Federico Piazza

Reputation: 31035

Pulling db secrets from vault to execute Jooq not working on localhost

We are using jooq to generate the code to query our db. For jooq to run we provide the configuration using environment variables like this:

<plugin>
    <groupId>org.jooq</groupId>
    <artifactId>jooq-codegen-maven</artifactId>
    <version>${jooq.version}</version>

    <executions>
        <execution>
            <id>generate-sources</id>
            <phase>generate-sources</phase>
            <goals>
                <goal>generate</goal>
            </goals>
        </execution>
    </executions>

    <configuration>
        <jdbc>
            <driver>org.postgresql.Driver</driver>
            <url>${DB_URL}</url>
            <user>${DB_USER}</user>
            <password>${DB_PASSWORD}</password>
        </jdbc>

        <generator>
            <name>org.jooq.codegen.JavaGenerator</name>

            <database>
                <name>org.jooq.meta.postgres.PostgresDatabase</name>
                <includes>.*</includes>
                <excludes />
                <dateAsTimestamp>true</dateAsTimestamp>
                <inputSchema>myDb</inputSchema>
            </database>

            <generate>
                <deprecated>false</deprecated>
                <instanceFields>true</instanceFields>
            </generate>

            <target>
                <packageName>com.myapp.jooq</packageName>
                <directory>target/generated-sources/jooq-postgres</directory>
            </target>
        </generator>
    </configuration>

    <dependencies>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
            <version>${postgresql.version}</version>
        </dependency>
    </dependencies>
</plugin>

In order to set these properties (DB_URL, DB_USER, DB_PASSWORD) we use vault-maven-plugin, which is executed before jooq in the maven lifecycle. This is the configuration we use:

<plugin>
    <groupId>com.deciphernow</groupId>
    <artifactId>vault-maven-plugin</artifactId>
    <version>1.0.0</version>
    <executions>
        <execution>
            <id>pull</id>
            <phase>initialize</phase>
            <goals>
                <goal>pull</goal>
            </goals>
            <configuration>
                <servers>
                    <server>
                        <url>http://my.hostedvault.net:8200</url>
                        <token>myTokenHere</token>
                        <paths>
                            <path>
                                <name>secret/myApp</name>
                                <mappings>
                                    <mapping>
                                        <key>spring.datasource.username</key>
                                        <property>DB_USER</property>
                                    </mapping>
                                    <mapping>
                                        <key>spring.datasource.password</key>
                                        <property>DB_PASSWORD</property>
                                    </mapping>
                                    <mapping>
                                        <key>spring.datasource.url</key>
                                        <property>DB_URL</property>
                                    </mapping>
                                </mappings>
                            </path>
                        </paths>
                    </server>
                </servers>
            </configuration>
        </execution>
    </executions>
</plugin>

This is working perfectly well; however, when we change the plugin to localhost:8200 it always returns a 404 error:

[ERROR] Failed to execute goal com.deciphernow:vault-maven-plugin:1.0.0:pull (pull) on project myApp: Exception thrown pulling secrets. Vault responded with HTTP status code: 404 -> [Help 1]

This only happens for the localhost vault used in the vault-maven-plugin. So, this looks like a bug in the maven plugin (I confirmed my localhost vault works properly and spring-boot can pull from it without problems). Any idea how I can provide Jooq with credentials properties stored in vault?

Upvotes: 1

Views: 245

Answers (1)

Federico Piazza

Reputation: 31035

I found the problem, so I am posting the answer in case it helps someone else with the same problem.

I was running vault in dev mode, and when we use this mode vault appends /data to the URI. I had started vault this way:

docker run -p 8200:8200 --name='vault' --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroottoken' vault

The plugin vault-maven-plugin seems to work with vault running in server (production) mode. So, if we start vault with this command everything works fine:

docker container run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": "true", "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": "true"}}}' -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_API_ADDR=http://127.0.0.1:8200 -p 8200:8200 vault server

Beware that you must unseal vault by entering the container with:

docker container exec -it <containerId> /bin/sh

And issue this command: vault operator init

Upvotes: 1
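
The 404 in this thread comes down to the KV secrets engine version: a dev-mode server mounts KV version 2 at secret/, whose read path is secret/data/<name>, while a version 1 mount reads secret/<name> directly. The following is an added example (not code from the post or from vault-maven-plugin) showing both read paths and response shapes for the question's secret/myApp mappings; the JSON bodies are constructed samples and the function names are hypothetical.

```python
import json

# Key -> Maven property mappings from the question's vault-maven-plugin config.
MAPPINGS = {
    "spring.datasource.username": "DB_USER",
    "spring.datasource.password": "DB_PASSWORD",
    "spring.datasource.url": "DB_URL",
}

def read_path(mount, name, kv_version):
    """HTTP API path for reading a secret from a KV mount of the given version."""
    mount, name = mount.strip("/"), name.strip("/")
    if kv_version == 2:
        return f"/v1/{mount}/data/{name}"  # KV v2 inserts "data/" after the mount
    return f"/v1/{mount}/{name}"           # KV v1 reads the path directly

def kv_version_of(mount_info):
    """KV version from a GET /v1/sys/internal/ui/mounts/<path> response body."""
    options = mount_info["data"].get("options") or {}
    return int(options.get("version", 1))  # no version option means KV v1

def extract_properties(body, kv_version, mappings=MAPPINGS):
    """Map secret keys to build properties; KV v2 nests values one level deeper."""
    data = body["data"]["data"] if kv_version == 2 else body["data"]
    missing = [key for key in mappings if key not in data]
    if missing:
        raise KeyError(f"secret is missing keys: {missing}")
    return {prop: data[key] for key, prop in mappings.items()}

# Constructed sample data (not captured from a real server).
SECRET = {
    "spring.datasource.username": "app",
    "spring.datasource.password": "example-only",
    "spring.datasource.url": "jdbc:postgresql://localhost:5432/myDb",
}
DEV_MOUNT = json.loads('{"data": {"type": "kv", "path": "secret/", "options": {"version": "2"}}}')
V1_MOUNT = json.loads('{"data": {"type": "kv", "path": "secret/", "options": null}}')
V2_BODY = {"data": {"data": SECRET, "metadata": {"version": 1}}}
V1_BODY = {"data": SECRET}

if __name__ == "__main__":
    for mount_info, body in ((DEV_MOUNT, V2_BODY), (V1_MOUNT, V1_BODY)):
        version = kv_version_of(mount_info)
        print(version, read_path("secret", "myApp", version),
              sorted(extract_properties(body, version)))
```

A client that only knows the version 1 path requests /v1/secret/myApp against a version 2 mount, which is where the 404 appears.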
