Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE REQ] Make spring-cloud-azure-starter-keyvault-secrets' configuration properties more reasonable #28310

Closed
chenrujun opened this issue Apr 14, 2022 · 3 comments
Closed

[FEATURE REQ] Make spring-cloud-azure-starter-keyvault-secrets' configuration properties more reasonable #28310

chenrujun opened this issue Apr 14, 2022 · 3 comments
Assignees
@stliu
Labels
azure-spring All azure-spring related issues azure-spring-keyvault Spring keyvault related issues. Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved.
Milestone
Backlog

Comments

@chenrujun
Copy link

chenrujun commented Apr 14, 2022
edited
Loading

Context

In #28128 (comment), @stliu think current property's behavior does not reasonable.

Problem

spring:
  cloud:
    azure:
      profile:
        tenant-id: ${AZURE_TENANT_ID}
      credential:
        client-id: ${AZURE_CLIENT_ID}
        client-secret: ${AZURE_CLIENT_SECRET}
      keyvault:
        secret:
          property-source-enabled: true
          endpoint: ${AZURE_KEYVAULT_ENDPOINT}

If we satisfy this requirement, some other property may confuse customer. For example: Does spring.cloud.azure.keyvault.secret.enable or spring.cloud.azure.keyvault.secret.enable can be used to disable all Key Vault property-source?

Goal

For spring-cloud-azure-starter-keyvault-secret's cofigurable properties, design each property's function, implement it, and explain it well in reference doc and changelog.

Solution

Here is a proposal about each property's function:

Yaml File Examples

spring:
  cloud:
    azure: # 1
      profile: # 2
        tenant-id: # 3
      credential: # 4
        client-id: # 5
        client-secret: # 6
      keyvault: # 7
        secret: # 8
          enabled: # 9
          property-source-enabled: # 10
          endpoint: # 11
          profile: # 12
            tenant-id: # 13
          credential: # 14
            client-id: # 15
            client-secret: # 16
          property-sources: # 17
          - name: # 18
            enabled: # 19
            endpoint: # 20
            profile: # 21
              tenant-id: # 22
            credential: # 23
              client-id: # 24
              client-secret: # 25
          - name: # 26
            enabled: # 27
            endpoint: # 28
            profile: # 29
              tenant-id: # 30
            credential: # 31
              client-id: # 32
              client-secret: # 33

Behavior Changes

# 11 ~ # 16:

  1. Current behavior in version 4.0.0: this property is only used to configure a SecretClient bean, this SecretClient will not enable the feature of property-source.
  2. New designed behavior: this property can be used to configure both SecretClient bean and enable the feature of property-source.

# 10:

  1. Current behavior in version 4.0.0: It's used to enable/disable all property-source configured in #17 ~ #33.
  2. New designed behavior: It's used to enable/disable the property-source configured in # 11 ~ # 16. Note: It has no relationship with property-source configured in #17 ~ #33.

# 9:

  1. Current behavior in version 4.0.0: It's used to enable /disable the SecretClientbean configured by# 11~# 16`.
  2. New designed behavior: It's used to enable / disable all features configured in #10 ~ #33.

Disable All Property-Sources:
In new design, there is no property used to disable all property-sources.

Priority of Property-Sources

  1. # 11 has the highest priority.
  2. For the property-sources configured in # 17, the priority is decided by the order. For example: # 18 has higher priority than # 26.

Behavior Not Changed

All other behaviors not changed. For example:

  1. If # 13 is not configured, it will use # 3 instead.
  2. If # 22 is not configured, it will use # 3 instead. Note: It has no relationship with #13.
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 14, 2022
@chenrujun chenrujun self-assigned this Apr 14, 2022
@chenrujun chenrujun added Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved. azure-spring All azure-spring related issues labels Apr 14, 2022
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 14, 2022
@chenrujun chenrujun added the azure-spring-keyvault Spring keyvault related issues. label Apr 14, 2022
@chenrujun chenrujun added this to the Backlog milestone Apr 14, 2022
@chenrujun chenrujun changed the title [FEATURE REQ] New design of KeyVault secret property-source [FEATURE REQ] Make spring-cloud-azure-starter-keyvault-secrets' configuration properties more reasonable Apr 27, 2022
@stliu stliu assigned stliu and unassigned chenrujun Aug 16, 2022
This was referenced Oct 2, 2022
Closed
Open
@ezYakaEagle442
Copy link

@chenrujun sorry but this is still not clear, if there is spring.cloud.azure.keyvault.secret.endpoint why then shall spring.cloud.azure.keyvault.secret.property-sources[].endpoint should be filled ?

I did not have spring.cloud.azure.keyvault.secret.endpoint in my yaml config file and hit those errors :

Caused by: java.net.MalformedURLException: no protocol: ${ENDPOINT}
Caused by: java.lang.IllegalArgumentException: The Azure Key Vault url is malformed.
java.lang.IllegalStateException: Failed to configure KeyVault property source

Also why does the docs at https://learn.microsoft.com/en-us/training/modules/secure-application-secrets-use-key-vault/6-update-application-configure refers to azure.keyvault.uri ??

Azure:
    keyvault:
        enabled: true
            uri:

Why shall I start my App with JVM options below ? :
-Dazure.keyvault.uri=https://kv-XXXXXX.vault.azure.net -Xms512m -Xmx1024m -Dspring.profiles.active=mysql,key-vault,cloud

@chenrujun
Copy link
Author

@ezYakaEagle442

Also why does the docs at https://learn.microsoft.com/en-us/training/modules/secure-application-secrets-use-key-vault/6-update-application-configure

As discussed by email, the page is out dated.

@stliu
Copy link
Member

stliu commented Dec 30, 2022

closing in favor of #30544

@stliu stliu closed this as completed Dec 30, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@stliu stliu

Labels
azure-spring All azure-spring related issues azure-spring-keyvault Spring keyvault related issues. Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved.
Projects
Spring Cloud Azure
Archived in project
Milestone
Backlog
Development

No branches or pull requests
3 participants
@stliu @chenrujun @ezYakaEagle442