Config-server with Azure Key Vault Cloud config

Victor Einstenberg 0 Reputation points
2025-02-03T21:18:28.8033333+00:00

Hi guys

I really need some insight here.

I have an actual setup of config-server + centralized git configuration repo + App client (running on a k8 cluster).

App connects to config-server, which connects to the git repo, fetches the configuration and serves it back to the app, a pretty standard setup for config-server.

Now we are trying to use Azure Key Vault as a backend for config-server, meaning that when config-server connects to the git repository, it replaces any placeholder in the configuration file with secrets from the AKV. However, this never happens: I can see that the config-server has all the secrets loaded as property-sources, but it never replaces the placeholders.

Some configuration follows:

config-server: 2023.0.3
spring-cloud-azure-starter-keyvault-secrets: 5.19.0

config-server application.yaml

spring:
  cloud:
    config:
      allowOverride: true # Allows overriding properties from different sources.
      server:
        enable-placeholder-resolution: true
    azure:
      keyvault:
        secret:
          property-source-enabled: true
          property-sources[0]: 
            endpoint: "XXX"
            credential:
              client-id: "XXX"
              client-secret: "XXX"
            profile:
              tenant-id: "XXX"

property-sources being loaded in config-server

{
      "name": "azure-key-vault-secret-property-source-0",
      "properties": {
        "blackduck-token": {
          "value": "******"
        },
        "blackduck.token": {
          "value": "******"
        },
        "sonarqube-token": {
          "value": "******"
        },
        "sonarqube.token": {
          "value": "******"
        },
        "nexus-password": {
          "value": "******"
        },
        "nexus.password": {
          "value": "******"
        },
        "nexus-url": {
          "value": "******"
        },
        "nexus.url": {
          "value": "******"
        },
        "eastu-nexus-password": {
          "value": "******"
        },
        "eastu.nexus.password": {
          "value": "******"
        },
        "sonarqube-password": {
          "value": "******"
        },
        "sonarqube.password": {
          "value": "******"
        },
        "fortify-token": {
          "value": "******"
        },
        "fortify.token": {
          "value": "******"
        },
        "nexus-user": {
          "value": "******"
        },
        "nexus.user": {
          "value": "******"
        },
        "sonarqube-user": {
          "value": "******"
        },
        "sonarqube.user": {
          "value": "******"
        },
        "sample-maven-spring-boot---dev---feature----kvintegration---testing-secret": {
          "value": "******"
        },
        "sample.maven.spring.boot...dev...feature....kvintegration...testing.secret": {
          "value": "******"
        },
        "testing--secret": {
          "value": "******"
        },
        "testing..secret": {
          "value": "******"
        },
        "sonarqube-url": {
          "value": "******"
        },
        "sonarqube.url": {
          "value": "******"
        },
        "sample-maven-spring-boot---dev---feature----kvintegration---testing--secret": {
          "value": "******"
        },
        "sample.maven.spring.boot...dev...feature....kvintegration...testing..secret": {
          "value": "******"
        },
        "sonarqube-token": {
          "value": "******"
        },
        "sonarqube.token": {
          "value": "******"
        },
        "eastu-nexus-username": {
          "value": "******"
        },
        "eastu.nexus.username": {
          "value": "******"
        },
        "simple-key": {
          "value": "******"
        },
        "simple.key": {
          "value": "******"
        },
        "testing-secret": {
          "value": "******"
        },
        "testing.secret": {
          "value": "******"
        }
      }
    }

And finally, the app configuration stored in git, served by config-server without having the placeholders replaced (simple-key should get replaced):

# logging:
#   level:
#     root: DEBUG

app:
  message: Hello from ${environment.name} demo new message
  new:
    message: >-
      Hello from big-message
      This is a longer message
      for the ${environment.name} environment
      being pulled from the config repository

someKey: ${simple.key}

I've had this setup done in an older version and it used to work fine, so I'm just curious if I'm missing something.
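
One way to check which placeholders in the git-served file have a matching name in the Key Vault property source, as an added example that is not part of the original post. It assumes the naming visible in the dump above (each secret listed under its own name and under a copy with hyphens replaced by dots); the function names and the `fallback` line are constructed for illustration.

```python
import re

# Constructed sample: a few secret names as listed in the property-source dump.
KEYVAULT_SECRET_NAMES = ["simple-key", "testing-secret", "testing--secret", "nexus-password"]

# Constructed sample: the git-served config from the post, plus one extra
# line (fallback) added here to show the ${name:default} form.
GIT_CONFIG = """\
# logging:
app:
  message: Hello from ${environment.name} demo new message
someKey: ${simple.key}
fallback: ${missing.key:default-value}
"""

# ${name} or ${name:default}
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")


def exposed_names(secret_names):
    """Names a placeholder can match: each secret name plus its dotted copy
    (hyphens replaced by dots), mirroring the pairs shown in the dump."""
    names = set()
    for name in secret_names:
        names.add(name)
        names.add(name.replace("-", "."))
    return names


def audit_placeholders(config_text, secret_names):
    """Map each placeholder key to 'keyvault', 'default' or 'unresolved'."""
    known = exposed_names(secret_names)
    report = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):  # skip commented-out YAML lines
            continue
        for match in PLACEHOLDER.finditer(line):
            key, default = match.group(1), match.group(2)
            if key in known:
                report[key] = "keyvault"
            elif default is not None:
                report[key] = "default"
            else:
                report[key] = "unresolved"
    return report


if __name__ == "__main__":
    for key, status in audit_placeholders(GIT_CONFIG, KEYVAULT_SECRET_NAMES).items():
        print(f"{key}: {status}")
```

Here `simple.key` is the only placeholder backed by a Key Vault name; `environment.name` has no match in the secret list, so it has to come from some other property source.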
