The most common approach to configure your Spring Boot application is to create an application.properties|yaml
or
an application-profile.properties|yaml
file containing key-value pairs providing customization values to your
application or Spring Boot starters. Users may override these properties by specifying system properties or environment
variables.
Kubernetes provides a resource named ConfigMap to externalize the
parameters to pass to your application in the form of key-value pairs or embedded application.properties|yaml
files.
The Spring Cloud Kubernetes Config project makes Kubernetes `ConfigMap`s available
during application bootstrapping and triggers hot reloading of beans or Spring context when changes are detected on
observed `ConfigMap`s.
The default behavior is to create a ConfigMapPropertySource
based on a Kubernetes ConfigMap
which has metadata.name
of either the name of
your Spring application (as defined by its spring.application.name
property) or a custom name defined within the
bootstrap.properties
file under the following key spring.cloud.kubernetes.config.name
.
However, more advanced configuration are possible where multiple ConfigMaps can be used
This is made possible by the spring.cloud.kubernetes.config.sources
list.
For example one could define the following ConfigMaps
spring: application: name: cloud-k8s-app cloud: kubernetes: config: name: default-name namespace: default-namespace sources: # Spring Cloud Kubernetes will lookup a ConfigMap named c1 in namespace default-namespace - name: c1 # Spring Cloud Kubernetes will lookup a ConfigMap named default-name in whatever namespace n2 - namespace: n2 # Spring Cloud Kubernetes will lookup a ConfigMap named c3 in namespace n3 - namespace: n3 name: c3
In the example above, it spring.cloud.kubernetes.config.namespace
had not been set,
then the ConfigMap named c1
would be looked up in the namespace that the application runs
Any matching ConfigMap
that is found, will be processed as follows:
yaml
the content of any property named application.yaml
application.properties
The single exception to the aforementioned flow is when the ConfigMap
contains a single key that indicates
the file is a YAML or Properties file. In that case the name of the key does NOT have to be application.yaml
or
application.properties
(it can be anything) and the value of the property will be treated correctly.
This features facilitates the use case where the ConfigMap
was created using something like:
kubectl create configmap game-config --from-file=/path/to/app-config.yaml
Example:
Let’s assume that we have a Spring Boot application named demo
that uses properties to read its thread pool
configuration.
pool.size.core
pool.size.maximum
This can be externalized to config map in yaml
format:
kind: ConfigMap apiVersion: v1 metadata: name: demo data: pool.size.core: 1 pool.size.max: 16
Individual properties work fine for most cases but sometimes embedded yaml
is more convenient. In this case we will
use a single property named application.yaml
to embed our yaml
:
```yaml kind: ConfigMap apiVersion: v1 metadata: name: demo data: application.yaml: |- pool: size: core: 1 max:16
The following also works: ```yaml kind: ConfigMap apiVersion: v1 metadata: name: demo data: custom-name.yaml: |- pool: size: core: 1 max:16
Spring Boot applications can also be configured differently depending on active profiles which will be merged together
when the ConfigMap is read. It is possible to provide different property values for different profiles using an
application.properties|yaml
property, specifying profile-specific values each in their own document
(indicated by the ---
sequence) as follows:
kind: ConfigMap apiVersion: v1 metadata: name: demo data: application.yml: |- greeting: message: Say Hello to the World farewell: message: Say Goodbye --- spring: profiles: development greeting: message: Say Hello to the Developers farewell: message: Say Goodbye to the Developers --- spring: profiles: production greeting: message: Say Hello to the Ops
In the above case, the configuration loaded into your Spring Application with the development
profile will be:
greeting: message: Say Hello to the Developers farewell: message: Say Goodbye to the Developers
whereas if the production
profile is active, the configuration will be:
greeting: message: Say Hello to the Ops farewell: message: Say Goodbye
If both profiles are active, the property which appears last within the configmap will overwrite preceding values.
To tell to Spring Boot which profile
should be enabled at bootstrap, a system property can be passed to the Java
command launching your Spring Boot application using an env variable that you will define with the OpenShift
DeploymentConfig
or Kubernetes ReplicationConfig
resource file as follows:
apiVersion: v1 kind: DeploymentConfig spec: replicas: 1 ... spec: containers: - env: - name: JAVA_APP_DIR value: /deployments - name: JAVA_OPTIONS value: -Dspring.profiles.active=developer
Notes: - check the security configuration section, to access config maps from inside a pod you need to have the correct Kubernetes service accounts, roles and role bindings.
Table 3.1. Properties:
Name | Type | Default | Description |
---|---|---|---|
spring.cloud.kubernetes.config.enableApi | Boolean | true | Enable/Disable consuming ConfigMaps via APIs |
spring.cloud.kubernetes.config.enabled | Boolean | true | Enable Secrets PropertySource |
spring.cloud.kubernetes.config.name | String | ${spring.application.name} | Sets the name of ConfigMap to lookup |
spring.cloud.kubernetes.config.namespace | String | Client namespace | Sets the Kubernetes namespace where to lookup |
spring.cloud.kubernetes.config.paths | List | null | Sets the paths where ConfigMaps are mounted |
Kubernetes has the notion of [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) for storing
sensitive data such as password, OAuth tokens, etc. This project provides integration with Secrets
to make secrets
accessible by Spring Boot applications. This feature can be explicitly enabled/disabled using the spring.cloud.kubernetes.secrets.enabled
property.
The SecretsPropertySource
when enabled will lookup Kubernetes for Secrets
from the following sources:
1. reading recursively from secrets mounts
2. named after the application (as defined by spring.application.name
)
3. matching some labels
Please note that by default, consuming Secrets via API (points 2 and 3 above) is not enabled for security reasons and it is recommend that containers share secrets via mounted volumes. Otherwise proper RBAC security configurations must be provided to make sure that unauthorized access to Secrets occurs.
If the secrets are found their data is made available to the application.
Example:
Let’s assume that we have a spring boot application named demo
that uses properties to read its database
configuration. We can create a Kubernetes secret using the following command:
oc create secret generic db-secret --from-literal=username=user --from-literal=password=p455w0rd
This would create the following secret (shown using oc get secrets db-secret -o yaml
):
apiVersion: v1 data: password: cDQ1NXcwcmQ= username: dXNlcg== kind: Secret metadata: creationTimestamp: 2017-07-04T09:15:57Z name: db-secret namespace: default resourceVersion: "357496" selfLink: /api/v1/namespaces/default/secrets/db-secret uid: 63c89263-6099-11e7-b3da-76d6186905a8 type: Opaque
Note that the data contains Base64-encoded versions of the literal provided by the create command.
This secret can then be used by your application for example by exporting the secret’s value as environment variables:
apiVersion: v1 kind: Deployment metadata: name: ${project.artifactId} spec: template: spec: containers: - env: - name: DB_USERNAME valueFrom: secretKeyRef: name: db-secret key: username - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password
You can select the Secrets to consume in a number of ways:
By listing the directories where secrets are mapped:
`
-Dspring.cloud.kubernetes.secrets.paths=/etc/secrets/db-secret,etc/secrets/postgresql
`
If you have all the secrets mapped to a common root, you can set them like:
``` -Dspring.cloud.kubernetes.secrets.paths=/etc/secrets ```
`
-Dspring.cloud.kubernetes.secrets.name=db-secret
``
-Dspring.cloud.kubernetes.secrets.labels.broker=activemq
-Dspring.cloud.kubernetes.secrets.labels.db=postgresql
`Table 3.2. Properties:
Name | Type | Default | Description |
---|---|---|---|
spring.cloud.kubernetes.secrets.enableApi | Boolean | false | Enable/Disable consuming secrets via APIs (examples 2 and 3) |
spring.cloud.kubernetes.secrets.enabled | Boolean | true | Enable Secrets PropertySource |
spring.cloud.kubernetes.secrets.name | String | ${spring.application.name} | Sets the name of the secret to lookup |
spring.cloud.kubernetes.secrets.namespace | String | Client namespace | Sets the Kubernetes namespace where to lookup |
spring.cloud.kubernetes.secrets.labels | Map | null | Sets the labels used to lookup secrets |
spring.cloud.kubernetes.secrets.paths | List | null | Sets the paths where secrets are mounted (example 1) |
Notes:
- The property spring.cloud.kubernetes.secrets.labels
behaves as defined by
Map-based binding.
- The property spring.cloud.kubernetes.secrets.paths
behaves as defined by
Collection-based binding.
- Access to secrets via API may be restricted for security reasons, the preferred way is to mount secret to the POD.
Example of application using secrets (though it hasn’t been updated to use the new spring-cloud-kubernetes
project):
spring-boot-camel-config
Some applications may need to detect changes on external property sources and update their internal status to reflect the new configuration.
The reload feature of Spring Cloud Kubernetes is able to trigger an application reload when a related ConfigMap
or
Secret
changes.
This feature is disabled by default and can be enabled using the configuration property spring.cloud.kubernetes.reload.enabled=true
(eg. in the application.properties file).
The following levels of reload are supported (property spring.cloud.kubernetes.reload.strategy
):
- refresh
(default): only configuration beans annotated with @ConfigurationProperties
or @RefreshScope
are reloaded.
This reload level leverages the refresh feature of Spring Cloud Context.
- restart_context
: the whole Spring ApplicationContext is gracefully restarted. Beans are recreated with the new configuration.
- shutdown
: the Spring ApplicationContext is shut down to activate a restart of the container.
When using this level, make sure that the lifecycle of all non-daemon threads is bound to the ApplicationContext
and that a replication controller or replica set is configured to restart the pod.
Example:
Assuming that the reload feature is enabled with default settings (refresh
mode), the following bean will be refreshed when the config map changes:
@Configuration @ConfigurationProperties(prefix = "bean") public class MyConfig { private String message = "a message that can be changed live"; // getter and setters }
A way to see that changes effectively happen is creating another bean that prints the message periodically.
@Component public class MyBean { @Autowired private MyConfig config; @Scheduled(fixedDelay = 5000) public void hello() { System.out.println("The message is: " + config.getMessage()); } }
The message printed by the application can be changed using a ConfigMap
as follows:
apiVersion: v1 kind: ConfigMap metadata: name: reload-example data: application.properties: |- bean.message=Hello World!
Any change to the property named bean.message
in the ConfigMap
associated to the pod will be reflected in the
output. More generally speaking, changes associated to properties prefixed with the value defined by the prefix
field of the @ConfigurationProperties
annotation will be detected and reflected in the application.
[Associating a ConfigMap
to a pod](#configmap-propertysource) is explained above.
The full example is available in [spring-cloud-kubernetes-reload-example](spring-cloud-kubernetes-examples/kubernetes-reload-example).
The reload feature supports two operating modes:
- event (default): watches for changes in config maps or secrets using the Kubernetes API (web socket).
Any event will produce a re-check on the configuration and a reload in case of changes.
The view
role on the service account is required in order to listen for config map changes. A higher level role (eg. edit
) is required for secrets
(secrets are not monitored by default).
- polling: re-creates the configuration periodically from config maps and secrets to see if it has changed.
The polling period can be configured using the property spring.cloud.kubernetes.reload.period
and defaults to 15 seconds.
It requires the same role as the monitored property source.
This means, for example, that using polling on file mounted secret sources does not require particular privileges.
Table 3.3. Properties:
Name | Type | Default | Description |
---|---|---|---|
spring.cloud.kubernetes.reload.period | Long | 15000 | The period in milliseconds for verifying changes when using the polling strategy |
spring.cloud.kubernetes.reload.enabled | Boolean | false | Enables monitoring of property sources and configuration reload |
spring.cloud.kubernetes.reload.monitoring-config-maps | Boolean | true | Allow monitoring changes in config maps |
spring.cloud.kubernetes.reload.monitoring-secrets | Boolean | false | Allow monitoring changes in secrets |
spring.cloud.kubernetes.reload.strategy | Enum | refresh | The strategy to use when firing a reload (refresh, restart_context, shutdown) |
spring.cloud.kubernetes.reload.mode | Enum | event | Specifies how to listen for changes in property sources (event, polling) |
Notes: - Properties under spring.cloud.kubernetes.reload. should not be used in config maps or secrets: changing such properties at runtime may lead to unexpected results; - Deleting a property or the whole config map does not restore the original state of the beans when using the refresh level.