Cloud security projects with Spring Cloud Config Server and Vault
This project demonstrates cloud security implementations using Spring Cloud Config and HashiCorp Vault, with examples of secure configuration management and secret handling.
CloudSecurity/├── config-client/ # Basic config client implementation├── config-client-vault/ # Vault-integrated config client├── config-server/ # Basic config server├── config-server-vault/ # Vault-integrated config server├── standalone-client/ # Independent client implementation├── config-repo/ # Configuration repository└── Docker/ # Container configurations
The system is designed with multiple layers of configuration and security management:
+-------------------------------------------------------------------------+| Client Applications || +----------------+ +-------------------+ +------------------+ || | Standalone | | Config Client | | Config Client | || | Client | | (Basic) | | (Vault) | || | [Jasypt] | | | | | || +--------+-------+ +---------+---------+ +--------+---------+ || | | | || | | | |+-----------|--------------------+---------------------|--------------------+| | |v v v+-------------------------------------------------------------------------+| Configuration Layer || +----------------+ +-------------------+ +------------------+ || | Jasypt | | Config Server | | Config Server | || | Encryption | | (Basic) | | (Vault) | || | | | | | | || +----------------+ +--------+----------+ +--------+---------+ || | | |+------------------------------|-----------------------)--------------------+| |v v+-------------------------------------------------------------------------+| Security & Storage || +----------------+ +-------------------+ +------------------+ || | Config Repo | | HashiCorp | | PostgreSQL | || | (Git) | | Vault | | Database | || | | | | | | || +----------------+ +-------------------+ +------------------+ || |+-------------------------------------------------------------------------+
The architecture consists of three main layers:
Client Applications Layer
Configuration Layer
Security & Storage Layer
The standalone application is using Jasypt for Spring Boot to secure sensitive configuration properties. This demo application shows the simplest way to encrypt sensitive properties without requiring another service or system. You have to provide an environment variable named jasypt.encryptor.password with the value sample-password to decrypt the database password during application start. After launching, http://localhost:8080 shows basic application information.
All client applications use Spring Cloud Config to separate code and configuration and therefore require a running config server before starting the actual application.
This project contains the Spring Cloud Config server which must be started like a Spring Boot application before using the config-client web application. After starting the config server with the default profile, the server is available on port 8888 and will use the configuration files provided in the config-repo folder in my GitHub repository. Starting the config server without a profile therefore requires Internet access to read the configuration files
There are two application configurations available:
This Spring Boot based web application exposes the REST endpoints /, /users and /credentials. Depending on the active Spring profile, the configuration files used are not encrypted (plain) or secured using Spring Config encryption functionality (cipher). There is no default profile available, so you have to provide a specific profile during start.
Configuration files are not protected at all, even sensitive configuration properties are stored in plain text.
This profile uses Config Server functionality to encrypt sensitive properties. It requires either a symmetric or asymmetric key. The sample is based on asymmetric encryption and is using a keystore (server.jks) which was created with the following command:
keytool -genkeypair -alias configserver -storetype JKS -keyalg RSA \-dname "CN=Config Server,OU=Unit,O=Organization,L=City,S=State,C=Germany" \-keypass secret -keystore server.jks -storepass secret
The Config Server endpoints help to encrypt and decrypt data:
curl http://localhost:8888/encrypt -d secretToEncryptcurl http://localhost:8888/decrypt -d secretToDecrypt
Build the project:
mvn clean install
Start infrastructure:
cd Dockerdocker-compose up -d
Initialize Vault:
Key 1: ndPiS12Q92PqSdahBL4xFkDSjHTivINXQeC62jUv6tVaKey 2: 8FpTPAQSFj2j2NyAt1V47iZtBn4g+a3V5hgc6L6ogiw5Key 3: xRDWjq+0n72AjfC6Zt19Aiw3XCnMBJ424QoKATDROi+FKey 4: wBEG41KMWWpYbhYwtSl/+0hYOhSNQGhsvH8T1FZiJh4wKey 5: YJ+WiIAzWDatj3eAiiULjw/BoNF+30DWsrFqs6xnDadR
hvs.WzBcwSIguPzLnhfJmPaCIMnKRun applications in order:
mvn testtarget/site/jacoco/index.htmlIn case you don’t want to use the configured Vault Docker container you can find all required commands to initialize Vault below:
vault server -config Docker/config/file-storage.hclexport VAULT_ADDR=http://127.0.0.1:8200vault operator initexport VAULT_TOKEN=[Root Token]vault operator unseal [Key 1]vault operator unseal [Key 2]vault operator unseal [Key 3]
Execute the following commands in order to enable the required backend and other services and to provide the required data:
# enable secrets backendvault secrets enable -path=secret kv-v2# provide configuration data for the config-client-vault applicationvault kv put secret/Config-Client-Vault config.client.vault.application.name="Config Client Vault" config.client.vault.application.profile="vault"# import policyvault policy write config-client-policy Docker/policies/config-client-policy.hcl# create a token for config-client-vaultvault token create -policy=config-client-policy# enable and configure AppRole authenticationvault auth enable approle# create roles with 24 hour TTL (can be renewed for up to 48 hours of its first creation)vault write auth/approle/role/config-client \token_ttl=24h \token_max_ttl=48h \token_policies=config-client-policy# update config-client-vault/application.yml with the returned role-idvault read auth/approle/role/config-client/role-id# update config-client-vault/application.yml with the returned secret-idvault write -f auth/approle/role/config-client/secret-id# enable the Transit backend and provide a keyvault secrets enable transitvault write -f transit/keys/symmetric-sample-key# enable dynamic database secretsvault secrets enable database# create an all privileges rolevault write database/roles/config_client_vault_all_privileges \db_name=config_client_vault \creation_statements="CREATE ROLE \"{{name}}\" \WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; \ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO \"{{name}}\";" \revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;" \default_ttl="24h" \max_ttl="48h"# create the database connection (the database must already exist, create it with "CREATE DATABASE config_client_vault;")vault write database/config/config_client_vault \plugin_name=postgresql-database-plugin \allowed_roles="*" \connection_url="postgresql://{{username}}:{{password}}@postgres:5432/config_client_vault?sslmode=disable" \username="postgres" \password="password"# force rotation for root user (THIS WILL DESTROY the existing root password, make sure you have another one)vault write --force /database/rotate-root/config_client_vault# create new credentialsvault read database/creds/config_client_vault_all_privileges