Is it possible to disable security on spring cloud stream starter apps?

7/2/2018

I am playing around with Spring Cloud Data Flow. I have successfully deployed SCDF on Kubernetes using the related documentation. When registering the 1.5.x based starter apps, everything is working as expected; no further configuration of the starter apps during the deployment of a stream definition is needed.

When using the 2.x based starter apps, there are some changes introduced by the switch to Spring Boot 2.0 that need to be accommodated, e.g. the actuator endpoints changed. For reference, here are the properties that I provide during the deployment of the stream:

app.*.management.endpoints.web.exposure.include=health,info,binders
deployer.*.cpu=2
deployer.*.memory=4096
deployer.http.count=2
deployer.*.kubernetes.livenessProbePath=/actuator/health
deployer.*.kubernetes.readinessProbePath=/actuator/info

However, the readiness probe fails since the health and the info endpoints now seem to be protected by default. Therefore, the pods end up in crash loops since, from the Kubernetes perspective, they never become ready.

I worked around the situation by following the guide on patching the starter apps that my stream definition relies on (e.g. throughput sink) like this:

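import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@SpringBootApplication
@Import({org.springframework.cloud.stream.app.throughput.sink.ThroughputSinkConfiguration.class})
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    // Replaces Spring Boot's default web security configuration for this app.
    @Configuration
    protected static class ThroughputSinkSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Allow unauthenticated access to the health and info actuator endpoints
            // so that the Kubernetes probes can reach them.
            // No other authorization rule is declared here.
            http
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll();
        }

    }
}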

Is there a way to specify this kind of security configuration via flags or properties? Shouldn't such a WebSecurityConfigurerAdapter be there by default to make the health and info endpoints accessible for Kubernetes?

-- omoser
java
kubernetes
spring-boot
spring-cloud-dataflow
spring-cloud-stream

2 Answers

7/2/2018

Artem's response is very relevant. I wanted to also share a few other approaches specific to security and OOTB apps.

  1. In 1.6 SNAPSHOTs, we have recently added support via spring-cloud/spring-cloud-deployer-kubernetes#236 to plug in a basic-auth realm to interact with secured actuator endpoints. They are applicable to both liveness and readiness probes. Here's the commit/docs for your reference.

  2. If you don't really want security at all, though not recommended, you can explicitly disable the Security configuration.

dataflow:>stream create foo --definition "http | throughput"

dataflow:>stream deploy foo --properties "app.*.spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration"

(i.e., all the Apps in the foo stream definition will start with SecurityAutoConfiguration excluded)

-- Sabby Anandan
Source: StackOverflow

7/2/2018

I would suggest looking at the situation from the other angle and providing credentials from Kubernetes to get access to your secured microservice.

The problem with the current status quo is that all the resources have to be protected.

You can generate your own static password and store it in the application.properties so as not to reconfigure Kubernetes for each application restart: https://docs.spring.io/spring-boot/docs/2.0.3.RELEASE/reference/htmlsingle/#boot-features-security

-- Artem Bilan
Source: StackOverflow
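
An added example, not part of the original question or answers: a variant of the question's security configuration that opens only the health and info endpoints used by the Kubernetes probes and keeps every other request, including the exposed binders endpoint, behind HTTP Basic authentication. It assumes Spring Boot 2.0 with Spring Security 5.0 on the classpath, a hypothetical class name ProbeEndpointSecurityConfiguration, and credentials supplied through Boot's spring.security.user.name and spring.security.user.password properties.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; added example, not code from the starter apps.
@Configuration
public class ProbeEndpointSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in order: the two probe endpoints are
                // matched first and served without credentials.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Everything else (other actuator endpoints such as binders,
                // and any application endpoint) requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            // HTTP Basic lets operators and tooling authenticate with the
            // user defined by spring.security.user.name / .password.
            .httpBasic();
    }
}
```

With this in place the liveness and readiness probes from the question need no credentials, while a request to /actuator/binders without an Authorization header is rejected with 401.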