when working normally): 4.2.0

When I try to access secrets using the following curl command:

curl --location 'http://localhost:8888/ab-service/ab-service,secrets'

I get the following API response:

"propertySources": [
  {
    "name": "vault:application",
    "source": {
      "TOKEN_A": "some_token_1",
      "TOKEN_B": "${TOKEN_E}_some_token",
      "TOKEN_C": "some_api_key"
    }
  },
  {
    "name": "secret:ab-service-secrets",
    "source": {
      "TOKEN_D": "some_token_2",
      "TOKEN_E": "some_token_3"
    }
  }
]

In this setup:

  • TOKEN_E is stored in Kubernetes Secrets (secret:ab-service-secrets).
  • TOKEN_B depends on TOKEN_E (TOKEN_B = ${TOKEN_E}_some_token).

Since Kubernetes Secrets appear below Vault in the propertySources array, the system fails to resolve TOKEN_E while evaluating TOKEN_B.

  • If Kubernetes Secrets were at the top, TOKEN_E would be available for resolving TOKEN_B.
  • This behavior works correctly in vanilla Spring Cloud Config Server, where the order can be explicitly controlled using spring.profiles.active as composite and defining the spring.cloud.config.server.composite structure.

In Vanilla Spring Cloud Config Server, we can explicitly define:

spring:
  cloud:
    config:
      server:
        composite:
          - type: vault
          - type: git

This setup ensures that Vault values are resolved first, allowing Git configurations to reference secrets from Vault.

I have created this new issue as suggested by @ryanjbaxter here

@ryanjbaxter
Copy link
Contributor

We will need to look into this. We might need to do some work to make something like this to work:

spring:
  cloud:
    config:
      server:
        composite:
          - type: kubernetes
          - type: vault

@arjavdongaonkar
Copy link
Contributor Author

Yes, I can see we are using CompositeUtils.getFactoryName to allow composite types to inject the repository into propertySources.
Would simply adding a KubernetesRepositoryFactory bean in codebase be sufficient, or do we need to make any additional changes?
Am I on the right track with this approach?

@arjavdongaonkar
Copy link
Contributor Author

Hey @ryanjbaxter
I’ve raised a PR to introduce support for kubernetes as a composite config source. The changes include:

  • Added KubernetesEnvironmentRepositoryFactory to enable composite repository support.
  • Updated KubernetesConfigServerAutoConfiguration to provide the factory bean.

This allows users to define Kubernetes as a composite type like:

spring:
  cloud:
    config:
      server:
        composite:
          - type: kubernetes
          - type: vault

Can you please take a look?

P.S. Please ignore the weird commit msg :)

@arjavdongaonkar arjavdongaonkar mentioned this issue Feb 11, 2025
Merged
@ryanjbaxter ryanjbaxter linked a pull request Feb 13, 2025 that will close this issue
Kubernetes as a Composite config source #1873
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Kubernetes as a Composite config source arjavdongaonkar/spring-cloud-kubernetes
4 participants
@ryanjbaxter @wind57 @arjavdongaonkar @spring-cloud-issues