I have a spring-boot application which runs in different environments (dev,qa,prod). In order to generate immutable builds which can run on all environments without any modification i have packaged environment specific configuration files into generated jar itself. But this creates another problem of exposing production database credentials to development team too. I can use external config server, but that's overkill for me for now.
How can i manage these configuration files to avoid this information leak and have immutable builds to support CI/CD ?
For dataleakage, it's advisable to encrypt the username/password with jasypt.
application connect to database
https://github.com/ulisesbocchio/jasypt-spring-boot
The password for the decryption has to be on the machine, though, so that should be there already, secured as much as possible (e.g. different user, or https://github.com/certnanny/KeyNanny)
I wouldn't put the configuration in the jar-file, though. It's not part of the applicaction logic, it's part of deployment process, and the deployer should be able to add new machines easily. If you use docker, it's different, of course.
Saving your credentials inside application is seems to insecure practice. You can save the credentials externally (external server to save secrets, or may be on same server inside different application or env variables). Reading data through env varables will keep your build intact.
If you are using any cloud services like aws or pivotal then they have such services to store your secrets.
You can create yml files for different profiles and specify profile in JVM arguments.
application.yml
application-name.yml
java -jar -Dspring.profiles.active=name
or in.conf
file:JAVA_OPTS=-Dspring.profiles.active=name
java -jar -Dspring.datasource.username=name -Dspring.datasource.password=pass
Read more
Most of my application config file (eq. application.yml) is like this:
If the environment variable is present, the application will load config from environment. otherwise will use the default value.
After this you can build single package and run everywhere.
In my case, I build the application into a docker image, And run in kubernetes, so the config properties will store in ConfigMaps and Secret.
When the Pod running, will load configmaps and secret to environment variable.
And Of course, you can also use other tools as well.