
I am trying to deploy the Spring Cloud Data Flow Server to an enterprise Pivotal Cloud Foundry instance using an application manifest.yml.

My first concern is externalizing the SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_USERNAME and SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_PASSWORD properties from the manifest so I'm not storing them in plain text in version control. Is there a best practice to accomplish that? Where does that fit into the workflow of deploying a Data Flow Server and associated Streams/Tasks? My initial idea is to create a new Cloud Foundry user for the Data Flow Server that can deploy applications to the org/space I am using, then potentially use Spring Cloud Config to inject the credentials into the env. Is that a typical solution?

My second concern is requiring TLS/HTTPS for all of the Data Flow Server's web endpoints. I again attempted to omit the properties concerning the key store locations from the manifest in the SPRING_APPLICATION_JSON env entry, but that again caused initialization to fail. Does the Cloud Foundry Java buildpack have a standard location for those certificate stores, or is that specific to my Cloud Foundry instance? I also want to redirect all HTTP requests to HTTPS. Do I need to create a custom build of the Cloud Foundry Data Flow Server to do that?

Thanks for any help.

UPDATE:

Based on other SO posts, I have now resolved that I do not need to enable HTTPS/TLS from the Data Flow Server config in its embedded Tomcat server because it is sitting behind Cloud Foundry's proxy. However, I cannot see a way to require and redirect to HTTPS endpoints other than creating a customized build of the Data Flow Server for Cloud Foundry with the proper configuration.


You can refer to the documentation for this here.

Ilayaperumal Gopinathan

The Security section from the docs linked in the previous answer should be useful. I'll attempt to reply to a few specific questions.

> I'm not storing them in plain text in version control

A few of our customers use Config-Server + Vault integration for encrypted password credentials.

> My initial idea is to create a new Cloud Foundry user for the Data Flow Server that can deploy applications to the org/space I am using, then potentially use Spring Cloud Config to inject the credentials into the env. Is that a typical solution?

This whole experience will be automated with an e2e OAuth/SSO workflow with Spring Cloud Data Flow's tile, which will be available as a BETA tile by this month. There won't be any clear-text passwords - everything will be OAuth token driven, and the service-broker will control the lifecycle of SCDF's service-instance. Please reach out to your PCF account rep and we would gladly add you to the BETA program.

Sabby Anandan
  • Apparently that whole section on Authentication and Cloud Foundry UAA/SSO is missing from the [1.2.3.RELEASE reference](https://docs.spring.io/spring-cloud-dataflow-server-cloudfoundry/docs/1.2.3.RELEASE/reference/htmlsingle/#getting-started-security-cloud-foundry), which is the document I've been reading. That information sure would have been helpful. It's in the [1.2.2.RELEASE reference](https://docs.spring.io/spring-cloud-dataflow-server-cloudfoundry/docs/1.2.2.RELEASE/reference/htmlsingle/#getting-started-security), as well as the current snapshot reference. – Robert St. John Sep 07 '17 at 14:15
  • Thanks for the feedback! We discovered that recently, too, and it has been addressed in the master/snapshot. We will cut a new release to fix this asap. – Sabby Anandan Sep 07 '17 at 15:06
  • Just for clarification, are you saying that I should create a separate PCF user account for the Data Flow Server to use for deploying stream and task applications, and provide that user name and password to the Data Flow Server configuration from Spring Cloud Config Server/Vault? – Robert St. John Sep 07 '17 at 18:57
  • What user should be used in SCDF for orchestrating pipelines is entirely up to the business requirements. I've seen other customers leveraging Vault to store the user credentials, so it is not in plain-text anymore. This security experience is what we will enhance in the SCDF-tile, which is coming soon. – Sabby Anandan Sep 07 '17 at 21:39
  • @RobertSt.John: We released [1.2.4.RELEASE](https://docs.spring.io/spring-cloud-dataflow-server-cloudfoundry/docs/1.2.4.RELEASE/reference/htmlsingle/#getting-started-security) and that should include the missing docs. – Sabby Anandan Sep 08 '17 at 14:55
  • Thank you @SabbyAnandan for your answer and letting me know about the release. Do you have any insight on the second part of my question, requiring/redirecting to HTTPS for accessing the Data Flow Server web endpoints behind a Cloud Foundry proxy? Does that require a custom build of the Cloud Foundry Data Flow Server? – Robert St. John Sep 08 '17 at 20:36
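As an added example (not code from the question, either answer, or the Spring Cloud Data Flow project), here is one way to act on the first concern: a POSIX shell script that writes a manifest.yml in which the two deployer credential properties are bound to cf CLI `((variable))` placeholders instead of literal values, plus a check function that fails if either SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_USERNAME or SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_PASSWORD is ever bound to a literal value, so it can run as a pre-commit or CI gate. The placeholder names, the application name and the URL/org/space values are constructed assumptions, and the script assumes a cf CLI that supports manifest variable substitution (`cf push -f manifest.yml --vars-file vars.yml`, with vars.yml kept out of the repository). If the server instead pulls these properties from Config Server backed by Vault, as the answer describes, the keys can be absent from the manifest altogether and the check still passes.

```shell
#!/bin/sh
# Added example: keep the Cloud Foundry deployer credentials out of manifest.yml
# and fail fast if a literal value is ever committed.

# write_manifest FILE: constructed sample manifest. The two credential keys are
# bound to cf CLI ((placeholders)); the placeholder names are this example's own.
write_manifest() {
  cat > "$1" <<'EOF'
---
applications:
- name: dataflow-server
  memory: 2G
  path: spring-cloud-dataflow-server-cloudfoundry.jar
  env:
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_URL: https://api.example.invalid
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_ORG: myorg
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_SPACE: myspace
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_USERNAME: ((cf_deployer_username))
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_PASSWORD: ((cf_deployer_password))
EOF
}

# check_manifest FILE: returns 0 when every credential key is absent or bound
# to a ((placeholder)); returns 1 and prints the offending line on stderr when
# a literal username or password is present.
check_manifest() {
  awk '
    BEGIN { bad = 0 }
    /SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_(USERNAME|PASSWORD)[ \t]*:/ {
      val = $0
      sub(/^[^:]*:[ \t]*/, "", val)          # keep only the value part
      if (val !~ /^\(\([A-Za-z0-9_-]+\)\)$/) {
        print "plaintext credential in manifest: " $0 > "/dev/stderr"
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Usage: generate the manifest and verify it before committing.
# The real values then come from a vars file outside version control:
#   cf push -f manifest.yml --vars-file vars.yml
MANIFEST="${MANIFEST:-manifest.yml}"
write_manifest "$MANIFEST"
check_manifest "$MANIFEST" && echo "$MANIFEST contains no plaintext deployer credentials"
```

The check deliberately treats a missing key as acceptable, because with Config Server/Vault supplying the credentials at runtime the manifest should not mention them at all; what it refuses is a key bound to anything other than a placeholder.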