vault integration for secrets

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '3.1'
+version: '3.8'
 services:
   db:
     image: mysql
@@ -7,3 +7,23 @@ services:
     environment:
       MYSQL_ROOT_PASSWORD: my-secret-pw
       MYSQL_DATABASE: vault-integration-db
+    networks:
+      - vault-network
+
+  vault:
+    image: hashicorp/vault:latest
+    ports:
+      - "8200:8200"
+    environment:
+      VAULT_ADDR: "http://0.0.0.0:8200"
+      VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
+    cap_add:
+      - IPC_LOCK
+    networks:
+      - vault-network
+
+networks:
+  vault-network:
+    ipam:
+      config:
+        - subnet: 172.21.0.0/24

pom.xml

@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -28,6 +27,7 @@
   </scm>
   <properties>
     <java.version>17</java.version>
+    <spring-cloud.version>2023.0.3</spring-cloud.version>
   </properties>
   <dependencies>
     <dependency>
@@ -37,23 +37,52 @@
     <dependency>
       <groupId>com.mysql</groupId>
       <artifactId>mysql-connector-j</artifactId>
-      <version>8.4.0</version>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-starter-vault-config</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.projectlombok</groupId>
+      <artifactId>lombok</artifactId>
+      <optional>true</optional>
     </dependency>
-
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-test</artifactId>
       <scope>test</scope>
     </dependency>
   </dependencies>
-
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-dependencies</artifactId>
+        <version>${spring-cloud.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <build>
     <plugins>
       <plugin>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-maven-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>
+              <groupId>org.projectlombok</groupId>
+              <artifactId>lombok</artifactId>
+            </exclude>
+          </excludes>
+        </configuration>
       </plugin>
     </plugins>
   </build>
-
-</project>
+</project>

src/main/java/com/examples/vaultintegration/controller/EmployeeController.java

@@ -0,0 +1,30 @@
+package com.examples.vaultintegration.controller;
+
+import com.examples.vaultintegration.dao.EmployeeRepository;
+import com.examples.vaultintegration.model.Employee;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/employee")
+public class EmployeeController {
+
+    @Autowired
+    EmployeeRepository employeeRepository;
+
+    @GetMapping
+    public ResponseEntity<Employee> getEmployee() {
+        Employee employee = employeeRepository.getEmployee(1);
+        return new ResponseEntity(employee, HttpStatus.OK);
+    }
+
+    @PostMapping
+    public ResponseEntity saveEmployee(@RequestBody Employee emp) {
+        employeeRepository.saveEmployee(emp);
+        System.out.println("employee saved");
+        return new ResponseEntity(HttpStatus.CREATED);
+    }
+}

src/main/java/com/examples/vaultintegration/dao/EmployeeRepository.java

@@ -0,0 +1,10 @@
+package com.examples.vaultintegration.dao;
+
+import com.examples.vaultintegration.model.Employee;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface EmployeeRepository {
+    Employee getEmployee(int id);
+    void saveEmployee(Employee employee);
+}

src/main/java/com/examples/vaultintegration/dao/EmployeeRepositoryImpl.java

@@ -0,0 +1,45 @@
+package com.examples.vaultintegration.dao;
+
+import com.examples.vaultintegration.model.Employee;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.stereotype.Repository;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.Random;
+
+@Repository
+public class EmployeeRepositoryImpl implements EmployeeRepository {
+
+    @Autowired
+    private JdbcTemplate jdbcTemplate;
+
+    @Override
+    public Employee getEmployee(int id) {
+        jdbcTemplate.queryForObject("select id, first_name, last_name from employee where id=" + id,
+                new RowMapper<Object>() {
+                    @Override
+                    public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
+                        Employee emp = new Employee();
+                        emp.setId(rs.getInt("id"));
+                        emp.setFirstName(rs.getString("first_name"));
+                        emp.setLastName(rs.getString("last_name"));
+                        return emp;
+                    }
+
+        });
+        return null;
+    }
+
+    @Override
+    public void saveEmployee(Employee employee) {
+        String sql = "insert into employee(id, first_name, last_name) values(?, ?, ?)";
+        System.out.println(sql+"" +employee.getFirstName()+" "+employee.getLastName());
+        Random rand = new Random();
+        int rand_int1 = rand.nextInt(1000);
+        int cnt = jdbcTemplate.update(sql, rand_int1, employee.getFirstName(), employee.getLastName());
+        System.out.println("saved emp count: "+ cnt);
+    }
+}

src/main/java/com/examples/vaultintegration/model/Employee.java

@@ -0,0 +1,14 @@
+package com.examples.vaultintegration.model;
+
+import lombok.Data;
+import org.springframework.stereotype.Component;
+
+@Data
+@Component
+public class Employee {
+
+    private int id;
+    private String firstName;
+    private String lastName;
+
+}

src/main/resources/application.properties

@@ -1,4 +1,18 @@
-spring.application.name=vault-integration
-spring.datasource.url= jdbc:mysql://localhost:3306/vault-integration-db
-spring.datasource.username=root
-spring.datasource.password=my-secret-pw
+spring.application.name=mysql
+spring.cloud.vault.uri=http://127.0.0.1:8200
+spring.cloud.vault.authentication=TOKEN
+#Root token.
+#spring.cloud.vault.token=vault-plaintext-root-token
+#UserName & Pwd token
+spring.cloud.vault.token=hvs.CAESID_ilu7cXvbfXUoX0p1Xo6IifvSMVvYf_KKHvKcBDXezGh4KHGh2cy50V0p1bmtXb1NKVFB0QjdQcWZZNHRDcmg
+spring.cloud.vault.kv.enabled=true
+spring.cloud.vault.kv.backend=secret
+spring.cloud.vault.kv.default-context=mysql
+spring.config.import: vault://
+
+spring.jpa.database-platform=org.hibernate.dialect.MySQLDialect
+spring.jpa.properties.hibernate.temp.use_jdbc_metadata_defaults=false
+
+spring.datasource.url=jdbc:mysql://localhost:3306/vault-integration-db
+spring.datasource.username=${dbusername}
+spring.datasource.password=${dbpassword}

src/main/resources/vault_auth_config/vault-cert.hcl

@@ -0,0 +1,85 @@
+#This allows the role to be able to renew the cert and tokens associated
+
+path "pki_int/issue/*" {
+
+    capabilities = ["create", "update"]
+
+}
+
+path "pki_int/certs" {
+
+    capabilities = ["list"]
+
+}
+
+path "pki_int/revoke" {
+
+    capabilities = ["create", "update"]
+
+}
+
+path "pki_int/tidy" {
+
+capabilities = ["create", "update"]
+
+}
+
+path "pki/cert/ca" {
+
+capabilities = ["read"]
+
+}
+
+path "auth/token/renew" {
+
+    capabilities = ["update"]
+
+}
+
+path "auth/token/renew-self" {
+
+    capabilities = ["update"]
+
+}
+
+# Roles to create, update secrets 
+
+path "/sys/mounts" {
+    capabilities = ["read", "update", "list"]
+    }
+
+path "/sys/mounts/*" {
+
+    capabilities = ["update", "create"]
+
+}
+
+path "sys/policies/acl" {
+
+    capabilities = ["read"]
+
+}
+
+path "secret/*" {
+
+    capabilities = ["read", "create", "update", "delete"]
+
+}
+
+#This allows it to view secrets {{path}} will need to be updated
+
+#v1 kv pair path
+
+path "{{path}}/*" {
+
+  capabilities = ["read", "list"]
+
+}
+
+#v2 kv pair path
+
+path "{{path}}/+/*" {
+
+  capabilities = ["read", "list"]
+
+}