2 Replies Latest reply on Mar 27, 2019 9:58 AM by boeroboy

    Secure password with HashiCorp Vault

    fredrik.jonsson

      Hi

      We are thinking about starting to use HashiCorp Vault for storing passwords to our datasources,

      Vault by HashiCorp

       

      The problem is that we can't find any documentation on how to include this in WildFly.

      Add it as part of the application code with modules and use it when needed, yes. But we are thinking about reading all values at startup and keeping them in memory.

      The reason for that is to minimize the dependency on Vault uptime and to get a failure directly if a password is not there (for any reason); instead of getting an application error maybe a few hours later, we get it immediately.

       

      1. Does anyone have any thoughts about that strategy?

      2. What is the best way to implement Vault into WildFly?

       

      This is how we think it will work:

      Store a secret in Vault

      Create a temporary token to access it, valid for e.g. 5 min

      At startup we pass that token to WildFly

      In standalone-ha.xml we point a URI to the Vault server that uses the token to get the password, e.g. to Postgres or ActiveMQ

       

       

      <drivers>
        <driver name="postgresql" module="org.postgresql">
          <driver-class>org.postgresql.Driver</driver-class>
        </driver>
      </drivers>

      <datasources>
        <datasource jndi-name="java:jboss/datasources/StenusysDemoDS" pool-name="StenusysDemoDS" enabled="true" use-java-context="true">
          <connection-url>jdbc:postgresql://localhost:5432/StenusysDemo</connection-url>
          <driver>postgresql</driver>
          <security>
            <user-name>my-postgres-user</user-name>
            <password>vault://server.com:8200/........</password>
          </security>
        </datasource>
      </datasources>

       

       

      /Regards Fredrik
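
The read-everything-at-startup, fail-immediately strategy described in the post above, as an added Java sketch that is not part of the original post and is not WildFly or Vault project code. It assumes a KV v2 secrets engine mounted at `secret/`, a field named `password`, and the hypothetical paths `datasources/postgres` and `messaging/activemq`; the class and method names are hypothetical, and it does not show wiring the cached values into the datasource subsystem.

```java
import java.net.URI;
import java.net.http.*;
import java.util.*;
import java.util.function.Function;
import java.util.regex.*;

public final class StartupSecrets {
    // Pulls "password" out of a KV v2 body without unescaping; real code should use a JSON parser.
    private static final Pattern PW = Pattern.compile("\"password\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    /** Fetches every path once; throws on the first secret that is missing or unreadable. */
    static Map<String, char[]> preload(List<String> paths, Function<String, String> fetch) {
        Map<String, char[]> cache = new HashMap<>();
        for (String path : paths) {
            String body = fetch.apply(path);          // null: not found or token not permitted
            Matcher m = body == null ? null : PW.matcher(body);
            if (m == null || !m.find())
                throw new IllegalStateException("startup aborted: no password at " + path);
            cache.put(path, m.group(1).toCharArray()); // char[] so callers can zero it after use
        }
        return cache;
    }

    /** Live fetcher: Vault KV v2 read, authenticated with the short-lived startup token. */
    static Function<String, String> vaultFetcher(String addr, String token) {
        HttpClient http = HttpClient.newHttpClient();
        return path -> {
            try {
                HttpRequest req = HttpRequest.newBuilder(URI.create(addr + "/v1/secret/data/" + path))
                        .header("X-Vault-Token", token).GET().build();
                HttpResponse<String> rsp = http.send(req, HttpResponse.BodyHandlers.ofString());
                return rsp.statusCode() == 200 ? rsp.body() : null;
            } catch (Exception e) {
                throw new IllegalStateException("Vault unreachable at startup", e);
            }
        };
    }

    public static void main(String[] args) {
        // Constructed KV v2 response standing in for a live Vault server.
        Map<String, String> fake = Map.of("datasources/postgres",
                "{\"data\":{\"data\":{\"password\":\"constructed-pw\"},\"metadata\":{\"version\":1}}}");
        System.out.println(preload(List.of("datasources/postgres"), fake::get).keySet());
        try {
            preload(List.of("datasources/postgres", "messaging/activemq"), fake::get);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());       // surfaces at boot, not at first use
        }
    }
}
```

Because the token is only used inside `preload`, a token with a lifetime of a few minutes is enough; after startup the process holds the passwords in memory and no longer depends on Vault being reachable.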