Quarkus vault configuration with database credentials provider not working if application.properties externalized #24825

Closed
philippegoncalves opened this issue Apr 7, 2022 · 3 comments
Labels
area/vault kind/bug Something isn't working triage/out-of-date This issue/PR is no longer valid or relevant

Comments

@philippegoncalves

Describe the bug

Hi,

in order to decouple dev and prod configuration files, we are trying to start our Quarkus application using the config quarkus.config.locations when running on prod. Our prod config file contains all the vault and database information used to connect to our database and it is not known by developers. Unfortunately it looks like external configurations are loaded after the db connection is done through the credentials provider from vault, causing the app to not start and printing multiple exceptions. I have tried many combinations and so far what is working:

  • having all the vault + database configuration in src/main/resources/application.properties (compile time)
  • having the configuration in /config/application.properties where the app is started (run time)
  • passing the configuration in command line, except quarkus.vault.credentials-provider.mydatabase.credentials-mount=database (run time)

Expected behavior

Vault configurations for dynamic credentials provider could be externalized in a configuration file known at runtime.

Actual behavior

Starting the application without the dynamic credentials provider vault configuration in src/main/resources/application.properties does not work

How to Reproduce?

Issue can be reproduced easily:

  • Follow the instructions to start a vault container https://quarkiverse.github.io/quarkiverse-docs/quarkus-vault/dev/index.html
  • Continue on "Dynamic Database Credentials" https://quarkiverse.github.io/quarkiverse-docs/quarkus-vault/dev/vault-datasource.html
  • Start the quarkus app in dev mode, app can be started
  • Remove the configurations from inside src/main/resources/application.properties and move them to /test/application.properties
  • Start the quarkus app in dev mode passing -Dquarkus.config.locations=/test, app cannot be started and prints out exceptions
  • Start the quarkus app in dev mode passing all the command line parameters from the original application.properties, app cannot be started
  • Put back quarkus.vault.credentials-provider.mydatabase.credentials-mount=database in src/main/resources/application.properties
  • Start the quarkus app in dev mode passing all the command line parameters from the original application.properties, app can be started

Note that the issue is not met if using regular user/password without vault.

Output of uname -a or ver

Linux laptop 5.13.0-39-generic #44-Ubuntu SMP Thu Mar 24 15:35:05 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk version "1.8.0_312"

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.6.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Gradle 7.3.3

Additional information

No response

@philippegoncalves philippegoncalves added the kind/bug Something isn't working label Apr 7, 2022
@quarkus-bot

quarkus-bot bot commented Apr 7, 2022

/cc @vsevel

@philippegoncalves philippegoncalves changed the title Quarkus vault configuration with database credentials provider not working if applications.properties externalized Quarkus vault configuration with database credentials provider not working if application.properties externalized Apr 7, 2022
@vsevel
Contributor

vsevel commented Apr 8, 2022

Hello, this may have already been fixed by @radcortez in #24673, as it looks similar to #24465.
Please wait for 2.9 and test your reproducer again, or follow the above issue to see if it gets backported to one of the 2.8.x.
/cc @gsmet

@geoand
Contributor

geoand commented Apr 8, 2022

#24673 has the backport label, so it should be included in 2.8.1.Final.

I am going to proactively close this as it does seem to be fixed already, but if it still fails when 2.8.1 is released, please comment and I'll reopen.

@geoand geoand closed this as completed Apr 8, 2022
@geoand geoand added the triage/out-of-date This issue/PR is no longer valid or relevant label Apr 8, 2022