
How to use Spring Cloud Config with a Git and Vault composite environment repository?

I've been tinkering with Spring Cloud Config, but have a use case where config properties are divided into two types:

  1. Non-secret values, which developers should be able to view and maintain (e.g. JDBC URLs, etc.)

  2. Secret values, which should be viewed and maintained only by designated people with special access (e.g. passwords)

So I'm very interested in the support for "Composite Environment Repositories", currently available in the snapshot versions. It seems like I would be able to use Git for the developer-managed properties, Vault for the secret properties, and configure it such that Vault would always take precedence over Git in the event of a conflict.

However, I'm finding that not only does Vault always take precedence... it's being used as the exclusive backend. No properties from Git are returned at all.

My application.yml looks like this:

spring:
  profiles:
    active: git, vault
  cloud:
    config:
      server:
        vault:
          order: 1
        git:
          uri: https://github.com/spring-cloud-samples/config-repo
          basedir: target/config
          order: 2

I have written a property to Vault like this:

vault write secret/foo foo=vault

And I am calling my config server like this:

curl -X "GET" "http://127.0.0.1:8888/foo/default" -H "X-Config-Token: a9384085-f048-7c99-ebd7-e607840bc24e"

However, the JSON response payload only includes the Vault property. Nothing from Git:

{
    "name": "foo",
    "profiles": [
        "default"
    ],
    "label": null,
    "version": null,
    "state": null,
    "propertySources": [
        {
            "name": "vault:foo",
            "source": {
                "foo": "vault"
            }
        }
    ]
}

It doesn't matter if I reverse the order settings in application.yml, to give Git higher priority than Vault. As long as the Vault profile is active, it acts as the exclusive backend.

However, if I deactivate the vault profile, then the same curl operation does return results from the Git backend:

{
    "name": "foo",
    "profiles": [
        "default"
    ],
    "label": "master",
    "version": "30f5f4a144dba41e23575ebe46369222b7cbc90d",
    "state": null,
    "propertySources": [
        {
            "name": "https://github.com/spring-cloud-samples/config-repo/foo.properties",
            "source": {
                "democonfigclient.message": "hello spring io",
                "foo": "from foo props"
            }
        },
        {
            "name": "https://github.com/spring-cloud-samples/config-repo/application.yml",
            "source": {
                "info.description": "Spring Cloud Samples",
                "info.url": "https://github.com/spring-cloud-samples",
                "eureka.client.serviceUrl.defaultZone": "http://localhost:8761/eureka/",
                "foo": "from-default"
            }
        }
    ]
}

Is there anything I could be missing? Some reason why the Git properties and Vault properties don't... well, "composite" together?

The only example in the documentation shows Git and Subversion being used together, and there's a note warning you that all repos should contain the same label (e.g. master). I'm wondering if that's the issue, as the label is always null for Vault.

Steve Perkins asked Feb 10 '17 22:02


1 Answer

I believe there must be something wrong with your dependencies. I also set up a Spring Cloud Config server with Git and Vault which works just fine. I think forcing usage of 1.3.0-BUILD.SNAPSHOT is not enough. Spring Cloud Config 1.3.0-BUILD.SNAPSHOT depends on spring-vault-core. You might be missing this dependency. And that might be causing the failing bean creation that you mentioned in one of your comments. Here is a link to a sample project with Git and Vault. Feel free to check it out.

Markus K answered Oct 08 '22 12:10
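
A check for the symptom described in the question, as an added example (not code from the question, the answer, or Spring Cloud Config): it parses a config server `/{application}/{profile}` response, reports which backends contributed property sources, and lists keys where a Vault value lost to another backend. The function names and the `COMPOSITE` sample are constructed; it assumes `propertySources` is listed in precedence order and that Vault sources are named `vault:<application>` as in the response shown in the question.

```python
import json

# Constructed samples. VAULT_ONLY mirrors the response in the question;
# COMPOSITE is what a working Vault-over-Git setup would be expected to return.
VAULT_ONLY = json.dumps({"name": "foo", "profiles": ["default"], "propertySources": [
    {"name": "vault:foo", "source": {"foo": "vault"}}]})
COMPOSITE = json.dumps({"name": "foo", "profiles": ["default"], "propertySources": [
    {"name": "vault:foo", "source": {"foo": "vault"}},
    {"name": "https://github.com/spring-cloud-samples/config-repo/foo.properties",
     "source": {"democonfigclient.message": "hello spring io", "foo": "from foo props"}}]})


def backend_of(source_name):
    """Classify a propertySources entry by name, following the responses on this page."""
    # Assumption: anything not named "vault:<app>" came from the Git repository.
    return "vault" if source_name.startswith("vault:") else "git"


def audit_environment(payload, expected=("vault", "git")):
    """Return (missing_backends, winners, shadowed) for one config server response.

    winners maps each key to the backend that supplies its effective value;
    values are deliberately left out so secrets never reach a log or CI report.
    """
    env = json.loads(payload)
    seen, winners, shadowed = set(), {}, []
    # Assumption: propertySources is listed in precedence order, first entry wins.
    for ps in env.get("propertySources", []):
        backend = backend_of(ps["name"])
        seen.add(backend)
        for key in ps.get("source", {}):
            if key in winners:
                shadowed.append((key, winners[key], backend))  # (key, winner, loser)
            else:
                winners[key] = backend
    missing = [b for b in expected if b not in seen]
    return missing, winners, shadowed


def vault_precedence_violations(shadowed):
    """Keys where a Vault value lost to another backend (Vault should always win)."""
    return [key for key, winner, loser in shadowed if loser == "vault" and winner != "vault"]


if __name__ == "__main__":
    for label, payload in (("vault-only", VAULT_ONLY), ("composite", COMPOSITE)):
        missing, winners, shadowed = audit_environment(payload)
        print(label, "missing:", missing, "winners:", winners, "shadowed:", shadowed)
```

A non-empty `shadowed` list with Git as the loser also shows that a key held in Vault has a counterpart in the developer-readable repository, which is worth reviewing when the key is meant to be secret.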