Excessive number of calls made by spring-cloud-vault

Hi, I'm using spring-cloud-vault to retrieve secrets from HashiCorp Vault. Everything works fine, but I thought that spring-cloud-vault makes the calls only when the application starts. When I enabled debug mode, I could see that it keeps making a lot of calls and it affects the application: some of the connections get shut down and it has a huge impact on the network traffic.

Is this how it is intended to work, or is it a bug?

Here is my configuration:

spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=kv
spring.cloud.vault.token={token}
spring.cloud.vault.authentication=TOKEN
spring.cloud.vault.namespace={namespace}
spring.cloud.vault.uri={URL}
spring.cloud.vault.application-name={Application}

spring.cloud.vault.ssl.trust-store=classpath:keystore.jks
spring.cloud.vault.ssl.trust-store-password=changeit

# increased the values for testing
spring.cloud.vault.connection-timeout=1000000
spring.cloud.vault.read-timeout=1000000
spring.cloud.vault.config.order=-10

And here are my log entries:

2020-03-05 17:43:55 [main] INFO  o.h.annotations.common.Version - HCANN000001: Hibernate Commons Annotations {5.1.0.Final}
2020-03-05 17:43:58 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 17:43:58 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 17:43:59 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 17:43:59 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 17:44:09 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 17:44:09 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 17:44:09 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 17:44:09 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 17:44:19 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 17:44:19 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 17:44:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 17:44:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 17:44:30 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 17:44:30 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 17:44:30 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 17:44:30 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 17:44:37 [main] WARN  o.h.e.j.e.i.JdbcEnvironmentInitiator - HHH000342: Could not obtain connection to query metadata : IO Error: The Network Adapter could not establish the connection
2020-03-05 17:44:37 [main] WARN  o.s.b.w.s.c.AnnotationConfigServletWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException:

As you can see, it is making a lot of consecutive calls to the same URL. If it is working as intended, we should have an option to disable it or set an interval on when spring-cloud-vault should refresh those secrets.

And even when the application starts, it keeps making a lot of calls:

2020-03-05 18:09:53 [main] INFO  o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8082"]
2020-03-05 18:09:53 [main] INFO  o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8082 (http) with context path '/application'
2020-03-05 18:09:54 [main] INFO  c.e.e.t.a.w.application - Started application in 78.233 seconds (JVM running for 79.392)
2020-03-05 18:09:59 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:09:59 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 18:09:59 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 18:09:59 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 18:10:09 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:10:09 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 18:10:10 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 18:10:10 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 18:10:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:10:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 18:10:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 18:10:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 18:10:30 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:10:30 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 18:10:31 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 18:10:31 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 18:10:41 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:10:41 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 18:10:41 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 18:10:41 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - Reading to [org.springframework.vault.support.VaultResponse]
2020-03-05 18:10:51 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:10:51 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Accept=[application/json, application/*+json]
2020-03-05 18:10:52 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Response 200 OK

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

1 reaction
mp911de commented, Dec 2, 2020

Thanks a lot, @stefanocke. That’s a Spring Vault issue. I created spring-projects/spring-vault#601 to fix that issue.

0 reactions
stefanocke commented, Nov 12, 2020

@mp911de Steps to reproduce:

Download the Spring Initializer App with Spring MVC and Vault Config and unzip:

https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.3.5.RELEASE&packaging=jar&jvmVersion=11&groupId=com.example&artifactId=vault-gh391&name=vault-gh391&description=Demo project for https%3A%2F%2Fgithub.com%2Fspring-cloud%2Fspring-cloud-vault%2Fissues%2F391&packageName=com.example.vault-gh391&dependencies=cloud-starter-vault-config,web

If you need, please change from maven to gradle.

Install Vault and start Vault in dev mode: vault server -dev

Run the following script within the demo app directory. But at first, insert your Vault root token.

#!/bin/bash
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN=<!!!insert root token here!!!>

vault kv put secret/application foo=bar

export SPRING_CLOUD_VAULT_TOKEN=$VAULT_TOKEN
export SPRING_CLOUD_VAULT_URI=$VAULT_ADDR

export LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_VAULT_CORE=DEBUG

mvn spring-boot:run

Observe the log. You will see that secret/application is renewed every 10 seconds:

2020-11-12 08:15:54.501  INFO 35528 --- [           main] c.e.vaultgh391.VaultGh391Application     : Started VaultGh391Application in 4.648 seconds (JVM running for 4.945)
2020-11-12 08:16:02.461 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
2020-11-12 08:16:02.465 DEBUG 35528 --- [g-Cloud-Vault-1] o.s.v.core.lease.SecretLeaseContainer    : Secret secret/application with cache hint is qualified for renewal
2020-11-12 08:16:02.465 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Scheduling renewal for secret secret/application, with cache hint duration 0
2020-11-12 08:16:12.466 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
2020-11-12 08:16:12.470 DEBUG 35528 --- [g-Cloud-Vault-1] o.s.v.core.lease.SecretLeaseContainer    : Secret secret/application with cache hint is qualified for renewal
2020-11-12 08:16:12.470 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Scheduling renewal for secret secret/application, with cache hint duration 0
2020-11-12 08:16:22.471 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
2020-11-12 08:16:22.474 DEBUG 35528 --- [g-Cloud-Vault-1] o.s.v.core.lease.SecretLeaseContainer    : Secret secret/application with cache hint is qualified for renewal
2020-11-12 08:16:22.474 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Scheduling renewal for secret secret/application, with cache hint duration 0
2020-11-12 08:16:32.476 DEBUG 35528 --- [g-Cloud-Vault-2] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
2020-11-12 08:16:32.480 DEBUG 35528 --- [g-Cloud-Vault-2] o.s.v.core.lease.SecretLeaseContainer    : Secret secret/application with cache hint is qualified for renewal
2020-11-12 08:16:32.480 DEBUG 35528 --- [g-Cloud-Vault-2] cretLeaseContainer$LeaseRenewalScheduler : Scheduling renewal for secret secret/application, with cache hint duration 0
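
To put a number on the polling visible in the logs in this thread, the following is an added example (not part of the issue or of Spring Vault) that parses both log styles quoted above and reports the median interval between reads per secret path. The sample lines are trimmed copies of the logs above; the function names and the 60-second threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: trimmed copies of the two log styles quoted in this thread.
SAMPLE = """\
2020-03-05 18:09:59 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:09:59 [Spring-Cloud-Vault-2] DEBUG o.s.web.client.RestTemplate - Response 200 OK
2020-03-05 18:10:09 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-03-05 18:10:20 [Spring-Cloud-Vault-1] DEBUG o.s.web.client.RestTemplate - HTTP GET https://vault:443/v1/kv/data/secrets
2020-11-12 08:16:02.461 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
2020-11-12 08:16:12.466 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
2020-11-12 08:16:22.471 DEBUG 35528 --- [g-Cloud-Vault-1] cretLeaseContainer$LeaseRenewalScheduler : Renewing secret without lease secret/application
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)?)"
# One pattern per log style; each captures the timestamp and the secret read.
EVENTS = [
    re.compile(TS + r".*RestTemplate - HTTP GET (?P<target>\S+)"),
    re.compile(TS + r".*Renewing secret without lease (?P<target>\S+)"),
]

def parse_ts(text):
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(text, fmt)

def polling_report(log_text, max_interval=60.0):
    """Return {target: (reads, median_gap_seconds)} for every target whose
    median gap between reads is at most max_interval (assumed threshold)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        for pattern in EVENTS:
            m = pattern.match(line)
            if m:
                seen[m["target"]].append(parse_ts(m["ts"]))
                break
    report = {}
    for target, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and median(gaps) <= max_interval:
            report[target] = (len(stamps), round(median(gaps), 1))
    return report

if __name__ == "__main__":
    for target, (reads, gap) in polling_report(SAMPLE).items():
        print(f"{target}: {reads} reads, median gap {gap}s")
```
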
