I have a Spring Boot application which runs in different environments (dev, qa, prod). In order to generate immutable builds which can run on all environments without any modification, I have packaged the environment-specific configuration files into the generated jar itself. But this creates another problem of exposing production database credentials to the development team too. I could use an external config server, but that's overkill for me for now.
How can I manage these configuration files to avoid this information leak and still have immutable builds to support CI/CD?
For data leakage, it's advisable to encrypt the username/password the application uses to connect to the database with jasypt:
https://github.com/ulisesbocchio/jasypt-spring-boot
The password for the decryption has to be on the machine, though, so that should already be there, secured as much as possible (e.g. a different user, or https://github.com/certnanny/KeyNanny).
I wouldn't put the configuration in the jar file, though. It's not part of the application logic, it's part of the deployment process, and the deployer should be able to add new machines easily. If you use Docker, it's different, of course.
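An added example of the approach the answer describes (this is my own illustration, not code from the answer or from the jasypt-spring-boot project): a small tool that turns a plaintext database password into the `ENC(...)` token that jasypt-spring-boot decrypts at runtime, and round-trips it before you paste it into a properties file. It assumes plain jasypt 1.9.3 (`org.jasypt:jasypt`) on the classpath and configures the encryptor with the same algorithm, iteration count, salt/IV generators and output type that jasypt-spring-boot 3.x uses by default, so the token decrypts unchanged in the application. The master password is read from the hypothetical environment variable `JASYPT_ENCRYPTOR_PASSWORD` and the plaintext from stdin, so neither appears in `ps` output or shell history.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.salt.RandomSaltGenerator;

/**
 * Added example, not part of the original answer or of jasypt-spring-boot.
 * Produces ENC(...) tokens for application-<env>.properties so the build
 * stays immutable while the plaintext credentials never enter the jar.
 */
public final class EncryptDbPassword {

    /**
     * Mirrors the jasypt-spring-boot 3.x defaults (assumption: you run that
     * version; 2.x defaulted to PBEWithMD5AndDES, so set the algorithm there
     * explicitly) so that what we encrypt here decrypts at runtime.
     */
    static StandardPBEStringEncryptor newEncryptor(String masterPassword) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(masterPassword);
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        enc.setKeyObtentionIterations(1000);
        enc.setSaltGenerator(new RandomSaltGenerator()); // fresh salt per call
        enc.setIvGenerator(new RandomIvGenerator());     // AES needs a random IV
        enc.setStringOutputType("base64");
        return enc;
    }

    /** Wraps the ciphertext in the ENC(...) marker jasypt-spring-boot looks for. */
    static String toPropertyValue(String plaintext, String masterPassword) {
        return "ENC(" + newEncryptor(masterPassword).encrypt(plaintext) + ")";
    }

    /** Inverse of toPropertyValue; used here only to verify the token before use. */
    static String fromPropertyValue(String token, String masterPassword) {
        if (!token.startsWith("ENC(") || !token.endsWith(")")) {
            throw new IllegalArgumentException("not an ENC(...) token: " + token);
        }
        String ciphertext = token.substring(4, token.length() - 1);
        return newEncryptor(masterPassword).decrypt(ciphertext);
    }

    public static void main(String[] args) throws IOException {
        // Master password from the environment, never from argv (hypothetical
        // variable name; jasypt-spring-boot maps it to jasypt.encryptor.password
        // through Spring's relaxed binding).
        String master = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (master == null || master.isEmpty()) {
            System.err.println("set JASYPT_ENCRYPTOR_PASSWORD first");
            System.exit(2);
        }

        // Plaintext from stdin so it is not in the process list either.
        BufferedReader in = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8));
        String plaintext = in.readLine();
        if (plaintext == null || plaintext.isEmpty()) {
            System.err.println("pipe the plaintext password on stdin");
            System.exit(2);
        }

        String token = toPropertyValue(plaintext, master);

        // Random salt and IV mean two runs give different tokens; the round
        // trip is the only sensible check before committing the value.
        if (!plaintext.equals(fromPropertyValue(token, master))) {
            throw new IllegalStateException("round-trip failed");
        }
        System.out.println("spring.datasource.password=" + token);
    }
}
```

Usage: `printf '%s' 's3cret' | JASYPT_ENCRYPTOR_PASSWORD=... java EncryptDbPassword` prints a line you can drop into `application-prod.properties`; at runtime the `jasypt-spring-boot-starter` dependency resolves `ENC(...)` values as long as the same master password is present as `jasypt.encryptor.password` (for example via `JASYPT_ENCRYPTOR_PASSWORD` on the production host only). The token then protects the credential only against someone who has the jar but not that master password, which is why the answer's point about keeping the master password on the machine under a separate user (or in a tool like KeyNanny) matters: whoever can read the environment of the running service can decrypt everything.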