hyness / spring-cloud-config-server Goto Github PK

Setting the environment property SPRING_SECURITY_USER_PASSWORD is not working! While using GCP Cloud Run and Secrets.

Example:

docker run -it -p 8888:8888
-e SPRING_PROFILES_ACTIVE=security
-e SPRING_SECURITY_USER_NAME=myuser
-e SPRING_SECURITY_USER_PASSWORD=
hyness/spring-cloud-config-server

Version 3.1.0-jdk11

it took me a couple of days to find out that since the use of the Cloud Native buildpacks the .ssh directory is under /home/cnb/.ssh
docker run --rm --name=test -it -p 8888:8888 -v $HOME/.ssh:/home/cnb/.ssh hyness/spring-cloud-config-server [email protected]:user/private-github-repo.git --spring.cloud.config.server.git.default-label=main

It might be useful to add this to the documentation or a wiki page. Posting this to save people tons of time.

Originally posted by @fennekit in #60 (comment)

Create a workflow that verifies that changes do not introduce regressions

It appears the new entrypoint.sh script isn't working as expected. After pulling the container, java fails to startup:

$ docker run --rm -it hyness/spring-cloud-config-server
Error: Could not find or load main class

Checking out the additions of entrypoint.sh, it looks like quoting "${JAVA_OPTS}" causes the issue. When I remove the quotes from that script inside the container, and re-run it, the script seems to work:

# cat /opt/spring-cloud-config-server/entrypoint.sh
#!/bin/sh

java ${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom -jar \
/opt/spring-cloud-config-server/target/spring-cloud-config-server.jar --server.port=8888 \
--spring.config.name=application "$@"

# sh /opt/spring-cloud-config-server/entrypoint.sh

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.2.2.RELEASE)

2020-01-31 21:01:39.091  INFO 414 --- [           main] o.s.c.c.server.ConfigServerApplication   : No active profile set, falling back to default profiles: default
2020-01-31 21:01:40.468  INFO 414 --- [           main] o.s.cloud.context.scope.GenericScope     : BeanFactory id=e6ccd91b-1415-353c-a35a-5b63eb34d5d7
...

Hi,
I have just a very short question: are there any plans to provide the docker image with preconfigured AWSS3 as Configuration Storage?
That would be really great.
Best regards
Marco

I try to mount a local config dir without using a git repo ...

in my docker-compose.yaml:

configserver:
    image: hyness/spring-cloud-config-server:1.3.0.RELEASE
    ports:
      - "8888:8888"
    volumes:
      - ./configuration:/config

I would have expected, that the configserver uses the yaml files I have in that folder.

But instead I get:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[org.springframework.boot.actuate.autoconfigure.EndpointAutoConfiguration$$EnhancerBySpringCGLIB$$8e9f1d35]: Constructor threw exception; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'configServerHealthIndicator' defined in class path resource 
[org/springframework/cloud/config/server/config/EnvironmentRepositoryConfiguration.class]: 
Unsatisfied dependency expressed through method 'configServerHealthIndicator' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.cloud.config.server.config.CompositeConfiguration': 
Unsatisfied dependency expressed through method 'setEnvironmentRepos' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultEnvironmentRepository' defined in class path resource 
[org/springframework/cloud/config/server/config/EnvironmentRepositoryConfiguration$DefaultRepositoryConfiguration.class]: Invocation of init method failed; nested exception is 
java.lang.IllegalStateException: **You need to configure a uri for the git repository**

Hi,
I see that end points encrpt/decrypt wont work, is JCE not setup yet?

Hi, currently trying to debug my configuration and make sure files are passed over. We also made some changes to this to run a configentry.sh script to move our settings into a docker file built on top of this. However, looks like the image no longer contains an executable we can do (used to be /bin/sh it looks like).

It seems I can only get the environment variables to work for a GIT configuration. It keeps claiming my application.yml file is invalid. The same file use to work in the 2.2.2 release.

I would love to mount a different banner.txt when the config server starts. should be possible by defining a volume mount.

I am trying to use the docker image with a private GitHub repository and get the following error (see below). If I use a a public repository works fine, but as soon as it is private and i use the token I get the following error. The token should allow access and does via the command line. Yet it fails when run in the image.

I have two factor authentication on if that help. I also tried using my username and password, still same issue.

Would appreciate any help. I am trying to setup a single Java application to use with Cloud Config, but I would primarily end up using it with Python applications. So my Java knowledge is limited.

org.eclipse.jgit.api.errors.TransportException: https://[email protected]/devsetgo/myfiles.git: Authentication is required but no CredentialsProvider has been registered

jvmTarget is hardcoded to 11 in gradle.properties

I would like to see if there is a support available for git clone via ssh.
Below is the command used to bring up the container
docker run -it -p 8888:8888 \ -e SPRING_CLOUD_CONFIG_SERVER_GIT_URI=sssh://[email protected]/AppConfig.git \ docker pull hyness/spring-cloud-config-server

Hitting config server url gives me the below

There was an unexpected error (type=Not Found, status=404).
Cannot clone or checkout repository: ssh://[email protected]/AppConfig.git

Is it possible to update log4j so spring cloud server is not vulnerable?

Thanks a lot for creating & maintaining this project!

It would be great if we could enable metrics endpoints for integrations with monitoring tools like Prometheus.

My use case is that I want to monitor the Spring Cloud Config Server with Prometheus. For that I need to expose /actuator/prometheus.

Right now I'm able to set management.endpoints.web.exposure.include=health,info,metrics which exposes /actuator/metrics. However, I need the /actuator/prometheus endpoint which exposes metrics in a custom format.

I think 2 changes would be required here:

1. include the micrometer-registry-prometheus in the application artifact
2. document the fact that users can now set management.endpoints.web.exposure.include=prometheus to enable Prometheus metrics

What do you think?

Hi,

After installing the config server I tried fetching a plain text file as:

$ wget http://config-server/*/mz/develop/filename.xml

I see the following error in config server logs:

herServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.cloud.config.se
rver.environment.FailedToConstructEnvironmentException: Could not construct context for config=* profile=mz label= includeOrigin=false;
 nested exception is java.lang.IllegalStateException: Config name '*' cannot contain wildcards] with root cause

As per documentation the above should work. When I give some random text instead of '*', it works:

$ wget http://config-server/xyz/mz/develop/filename.xml

Not sure why it is not allowing wildcards.

Hello, we had some issues on AWS authentication, trying to clone the repository using an IAM role.
Actually the spring cloud config server provide the following ways to authenticate to AWS (the authentication will be taken by the following order):

1- Java System Properties - aws.accessKeyId and aws.secretAccessKey
2- Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
3 - Web Identity Token credentials from system properties or environment variables
4 - Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
5 - Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment 6 6 - variable is set and security manager has permission to access the variable,
7 - Instance profile credentials delivered through the Amazon EC2 metadata service

(You can find this information in the following link: AWS SDK for Java )

These ways of authentication are not available on the current image.
We would need that because we cannot read the credentials assumed by the pod, only passing it manually via ENV VAR and we need the new version of AWS SDK with support to IAM role anywhere. Based on that we would like to ask an update on AWS SDK to a version above 2.10.

Thanks in advance!

We have configured AWS ECS without ELB & mentioned spring uri as bitbucket ssh url

when i invoke the properties using https i'm getting error like below

ttps://localhost:8888/api/test
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

could you please help me

We run a github appliance which listens on https. In order to access it from the config server it's necessary to provider a truststore containing the git server's tls certificate , ow:

org.eclipse.jgit.api.errors.TransportException: https://xxx/Development/spring-config-server-test.git: Secure connection to https://xxx/Development/spring-config-server-test.git could not be established because of SSL problems
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Secondly - I am using the jwilder/nginx-proxy image to listen on https and provide basic authentication. I read the other comment about basic authentication as not being your wish to support. However any thoughts about enabling https support so I can forgo a proxy?

To make this work the following needs to be added to the java command line: -Djavax.net.ssl.trustStore= and -Djavax.net.ssl.keyStore= and access to the cert stores.

Any thoughts about enabling this?

When running the cloud config server this error is presented on startup. Looks like some compilation had 11 as the target, cant see how though...

`Picked up JAVA_TOOL_OPTIONS: -Djava.security.properties=/layers/paketo-buildpacks_bellsoft-liberica/java-security-properties/java-security.properties -XX:+ExitOnOutOfMemoryError -XX:ActiveProcessorCount=8 -XX:MaxDirectMemorySize=10M -Xmx18355449K -XX:MaxMetaspaceSize=160518K -XX:ReservedCodeCacheSize=240M -Xss1M -XX:+UnlockDiagnosticVMOptions -XX:NativeMemoryTracking=summary -XX:+PrintNMTStatistics -Dorg.springframework.cloud.bindings.boot.enable=true
Exception in thread "main" java.lang.UnsupportedClassVersionError: org/freshlegacycode/cloud/config/server/ConfigServerApplicationKt has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:473)
at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:135)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)

Native Memory Tracking:`

Hi team,
does this image support gitlab instead of a local repository? can I set http proxy or https proxy for git?

Thanks,
Jeven

I've been running images over the last 2 days hyness/spring-cloud-config-server:jdk11. I'm adding an application.yml inside the image. Sometimes the image runs fine, sometimes not. The reported error is:

***************************
APPLICATION FAILED TO START
***************************

Description:

Invalid config server configuration.

The application.yml file is not changing between when the image runs and when it doesn't.

I've done a diff between the the image that works and one that doesn't and I can see these changes in \opt\spring-cloud-config-server\entrypoint.sh.

-java -cp /opt/spring-cloud-config-server ${JAVA_OPTS} org.springframework.boot.loader.JarLauncher \
+java ${JAVA_OPTS} org.springframework.boot.loader.JarLauncher \

I suspect that different images are being tagged with jdk11 as I can see there is some development underway in this project. Would that be the case?

Thanks in advance, and great work on this project by the way!

Hi,

While running as a docker image as below it, works fine.

docker run -it -p 8888:8888 \
    -v /etc/springboot_configs/application.yaml:/config/application.yaml \
      hyness/spring-cloud-config-server:3.0.5

Invoking this command works and it fetches the values from the git.
curl http://localhost:8888/spboot-sink/gcpnpr

Now, I am trying to run this container to run as a cloud run service, and the application.yaml is provided as a secret and expected to work as a volume in the cloud run.

Here is how, I am running the cloud run command:

gcloud run deploy spring-cloud-config-server \
--image=us-west1-docker.pkg.dev/gcp-demo-prj/testrepo/spring-cloud-config-server@sha256:xxxxxxx \
--vpc-connector=projects/gcp-demo-prj/locations/us-west1/connectors/serverless-connector \
--allow-unauthenticated \
--port=8888 \
[email protected] \
--memory=1Gi \
--min-instances=1 \
--max-instances=2 \
--set-secrets=/config/application.yaml=configserver:latest \
--region=us-west1 \
--project=gcp-demo-prj

However it does not work. The the service running fine, I am not able to fetch the details from the git.

Appreciate any help on this.

Using placeholders in a customized banner.txt file does not work anymore in the 2.2.3 release. I use ${application.version}. It did work in the 2.2.2 release. The other static banner changes do display, so I know the path is correct.

https://docs.spring.io/spring-boot/docs/2.1.11.BUILD-SNAPSHOT/reference/html/boot-features-spring-application.html#boot-features-banner

Hi there,
I know the config server requires the settings... Can you add the steps to configure the server? As you did not expose any volumes, I wonder how you are using this...

thanks

I have been using this this compose file locally without issue. I have deployed it to an Ubuntu VM in Azure but every time I docker-compose up, It throws an error starting up stating:
Caused by: java.lang.OutOfMemoryError: Java heap space at com.jcraft.jsch.KeyPairRSA.parse(KeyPairRSA.java:223) ~[jsch-0.1.54.jar!/:na] at com.jcraft.jsch.KeyPair.load(KeyPair.java:943) ~[jsch-0.1.54.jar!/:na] at org.springframework.cloud.config.server.ssh.PrivateKeyValidator.isPrivateKeyFormatCorrect(PrivateKeyValidator.java:82) ~[spring-cloud-config-server-2.1.0.RELEASE.jar!/:2.1.0.RELEASE]

I have tried setting the JVM_OPTS environment variable in the compse file for Xmx and Xms but this does not seem to help. I have also tried VMs with both 1gb and 2gb of system memory. Nothing but this container runs on the VM.

simple run with a volume not working since 2 days ago. i can't get the files mounted.

docker run -it -p 8888:8888 -v mypath:/config -e SPRING_PROFILES_ACTIVE=native hyness/spring-cloud-config-server

curl http://localhost:8888/service-dev.properties will return empty
cat /config/service-dev.properties inside container will show the content of file correctly.

Discussed in #80

This is handy dockerized spring cloud config server, but I would really like to use some basic security for client accessing. Right now anybody can do requests to this setup and get everything, which might include passwords etc. (Having them encrypted in the underlying git repo obviously doesn't protect them in this use case.)

Could you add simple basic http security for clients, as touched upon briefly in http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.3.RELEASE/multi/multi__spring_cloud_config_server.html#_security ?

(@alzamabar asked the same on the docker hub page.)

Legacy builds are using the deprecated adoptopenjdk image

The git examples and CI worklow need to be updated

Current version of spring cloud config server(2.2.2.RELEASE) has a bug that header with Vault namespace isn't included into auth methods other than token. It has been already fixed and will be included into next release.

But nevertheless there is a note in spring cloud config server specification:
If you omit the X-Config-Token header and use a server property to set the authentication, the Config Server application needs an additional dependency on Spring Vault to enable the additional authentication options. See the Spring Vault Reference Guide for how to add that dependency.

So if we would like to use docker image with spring-cloud-config-server (vault backend and kubernetes authentication) the additional dependency for spring-vault-core should be added as a dependency ?

The environment variable needs to be SPRING_BANNER_LOCATION instead of BANNER_LOCATION.

The images when pulled from docker hub have a creation date of "1980-01-01T00:00:01Z".

This leads to queries as to whether this is an up-to-date image, etc.

I tried --server.port=8080 in the entrypoint.sh script and

server:
port: 8080

in the application.yml and neither changes the value displayed in the config server log output.

I am replacing a custom spring-boot config server with this centralized image. Works fine, good work. But so far, my config server was also a discovery client and registered itself on localhost:8761 ... is it possible to do so with this image as well? Or might this be supported?

I am getting this below error when trying to set SPRING_CLOUD_CONFIG_SERVER_GIT_URI to ssh://[email protected]:< my user>/<my repo>repo.git

Caused by: org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:251) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:306) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:200) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.cloneToBasedir(JGitEnvironmentRepository.java:589) ~[spring-cloud-config-server-2.1.3.RELEASE.jar!/:2.1.3.RELEASE]
	at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.initClonedRepository(JGitEnvironmentRepository.java:340) ~[spring-cloud-config-server-2.1.3.RELEASE.jar!/:2.1.3.RELEASE]
	at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.afterPropertiesSet(JGitEnvironmentRepository.java:256) ~[spring-cloud-config-server-2.1.3.RELEASE.jar!/:2.1.3.RELEASE]
	at org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentRepository.afterPropertiesSet(MultipleJGitEnvironmentRepository.java:66) ~[spring-cloud-config-server-2.1.3.RELEASE.jar!/:2.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1837) ~[spring-beans-5.1.7.RELEASE.jar!/:5.1.7.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1774) ~[spring-beans-5.1.7.RELEASE.jar!/:5.1.7.RELEASE]
	... 161 common frames omitted
Caused by: org.eclipse.jgit.errors.NoRemoteRepositoryException: ssh://[email protected]:user/repo.git
: not found.
	at org.eclipse.jgit.transport.TransportLocal$1.open(TransportLocal.java:132) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.transport.TransportBundleFile$1.open(TransportBundleFile.java:107) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.transport.Transport.open(Transport.java:553) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.transport.Transport.open(Transport.java:429) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.transport.Transport.open(Transport.java:308) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.transport.Transport.open(Transport.java:277) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:235) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
	... 169 common frames omitted

Any idea ?