Hi all, I appreciate the time and effort this team is taking to provide support for this fantastic product. However, one of my recent attempts to use spring-config-server with GCP Secret Manager is yielding no success. To get some much-needed help, I am opening this discussion around it.
As per the Spring Cloud announcement here, I was expecting GCP Secret Manager to be supported. There are no docs around how to use the gcp-secret-manager backend (if there is any support). The official doc doesn't say much either.
I am running a simple config-server in GCP Cloud Run. I have to read some sensitive properties from a secret store like GCP Secret Manager (I am running apps in GCP Cloud Run) and some generic properties from a git backend. After multiple attempts, I have not had any success reading the configs from the secret manager using config-server. Here is the application.yaml file for the config server.
server:
  port: ${PORT:8080}
spring:
  application:
    name: config-server
  profiles:
    active: git, gcp-secret-manager
  cloud:
    config:
      server:
        gcp-secret-manager:
          application-label: application
          profile-label: profile
          token-mandatory: false
          order: 1
        git:
          uri: https://github.com/ichandan16/test-config-server.git
          order: 2
I have labeled my secrets as application: app1 and profile: dev. Trying to access cloud run config-server service with: https://config-server-gcp-xxxxx-uw.a.run.app/app1/dev. I can read git backend data but not GCP secret manager.
Is there any document that you can help me with that gives a clear direction on how to use it?
/r, Chandan Patra
Comment From: ryanjbaxter
Here is the original PR https://github.com/spring-cloud/spring-cloud-config/pull/1628/files
Is there anything in the logs indicating what might be wrong?
Comment From: ichandan16
> Here is the original PR https://github.com/spring-cloud/spring-cloud-config/pull/1628/files
> Is there anything in the logs indicating what might be wrong?
Hi Ryan, Thank you for responding.
I was checking if there is documentation around the GCP Secret Manager Backend implementation. I did not find any in the official doc: https://cloud.spring.io/spring-cloud-config/reference/html/#_environment_repository
Comment From: ryanjbaxter
Yes, I don't see any either. That is an issue in itself for sure, but to me it sounded like you could not get it to work. Is it working OK and it's just the lack of documentation?
Comment From: ichandan16
> Yes, I don't see any either. That is an issue in itself for sure, but to me it sounded like you could not get it to work. Is it working OK and it's just the lack of documentation?
Hi Ryan, I got this thing working, thank you for sending the code piece. I set up my profile as secret-manager instead of gcp-secret-manager and it worked. The new application.yml file looks as below:
server:
  port: ${PORT:8080}
spring:
  application:
    name: config-server
  profiles:
    active: git,secret-manager
  cloud:
    config:
      server:
        gcp-secret-manager:
          application-label: application
          profile-label: profile
          token-mandatory: false
          order: 1
        git:
          uri: https://github.com/ichandan16/test-config-server.git
          order: 2
Check this line out. I feel it is a bit misleading.
One more important thing that needs to be done (never miss this one) is providing the labels to the secrets. For my secrets, I have provided application: app1 and profile: dev labels.
I am accessing the service using https://config-server-gcp-xxxxx-uw.a.run.app/app1/dev. It fetches data from both places (in git - https://github.com/ichandan16/test-config-server.git/app1-dev.yml and from the secret manager with labels as mentioned above).
Comment From: ryanjbaxter
> Check this line out. I feel it is a bit misleading.
I don't think it's misleading, that is the prefix for the properties. The profile to be enabled is specified here https://github.com/spring-cloud/spring-cloud-config/pull/1628/files#diff-60ae02b60426f263517ade4aaf8fca7cb352aa909b2da71768bf224feb249633R466
I agree though that some documentation would be nice. Would you be interested in creating a PR with some documentation?
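Added example (not part of the thread and not Spring Cloud Config code): a small lint for a config-server application.yml that catches the mix-up resolved above, where gcp-secret-manager is the property prefix and secret-manager is the profile to activate. The function names and the embedded sample configs are constructed for illustration from the two files posted in the thread.

```python
PROFILE = "secret-manager"  # profile name reported as working in the thread
PREFIX = "spring.cloud.config.server.gcp-secret-manager."  # property prefix

def flatten_yaml(text):
    """Flatten simple nested 'key: value' YAML (mappings only) into dotted keys."""
    props, stack = {}, []  # stack holds (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling mappings
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            props[".".join(k for _, k in stack)] = value.strip()
    return props

def check(text):
    props = flatten_yaml(text)
    active = [p.strip() for p in props.get("spring.profiles.active", "").split(",")]
    findings = []
    if "gcp-secret-manager" in active:
        findings.append("'gcp-secret-manager' is the property prefix, not a profile")
    if any(k.startswith(PREFIX) for k in props) and PROFILE not in active:
        findings.append("secret manager properties set, but profile 'secret-manager' inactive")
    return findings

# Constructed sample input, trimmed from the two files posted in the thread.
TEMPLATE = """\
spring:
  profiles:
    active: %s
  cloud:
    config:
      server:
        gcp-secret-manager:
          application-label: application
          profile-label: profile
        git:
          uri: https://github.com/ichandan16/test-config-server.git
"""
BEFORE = TEMPLATE % "git, gcp-secret-manager"
AFTER = TEMPLATE % "git,secret-manager"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check(cfg) or "ok")
```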