cleanup/vault_autoconfigured (#3766)

* Normalizing import statements.

* Refactored Vault code as autoconfigured beans.

* Removed unnecessary @import statements related to Vault autoconfiguration.

* Fixed dependencies.

* Now getting datasource URL from Spring DataSource config, not from Vault Database config.

* Removed explicit imports to avoid polluting application context (which is autoconfigured in the actual apps, but not understood by IntelliJ).

* Removed hanging comment.

* Reenabled DataSourceProperties, VaultDatabaseProperties.

Author: rfc3092

apps/brreg-stub/src/main/java/no/nav/brregstub/config/AppConfig.java

@@ -6,16 +6,12 @@
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
 
 import no.nav.testnav.libs.servletcore.config.ApplicationCoreConfig;
-import no.nav.testnav.libs.database.config.FlywayConfiguration;
-import no.nav.testnav.libs.database.config.VaultHikariConfiguration;
 
 @Configuration
 @EnableJpaAuditing
 @EnableJpaRepositories(basePackages = "no.nav.brregstub.database.repository")
 @Import({
-        ApplicationCoreConfig.class,
-        VaultHikariConfiguration.class,
-        FlywayConfiguration.class,
+        ApplicationCoreConfig.class
 })
 public class AppConfig {
 }

apps/brreg-stub/src/main/resources/application-prod.yml

@@ -1,5 +1,6 @@
-
 spring:
+  config:
+    import: "vault://"
   flyway:
     locations: classpath:db/migration/postgresql
   datasource:
@@ -30,5 +31,3 @@ spring:
         role: testnav-brregstub-admin
         backend: postgresql/preprod-fss
       fail-fast: true
-  config:
-    import: vault://

apps/testnorge-statisk-data-forvalter/src/main/java/no/nav/registre/sdforvalter/config/DbProdConfig.java

@@ -1,6 +1,6 @@
 spring:
   config:
-    import: vault://
+    import: "vault://"
   datasource:
     url: jdbc:postgresql://b27dbvl032.preprod.local:5432/testnav-statisk-data?useUnicode=yes&characterEncoding=UTF-8
     hikari:

apps/testnorge-statisk-data-forvalter/src/main/resources/application-prod.yml

@@ -1,16 +1,12 @@
 package no.nav.udistub.config;
 
-import no.nav.testnav.libs.database.config.FlywayConfiguration;
-import no.nav.testnav.libs.database.config.VaultHikariConfiguration;
 import no.nav.testnav.libs.servletcore.config.ApplicationCoreConfig;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 
 @Configuration
 @Import({
-        ApplicationCoreConfig.class,
-        FlywayConfiguration.class,
-        VaultHikariConfiguration.class
+        ApplicationCoreConfig.class
 })
 public class AppConfig {
 

apps/udi-stub/src/main/java/no/nav/udistub/config/AppConfig.java

@@ -1,4 +1,6 @@
 spring:
+  config:
+    import: "vault://"
   datasource:
     url: jdbc:postgresql://b27dbvl032.preprod.local:5432/testnav-udistub?autoReconnect=true&useSSL=false
     hikari:
@@ -23,8 +25,6 @@ spring:
         backend: postgresql/preprod-fss
         role: testnav-udistub-admin
         enabled: true
-  config:
-    import: vault://
   security:
     oauth2:
       resourceserver:

apps/udi-stub/src/main/resources/application-prod.yml

@@ -3,11 +3,10 @@ plugins {
 }
 
 dependencies {
-    api "org.springframework.cloud:spring-cloud-starter-vault-config"
-
     implementation "org.springframework.boot:spring-boot-starter-data-jpa"
+
     implementation "org.springframework.cloud:spring-cloud-vault-config-databases"
-    
+
     implementation "org.flywaydb:flyway-core"
     implementation "org.flywaydb:flyway-database-postgresql"
 }

libs/vault/build.gradle

@@ -0,0 +1,76 @@
+package no.nav.dolly.libs.vault.database;
+
+import com.zaxxer.hikari.HikariDataSource;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.flyway.FlywayConfigurationCustomizer;
+import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.cloud.vault.config.databases.VaultDatabaseProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.vault.core.VaultTemplate;
+import org.springframework.vault.core.lease.SecretLeaseContainer;
+import org.springframework.vault.core.lease.domain.RequestedSecret;
+import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
+
+@AutoConfiguration
+@ConditionalOnProperty("spring.cloud.vault.database.enabled")
+@RequiredArgsConstructor
+@EnableConfigurationProperties({
+        DataSourceProperties.class,
+        VaultDatabaseProperties.class
+})
+@Slf4j
+public class VaultDatabaseAutoConfiguration implements InitializingBean {
+
+    private final DataSourceProperties dataSourceProperties;
+
+    @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
+    private final HikariDataSource dataSource;
+
+    @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
+    private final SecretLeaseContainer container;
+
+    private final VaultDatabaseProperties vaultDatabaseProperties;
+
+    @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
+    private final VaultTemplate vault;
+
+    /**
+     * Setup a rotating lease for the database credentials in Vault.
+     * Not configurable as a bean.
+     */
+    @Override
+    public void afterPropertiesSet() {
+
+        var secret = RequestedSecret.rotating(vaultDatabaseProperties.getBackend() + "/creds/" + vaultDatabaseProperties.getRole());
+        log.info("Setup vault lease for {}", secret);
+        container
+                .addLeaseListener(
+                        event -> {
+                            log.info("Triggering on event: {}", event);
+                            if (event.getSource() == secret && event instanceof SecretLeaseCreatedEvent lease) {
+                                log.info("Rotating username/password on event: {}", event);
+                                var username = lease.getSecrets().get("username").toString();
+                                var password = lease.getSecrets().get("password").toString();
+                                dataSource.setUsername(username);
+                                dataSource.setPassword(password);
+                                if (dataSource.getHikariPoolMXBean() != null) {
+                                    dataSource.getHikariPoolMXBean().softEvictConnections();
+                                }
+
+                            }
+                        });
+        container.addRequestedSecret(secret);
+
+    }
+
+    @Bean
+    FlywayConfigurationCustomizer flywayConfigurationCustomizer() {
+        return new VaultFlywayConfigurationCustomizer(vault, dataSourceProperties, vaultDatabaseProperties);
+    }
+
+}

libs/vault/src/main/java/no/nav/dolly/libs/vault/database/VaultDatabaseAutoConfiguration.java

@@ -0,0 +1,40 @@
+package no.nav.dolly.libs.vault.database;
+
+import lombok.AccessLevel;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.flywaydb.core.api.configuration.FluentConfiguration;
+import org.springframework.boot.autoconfigure.flyway.FlywayConfigurationCustomizer;
+import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
+import org.springframework.cloud.vault.config.databases.VaultDatabaseProperties;
+import org.springframework.vault.core.VaultTemplate;
+import org.springframework.vault.support.VaultResponse;
+
+import java.util.Optional;
+
+@RequiredArgsConstructor(access = AccessLevel.PACKAGE)
+@Slf4j
+class VaultFlywayConfigurationCustomizer implements FlywayConfigurationCustomizer {
+
+    private final VaultTemplate vault;
+    private final DataSourceProperties dataSourceProperties;
+    private final VaultDatabaseProperties vaultDatabaseProperties;
+
+    @Override
+    public void customize(FluentConfiguration configuration) {
+
+        var secretPath = "%s/creds/%s".formatted(vaultDatabaseProperties.getBackend(), vaultDatabaseProperties.getRole());
+        var response = Optional
+                .of(vault.read(secretPath))
+                .map(VaultResponse::getData)
+                .orElseThrow(() -> new IllegalStateException("Could not read credentials from Vault path %s".formatted(secretPath)));
+        var username = response.get("username").toString();
+        var password = response.get("password").toString();
+        configuration
+                .dataSource(dataSourceProperties.getUrl(), username, password)
+                .initSql("SET ROLE \"%s\"".formatted(vaultDatabaseProperties.getRole()));
+        log.info("Flyway configured with credentials from Vault path {}", secretPath);
+
+    }
+
+}

libs/vault/src/main/java/no/nav/dolly/libs/vault/database/VaultFlywayConfigurationCustomizer.java

@@ -0,0 +1 @@
+no.nav.dolly.libs.vault.database.VaultDatabaseAutoConfiguration