This is the project I used for HashiTalks 2021 on Spring Cloud and Vault.
It demonstrates how a Spring application consumes Vault dynamic MySQL database credentials through Spring Cloud Vault annotations. Waypoint deploys the app first to Docker for Mac and then to the Docker for Mac Kubernetes cluster, and along the way the app is switched from Vault token authentication to Kubernetes authentication.
- Start Vault, MySQL, and Waypoint (the Kubernetes target is the cluster built into Docker for Mac; enable it in Docker Desktop before continuing)

```sh
cd ./scripts/vault/
./start-vault.sh
cd ../mysql/
./start-mysql.sh
cd ../waypoint/
./start-waypoint.sh
cd ../
```
- Configure Vault

```sh
cd ./vault/
./configure-vault.sh
cd ../../
```
- Get the root token from the output file

```sh
grep "Root Token" /tmp/vault-output.txt
```

Copy the root token into the spring.cloud.vault.token value in ./src/main/resources/bootstrap.yml. This is the Vault root token, so treat the edited file as a secret: it is acceptable for a local demo, but do not commit it, and the Kubernetes authentication step below removes the need for it.
- Initialize Waypoint

```sh
waypoint init
```

- Run the build/deploy

```sh
waypoint up
```

Open the deployment URL and view the page.
- Reconfigure bootstrap.yml to use Kubernetes authentication. The app then authenticates with the JWT of its Kubernetes service account against the Vault role named here, so no Vault token lives in the config at all; delete the token line rather than commenting it out, so a real token never lands in version control.

```yaml
...
# authentication: TOKEN
# token: s.D6Zb5rPAYXcvuze6FR2I0GZL
authentication: KUBERNETES
kubernetes:
  role: app
  kubernetes-path: kubernetes
...
```
- Reconfigure waypoint.hcl to deploy and release to Kubernetes. The service_account here must match the one bound to the Vault role above.

```hcl
...
deploy {
  /*use "docker" {
    service_port = 8080
  }*/
  use "kubernetes" {
    service_port    = 8080
    service_account = "vault-auth"
  }
}

release {
  use "kubernetes" {
    load_balancer = true
  }
}
...
```
- Run the build/deploy

```sh
waypoint up
```

Open the release URL (should be http://localhost) and view the page.
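The Vault-side pieces that configure-vault.sh has to put in place for the steps above to work, written out here as an added example rather than taken from the project's own script. Only the role name app, the auth path kubernetes and the service account vault-auth come from the page; the mount names, the app policy, the MySQL connection details and admin account, the TTLs and the environment variables the script reads are assumptions.

```sh
#!/bin/sh
# Added example, not the project's configure-vault.sh. Mount names, policy,
# MySQL connection details, TTLs and the env vars read below are assumptions.
set -eu

VAULT_OUTPUT="${VAULT_OUTPUT:-/tmp/vault-output.txt}"

# Extract the root token from the dev-server output, which contains a line
# of the form "Root Token: s.xxxx". Only this bootstrap step uses the root
# token; the application authenticates with the Kubernetes role below.
root_token_from_output() {
  sed -n 's/^[[:space:]]*Root Token:[[:space:]]*//p' "$1" | head -n 1
}

# Least-privilege policy for the app: it may only request credentials from
# the database role. It cannot read the DB admin password or reconfigure
# the secrets engine.
app_policy_hcl() {
  cat <<'EOF'
path "database/creds/app" {
  capabilities = ["read"]
}
EOF
}

configure_vault() {
  VAULT_TOKEN="$(root_token_from_output "$VAULT_OUTPUT")"
  export VAULT_TOKEN

  # Database secrets engine backed by the MySQL container started earlier.
  # Assumed: MySQL is reachable from Vault at host.docker.internal:3306 and
  # the admin account is owned by Vault, not shared with the application.
  vault secrets enable database
  vault write database/config/mysql \
    plugin_name=mysql-database-plugin \
    connection_url='{{username}}:{{password}}@tcp(host.docker.internal:3306)/' \
    allowed_roles=app \
    username="$MYSQL_VAULT_ADMIN_USER" \
    password="$MYSQL_VAULT_ADMIN_PASSWORD"

  # Rotate the admin password so that only Vault knows it from now on.
  vault write -force database/rotate-root/mysql

  # Every lease yields a fresh SELECT-only user that expires on its own.
  vault write database/roles/app \
    db_name=mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON demo.* TO '{{name}}'@'%';" \
    default_ttl=1h \
    max_ttl=24h

  app_policy_hcl | vault policy write app -

  # Kubernetes auth at the path bootstrap.yml names ("kubernetes"), with a
  # role "app" that only the vault-auth service account may log in to.
  vault auth enable -path=kubernetes kubernetes
  vault write auth/kubernetes/config \
    kubernetes_host="$KUBERNETES_HOST" \
    kubernetes_ca_cert=@"$KUBERNETES_CA_CERT" \
    token_reviewer_jwt="$TOKEN_REVIEWER_JWT"
  vault write auth/kubernetes/role/app \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default \
    token_policies=app \
    token_ttl=1h
}

# Only talk to Vault when explicitly asked, so the functions above can be
# sourced or checked without a running server.
if [ "${1:-}" = "configure" ]; then
  configure_vault
fi
```

Run it as ./configure-vault-example.sh configure with VAULT_ADDR and the assumed environment variables set. The two choices that matter for security are the rotate-root call, which takes the MySQL admin password out of every human's hands once Vault holds it, and binding the Kubernetes role to a single service account in a single namespace, so a pod running under any other identity cannot obtain database credentials even though it can reach Vault.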
There are a few endpoints you can use to see the credentials, the database data, and to restart the application.

- /getdbcredentials

  Outputs the dynamically generated database user. This demonstrates that the dynamic user is created from the Vault configuration in bootstrap.yml, in conjunction with the autowired DataSource.

- /getdbdata

  Outputs the data entered into the database during the MySQL start above. This demonstrates that the dynamically generated database credentials can be used to pull data from the database and map it to a Spring model.

- /restart

  Restarts the application, which obtains a new lease and therefore a new dynamic database credential. The previous MySQL user disappears when its lease is revoked or expires.
- Clean up the deployment by running

```sh
cd ./scripts; ./cleanup.sh
```