Improve handling of secrets #80
Comments
|
I recently found starkandwayne.com's genesis tool which uses hashicorp vault painlessly to manage secrets for templating cloud foundry deployments. I think their approach is ideal and surprisingly simple. Placeholders are stored in yml config files that get resolved out of vault as needed with values inserted during deployment. I think it'd be worth taking a look to see if the solution can be ported to jhipster. Check out some of their tools at their homebrew tap: https://github.com/starkandwayne/homebrew-cf (specifically Spruce is their merge tool for config files) |
|
@jasondt Thanks. I also wonder how the jhipster registry could help here. That seems to be a multi-application configuration server of some sort, but I haven't tried it out yet. |
|
oh, yeah that would definitely be part of it. Spring cloud config server would hold the configuration files which ideally would only have values with references to the secrets in vault like Spruce does instead of plain text or even encrypted values. The config server is sourced by a git repo (local or github/bitbucket/etc) and can be triggered by webhooks when branches for master/prod, stage, etc are updated and then update registered services over messaging with Spring Cloud Streams or making a post (I prefer RabbitMQ). For the record, I've used spring cloud / netflix oss for a few years now, but I'm new to jhipster and it seems to be lacking on documentation. If you're new to spring cloud, I might try starting with their documentation instead of jhipster. There's some good example apps too: |
Something like this: https://ciwise.com/wordpress/index.php/2017/03/03/how-to-encrypt-sensitive-values-for-jhipster-application-property-files/
or
https://github.com/spring-cloud/spring-cloud-vault
The text was updated successfully, but these errors were encountered: