Add the full vault path to the PropertySource. (#3180)

* Add option to add the full vault path to the PropertySource.

This allows clients to use properties from multiple vault sources that
end in the same key, e.g. foo/bar/application and bar/baz/application

Signed-off-by: Tristan Stenner <ts@ppi.de>

* Adjust the return propertySource names in unit tests to the full vault path

Signed-off-by: Tristan Stenner <ts@ppi.de>

* Add fullKeyPath documentation

Signed-off-by: Tristan Stenner <ts@ppi.de>

* polishing documentation

---------

Signed-off-by: Tristan Stenner <ts@ppi.de>
Co-authored-by: Ryan Baxter <ryan.baxter@broadcom.com>

Author: tstenner

docs/modules/ROOT/pages/server/environment-repository/vault-backend.adoc

@@ -56,6 +56,9 @@ The following table describes configurable Vault properties:
 |backend
 |secret
 
+|fullKeyPath
+|false
+
 |defaultKey
 |application
 
@@ -164,6 +167,28 @@ Properties written to `secret/application` are available to <<_vault_server,all
 An application with the name, `myApp`, would have any properties written to `secret/myApp` and `secret/application` available to it.
 When `myApp` has the `dev` profile enabled, properties written to all of the above paths would be available to it, with properties in the first path in the list taking priority over the others.
 
+[[full-key-path]]
+== Disambiguating Composite Property Sources
+
+By default, the config server generates property source names based on the vault key, e.g. `vault:myApp` in the example above.
+When composite vault backends have the same vault key, the config server client will overwrite preceding property sources.
+
+With `fullKeyPath` set to `true`, the property sources will contain the full backend path,
+e.g. `vault:secret/backendA/myApp` and `vault:secret/backendB/myApp`, preventing overwriting the preceding property source.
+
+[source,yaml]
+----
+spring.cloud.config.server.composite:
+  - type: vault
+    fullKeyPath: true
+    # ...
+    backend: secret/backendA
+  - type: vault
+    fullKeyPath: true
+    # ...
+    backend: secret/backendB
+----
+
 [[enabling-serach-by-label]]
 == Enabling Search by Label
 

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/environment/AbstractVaultEnvironmentRepository.java

@@ -63,6 +63,14 @@ public abstract class AbstractVaultEnvironmentRepository implements EnvironmentR
 	 */
 	protected String defaultKey;
 
+	/**
+	 * The backend path in Vault where the secrets are stored. Used to disambiguate
+	 * multiple vault paths ending in the same key.
+	 */
+	protected String backend;
+
+	protected Boolean fullKeyPath;
+
 	/**
 	 * Vault profile separator. Defaults to comma.
 	 */
@@ -81,6 +89,8 @@ public AbstractVaultEnvironmentRepository(ObjectProvider<HttpServletRequest> req
 		this.profileSeparator = properties.getProfileSeparator();
 		this.enableLabel = properties.isEnableLabel();
 		this.defaultLabel = properties.getDefaultLabel();
+		this.backend = properties.getBackend();
+		this.fullKeyPath = properties.isFullKeyPath();
 		this.order = properties.getOrder();
 		this.request = request;
 		this.watch = watch;
@@ -100,6 +110,8 @@ public Environment findOne(String application, String profile, String label) {
 		var profiles = normalize(profile, DEFAULT_PROFILE);
 		var applications = normalize(application, this.defaultKey);
 
+		var backendPathPrefix = "vault:" + (this.fullKeyPath ? this.backend + "/" : "");
+
 		for (String prof : profiles) {
 			for (String app : applications) {
 				var key = vaultKey(app, prof, label);
@@ -112,7 +124,7 @@ public Environment findOne(String application, String profile, String label) {
 					var properties = yaml.getObject();
 
 					if (properties != null && !properties.isEmpty()) {
-						environment.add(new PropertySource("vault:" + key, properties));
+						environment.add(new PropertySource(backendPathPrefix + key, properties));
 					}
 				}
 			}

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/environment/VaultEnvironmentProperties.java

@@ -52,6 +52,9 @@ public class VaultEnvironmentProperties implements HttpEnvironmentRepositoryProp
 	/** Vault backend. Defaults to secret. */
 	private String backend = "secret";
 
+	/** Include the full key path in the PropertySource name. Defaults to false */
+	private boolean fullKeyPath = false;
+
 	/**
 	 * The key in vault shared by all applications. Defaults to application. Set to empty
 	 * to disable.
@@ -163,6 +166,14 @@ public void setBackend(String backend) {
 		this.backend = backend;
 	}
 
+	public boolean isFullKeyPath() {
+		return fullKeyPath;
+	}
+
+	public void setFullKeyPath(boolean fullKeyPath) {
+		this.fullKeyPath = fullKeyPath;
+	}
+
 	public String getDefaultKey() {
 		return this.defaultKey;
 	}

spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/vault/SpringVaultEnvironmentRepositoryTests.java

@@ -83,6 +83,23 @@ private void defaultKeyTest(String myPathKey, int version) {
 		assertThat(e.getPropertySources().get(1).getSource()).isEqualTo(Map.of("def-foo", "def-bar"));
 	}
 
+	@Test
+	public void findOneWithBackend() {
+		when(keyValueTemplate.get("myapp")).thenReturn(withVaultResponse("foo", "bar"));
+
+		var properties = new VaultEnvironmentProperties();
+		properties.setBackend("custom-path");
+		properties.setFullKeyPath(true);
+
+		var e = springVaultEnvironmentRepository(properties).findOne("myapp", null, null);
+
+		assertThat(e.getName()).isEqualTo("myapp");
+
+		assertThat(e.getPropertySources()).hasSize(1);
+		assertThat(e.getPropertySources().get(0).getName()).isEqualTo("vault:custom-path/myapp");
+		assertThat(e.getPropertySources().get(0).getSource()).isEqualTo(Map.of("foo", "bar"));
+	}
+
 	@Test
 	public void findOneWithSlashesInBackend() {
 		when(keyValueTemplate.get("myapp")).thenReturn(withVaultResponse("foo", "bar"));