问题
I have a spring-boot application which runs in different environments (dev,qa,prod). In order to generate immutable builds which can run on all environments without any modification i have packaged environment specific configuration files into generated jar itself. But this creates another problem of exposing production database credentials to development team too. I can use external config server, but that's overkill for me for now.
How can i manage these configuration files to avoid this information leak and have immutable builds to support CI/CD ?
回答1:
For dataleakage, it's advisable to encrypt the username/password with jasypt.
application connect to database
https://github.com/ulisesbocchio/jasypt-spring-boot
The password for the decryption has to be on the machine, though, so that should be there already, secured as much as possible (e.g. different user, or https://github.com/certnanny/KeyNanny)
I wouldn't put the configuration in the jar-file, though. It's not part of the applicaction logic, it's part of deployment process, and the deployer should be able to add new machines easily. If you use docker, it's different, of course.
回答2:
Saving your credentials inside application is seems to insecure practice. You can save the credentials externally (external server to save secrets, or may be on same server inside different application or env variables). Reading data through env varables will keep your build intact.
If you are using any cloud services like aws or pivotal then they have such services to store your secrets.
回答3:
Most of my application config file (eq. application.yml) is like this:
datasource:
username: {database_username:root}
password: {database_password:root123}
sql-script-encoding: utf-8
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://{database_host:localhost}:3306/dbname?useUnicode=true&characterEncoding=utf-8
If the environment variable is present, the application will load config from environment. otherwise will use the default value.
After this you can build single package and run everywhere.
In my case, I build the application into a docker image, And run in kubernetes, so the config properties will store in ConfigMaps and Secret.
When the Pod running, will load configmaps and secret to environment variable.
And Of course, you can also use other tools as well.
回答4:
You can create yml files for different profiles and specify profile in JVM arguments.
- Set common parameters for all profiles in
application.yml - Parameters for a specific profile set in
application-name.yml - Set profile in JVM arguments:
java -jar -Dspring.profiles.active=nameor in.conffile:JAVA_OPTS=-Dspring.profiles.active=name - Same as profile set db parameters:
java -jar -Dspring.datasource.username=name -Dspring.datasource.password=pass
Read more
来源:https://stackoverflow.com/questions/50371247/how-to-manage-spring-boot-application-configuration-for-different-environmnets