Externalizing secrets in Spring Boot - using Karmahostage

Oftentimes when running applications in a production environment, you'll have a variety of configurable properties. We're all aware that storing these properties as constants in code is a no-go. However, you'll often have to configure properties that are supposed to be kept secret: database usernames, passwords, API keys, you name it. It's considered bad practice to put these secrets in property files.

Today we'll look at Karmahostage Secret Management. Karmahostage is a SaaS solution which allows you to perform various cryptographic operations on data, manage cryptographic keys and store secrets. Their vault solution is perfect for storing application secrets and is a valid alternative to a Kubernetes Secret or ConfigMap.

Prerequisites

Creating a new application on Karmahostage

Visit Karmahostage and register if you haven't already done so. Go through the process and create a new secret for your freshly generated application.

Also find the API key settings for your application and reveal the API key. You'll need this to authenticate towards the Karmahostage APIs.

Adding the dependencies

First of all, we'll need to add the Karmahostage starter dependency. All of our packages are hosted on GitHub, so the first thing you'll need to do is add the repository.

<repositories>
    <repository>
        <id>github</id>
        <name>GitHub Karmahostage API Apache Maven Packages</name>
        <url>https://maven.pkg.github.com/Karmahostage/maven-repo</url>
    </repository>
</repositories>

Secondly, import the Maven BOM for the Karmahostage dependencies.

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.karmahostage.cloud</groupId>
            <artifactId>spring-cloud-karmahostage-dependencies</artifactId>
            <version>0.0.5</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Lastly, you'll need to add a dependency on spring-cloud-starter-karmahostage. This will add the spring-cloud-starter-karmahostage-secrets dependency and activate it.

<dependency>
    <groupId>com.karmahostage.cloud</groupId>
    <artifactId>spring-cloud-starter-karmahostage</artifactId>
</dependency>

Configuring the environment

Spring Cloud Karmahostage will only work if you add an API key. An API key is linked to an application in Karmahostage.

bootstrap.properties

spring.cloud.karmahostage.apiKey=$PUT_KEY_HERE

The library will look at the paths defined with the property spring.cloud.karmahostage.secret.paths.
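The API key in bootstrap.properties is itself a secret, so the following added check (not part of the original post or of the Karmahostage project) flags a file where spring.cloud.karmahostage.apiKey holds a literal value instead of a Spring `${...}` placeholder resolved at deploy time. The environment variable name KARMAHOSTAGE_API_KEY and the sample file contents are assumptions constructed for illustration.

```python
import re

# Property the page configures in bootstrap.properties.
API_KEY_PROP = "spring.cloud.karmahostage.apiKey"

# A Spring placeholder with no default: ${NAME}. A default (${NAME:value})
# would put a literal fallback secret back into the file, so it is rejected.
PLACEHOLDER_ONLY = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_.\-]*\}$")


def parse_properties(text):
    """Parse simple key=value / key:value lines, skipping comments and blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_api_key(text):
    """Return 'ok', 'missing', or 'literal' for the Karmahostage API key."""
    value = parse_properties(text).get(API_KEY_PROP)
    if value is None or value == "":
        return "missing"
    return "ok" if PLACEHOLDER_ONLY.match(value) else "literal"


# Constructed sample files (not from the page); the key values are made up.
# KARMAHOSTAGE_API_KEY is a hypothetical environment variable name.
SAMPLES = {
    "literal": "spring.cloud.karmahostage.apiKey=CONSTRUCTED-EXAMPLE-KEY\n",
    "env": "# injected at deploy time\n"
           "spring.cloud.karmahostage.apiKey=${KARMAHOSTAGE_API_KEY}\n",
    "default": "spring.cloud.karmahostage.apiKey=${KARMAHOSTAGE_API_KEY:changeme}\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", check_api_key(text))
```

Run as a pre-commit or CI step, a result of 'literal' means the key would be committed along with the file; 'missing' means the property is absent and has to be supplied some other way.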

Example

An updated example can be found at the spring-cloud-karmahostage repository.