My spring boot application is running in a docker environment. It is managed by docker swarm.
I am trying to restrict some of the api to certain apis but the spring security is receiving private ip address instead of public.
I want the application to recieve the public address for the request so that I can use spring security to restrict access apis to certain apis.
If this is not possbile is there another solution to this?
Related
Problem
Trying to use Spring boot admin to do a deep monitoring of spring boot micro services running in Kubernetes.
Spring boot admin listing the micro services but pointing to the internal IPs.
Spring boot admin application listing page showing the internal IP
The application details page has almost zero info
Details
Kubernetes 1.15
Spring boot applications are getting discovered by Spring boot admin using Spring cloud discovery
spring-cloud-kubernetes version 1.1.0.RELEASE
The problem is that the IPs are of internal pod network and would not be accessible to the users in any real world scenario.
Any hints on how to approach this scenario ? Any alternatives ?
Also I was wondering how spring boot admin would behave in case of pods with more than one replica. I think it is close to impossible to point to a unique pod replica through ingress or node port.
Hack I am working on
If I can start another pod which exposes the Linux desktop to the end user. From a browser of this desktop, user may be able to access the pod network ips. It is just a wild thought as a hack.
Spring Boot Admin register each application/client based on its name by below property.
spring.boot.admin.client.instance.name=${spring.application.name}
If all your pods have same name it can register based on individual ips by enabling perfer-ip property (which is false by default):
spring.boot.admin.client.instance.prefer-ip=true
In your case, you want to SBA to register based on the Kubernetes load balanced url, then service-base-url property should be set the corresponding application's url.
spring.boot.admin.client.instance.service-base-url=http://myapp.com
I am setting up the Spring-boot microservices with the cluster bi-direction Pivotal cloud cache.
I have set up the bi-directional cluster in Pivotal Cloud, I have a list of locators with ports.
I have already some online docs.
https://github.com/pivotal-cf/PCC-Sample-App-PizzaStore
But couldn't understand the on which configuration the spring boot app will know to connect.
I am looking for some tutorial or some reference where I can have spring boot app linked up with the PCC(gemfire)
The way you configure a app running in PCF (Pivotal Cloud Foundry) to talk to a PCC (Pivotal Cloud Cache) service instance is by binding the app to that service instance. You can bind it either by running the cf bind command or by adding the service name in the app`s manifest.yml, something like the below
path: build/libs/cloudcache-pizza-store-1.0.0-SNAPSHOT.jar
services:
- dev-service-instance
I hope you are using Spring Boot for Apache Geode & Pivotal GemFire (SBDG) in your app, if not I recommend you to use it as it makes connecting to PCC service instance extremely easy. SBDG has the logic to extract credentials, hostname:ports needed to connect to a service instance.
You as a app developer just need to
Create the service instance.
Bind your app to the service instance.
The boilerplate code for configuring credentials, hostnames, ips are handled by SBDG.
When you deploy an application in Cloud Foundry, (or Pivotal Cloud), you need to bind it to one or more services. Service details are then automatically exposed to the app via the VCAP_SERVICES environment variable. In the case of PCC this will include the name and port of the locator. By adding the spring-geode-starter (or spring-gemfire-starter) jar to the application it will automatically process the VCAP_SERVICES value and extract the necessary endpoint information in order to connect to the cluster.
Furthermore, if security is enabled on your PCC instance, you will also need to have created a service key. As with the locator details, the necessary credentials will be exposed via VCAP_SERVICES and the starter jar will automatically process and configure them.
I have integrated my Spring boot application with spring cloud aws secrets manager config and it's working. Now, i want the application to use Secrets Manager VPC endpoint instead of public endpoint. How can i do that?
I am not familiar with Spring boot, however, I suspect there should be no changes to your Spring boot config.
When you add a VPC endpoint, you have the option to use "Private DNS". What this does is changes DNS within the VPC so that all requests for the Secrets Manager endpoint use the VPC endpoint address. This makes the change transparent to your application.
Just turn on VPC endpoints with private DNS and you should be good to go.
Is there a way I can define the port for the management URLs (not the management.server.port) so that spring boot admin can identify the actuator URLs from the spring boot app for monitoring?
I'm running the spring boot app in a docker container and it's externally exposed on a different port using the Kubernetes NodePort.
If you are using service discovery for application lookup you could define the exposed management port in instance metadata. This metadata is used to build up the management URL.
More details documented here:
http://codecentric.github.io/spring-boot-admin/current/#spring-cloud-discovery-support
Handling is done in de.codecentric.boot.admin.server.cloud.discovery.DefaultServiceInstanceConverter
Example for Eureka:
eureka.instance.metadata-map.management.port=[K8S-EXPOSED-PORT]
If you are using Service Discovery, take a look into DefaultServiceInstanceConverter, try specifying the management.port property.
If you are not using Service Discovery, then take a look into de.codecentric.boot.admin.server.domain.values.Registration, you might need to use the builder apis to register your application correctly (try to set managementUrl properly). Note, you will need to do this in your client application (the one which is being monitored).
I am developing a microservice, using Spring Boot, that exposes REST Endpoint. Because of scalability, I have to run multiple instances of this services on a different port. What will be the configurations for the applications so that it can register with eureka and requests are load balanced? I am using Spring cloud config, Eureka server and zuul.
Attaching following entries in the client properties file will do the trick. This is for Spring cloud config dalston
eureka.instance.instanceId=${spring.application.name}:${spring.application.instance_id:${random.value}}
I guess you meant to register with Eureka instead of Config server.
To register multiple instances that might be running in the same host but listening on a different port you would need to set eureka.instance.metadataMap.instanceId to a unique value maybe using:
eureka.instance.metadataMap.instanceId=${spring.application.name}:${random.int}