Spring Cloud Services packages Spring Cloud projects like Config Server, Hystrix Dashboard and Eureka into a set of Cloud Foundry marketplace items that can be provisioned easily by a developer.
The Spring Cloud Services Config Server externalizes configuration information of an application and serves out this configuration using a REST based interface. It has the ability to store and serve encrypted configuration values and this recipe will go into the details of how to provision and test this feature.
There are a few pre-requisites that need to be in place before the config server instance can be created:
ssh-keygen -t rsa -b 2048 -C "test@test.com" -f gitkeys -N ''
the generated gitkeys.pub
can be placed as a deployment key in github
If the intent is to let config server handle both storing of encrypted values and serving out decrypted values, then there are two potential ways in which config server instance can handle this:
Create a configuration file for SCS Config server instance with encrypt.key
set to a secret text based key:
The git.privateKey
here is the private key corresponding to the git deploy key specified in the Pre-requisite section. The privateKey
has
the newlines replaced with \n
json
{
"git": {
"uri": "ssh://git@github.com/someuser/sample-config.git",
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAycu6z3mh0froKoRkEYgsGAbYq6te3Yn7T9XAgQfWju7tKL10\nHyrQj1FC92Z35MViOyk5FPh/fHVIQgAg2y/dyKXPzEKFbiXPRHWWi8Zdez3ADzxQ\nCrym3G6fR3bxMWdi73FtYQBrExG/uaj6Z+2g8xMLR08pDtwaH6iQb27wgmmbvvO5\nWPjZ...bbf3\n-----END RSA PRIVATE KEY-----"
},
"encrypt": {
"key": "samplekey"
}
}
Create the config server instance:
bash
cf create-service p-config-server standard config-server -c config-server.json
Generate a Keypair using the following command:
bash
openssl genrsa -out privkey.pem 1024
cat privkey.pem | tr -d '\n' > nonewline_server_rsa.key
Use the content of nonewline_server_rsa.key
file to generate a config-server.json
file with content like this. Note All the newlines have been removed from the private key of the encrypt.key
, only this form of key works for this field:
json
{
"git": {
"uri": "ssh://git@github.com/someuser/sample-config.git",
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAycu6z3mh0froKoRkEYgsGAbYq6te3Yn7T9XAgQfWju7tKL10\nHyrQj1FC...K3V5GHbbf3\n-----END RSA PRIVATE KEY-----"
},
"encrypt": {
"key": "-----BEGIN RSA PRIVATE KEY-----MIICXQIBAAKBgQDoMbFRys1BuBayW5mmYoN6HrXff/J2s8dijn80u5Qf6eR39n6B+424d49IDM9ErQw9JcGZnXiIxW4QU6JwECQBu6kZ/TgxyJqS1Y14Je9wIXlpiU++MMCzNT3iTI3BlBP5Gmu4M1uvexUte41K7XzimKg8UyXUV2c9DWznrdXfcCQQCpdbRJ29/dt3QkrP9t3TbvkV5ITBKJxf/gRlJagN0YNyRKSQL8cMUDVcQxpXUbfCsPAsQ/9lZ5SjSfJJVjiIQE-----END RSA PRIVATE KEY-----"
}
}
Create the config server instance:
bash
cf create-service p-config-server standard config-server -c config-server.json
SCS Config server works with 2 different set of credentials, an Application credential generated at the point of binding to the service to retrieve properties of an application and a user credential of a user in the space where the service is created to call the /encrypt
endpoint.
myapp
Create a temporary credential for the service using create-service-key
command:
bash
cf create-service-key config-server config-server-key
Grab and store the credential into a config-server-key.json
file:
bash
cf service-key config-server config-server-key | tail -n 6 > config-server-key.json
Get the properties of myapp
in default profile
#!/bin/bash
# Get details form config-server-key.json file
access_token_uri=$(cat config-server-key.json | jq -r ".access_token_uri")
client_id=$(cat config-server-key.json | jq -r ".client_id")
client_secret=$(cat config-server-key.json | jq -r ".client_secret")
uri=$(cat config-server-key.json | jq -r ".uri")
# Get the token using apps client credentials
TOKEN=$(curl -k $access_token_uri -u $client_id:$client_secret -d grant_type=client_credentials 2>/dev/null | jq -r .access_token)
# OR with httpie
# TOKEN=$(http --body --form POST ${access_token_uri} grant_type=client_credentials --auth $client_id:$client_secret | jq -r .access_token)
# Get the properties of myapp, in default profile
curl -k -H "Authorization: bearer $TOKEN" $uri/myapp/default
A handy script to encrypt properties looks like this:
#!/bin/bash
toencrypt=${1}
CF_TOKEN=$(cf oauth-token)
curl -X POST -k -H "Authorization: $CF_TOKEN" $uri/encrypt -d $toencrypt