I am playing around with Spring Cloud Data Flow. I have successfully deployed SCDF on Kubernetes using the related documentation. When registering the 1.5.x based starter apps, everything is working as expected, no further configuration of the starter apps during the deployment of a stream definition is needed.
When using the 2.x based starter apps, there are some changes introduced by the switch to Spring Boot 2.0 that need to be accommodated, e.g. the actuator endpoints have changed. For reference, here are the properties that I provide during the deployment of the stream:

```properties
app.*.management.endpoints.web.exposure.include=health,info,binders
deployer.*.cpu=2
deployer.*.memory=4096
deployer.http.count=2
deployer.*.kubernetes.livenessProbePath=/actuator/health
deployer.*.kubernetes.readinessProbePath=/actuator/info
```
However, the readiness probe fails since the `health` and the `info` endpoints now seem to be protected by default. Therefore, the pods end up in crash loops since, from the Kubernetes perspective, they never become ready.

I worked around the situation by following the guide on patching the starter apps that my stream definition relies on (e.g. the `throughput` sink) like this:
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Patched throughput sink: the starter's configuration is imported as-is,
// only the web security rules are overridden.
@SpringBootApplication
@Import({org.springframework.cloud.stream.app.throughput.sink.ThroughputSinkConfiguration.class})
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    @Configuration
    protected static class ThroughputSinkSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Let the Kubernetes probes reach health and info without credentials.
            http
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll();
        }
    }
}
```
Is there a way to specify this kind of security configuration via flags or properties? Shouldn't such a `WebSecurityConfigurerAdapter` be there by default to make the `health` and `info` endpoints accessible for Kubernetes?
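A hardened variant of the adapter in the question, added here as an example (it is neither the question's code nor code from the Spring projects). In Spring Boot 2.0, declaring any `WebSecurityConfigurerAdapter` switches off Boot's default `anyRequest().authenticated()` rule, so an adapter that only declares `permitAll()` for `health` and `info` leaves every other path without an access rule. The class below keeps those two endpoints anonymous for the probes and puts the remaining actuator endpoints (such as `binders`) and every other path behind HTTP basic. `ProbeSecurityDemoApplication` and `ProbeAwareSecurityConfiguration` are hypothetical names; the `@Import` of the throughput sink configuration is the one from the question.

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical patched starter app (example code, not from the question).
@SpringBootApplication
@Import({org.springframework.cloud.stream.app.throughput.sink.ThroughputSinkConfiguration.class})
public class ProbeSecurityDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(ProbeSecurityDemoApplication.class, args);
    }

    // Declaring this adapter replaces Boot 2.0's default security rules, so
    // every path must be covered explicitly instead of relying on a default.
    @Configuration
    protected static class ProbeAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // Liveness/readiness probes call these two anonymously.
                    .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                    // Every other actuator endpoint (binders, env, ...) needs a login.
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
                    // Non-actuator paths of the app are authenticated as well.
                    .anyRequest().authenticated()
                    .and()
                // HTTP basic, so operators and tooling with credentials can still
                // reach the protected endpoints.
                .httpBasic();
        }
    }
}
```

The credentials for the protected endpoints come from Boot 2.0's default user (`spring.security.user.name` / `spring.security.user.password`) or from a `UserDetailsService` bean you define; the deployer properties from the question (`livenessProbePath=/actuator/health`, `readinessProbePath=/actuator/info`) keep working unchanged because those two paths remain anonymous.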
Artem's response is very relevant. I wanted to also share a few other approaches specific to security and OOTB apps.
In 1.6 SNAPSHOTs, we have recently added support via spring-cloud/spring-cloud-deployer-kubernetes#236 to plug in a basic-auth realm for interacting with secured actuator endpoints. It is applicable to both liveness and readiness probes. Here's the commit/docs for your reference.
If you don't really want security at all, though not recommended, you can explicitly disable the Security configuration.
```shell
dataflow:>stream create foo --definition "http | throughput"
dataflow:>stream deploy foo --properties "app.*.spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration"
```

(i.e., all the apps in the `foo` stream definition will start with `SecurityAutoConfiguration` excluded)
I would suggest looking at the situation from the other angle and providing credentials from Kubernetes to get access to your secured microservice.
The problem with the current status quo is that all the resources have to be protected.
You can generate your own static password and store it in `application.properties`, and not reconfigure Kubernetes for each application restart: https://docs.spring.io/spring-boot/docs/2.0.3.RELEASE/reference/htmlsingle/#boot-features-security