diff --git a/Deployment/docker-compose.dev.yml b/Deployment/docker-compose.dev.yml
index fc6a924ae..2e169549b 100644
--- a/Deployment/docker-compose.dev.yml
+++ b/Deployment/docker-compose.dev.yml
@@ -22,6 +22,16 @@ services:
environment:
- KAFKA_LISTENERS=CLIENT://kafka-3:29092,EXTERNAL://kafka-3:9092
- KAFKA_ADVERTISED_LISTENERS=CLIENT://kafka-3:29092,EXTERNAL://kafka-3:9092
+ vault:
+ ports:
+ - "127.0.0.1:8201:8200"
+ networks:
+ - opex-dev
+ vault-ui:
+ ports:
+ - "127.0.0.1:8001:8000"
+ networks:
+ - opex-dev
consul:
ports:
- '127.0.0.1:8501:8500'
diff --git a/Deployment/docker-compose.override.yml b/Deployment/docker-compose.override.yml
index 5146737ee..9cb75b17a 100644
--- a/Deployment/docker-compose.override.yml
+++ b/Deployment/docker-compose.override.yml
@@ -13,6 +13,16 @@ services:
kafka-3:
networks:
- opex
+ vault:
+ ports:
+ - "127.0.0.1:8200:8200"
+ networks:
+ - opex
+ vault-ui:
+ ports:
+ - "127.0.0.1:8000:8000"
+ networks:
+ - opex
consul:
ports:
- '127.0.0.1:8500:8500'
diff --git a/Deployment/docker-compose.yml b/Deployment/docker-compose.yml
index acd9ae0c8..1765ffe69 100644
--- a/Deployment/docker-compose.yml
+++ b/Deployment/docker-compose.yml
@@ -69,6 +69,28 @@ services:
deploy:
restart_policy:
condition: on-failure
+ vault:
+ image: vault
+ volumes:
+ - $DATA/vault:/vault/file:rw
+ - $PWD/vault/config:/vault/config:rw
+ environment:
+ - VAULT_ADDRESS=http://0.0.0.0:8200
+ - PANEL_PASS=${PANEL_PASS}
+ - BACKEND_USER=${BACKEND_USER}
+ - SMTP_PASS=${SMTP_PASS}
+ - DB_USER=${DB_USER}
+ - DB_PASS=${DB_PASS}
+ healthcheck:
+ retries: 5
+ cap_add:
+ - IPC_LOCK
+ entrypoint: /vault/config/workflow-vault.sh
+ vault-ui:
+ image: djenriquez/vault-ui
+ environment:
+ - VAULT_URL_DEFAULT=http://vault:8200
+ - VAULT_AUTH_DEFAULT=USERNAMEPASSWORD
consul:
image: 'consul'
environment:
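Review bot: `image: vault` and `image: djenriquez/vault-ui` carry no tag, so the secret store every service now depends on is whatever `latest` resolves to at the next pull; pin a tag and preferably a digest, e.g. `image: vault:<version>@sha256:<digest>` (placeholders to be filled in). The `healthcheck:` block has `retries` but no `test`, so unless the image ships its own HEALTHCHECK it checks nothing, and the `depends_on: - vault` entries added further down this file cannot wait on readiness. `PANEL_PASS`, `SMTP_PASS`, `DB_USER` and `DB_PASS` are injected as plain environment variables and are readable via `docker inspect` of the vault container; since the file already uses `deploy:`, Compose/Swarm `secrets:` would keep them off the container environment. `VAULT_ADDRESS` is not a variable the Vault CLI reads (it uses `VAULT_ADDR`, which the entrypoint script exports itself), so that line is presumably dead.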
@@ -172,11 +194,14 @@ services:
- REDIS_HOST=redis
- CONSUL_HOST=consul
- DB_IP_PORT=postgres-accountant
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_HOST=vault
depends_on:
- zookeeper
- kafka-1
- redis
- consul
+ - vault
- postgres-accountant
eventlog:
build:
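Review bot: `depends_on: - vault` only orders container start, but the vault entrypoint sleeps 10 s and then initialises and unseals before any secret exists, while the Spring configuration in this commit sets `fail-fast: true`, so accountant can boot against a sealed Vault and exit; the same applies to the eventlog, auth, wallet, api, websocket and bc-gateway hunks below. Either give the vault service a real `healthcheck.test` and use `condition: service_healthy` (not honoured when the file is deployed with `deploy`/Swarm — confirm how it is run), or rely explicitly on the `restart_policy: on-failure` already present so the app restarts once Vault is unsealed. Note also that every service receives the same `BACKEND_USER` value as its app-id user-id, so one credential is shared across all seven services.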
@@ -189,6 +214,8 @@ services:
- REDIS_HOST=redis
- CONSUL_HOST=consul
- DB_IP_PORT=postgres-eventlog
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_HOST=vault
depends_on:
- zookeeper
- kafka-1
@@ -196,6 +223,7 @@ services:
- kafka-3
- redis
- consul
+ - vault
- postgres-eventlog
matching-engine:
build:
@@ -241,6 +269,9 @@ services:
- DB_IP_PORT=postgres-auth
- PROXY_ADDRESS_FORWARDING=true
- WORKING_DIR=$DATA
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_URL=http://vault:8200
+ - VAULT_HOST=vault
depends_on:
- zookeeper
- kafka-1
@@ -248,6 +279,7 @@ services:
- kafka-3
- redis
- consul
+ - vault
- postgres-auth
deploy:
restart_policy:
@@ -263,6 +295,8 @@ services:
- REDIS_HOST=redis
- CONSUL_HOST=consul
- DB_IP_PORT=postgres-wallet
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_HOST=vault
depends_on:
- zookeeper
- kafka-1
@@ -270,6 +304,7 @@ services:
- kafka-3
- redis
- consul
+ - vault
- postgres-wallet
deploy:
restart_policy:
@@ -285,6 +320,8 @@ services:
- REDIS_HOST=redis
- CONSUL_HOST=consul
- DB_IP_PORT=postgres-api
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_HOST=vault
depends_on:
- zookeeper
- kafka-1
@@ -292,6 +329,7 @@ services:
- kafka-3
- redis
- consul
+ - vault
- postgres-api
deploy:
restart_policy:
@@ -306,12 +344,15 @@ services:
- KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092
- CONSUL_HOST=consul
- DB_IP_PORT=postgres-api
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_HOST=vault
depends_on:
- zookeeper
- kafka-1
- kafka-2
- kafka-3
- consul
+ - vault
- postgres-api
deploy:
restart_policy:
@@ -327,11 +368,14 @@ services:
- REDIS_HOST=redis
- CONSUL_HOST=consul
- DB_IP_PORT=postgres-bc-gateway
+ - BACKEND_USER=${BACKEND_USER}
+ - VAULT_URL=http://vault:8200
depends_on:
- zookeeper
- kafka-1
- redis
- consul
+ - vault
- postgres-bc-gateway
deploy:
restart_policy:
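Review bot: bc-gateway's environment gains `VAULT_URL` but not `VAULT_HOST`, while `bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml` in this same commit sets `spring.cloud.vault.host: ${VAULT_HOST}`; unless the variable is defined outside the hunk the placeholder stays unresolved and the client will not reach the `vault` service. Add `- VAULT_HOST=vault` next to `BACKEND_USER`, as the accountant, eventlog, wallet, api and websocket hunks do.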
diff --git a/Deployment/vault/config/backend-policy.hcl b/Deployment/vault/config/backend-policy.hcl
new file mode 100644
index 000000000..5c0140529
--- /dev/null
+++ b/Deployment/vault/config/backend-policy.hcl
@@ -0,0 +1,26 @@
+path "kv/*" {
+ capabilities = ["read"]
+}
+
+path "secret/*" {
+ capabilities = ["read"]
+}
+
+path "secret/opex/" {
+ capabilities = ["read"]
+}
+
+path "secret/opex-wallet/" {
+ capabilities = ["read"]
+}
+
+path "sys/mounts" {
+ capabilities = ["read"]
+}
+
+path "sys/auth" {
+ capabilities = ["read"]
+}
+
+
+
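Review bot: `backend-policy` grants `read` on all of `secret/*`, and the bootstrap script maps every app-id to this single policy and a single shared user-id, so any one service (or anyone holding `BACKEND_USER`) can read every other service's database credentials. Split it into one policy per service scoped to its own path plus the shared one, e.g. `path "secret/opex-wallet" { capabilities = ["read"] }`, `path "secret/opex-wallet/*" { capabilities = ["read"] }` and `path "secret/opex" { capabilities = ["read"] }`, attached to the matching app-id. The `secret/opex/` and `secret/opex-wallet/` stanzas are redundant under `secret/*`; the `sys/mounts` and `sys/auth` reads are presumably there for Spring Cloud Vault's mount detection — confirm which path it actually reads before trimming them. The trailing blank lines can go.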
diff --git a/Deployment/vault/config/panel-policy.hcl b/Deployment/vault/config/panel-policy.hcl
new file mode 100644
index 000000000..c37b73eef
--- /dev/null
+++ b/Deployment/vault/config/panel-policy.hcl
@@ -0,0 +1,27 @@
+path "kv/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/opex/" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/opex-wallet/" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+
+path "sys/mounts" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "sys/auth" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+
+
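Review bot: `panel-policy` grants create/update/delete on `sys/mounts` and `sys/auth`, which lets the UI user enable, disable or reconfigure auth methods and secret engines — effectively administrator rights for an account whose password is the single `PANEL_PASS` environment variable. If the panel only needs to browse and edit secrets, restrict it to `secret/*` with `read`/`list` on `sys/mounts` and drop the `sys/auth` stanza entirely. The `secret/opex/` and `secret/opex-wallet/` stanzas are already covered by `secret/*` and the file ends in stray blank lines.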
diff --git a/Deployment/vault/config/vault.json b/Deployment/vault/config/vault.json
new file mode 100644
index 000000000..105035688
--- /dev/null
+++ b/Deployment/vault/config/vault.json
@@ -0,0 +1,16 @@
+{
+ "listener": {
+ "tcp": {
+ "address": "0.0.0.0:8200",
+ "tls_disable": "true"
+ }
+ },
+ "backend": {
+ "file": {
+ "path": "/vault/file"
+ }
+ },
+ "default_lease_ttl": "168h",
+ "max_lease_ttl": "0h",
+ "api_addr": "http://0.0.0.0:8200"
+}
\ No newline at end of file
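Review bot: `"tls_disable": "true"` puts the app-id logins, client tokens and every secret read on plaintext HTTP across the Docker network, and `api_addr` is set to `http://0.0.0.0:8200`, which is a bind address rather than one clients can be redirected to. For anything beyond local development terminate TLS on the listener (`tls_cert_file`/`tls_key_file`) and set `api_addr` to the reachable service URL, e.g. `"api_addr": "http://vault:8200"`. `"max_lease_ttl": "0h"` is presumably meant as "unlimited" — confirm against the Vault docs, since a zero value falls back to the server default rather than removing the cap. The file also lacks a trailing newline.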
diff --git a/Deployment/vault/config/workflow-vault.sh b/Deployment/vault/config/workflow-vault.sh
new file mode 100755
index 000000000..b877919dd
--- /dev/null
+++ b/Deployment/vault/config/workflow-vault.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+vault server -config /vault/config/vault.json &
+
+## Export values
+export VAULT_ADDR='http://0.0.0.0:8200'
+export VAULT_SKIP_VERIFY='true'
+
+#
+sleep 10
+
+if [ ! -f /vault/file/generated_keys.txt ]; then
+ echo "Vault init"
+ vault operator init > /vault/file/generated_keys.txt
+fi
+echo "Generated Keys:"
+cat /vault/file/generated_keys.txt
+## Parse unsealed keys
+(grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt
+
+echo "Keys:"
+cat /vault/file/keys.txt
+
+while IFS= read -r line; do
+ echo "Key read from file: $line"
+ vault operator unseal $line
+done < /vault/file/keys.txt
+#
+## Get root token
+(grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
+while IFS= read -r line; do
+ echo "Root token read from file: $line"
+ export VAULT_TOKEN=${line}
+done < /vault/file/tokens.txt
+## Enable kv
+echo 'enable kv'
+vault secrets enable -path=secret -version=1 kv
+## Enable userpass and add default user
+echo 'enable userpass and add default user'
+vault auth enable userpass
+echo 'enable panel policies'
+vault policy write panel-policy /vault/config/panel-policy.hcl
+echo 'set password '
+echo ${PANEL_PASS}
+vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy
+echo 'check login user/pass'
+vault login -method=userpass username=admin password=${PANEL_PASS}
+
+echo 'enable appid and add default user-id'
+vault auth enable app-id
+echo 'enable backend policies'
+vault policy write backend-policy /vault/config/backend-policy.hcl
+echo 'enable backend apps'
+vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
+vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
+vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
+vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
+vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
+vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
+vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
+echo 'enable user-id'
+vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway
+echo 'check login appid'
+vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
+
+#
+## Add secret values
+echo 'put key/value'
+vault kv put secret/opex smtppass=${SMTP_PASS}
+vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}
+
+
+# Keep alive
+while pidof vault >/dev/null; do
+ sleep 10
+done
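Review bot: The unseal keys and the initial root token are persisted in plaintext next to the storage backend (`generated_keys.txt`, `keys.txt`, `tokens.txt` under `/vault/file`, i.e. the `$DATA/vault` volume) and printed to stdout by the `cat` lines, so both the volume and the container log hold enough to unseal Vault and act as root; `echo ${PANEL_PASS}` and the `vault login`/`auth/app-id/login` "check" commands additionally write the admin password and fresh client tokens to the log. At minimum drop the `cat`/`echo` lines and the login checks, quote the loop variables (`vault operator unseal "$line"`), and revoke the root token once the bootstrap writes are done (a limited-policy token for re-runs, or Vault's auto-unseal, is the longer-term fix). The `app-id` auth method is deprecated upstream in favour of AppRole, and with `image: vault` unpinned a future image may not ship it. The script has no `set -e`, so a failed `vault operator init` leaves an empty keys file and the remaining commands run against a sealed server; likewise every re-run repeats `secrets enable`/`auth enable`/`kv put`, overwriting the KV v1 values with whatever the environment holds at that time.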
diff --git a/Jenkins/Jenkinsfile.deploy.dev.groovy b/Jenkins/Jenkinsfile.deploy.dev.groovy
index 4c78c89b0..9bf2e971e 100644
--- a/Jenkins/Jenkinsfile.deploy.dev.groovy
+++ b/Jenkins/Jenkinsfile.deploy.dev.groovy
@@ -15,6 +15,11 @@ pipeline {
stage('Deliver') {
environment {
DATA = '/var/opex/runtime-dev'
+ PANEL_PASS = credentials("v-panel-secret-dev")
+ BACKEND_USER = credentials("v-backend-secret-dev")
+ SMTP_PASS= credentials("smtp-secret-dev")
+ DB_USER='opex'
+ DB_PASS=credentials("db-secret-dev")
}
steps {
dir("Deployment") {
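Review bot: The spacing of the new environment entries is inconsistent (`PANEL_PASS = credentials(...)` vs `SMTP_PASS= credentials(...)` vs `DB_PASS=credentials(...)`); match the surrounding `DATA = '...'` style with one space around `=`, and the same in `Jenkins/Jenkinsfile.deploy.groovy`. Jenkins masks `credentials()` values only in its own console, so the `echo ${PANEL_PASS}` in the vault entrypoint still lands in the container log outside that masking.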
diff --git a/Jenkins/Jenkinsfile.deploy.groovy b/Jenkins/Jenkinsfile.deploy.groovy
index f4ce7d7fb..4bd2c3d57 100644
--- a/Jenkins/Jenkinsfile.deploy.groovy
+++ b/Jenkins/Jenkinsfile.deploy.groovy
@@ -15,6 +15,11 @@ pipeline {
stage('Deliver') {
environment {
DATA = '/var/opex/runtime'
+ PANEL_PASS = credentials("v-panel-secret")
+ BACKEND_USER = credentials("v-backend-secret")
+ SMTP_PASS= credentials("smtp-secret")
+ DB_USER='opex'
+ DB_PASS=credentials("db-secret")
}
steps {
dir("Deployment") {
diff --git a/accountant/accountant-app/pom.xml b/accountant/accountant-app/pom.xml
index aeb891bef..7f6034024 100644
--- a/accountant/accountant-app/pom.xml
+++ b/accountant/accountant-app/pom.xml
@@ -55,6 +55,10 @@
co.nilin.opex.utility.log
logging-handler
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
diff --git a/accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
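Review bot: `System.getenv("BACKEND_USER")` is a platform type returned from a function declared `: String`, so when the variable is unset the call fails with a bare NPE deep inside Spring Cloud Vault's authentication; fail with a readable message instead, `return System.getenv("BACKEND_USER") ?: error("BACKEND_USER environment variable is not set")`. The identical class is duplicated in api-app, bc-gateway-app, eventlog-app and keycloak-gateway (the bc-gateway copy also carries a stray `;`); one copy in a shared utility module would keep the five in step. The empty primary-constructor parentheses in `class VaultUserIdMechanism()` are unnecessary, and the file lacks a trailing newline.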
diff --git a/accountant/accountant-app/src/main/resources/application-docker.yml b/accountant/accountant-app/src/main/resources/application-docker.yml
index 09d0ed7da..c2befb6e8 100644
--- a/accountant/accountant-app/src/main/resources/application-docker.yml
+++ b/accountant/accountant-app/src/main/resources/application-docker.yml
@@ -5,9 +5,11 @@ spring:
host: ${REDIS_HOST}
r2dbc:
url: r2dbc:postgresql://${DB_IP_PORT}/opex_accountant
- username: opex
- password: hiopex
+ username: ${dbusername}
+ password: ${dbpassword}
cloud:
+ vault:
+ host: ${VAULT_HOST}
consul:
host: ${CONSUL_HOST}
main:
diff --git a/accountant/accountant-app/src/main/resources/application-local.yml b/accountant/accountant-app/src/main/resources/application-local.yml
new file mode 100644
index 000000000..a8a44da5c
--- /dev/null
+++ b/accountant/accountant-app/src/main/resources/application-local.yml
@@ -0,0 +1,5 @@
+spring:
+ r2dbc:
+ url: r2dbc:postgresql://localhost:5433/opex_accountant
+ username: ${dbusername}
+ password: ${dbpassword}
\ No newline at end of file
diff --git a/accountant/accountant-app/src/main/resources/application.yml b/accountant/accountant-app/src/main/resources/application.yml
index 0f55f14e7..8ff1a51dd 100644
--- a/accountant/accountant-app/src/main/resources/application.yml
+++ b/accountant/accountant-app/src/main/resources/application.yml
@@ -24,6 +24,19 @@ spring:
cloud:
bootstrap:
enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
consul:
port: 8500
discovery:
@@ -31,6 +44,8 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
+ config:
+ import: vault://secret/${spring.application.name}
app:
coin: nln
address: 1
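Review bot: The new block configures both the bootstrap-style generic backend (`spring.cloud.vault.kv.backend`/`profile-separator`/`application-name` with `spring.cloud.bootstrap.enabled: true`) and the ConfigData import `spring.config.import: vault://secret/${spring.application.name}`; both resolve the same `secret/<app>` path, so confirm which one actually supplies `${dbusername}` in this Boot version and drop the other to avoid double lookups — the same pattern appears in the api, bc-gateway and eventlog `application.yml` hunks. `scheme: http` sends the app-id login and every secret in the clear; it is fine against `localhost` but the docker profile only overrides `host`, so the production compose inherits plaintext as well. `fail-fast: true` combined with a Vault that is initialised by its own entrypoint means startup ordering decides whether the app comes up — see the compose hunk.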
diff --git a/accountant/accountant-ports/accountant-wallet-proxy/pom.xml b/accountant/accountant-ports/accountant-wallet-proxy/pom.xml
index a426e9a29..b6018c730 100644
--- a/accountant/accountant-ports/accountant-wallet-proxy/pom.xml
+++ b/accountant/accountant-ports/accountant-wallet-proxy/pom.xml
@@ -84,16 +84,4 @@
https://repo.spring.io/milestone
-
-
-
-
- org.springframework.cloud
- spring-cloud-dependencies
- ${spring-cloud.version}
- pom
- import
-
-
-
diff --git a/accountant/pom.xml b/accountant/pom.xml
index 7714383c5..c60d9c6c1 100644
--- a/accountant/pom.xml
+++ b/accountant/pom.xml
@@ -73,6 +73,13 @@
logging-handler
${project.version}
+
+ org.springframework.cloud
+ spring-cloud-dependencies
+ ${spring-cloud.version}
+ pom
+ import
+
diff --git a/api/api-app/pom.xml b/api/api-app/pom.xml
index e60b9784b..00529ca01 100644
--- a/api/api-app/pom.xml
+++ b/api/api-app/pom.xml
@@ -64,6 +64,10 @@
springfox-boot-starter
3.0.0
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
diff --git a/api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
diff --git a/api/api-app/src/main/resources/application-docker.yml b/api/api-app/src/main/resources/application-docker.yml
index f44d7c4f5..fa49707cd 100644
--- a/api/api-app/src/main/resources/application-docker.yml
+++ b/api/api-app/src/main/resources/application-docker.yml
@@ -5,9 +5,11 @@ spring:
host: ${REDIS_HOST}
r2dbc:
url: r2dbc:postgresql://${DB_IP_PORT}/opex_api
- username: opex
- password: hiopex
+ username: ${dbusername}
+ password: ${dbpassword}
cloud:
+ vault:
+ host: ${VAULT_HOST}
consul:
host: ${CONSUL_HOST}
port: 8500
diff --git a/api/api-app/src/main/resources/application-local.yml b/api/api-app/src/main/resources/application-local.yml
new file mode 100644
index 000000000..902453ec5
--- /dev/null
+++ b/api/api-app/src/main/resources/application-local.yml
@@ -0,0 +1,5 @@
+spring:
+ r2dbc:
+ url: r2dbc:postgresql://localhost:5437/opex_api
+ username: ${dbusername}
+ password: ${dbpassword}
\ No newline at end of file
diff --git a/api/api-app/src/main/resources/application.yml b/api/api-app/src/main/resources/application.yml
index 18b0ec091..aa3103dae 100644
--- a/api/api-app/src/main/resources/application.yml
+++ b/api/api-app/src/main/resources/application.yml
@@ -24,6 +24,19 @@ spring:
cloud:
bootstrap:
enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
consul:
port: 8500
discovery:
@@ -31,7 +44,8 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
-
+ config:
+ import: vault://secret/${spring.application.name}
app:
accountant:
url: lb://opex-accountant
diff --git a/api/api-ports/api-binance-rest/pom.xml b/api/api-ports/api-binance-rest/pom.xml
index 413465dd8..ccd19b414 100644
--- a/api/api-ports/api-binance-rest/pom.xml
+++ b/api/api-ports/api-binance-rest/pom.xml
@@ -111,15 +111,5 @@
-
-
-
- org.springframework.cloud
- spring-cloud-dependencies
- ${spring-cloud.version}
- pom
- import
-
-
-
+
diff --git a/api/pom.xml b/api/pom.xml
index d5b6f4589..baf80f4cb 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -77,6 +77,13 @@
interceptors
${project.version}
+
+ org.springframework.cloud
+ spring-cloud-dependencies
+ ${spring-cloud.version}
+ pom
+ import
+
diff --git a/bc-gateway/bc-gateway-app/pom.xml b/bc-gateway/bc-gateway-app/pom.xml
index 5f92a0274..33b85f648 100644
--- a/bc-gateway/bc-gateway-app/pom.xml
+++ b/bc-gateway/bc-gateway-app/pom.xml
@@ -87,6 +87,10 @@
springfox-boot-starter
3.0.0
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
diff --git a/bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..f39bf4a89
--- /dev/null
+++ b/bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER");
+ }
+}
\ No newline at end of file
diff --git a/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml b/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml
index 518840557..81b423781 100644
--- a/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml
+++ b/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml
@@ -9,10 +9,12 @@ spring:
port: 6379
r2dbc:
url: r2dbc:postgresql://${DB_IP_PORT}/opex_bc_gateway
- username: opex
- password: hiopex
+ username: ${dbusername}
+ password: ${dbpassword}
initialization-mode: always
cloud:
+ vault:
+ host: ${VAULT_HOST}
consul:
host: ${CONSUL_HOST}
port: 8500
diff --git a/bc-gateway/bc-gateway-app/src/main/resources/application-local.yml b/bc-gateway/bc-gateway-app/src/main/resources/application-local.yml
new file mode 100644
index 000000000..9a23fc38c
--- /dev/null
+++ b/bc-gateway/bc-gateway-app/src/main/resources/application-local.yml
@@ -0,0 +1,8 @@
+spring:
+ r2dbc:
+ url: r2dbc:postgresql://localhost:5438/opex_bc_gateway
+ username: ${dbusername}
+ password: ${dbpassword}
+ cloud:
+ consul:
+ host: localhost
\ No newline at end of file
diff --git a/bc-gateway/bc-gateway-app/src/main/resources/application.yml b/bc-gateway/bc-gateway-app/src/main/resources/application.yml
index 11af09b06..19fc15ebe 100644
--- a/bc-gateway/bc-gateway-app/src/main/resources/application.yml
+++ b/bc-gateway/bc-gateway-app/src/main/resources/application.yml
@@ -19,6 +19,19 @@ spring:
cloud:
bootstrap:
enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
consul:
port: 8500
discovery:
@@ -26,6 +39,8 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
+ config:
+ import: vault://secret/${spring.application.name}
logging:
level:
org.apache.kafka: DEBUG
diff --git a/eventlog/eventlog-app/pom.xml b/eventlog/eventlog-app/pom.xml
index 88084c14c..8d35db91e 100644
--- a/eventlog/eventlog-app/pom.xml
+++ b/eventlog/eventlog-app/pom.xml
@@ -47,8 +47,24 @@
co.nilin.opex.eventlog.ports.postgres
eventlog-persister-postgres
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
+
+
+
+ org.springframework.cloud
+ spring-cloud-dependencies
+ ${spring-cloud.version}
+ pom
+ import
+
+
+
+
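Review bot: The `spring-cloud-dependencies` BOM import is added to `eventlog-app/pom.xml` itself, whereas for accountant and api this commit moves the same BOM up to the parent pom and removes it from the sub-modules; for consistency put it in `eventlog/pom.xml`. Tags are stripped in this view, so confirm the placement against the actual files.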
diff --git a/eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
diff --git a/eventlog/eventlog-app/src/main/resources/application-docker.yml b/eventlog/eventlog-app/src/main/resources/application-docker.yml
index 5055b1c51..6507116a0 100644
--- a/eventlog/eventlog-app/src/main/resources/application-docker.yml
+++ b/eventlog/eventlog-app/src/main/resources/application-docker.yml
@@ -6,6 +6,9 @@ spring:
group-id: eventlog
r2dbc:
url: r2dbc:postgresql://${DB_IP_PORT}/opex_eventlog
- username: opex
- password: hiopex
- initialization-mode: always
\ No newline at end of file
+ username: ${dbusername}
+ password: ${dbpassword}
+ initialization-mode: always
+ cloud:
+ vault:
+ host: ${VAULT_HOST}
\ No newline at end of file
diff --git a/eventlog/eventlog-app/src/main/resources/application-local.yml b/eventlog/eventlog-app/src/main/resources/application-local.yml
new file mode 100644
index 000000000..a8582114d
--- /dev/null
+++ b/eventlog/eventlog-app/src/main/resources/application-local.yml
@@ -0,0 +1,9 @@
+spring:
+ r2dbc:
+ url: r2dbc:postgresql://localhost:5434/opex_eventlog
+ username: ${dbusername}
+ password: ${dbpassword}
+ initialization-mode: always
+ cloud:
+ consul:
+ host: localhost
\ No newline at end of file
diff --git a/eventlog/eventlog-app/src/main/resources/application.yml b/eventlog/eventlog-app/src/main/resources/application.yml
index 025ceaf4a..86b56d4eb 100644
--- a/eventlog/eventlog-app/src/main/resources/application.yml
+++ b/eventlog/eventlog-app/src/main/resources/application.yml
@@ -1,5 +1,7 @@
server.port: 8090
spring:
+ application:
+ name: opex-eventlog
main:
allow-circular-references: true
kafka:
@@ -10,4 +12,20 @@ spring:
url: r2dbc:postgresql://localhost/opex_eventlog
username: opex
password: hiopex
- initialization-mode: always
\ No newline at end of file
+ initialization-mode: always
+ cloud:
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
+ config:
+ import: vault://secret/${spring.application.name}
\ No newline at end of file
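Review bot: The default profile still carries `username: opex` / `password: hiopex` in the unchanged lines directly above the new `cloud:` block, so with no profile active the Vault-sourced `dbusername`/`dbpassword` are never used and the committed plaintext password remains; the other services in this commit moved those keys to `${dbusername}`/`${dbpassword}` (in their `application-local.yml`). Either switch these two lines to the placeholders as well or remove them so the value has to come from Vault. The file still ends without a newline.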
diff --git a/user-management/keycloak-gateway/pom.xml b/user-management/keycloak-gateway/pom.xml
index a833d881c..f80f1048f 100644
--- a/user-management/keycloak-gateway/pom.xml
+++ b/user-management/keycloak-gateway/pom.xml
@@ -85,6 +85,20 @@
org.springframework.kafka
spring-kafka
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
+
org.springframework.kafka
spring-kafka-test
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java
new file mode 100644
index 000000000..735858fef
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java
@@ -0,0 +1,52 @@
+package co.nilin.opex.auth.gateway.extension;
+
+import org.jboss.logging.Logger;
+import org.keycloak.vault.DefaultVaultRawSecret;
+import org.keycloak.vault.VaultProvider;
+import org.keycloak.vault.VaultRawSecret;
+
+import java.util.Optional;
+
+/**
+ * HashicorpVaultProviderFactory
+ */
+public class HashicorpVaultProvider implements VaultProvider {
+ private static final Logger logger = Logger.getLogger(HashicorpVaultProviderFactory.class);
+
+ private String vaultUrl;
+ private String vaultAppId;
+ private String vaultUserId;
+ private String realmName;
+ private String vaultSecretEngineName;
+ private VaultService service;
+
+ @Override
+ public VaultRawSecret obtainSecret(String vaultSecretId) {
+ int secretVersion = 0;
+ String vaultSecretName = vaultSecretId;
+ if (vaultSecretId.contains(":")) {
+ try {
+ secretVersion = Integer.parseInt(vaultSecretId.substring(vaultSecretId.lastIndexOf(":") + 1));
+ vaultSecretName = vaultSecretId.substring(0, vaultSecretId.lastIndexOf(":"));
+ } catch (NumberFormatException e) {
+ logger.error("last string after : is expected to be the version number");
+ }
+ }
+
+ return DefaultVaultRawSecret.forBuffer(Optional.of(service.getSecretFromVault(vaultUrl, realmName, vaultSecretEngineName, vaultSecretName, vaultAppId, vaultUserId, secretVersion)));
+ }
+
+ @Override
+ public void close() {
+ }
+
+ public HashicorpVaultProvider(String vaultUrl, String vaultAppId, String vaultUserId, String realmName, String vaultSecretEngineName, VaultService service) {
+ this.vaultUrl = vaultUrl;
+ this.vaultAppId = vaultAppId;
+ this.vaultUserId = vaultUserId;
+ this.realmName = realmName;
+ this.vaultSecretEngineName = vaultSecretEngineName;
+ this.service = service;
+ }
+
+}
\ No newline at end of file
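Review bot: `Optional.of(...)` in `obtainSecret` throws `NullPointerException` whenever `VaultService.getSecretFromVault` returns `null` (its `IOException` path), so a Vault outage surfaces as an NPE inside Keycloak instead of an absent secret; use `Optional.ofNullable(...)` so `DefaultVaultRawSecret.forBuffer` carries an empty value. The logger is created for `HashicorpVaultProviderFactory.class` and the Javadoc names the factory too — copy-paste leftovers; log under `HashicorpVaultProvider.class`. When the `:version` suffix fails to parse, `vaultSecretName` keeps the suffix and the lookup will miss anyway, so rejecting the id is clearer than logging and continuing. The fields are only assigned in the constructor and can be `final`.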
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java
new file mode 100644
index 000000000..c546f1646
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java
@@ -0,0 +1,76 @@
+package co.nilin.opex.auth.gateway.extension;
+
+import org.jboss.logging.Logger;
+import org.keycloak.Config.Scope;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.vault.VaultNotFoundException;
+import org.keycloak.vault.VaultProvider;
+import org.keycloak.vault.VaultProviderFactory;
+
+public class HashicorpVaultProviderFactory implements VaultProviderFactory {
+ private static final Logger logger = Logger.getLogger(HashicorpVaultProviderFactory.class);
+
+ public static final String PROVIDER_ID = "hachicorp-vault";
+
+ private String vaultAppId;
+ private String vaultUserId;
+ private String vaultUrl;
+ private String vaultSecretEngineName;
+
+ @Override
+ public VaultProvider create(KeycloakSession session) {
+ VaultService service = new VaultService(session);
+ if (!service.isVaultAvailable(vaultUrl, vaultAppId, vaultUserId)) {
+ logger.error("Vault unavailable : " + vaultUrl);
+ throw new VaultNotFoundException("Vault unavailable : " + vaultUrl);
+ } else {
+ logger.info("Vault available : " + vaultUrl);
+ }
+ return new HashicorpVaultProvider(vaultUrl, vaultAppId, vaultUserId, session.getContext().getRealm().getName(), vaultSecretEngineName, service);
+
+ }
+
+ private static String format(String url) {
+ if (!(url.charAt(url.length() - 1) == '/')) {
+ return url.concat("/");
+ } else {
+ return url;
+ }
+ }
+
+ @Override
+ public void init(Scope config) {
+ if (System.getenv("BACKEND_APP") != null) {
+ vaultAppId = System.getenv("BACKEND_APP");
+ } else {
+ vaultAppId = config.get("appId");
+ }
+ if (System.getenv("BACKEND_USER") != null) {
+ vaultUserId = System.getenv("BACKEND_USER");
+ } else {
+ vaultUserId = config.get("userId");
+ }
+ vaultUrl = config.get("url") != null ? format(config.get("url")) : null;
+ vaultSecretEngineName = config.get("engine-name");
+ logger.info("Init Hashicorp: " + vaultUrl);
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void close() {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+}
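Review bot: `init` leaves `vaultUrl` null when the `url` config entry is absent, and `create` then calls `isVaultAvailable`, which concatenates it into the literal string `"nullv1/sys/health"`; validate in `init` and fail clearly, e.g. `if (vaultUrl == null) throw new IllegalStateException("hachicorp-vault: url is not configured");`. `create` also performs an HTTP health probe on every `KeycloakSession` creation, which couples each request to a Vault round-trip — a cached or periodic probe is more appropriate. `format` throws `StringIndexOutOfBoundsException` on an empty URL (`url.endsWith("/")` avoids it), and `PROVIDER_ID = "hachicorp-vault"` is misspelled but must stay in sync with `keycloak-server.json` if it is ever renamed. The empty `postInit`/`close` bodies can lose their generated `TODO` comments.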
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java
new file mode 100644
index 000000000..d6fe61a78
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java
@@ -0,0 +1,60 @@
+package co.nilin.opex.auth.gateway.extension;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.JsonNode;
+import org.jboss.logging.Logger;
+import org.keycloak.broker.provider.util.SimpleHttp;
+import org.keycloak.models.KeycloakSession;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * VaultService
+ */
+public class VaultService {
+
+ private final KeycloakSession session;
+ private static final Logger logger = Logger.getLogger(VaultService.class);
+
+ public VaultService(KeycloakSession session) {
+ this.session = session;
+ }
+
+ static class UserId {
+ @JsonProperty("user_id")
+ public String userId;
+
+ public UserId(String userId) {
+ this.userId = userId;
+ }
+ }
+
+ public ByteBuffer getSecretFromVault(String vaultUrl, String realm, String vaultSecretEngineName, String secretName, String vaultAppId, String vaultUserId, int secretVersion) {
+ try {
+ //curl \ --method POST \ --data '{"user_id": ":user_id"}' \ http://127.0.0.1:8200/v1/auth/app-id/login/:app_id
+ String vaultToken = SimpleHttp.doPost(vaultUrl + "v1//auth/app-id/login/" + vaultAppId, session).json(new UserId(vaultUserId)).asJson().get("auth").get("client_token").textValue();
+ JsonNode node = SimpleHttp.doGet(vaultUrl + "v1/" + vaultSecretEngineName + "/" + realm + "?version=" + secretVersion, session).header("X-Vault-Token", vaultToken).asJson();
+ byte[] secretBytes = node.get("data").get(secretName).textValue().getBytes(StandardCharsets.UTF_8);
+ return ByteBuffer.wrap(secretBytes);
+ } catch (IOException e) {
+ logger.error("secret not available", e);
+ return null;
+ }
+ }
+
+ public boolean isVaultAvailable(String vaultUrl, String vaultAppId, String vaultUserId) {
+ String healthVaultUrl = vaultUrl + "v1/sys/health";
+ try {
+ JsonNode vaultHealthResponseNode = SimpleHttp.doGet(healthVaultUrl, session).asJson();
+ boolean vaultIsInitialized = vaultHealthResponseNode.get("initialized").asBoolean();
+ boolean vaultIsSealed = vaultHealthResponseNode.get("sealed").asBoolean();
+ return (vaultIsInitialized && !vaultIsSealed);
+ } catch (IOException e) {
+ logger.error("vault service unavailable", e);
+ return false;
+ }
+ }
+
+}
\ No newline at end of file
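Review bot: In `getSecretFromVault` only `IOException` is caught, but a failed login returns a body without `auth` and a missing key returns `data` without `secretName`, so `.get("auth").get("client_token")` and `.get("data").get(secretName)` throw `NullPointerException` that escapes to Keycloak; use `path(...)` and check for null before dereferencing. The login URL also has a doubled slash (`v1//auth/app-id/login/`). Every secret lookup performs a fresh app-id login and the resulting client token is never revoked, so tokens accumulate for the configured lease TTL; reuse the token across lookups or revoke it after use. `?version=` is a KV v2 parameter while the bootstrap script enables KV v1 at `secret`, and the `data.<key>` response shape used here is the v1 one — presumably the parameter is simply ignored, confirm.
```java
    public ByteBuffer getSecretFromVault(String vaultUrl, String realm, String vaultSecretEngineName, String secretName, String vaultAppId, String vaultUserId, int secretVersion) {
        try {
            JsonNode loginNode = SimpleHttp.doPost(vaultUrl + "v1/auth/app-id/login/" + vaultAppId, session)
                    .json(new UserId(vaultUserId)).asJson();
            String vaultToken = loginNode.path("auth").path("client_token").textValue();
            if (vaultToken == null) {
                logger.error("vault login failed for app-id " + vaultAppId + ": " + loginNode.path("errors"));
                return null;
            }
            JsonNode node = SimpleHttp.doGet(vaultUrl + "v1/" + vaultSecretEngineName + "/" + realm + "?version=" + secretVersion, session)
                    .header("X-Vault-Token", vaultToken).asJson();
            String secret = node.path("data").path(secretName).textValue();
            if (secret == null) {
                logger.error("secret " + secretName + " not present in " + vaultSecretEngineName + "/" + realm);
                return null;
            }
            return ByteBuffer.wrap(secret.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            // … unchanged: error logging and null return …
        }
    }
```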
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
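Review bot: `createUserId()` at L1086 returns `System.getenv("BACKEND_USER")` through a non-null `String` return type, so when the variable is absent the app-id login fails with a null-check error at Vault authentication time instead of a message that names the missing setting. A guard such as `return System.getenv("BACKEND_USER") ?: error("BACKEND_USER is not set; required for Vault app-id login")` fails fast with a diagnosable cause. The user-id is the second half of the app-id credential pair, so a short KDoc noting that it must be treated as a secret (never logged or echoed in health output) would help the next maintainer. The same file is added byte-for-byte under wallet-app (L1243-L1258) and websocket-app (L1343-L1358), all with blob index e9efaf92a; a shared module would stop the three copies from drifting.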
diff --git a/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json b/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json
index 1058fe841..6c6b39cc1 100644
--- a/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json
+++ b/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json
@@ -198,9 +198,15 @@
}
},
"vault": {
- "files-plaintext": {
- "dir": "target/dependency/vault",
- "enabled": "${keycloak.vault.files-plaintext.provider.enabled:false}"
+ "provider": "hachicorp-vault",
+ "default": {
+ "enabled": true
+ },
+ "hachicorp-vault": {
+ "url": "${keycloak.hashicorp.url}",
+ "appId": "${spring.application.name}",
+ "engine-name": "secret",
+ "enabled": "${keycloak.vault.files-plaintext.provider.enabled:true}"
}
},
"saml-artifact-resolver": {
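Review bot: The new provider block keeps `"enabled": "${keycloak.vault.files-plaintext.provider.enabled:true}"` (L1109), so the HashiCorp provider is switched by a property named after the provider this hunk removes, with the default flipped to true at the same time; rename it to match the provider, e.g. `"enabled": "${keycloak.vault.hashicorp.provider.enabled:true}"`, and update whatever sets it. The provider id is spelled `hachicorp-vault` in both the `provider` value (L1101) and the block key (L1105); this only resolves if the factory's id uses the same spelling, which is not visible here, so either correct it consistently or confirm the id. The `default` block at L1102-L1104 has no obvious consumer in this file; if it is not a provider id it should be dropped rather than left as an unexplained toggle.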
diff --git a/user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory b/user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory
new file mode 100644
index 000000000..38186ba6e
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory
@@ -0,0 +1 @@
+co.nilin.opex.auth.gateway.extension.HashicorpVaultProviderFactory
\ No newline at end of file
diff --git a/user-management/keycloak-gateway/src/main/resources/application-docker.yml b/user-management/keycloak-gateway/src/main/resources/application-docker.yml
index f52df428b..3c3eb5f92 100644
--- a/user-management/keycloak-gateway/src/main/resources/application-docker.yml
+++ b/user-management/keycloak-gateway/src/main/resources/application-docker.yml
@@ -3,9 +3,11 @@ spring:
bootstrap-servers: ${KAFKA_IP_PORT}
datasource:
url: jdbc:postgresql://${DB_IP_PORT}/opex_auth
- username: opex
- password: hiopex
+ username: ${dbusername}
+ password: ${dbpassword}
cloud:
+ vault:
+ host: ${VAULT_HOST}
consul:
host: ${CONSUL_HOST}
port: 8500
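Review bot: The docker profile overrides only `spring.cloud.vault.host` (L1135), so `scheme: http` and `port: 8200` from application.yml still apply and the app-id login plus every secret read (`dbusername`, `dbpassword`) travel in clear text on the container network. That may be acceptable for a dev compose stack, but it should be explicit, e.g. `host: ${VAULT_HOST}  # scheme/port inherit http:8200 from application.yml; use TLS outside dev`. `${VAULT_HOST}` has no default, so an unset variable fails at placeholder resolution rather than with a message about the deployment; a default such as `${VAULT_HOST:vault}` (if that is the compose service name) makes the intended wiring visible. The identical pattern is in wallet-app (L1273-L1274) and websocket-app (L1372-L1373).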
diff --git a/user-management/keycloak-gateway/src/main/resources/application-local.yml b/user-management/keycloak-gateway/src/main/resources/application-local.yml
new file mode 100644
index 000000000..95232034a
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/resources/application-local.yml
@@ -0,0 +1,12 @@
+spring:
+ kafka:
+ bootstrap-servers: localhost:9092
+ datasource:
+ url: jdbc:postgresql://127.0.0.1:6435/opex_auth
+ username: opex
+ password: hiopex
+ cloud:
+ consul:
+ host: 127.0.0.1
+ port: 8500
+
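Review bot: This local profile hard-codes `username: opex` / `password: hiopex` (L1150-L1151), the same literals the docker profile in this commit removes, while the wallet-app (L1293-L1294) and websocket-app (L1386-L1387) local profiles read `${dbusername}` / `${dbpassword}` from Vault; the three profiles should agree. application.yml appears to point at Vault on localhost:8200 with fail-fast, so a local run already needs Vault and switching to the placeholders costs nothing while keeping a real-looking credential out of the repository. The trailing blank line at L1156 can also be dropped.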
diff --git a/user-management/keycloak-gateway/src/main/resources/application.yml b/user-management/keycloak-gateway/src/main/resources/application.yml
index db3942635..9f0b97287 100644
--- a/user-management/keycloak-gateway/src/main/resources/application.yml
+++ b/user-management/keycloak-gateway/src/main/resources/application.yml
@@ -25,6 +25,19 @@ spring:
cloud:
bootstrap:
enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
consul:
port: 8500
discovery:
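Review bot: `authentication: APPID` (L1169) selects Vault's App ID auth method, which HashiCorp has deprecated in favor of AppRole; here the user-id half of the credential is a static environment value (`BACKEND_USER` via `VaultUserIdMechanism`) and the app-id is the application name, so the token-granting pair is fully recoverable from the container environment. Prefer `authentication: APPROLE` with `spring.cloud.vault.app-role.role-id` / `secret-id`, or at minimum record the choice, `authentication: APPID  # deprecated upstream; migrate to APPROLE`. `scheme: http` (L1168) should likewise carry a dev-only comment since secrets are fetched over it. The same block is added to wallet-app (L1305-L1317) and websocket-app (L1397-L1409).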
@@ -32,6 +45,8 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
+ config:
+ import: vault://secret/${spring.application.name}
keycloak:
server:
contextPath: /auth
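Review bot: `import: vault://secret/${spring.application.name}` (L1186) names one explicit KV path, so the per-profile contexts that `kv.application-name` and `profile-separator: '/'` in the previous hunk describe (`secret/<app>/<profile>`) are not what this import loads; if per-profile secrets are intended, a bare `import: vault://` lets the kv settings derive the paths, otherwise the `kv` block is redundant and should be trimmed so there is one source of truth. With `spring.cloud.bootstrap.enabled: true` (L1164) the bootstrap-time Vault property source may load the same context a second time; worth confirming which mechanism is meant to win. The diff rendering drops leading indentation, so also confirm `config:` sits at `spring.config` and not under `spring.cloud`. The same import is added to wallet-app (L1325-L1326) and websocket-app (L1416-L1417).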
@@ -48,3 +63,5 @@ keycloak:
feature:
admin_fine_grained_authz: enabled
token_exchange: enabled
+ hashicorp:
+ url: ${VAULT_URL}
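Review bot: `url: ${VAULT_URL}` (L1195) is consumed by the provider code visible above (L1049-L1050, L1060) as `vaultUrl + "v1/..."` with no separator, so the value must end in a trailing slash or requests are sent to a malformed URL; document that, `url: ${VAULT_URL}  # must end with '/'`, or add a default like `${VAULT_URL:http://localhost:8200/}` that demonstrates the form. The `v1//auth/app-id/login/` path built at L1049 also has a doubled slash that should be a single one.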
diff --git a/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json b/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json
index 259df44ab..146a5976d 100644
--- a/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json
+++ b/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json
@@ -42,6 +42,6 @@
"from": "for.demo.purpose.only@opex.dev",
"auth": true,
"user": "for.demo.purpose.only@opex.dev",
- "password": "642467973026C6F093FB1E39C4BFC0D15042"
+ "password": "${vault.smtppass}"
}
}
\ No newline at end of file
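Review bot: Replacing the literal SMTP password with `${vault.smtppass}` (L1205) removes it from the working tree only; the old value at L1204, and the same value at L1217 in opex-realm.json, remain in git history, so the SMTP credential should be rotated at the provider as part of this change. The `${vault.<key>}` expression is resolved by the configured Keycloak vault provider at realm import, so `smtppass` must exist under the path that provider reads for this realm; a short note (commit message or README) naming the expected Vault path for the key would save the next person a search.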
diff --git a/user-management/keycloak-gateway/src/main/resources/opex-realm.json b/user-management/keycloak-gateway/src/main/resources/opex-realm.json
index 791115d4b..86f085983 100644
--- a/user-management/keycloak-gateway/src/main/resources/opex-realm.json
+++ b/user-management/keycloak-gateway/src/main/resources/opex-realm.json
@@ -1974,7 +1974,7 @@
"strictTransportSecurity": "max-age=31536000; includeSubDomains"
},
"smtpServer": {
- "password": "642467973026C6F093FB1E39C4BFC0D15042",
+ "password": "${vault.smtppass}",
"auth": "true",
"port": "2525",
"host": "smtp.elasticemail.com",
diff --git a/user-management/pom.xml b/user-management/pom.xml
index 6da9f3002..4b9529c91 100644
--- a/user-management/pom.xml
+++ b/user-management/pom.xml
@@ -10,8 +10,8 @@
- 2.4.4
- 2020.0.2
+ 2.4.5
+ 2020.0.3
co.nilin.opex.auth
diff --git a/wallet/wallet-app/pom.xml b/wallet/wallet-app/pom.xml
index 2890168aa..15350d553 100644
--- a/wallet/wallet-app/pom.xml
+++ b/wallet/wallet-app/pom.xml
@@ -99,6 +99,10 @@
json-smart
2.4.7
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
diff --git a/wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
diff --git a/wallet/wallet-app/src/main/resources/application-docker.yml b/wallet/wallet-app/src/main/resources/application-docker.yml
index 72129f214..32de0c06b 100644
--- a/wallet/wallet-app/src/main/resources/application-docker.yml
+++ b/wallet/wallet-app/src/main/resources/application-docker.yml
@@ -9,10 +9,12 @@ spring:
port: 6379
r2dbc:
url: r2dbc:postgresql://${DB_IP_PORT}/opex_wallet
- username: opex
- password: hiopex
+ username: ${dbusername}
+ password: ${dbpassword}
initialization-mode: always
cloud:
+ vault:
+ host: ${VAULT_HOST}
consul:
host: ${CONSUL_HOST}
port: 8500
diff --git a/wallet/wallet-app/src/main/resources/application-local.yml b/wallet/wallet-app/src/main/resources/application-local.yml
new file mode 100644
index 000000000..0d0b0906b
--- /dev/null
+++ b/wallet/wallet-app/src/main/resources/application-local.yml
@@ -0,0 +1,12 @@
+server.port: 8091
+spring:
+ kafka:
+ bootstrap-servers: localhost:9092
+ redis:
+ host: 127.0.0.1
+ port: 6379
+ r2dbc:
+ url: r2dbc:postgresql://127.0.0.1:5436/opex_wallet
+ username: ${dbusername}
+ password: ${dbpassword}
+ initialization-mode: always
\ No newline at end of file
diff --git a/wallet/wallet-app/src/main/resources/application.yml b/wallet/wallet-app/src/main/resources/application.yml
index 6b9be3fff..d89f4c3bf 100644
--- a/wallet/wallet-app/src/main/resources/application.yml
+++ b/wallet/wallet-app/src/main/resources/application.yml
@@ -20,6 +20,19 @@ spring:
cloud:
bootstrap:
enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
consul:
port: 8500
discovery:
@@ -27,6 +40,8 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
+ config:
+ import: vault://secret/${spring.application.name}
app:
gift:
symbol: usdt
diff --git a/websocket/websocket-app/pom.xml b/websocket/websocket-app/pom.xml
index 16228b9ed..e64616340 100644
--- a/websocket/websocket-app/pom.xml
+++ b/websocket/websocket-app/pom.xml
@@ -71,6 +71,10 @@
co.nilin.opex.websocket.ports.postgres
websocket-persister-postgres
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
io.projectreactor
reactor-test
diff --git a/websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
diff --git a/websocket/websocket-app/src/main/resources/application-docker.yml b/websocket/websocket-app/src/main/resources/application-docker.yml
index b1d77a0de..1125c565d 100644
--- a/websocket/websocket-app/src/main/resources/application-docker.yml
+++ b/websocket/websocket-app/src/main/resources/application-docker.yml
@@ -5,9 +5,11 @@ spring:
host: ${REDIS_HOST}
r2dbc:
url: r2dbc:postgresql://${DB_IP_PORT}/opex_api
- username: opex
- password: hiopex
+ username: ${dbusername}
+ password: ${dbpassword}
cloud:
+ vault:
+ host: ${VAULT_HOST}
consul:
host: ${CONSUL_HOST}
port: 8500
diff --git a/websocket/websocket-app/src/main/resources/application-local.yml b/websocket/websocket-app/src/main/resources/application-local.yml
new file mode 100644
index 000000000..902453ec5
--- /dev/null
+++ b/websocket/websocket-app/src/main/resources/application-local.yml
@@ -0,0 +1,5 @@
+spring:
+ r2dbc:
+ url: r2dbc:postgresql://localhost:5437/opex_api
+ username: ${dbusername}
+ password: ${dbpassword}
\ No newline at end of file
diff --git a/websocket/websocket-app/src/main/resources/application.yml b/websocket/websocket-app/src/main/resources/application.yml
index a7a77a392..147c26f04 100644
--- a/websocket/websocket-app/src/main/resources/application.yml
+++ b/websocket/websocket-app/src/main/resources/application.yml
@@ -18,12 +18,27 @@ spring:
cloud:
bootstrap:
enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
consul:
port: 8500
discovery:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
+ config:
+ import: vault://secret/${spring.application.name}
app:
auth:
cert-url: http://localhost:8083/auth/realms/opex/protocol/openid-connect/certs
\ No newline at end of file