Description
Hello Spring Cloud Config Server Team,
We have a Spring Cloud Config Server via Spring Boot 2.4.2 + Ilford.
The back end is Hashicorp Vault. We are using only the config server jar, no Spring-Vault-Config, no BetterCloud, etc...
Our current setup is:
spring.cloud.config.server.vault.backend=cubbyhole/somepath
spring.cloud.config.server.vault.host=our-vault-instance
spring.cloud.config.server.vault.port=443
spring.cloud.config.server.vault.scheme=https
spring.cloud.config.server.vault.authentication=cert
spring.cloud.config.server.vault.ssl.key-store=file://path/to/keystore.p12
spring.cloud.config.server.vault.ssl.key-store-password=the-password
spring.cloud.config.server.vault.ssl.cert-auth-path=cert
#spring.cloud.config.server.vault.token=we are NOT using token
And on client side, very straightforward
spring.config.import=optional:configserver:https://the-config-server-with-vault-back-end:8080
When the client starts, we see this in spring cloud config server debug logs:
o.s.web.servlet.DispatcherServlet : GET "/the-config-server-route/vault-path", parameters={}
.m.m.a.ExceptionHandlerExceptionResolver : Resolved [java.lang.IllegalArgumentException: Missing required header in HttpServletRequest: X-Config-Token]
o.s.web.servlet.DispatcherServlet : Completed 400 BAD_REQUEST
s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
o.s.security.web.FilterChainProxy : Securing GET /error
s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
o.s.security.web.FilterChainProxy : Secured GET /error
o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for GET "/error", parameters={}
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/vnd.spring-cloud.config-server.v2+json', given [application/vnd.spring-cloud.config-server.v2+json] and supported [application/json, application/*+json, application/json, application/*+json]
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 400
As you can see, it is still expecting a token as if we were not trying to connect via cert, but via token.
Te expected behavior would have been a connection to HTTP POST https://vault:443/v1/auth/cert/login in order to fetch the token first.
However, it is currently not sending any request to v1/auth/cert/login (Vault log monitored) and directly failing with the MISSING TOKEN.
Thank you