Describe the bug

I have configured the Config Server to use Vault as the backend and tried to use the APPROLE authentication mechanism. It is throwing the error "Missing required header in HttpServletRequest: X-Config-Token".

It works if I use "TOKEN" as the authentication mechanism.

Sample

application.yml

server:
  port: 8888

spring:
  cloud:
    config:
      server:
        vault:
          host: myvault.com
          port: 443
          scheme: https
          namespace: devops/cicd
#          authentication: TOKEN
#          token: mytoken
          authentication: APPROLE
          app-role:
            role-id: my-role-id
            secret-id: my-secret-id
            role: app-role
            app-role-path: approle
          kv-version: 2
          backend: kv
  profiles:
    active:
    - vault
  application:
    name: spring-config-server

Am I missing any other setup?

https://github.com/spring-cloud/spring-cloud-config/issues/1464

Comment From: kamalakarp

With Token auth

#          authentication: TOKEN
#          token: mytoken

I get the response back.

With AppRole Auth -

          authentication: APPROLE
          app-role:
            role-id: my-role-id
            secret-id: my-secret-id
            role: app-role
            app-role-path: approle

C:\Users\Kamalakar_Ponaka>curl -X "GET" "http://localhost:8888/gs-vault-config/cloud"

It's still falling back to the old way and expecting an X-Config-Token.

Comment From: scottfrederick

In order to use any authentication method other than TOKEN or the X-Config-Token header, you need to have Spring Vault on the classpath so that Config Server can delegate authentication to that library. If you don't have that library in your Config Server app, you can add it with

<dependencies>
    <dependency>
        <groupId>org.springframework.vault</groupId>
        <artifactId>spring-vault-core</artifactId>
    </dependency>
</dependencies>

in a Maven pom.xml or

dependencies {
    implementation "org.springframework.vault:spring-vault-core"
}

in a Gradle build.gradle file.

I thought we had added this info to the docs when the feature was added, but I didn't see it in a quick read of the current docs. If it's not there, it should definitely be added.

Comment From: kamalakarp

I just tested AppRole and it's not making use of the namespace variable, so it ends up hitting everything at the root level. Due to this, it is throwing an invalid role ID error. The namespace should be sent as a header.

AppRoleAuthentication.java

VaultResponse response = restOperations.postForObject("auth/{mount}/login",login, VaultResponse.class, options.getPath());

2020-03-27 17:36:44.687 ERROR 34180 --- [nio-8888-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.vault.authentication.VaultLoginException: Cannot login using AppRole: invalid role ID; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"errors":["invalid role ID"]}
]] with root cause

org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"errors":["invalid role ID"]}

Comment From: kamalakarp

I just tested the spring-cloud-vault to check if there is an issue with spring-vault-core and spring-cloud-vault seems to be passing the namespace correctly. It's the issue with config server passing the namespace.

spring-cloud-vault : bootstrap.yml

spring:
  application:
    name: gs-vault-config
  profiles:
    active:
    - cloud
  cloud:
    vault:
      host: myvault.com
      port: 443
      scheme: https
      namespace: devops/cicd
#      authentication: TOKEN
#      token: 0000-xxxx-xxxx-0000
#      authentication: PCF
#      pcf:
#        role: cf-app-role
#        instance-certificate: /etc/cf-instance-credentials/instance.crt
#        instance-key: /etc/cf-instance-credentials/instance.key
#        pcf-path: cf_vdc02
      kv:
        enabled: true
        backend: kv
        backend-version: 2
      authentication: APPROLE
      app-role:
        role-id: my-role-id
        secret-id: my-secret-id
        app-role-path: approle
        role: configclient-app-role
#      authentication: KUBERNETES
#      kubernetes:
#        role: k8s-app-role
#        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
#        kubernetes-path: kubernetes

Comment From: kamalakarp

@scottfrederick - All Vault auth methods don't seem to support Vault namespaces except for Token (since I did a PR last year) https://github.com/spring-cloud/spring-cloud-config/issues/1259. Even though spring-vault-core supports namespaces, I believe we are not sending the namespace as a header (X-Vault-Namespace). Do you want me to open a new issue or update this issue?
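
The namespace behaviour described in the comments above, as an added example that is not part of the original thread or of the Spring code: the same AppRole credentials are posted to `auth/{mount}/login` once without and once with the `X-Vault-Namespace` header. `FakeVault`, `approle_login` and `demo` are hypothetical names, and the local server is a constructed stand-in for Vault that knows the role only inside `devops/cicd`.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for Vault: the role exists only in namespace devops/cicd.
ROLES = {"devops/cicd": {("my-role-id", "my-secret-id")}}

class FakeVault(BaseHTTPRequestHandler):
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        ns = self.headers.get("X-Vault-Namespace", "").strip("/")  # absent => root
        creds = (body.get("role_id"), body.get("secret_id"))
        ok = self.path == "/v1/auth/approle/login" and creds in ROLES.get(ns, set())
        payload = ({"auth": {"client_token": "constructed-token"}} if ok
                   else {"errors": ["invalid role ID"]})
        data = json.dumps(payload).encode()
        self.send_response(200 if ok else 400)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

def approle_login(base_url, role_id, secret_id, mount="approle", namespace=None):
    """POST auth/{mount}/login and return (http_status, json_body)."""
    req = urllib.request.Request(
        f"{base_url}/v1/auth/{mount}/login",
        data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}"
    without = approle_login(url, "my-role-id", "my-secret-id")
    with_ns = approle_login(url, "my-role-id", "my-secret-id", namespace="devops/cicd")
    server.shutdown()
    return without, with_ns

if __name__ == "__main__":
    print(demo())
```

Pointing `approle_login` at a real Vault address with real credentials gives the same with/without comparison for a namespaced AppRole mount.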

Comment From: kamalakarp

Just realized there is already a PR https://github.com/spring-cloud/spring-cloud-config/pull/1566. Can we expedite?

Comment From: kamalakarp

> In order to use any authentication method other than TOKEN or the X-Config-Token header, you need to have Spring Vault on the classpath so that Config Server can delegate authentication to that library. If you don't have that library in your Config Server app, you can add it with
>
> <dependencies>
>     <dependency>
>         <groupId>org.springframework.vault</groupId>
>         <artifactId>spring-vault-core</artifactId>
>     </dependency>
> </dependencies>
>
> in a Maven pom.xml or
>
> dependencies {
>     implementation "org.springframework.vault:spring-vault-core"
> }
>
> in a Gradle build.gradle file.
>
> I thought we had added this info to the docs when the feature was added, but I didn't see it in a quick read of the current docs. If it's not there, it should definitely be added.

@scottfrederick - did we update the documentation for this? Just wanted to follow up: with the latest changes, do we still need to add spring-vault-core for Config Server to get the X-Config-Token? Are there any other alternatives?

Comment From: scottfrederick

> did we update the documentation for this?

I don't see any mention of adding the spring-vault-core lib in the Vault Backend section of the documentation. I would suggest opening a new issue for that, since this issue has been closed for a long time now.

> do we still need to add spring-vault-core for Config Server to get the X-Config-Token?

You need to add spring-vault-core to the Config Server to get any of the authentication methods that are provided by Spring Cloud Vault.

Comment From: kamalakarp

Sure @scottfrederick, I'll open an issue.