2629 lines
116 KiB
HTML
2629 lines
116 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]-->
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta name="generator" content="Asciidoctor 1.5.3">
|
|
<title>Spring Cloud Config</title>
|
|
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700">
|
|
<style>
|
|
/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */
|
|
/* Remove comment around @import statement below when using as a custom stylesheet */
|
|
/*@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700";*/
|
|
article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}
|
|
audio,canvas,video{display:inline-block}
|
|
audio:not([controls]){display:none;height:0}
|
|
[hidden],template{display:none}
|
|
script{display:none!important}
|
|
html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}
|
|
body{margin:0}
|
|
a{background:transparent}
|
|
a:focus{outline:thin dotted}
|
|
a:active,a:hover{outline:0}
|
|
h1{font-size:2em;margin:.67em 0}
|
|
abbr[title]{border-bottom:1px dotted}
|
|
b,strong{font-weight:bold}
|
|
dfn{font-style:italic}
|
|
hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}
|
|
mark{background:#ff0;color:#000}
|
|
code,kbd,pre,samp{font-family:monospace;font-size:1em}
|
|
pre{white-space:pre-wrap}
|
|
q{quotes:"\201C" "\201D" "\2018" "\2019"}
|
|
small{font-size:80%}
|
|
sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}
|
|
sup{top:-.5em}
|
|
sub{bottom:-.25em}
|
|
img{border:0}
|
|
svg:not(:root){overflow:hidden}
|
|
figure{margin:0}
|
|
fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}
|
|
legend{border:0;padding:0}
|
|
button,input,select,textarea{font-family:inherit;font-size:100%;margin:0}
|
|
button,input{line-height:normal}
|
|
button,select{text-transform:none}
|
|
button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}
|
|
button[disabled],html input[disabled]{cursor:default}
|
|
input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0}
|
|
input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}
|
|
input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}
|
|
button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}
|
|
textarea{overflow:auto;vertical-align:top}
|
|
table{border-collapse:collapse;border-spacing:0}
|
|
*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}
|
|
html,body{font-size:100%}
|
|
body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto}
|
|
a:hover{cursor:pointer}
|
|
img,object,embed{max-width:100%;height:auto}
|
|
object,embed{height:100%}
|
|
img{-ms-interpolation-mode:bicubic}
|
|
.left{float:left!important}
|
|
.right{float:right!important}
|
|
.text-left{text-align:left!important}
|
|
.text-right{text-align:right!important}
|
|
.text-center{text-align:center!important}
|
|
.text-justify{text-align:justify!important}
|
|
.hide{display:none}
|
|
body{-webkit-font-smoothing:antialiased}
|
|
img,object,svg{display:inline-block;vertical-align:middle}
|
|
textarea{height:auto;min-height:50px}
|
|
select{width:100%}
|
|
.center{margin-left:auto;margin-right:auto}
|
|
.spread{width:100%}
|
|
p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{font-size:1.21875em;line-height:1.6}
|
|
.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em}
|
|
div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr}
|
|
a{color:#2156a5;text-decoration:underline;line-height:inherit}
|
|
a:hover,a:focus{color:#1d4b8f}
|
|
a img{border:none}
|
|
p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility}
|
|
p aside{font-size:.875em;line-height:1.35;font-style:italic}
|
|
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em}
|
|
h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0}
|
|
h1{font-size:2.125em}
|
|
h2{font-size:1.6875em}
|
|
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em}
|
|
h4,h5{font-size:1.125em}
|
|
h6{font-size:1em}
|
|
hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0}
|
|
em,i{font-style:italic;line-height:inherit}
|
|
strong,b{font-weight:bold;line-height:inherit}
|
|
small{font-size:60%;line-height:inherit}
|
|
code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9)}
|
|
ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit}
|
|
ul,ol,ul.no-bullet,ol.no-bullet{margin-left:1.5em}
|
|
ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em}
|
|
ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit}
|
|
ul.square{list-style-type:square}
|
|
ul.circle{list-style-type:circle}
|
|
ul.disc{list-style-type:disc}
|
|
ul.no-bullet{list-style:none}
|
|
ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0}
|
|
dl dt{margin-bottom:.3125em;font-weight:bold}
|
|
dl dd{margin-bottom:1.25em}
|
|
abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help}
|
|
abbr{text-transform:none}
|
|
blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd}
|
|
blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)}
|
|
blockquote cite:before{content:"\2014 \0020"}
|
|
blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)}
|
|
blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)}
|
|
@media only screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2}
|
|
h1{font-size:2.75em}
|
|
h2{font-size:2.3125em}
|
|
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em}
|
|
h4{font-size:1.4375em}}
|
|
table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede}
|
|
table thead,table tfoot{background:#f7f8f7;font-weight:bold}
|
|
table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left}
|
|
table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)}
|
|
table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7}
|
|
table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6}
|
|
body{tab-size:4}
|
|
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em}
|
|
h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400}
|
|
.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:" ";display:table}
|
|
.clearfix:after,.float-group:after{clear:both}
|
|
*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;padding:.1em .5ex;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed}
|
|
pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed}
|
|
.keyseq{color:rgba(51,51,51,.8)}
|
|
kbd{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;display:inline-block;color:rgba(0,0,0,.8);font-size:.65em;line-height:1.45;background-color:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:0 .15em;padding:.2em .5em;vertical-align:middle;position:relative;top:-.1em;white-space:nowrap}
|
|
.keyseq kbd:first-child{margin-left:0}
|
|
.keyseq kbd:last-child{margin-right:0}
|
|
.menuseq,.menu{color:rgba(0,0,0,.8)}
|
|
b.button:before,b.button:after{position:relative;top:-1px;font-weight:400}
|
|
b.button:before{content:"[";padding:0 3px 0 2px}
|
|
b.button:after{content:"]";padding:0 2px 0 3px}
|
|
p a>code:hover{color:rgba(0,0,0,.9)}
|
|
#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em}
|
|
#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:" ";display:table}
|
|
#header:after,#content:after,#footnotes:after,#footer:after{clear:both}
|
|
#content{margin-top:1.25em}
|
|
#content:before{content:none}
|
|
#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
|
|
#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8}
|
|
#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #ddddd8;padding-bottom:8px}
|
|
#header .details{border-bottom:1px solid #ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap}
|
|
#header .details span:first-child{margin-left:-.125em}
|
|
#header .details span.email a{color:rgba(0,0,0,.85)}
|
|
#header .details br{display:none}
|
|
#header .details br+span:before{content:"\00a0\2013\00a0"}
|
|
#header .details br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)}
|
|
#header .details br+span#revremark:before{content:"\00a0|\00a0"}
|
|
#header #revnumber{text-transform:capitalize}
|
|
#header #revnumber:after{content:"\00a0"}
|
|
#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem}
|
|
#toc{border-bottom:1px solid #efefed;padding-bottom:.5em}
|
|
#toc>ul{margin-left:.125em}
|
|
#toc ul.sectlevel0>li>a{font-style:italic}
|
|
#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0}
|
|
#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none}
|
|
#toc li{line-height:1.3334;margin-top:.3334em}
|
|
#toc a{text-decoration:none}
|
|
#toc a:active{text-decoration:underline}
|
|
#toctitle{color:#7a2518;font-size:1.2em}
|
|
@media only screen and (min-width:768px){#toctitle{font-size:1.375em}
|
|
body.toc2{padding-left:15em;padding-right:0}
|
|
#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto}
|
|
#toc.toc2 #toctitle{margin-top:0;margin-bottom:.8rem;font-size:1.2em}
|
|
#toc.toc2>ul{font-size:.9em;margin-bottom:0}
|
|
#toc.toc2 ul ul{margin-left:0;padding-left:1em}
|
|
#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em}
|
|
body.toc2.toc-right{padding-left:0;padding-right:15em}
|
|
body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #efefed;left:auto;right:0}}
|
|
@media only screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0}
|
|
#toc.toc2{width:20em}
|
|
#toc.toc2 #toctitle{font-size:1.375em}
|
|
#toc.toc2>ul{font-size:.95em}
|
|
#toc.toc2 ul ul{padding-left:1.25em}
|
|
body.toc2.toc-right{padding-left:0;padding-right:20em}}
|
|
#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
|
|
#content #toc>:first-child{margin-top:0}
|
|
#content #toc>:last-child{margin-bottom:0}
|
|
#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em}
|
|
#footer-text{color:rgba(255,255,255,.8);line-height:1.44}
|
|
.sect1{padding-bottom:.625em}
|
|
@media only screen and (min-width:768px){.sect1{padding-bottom:1.25em}}
|
|
.sect1+.sect1{border-top:1px solid #efefed}
|
|
#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
|
|
#content h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
|
|
#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
|
|
#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}
|
|
#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221}
|
|
.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em}
|
|
.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic}
|
|
table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0}
|
|
.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{color:rgba(0,0,0,.85)}
|
|
table.tableblock #preamble>.sectionbody>.paragraph:first-of-type p{font-size:inherit}
|
|
.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%}
|
|
.admonitionblock>table td.icon{text-align:center;width:80px}
|
|
.admonitionblock>table td.icon img{max-width:none}
|
|
.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase}
|
|
.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #ddddd8;color:rgba(0,0,0,.6)}
|
|
.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0}
|
|
.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px}
|
|
.exampleblock>.content>:first-child{margin-top:0}
|
|
.exampleblock>.content>:last-child{margin-bottom:0}
|
|
.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
|
|
.sidebarblock>:first-child{margin-top:0}
|
|
.sidebarblock>:last-child{margin-bottom:0}
|
|
.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center}
|
|
.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0}
|
|
.literalblock pre,.listingblock pre:not(.highlight),.listingblock pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8}
|
|
.sidebarblock .literalblock pre,.sidebarblock .listingblock pre:not(.highlight),.sidebarblock .listingblock pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight "],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock pre.prettyprint{background:#f2f1f1}
|
|
.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em}
|
|
.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock pre.nowrap,.listingblock pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal}
|
|
@media only screen and (min-width:768px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:.90625em}}
|
|
@media only screen and (min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:1em}}
|
|
.literalblock.output pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)}
|
|
.listingblock pre.highlightjs{padding:0}
|
|
.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px}
|
|
.listingblock pre.prettyprint{border-width:0}
|
|
.listingblock>.content{position:relative}
|
|
.listingblock code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999}
|
|
.listingblock:hover code[data-lang]:before{display:block}
|
|
.listingblock.terminal pre .command:before{content:attr(data-prompt);padding-right:.5em;color:#999}
|
|
.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"}
|
|
table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none}
|
|
table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0;line-height:1.45}
|
|
table.pyhltable td.code{padding-left:.75em;padding-right:0}
|
|
pre.pygments .lineno,table.pyhltable td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px solid #ddddd8}
|
|
pre.pygments .lineno{display:inline-block;margin-right:.25em}
|
|
table.pyhltable .linenodiv{background:none!important;padding-right:0!important}
|
|
.quoteblock{margin:0 1em 1.25em 1.5em;display:table}
|
|
.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em}
|
|
.quoteblock blockquote,.quoteblock blockquote p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
|
|
.quoteblock blockquote{margin:0;padding:0;border:0}
|
|
.quoteblock blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)}
|
|
.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0}
|
|
.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right}
|
|
.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 0;border-left:3px solid rgba(0,0,0,.6)}
|
|
.quoteblock .quoteblock blockquote{padding:0 0 0 .75em}
|
|
.quoteblock .quoteblock blockquote:before{display:none}
|
|
.verseblock{margin:0 1em 1.25em 1em}
|
|
.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility}
|
|
.verseblock pre strong{font-weight:400}
|
|
.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex}
|
|
.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic}
|
|
.quoteblock .attribution br,.verseblock .attribution br{display:none}
|
|
.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.025em;color:rgba(0,0,0,.6)}
|
|
.quoteblock.abstract{margin:0 0 1.25em 0;display:block}
|
|
.quoteblock.abstract blockquote,.quoteblock.abstract blockquote p{text-align:left;word-spacing:0}
|
|
.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote p:first-of-type:before{display:none}
|
|
table.tableblock{max-width:100%;border-collapse:separate}
|
|
table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0}
|
|
table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede}
|
|
table.grid-all th.tableblock,table.grid-all td.tableblock{border-width:0 1px 1px 0}
|
|
table.grid-all tfoot>tr>th.tableblock,table.grid-all tfoot>tr>td.tableblock{border-width:1px 1px 0 0}
|
|
table.grid-cols th.tableblock,table.grid-cols td.tableblock{border-width:0 1px 0 0}
|
|
table.grid-all *>tr>.tableblock:last-child,table.grid-cols *>tr>.tableblock:last-child{border-right-width:0}
|
|
table.grid-rows th.tableblock,table.grid-rows td.tableblock{border-width:0 0 1px 0}
|
|
table.grid-all tbody>tr:last-child>th.tableblock,table.grid-all tbody>tr:last-child>td.tableblock,table.grid-all thead:last-child>tr>th.tableblock,table.grid-rows tbody>tr:last-child>th.tableblock,table.grid-rows tbody>tr:last-child>td.tableblock,table.grid-rows thead:last-child>tr>th.tableblock{border-bottom-width:0}
|
|
table.grid-rows tfoot>tr>th.tableblock,table.grid-rows tfoot>tr>td.tableblock{border-width:1px 0 0 0}
|
|
table.frame-all{border-width:1px}
|
|
table.frame-sides{border-width:0 1px}
|
|
table.frame-topbot{border-width:1px 0}
|
|
th.halign-left,td.halign-left{text-align:left}
|
|
th.halign-right,td.halign-right{text-align:right}
|
|
th.halign-center,td.halign-center{text-align:center}
|
|
th.valign-top,td.valign-top{vertical-align:top}
|
|
th.valign-bottom,td.valign-bottom{vertical-align:bottom}
|
|
th.valign-middle,td.valign-middle{vertical-align:middle}
|
|
table thead th,table tfoot th{font-weight:bold}
|
|
tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7}
|
|
tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold}
|
|
p.tableblock>code:only-child{background:none;padding:0}
|
|
p.tableblock{font-size:1em}
|
|
td>div.verse{white-space:pre}
|
|
ol{margin-left:1.75em}
|
|
ul li ol{margin-left:1.5em}
|
|
dl dd{margin-left:1.125em}
|
|
dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0}
|
|
ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em}
|
|
ul.unstyled,ol.unnumbered,ul.checklist,ul.none{list-style-type:none}
|
|
ul.unstyled,ol.unnumbered,ul.checklist{margin-left:.625em}
|
|
ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1em;font-size:.85em}
|
|
ul.checklist li>p:first-child>input[type="checkbox"]:first-child{width:1em;position:relative;top:1px}
|
|
ul.inline{margin:0 auto .625em auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden}
|
|
ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block}
|
|
ul.inline>li>*{display:block}
|
|
.unstyled dl dt{font-weight:400;font-style:normal}
|
|
ol.arabic{list-style-type:decimal}
|
|
ol.decimal{list-style-type:decimal-leading-zero}
|
|
ol.loweralpha{list-style-type:lower-alpha}
|
|
ol.upperalpha{list-style-type:upper-alpha}
|
|
ol.lowerroman{list-style-type:lower-roman}
|
|
ol.upperroman{list-style-type:upper-roman}
|
|
ol.lowergreek{list-style-type:lower-greek}
|
|
.hdlist>table,.colist>table{border:0;background:none}
|
|
.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none}
|
|
td.hdlist1,td.hdlist2{vertical-align:top;padding:0 .625em}
|
|
td.hdlist1{font-weight:bold;padding-bottom:1.25em}
|
|
.literalblock+.colist,.listingblock+.colist{margin-top:-.5em}
|
|
.colist>table tr>td:first-of-type{padding:0 .75em;line-height:1}
|
|
.colist>table tr>td:last-of-type{padding:.25em 0}
|
|
.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd}
|
|
.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 0}
|
|
.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em .625em}
|
|
.imageblock>.title{margin-bottom:0}
|
|
.imageblock.thumb,.imageblock.th{border-width:6px}
|
|
.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em}
|
|
.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0}
|
|
.image.left{margin-right:.625em}
|
|
.image.right{margin-left:.625em}
|
|
a.image{text-decoration:none;display:inline-block}
|
|
a.image object{pointer-events:none}
|
|
sup.footnote,sup.footnoteref{font-size:.875em;position:static;vertical-align:super}
|
|
sup.footnote a,sup.footnoteref a{text-decoration:none}
|
|
sup.footnote a:active,sup.footnoteref a:active{text-decoration:underline}
|
|
#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
|
|
#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 0;border-width:1px 0 0 0}
|
|
#footnotes .footnote{padding:0 .375em 0 .225em;line-height:1.3334;font-size:.875em;margin-left:1.2em;text-indent:-1.05em;margin-bottom:.2em}
|
|
#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none}
|
|
#footnotes .footnote:last-of-type{margin-bottom:0}
|
|
#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0}
|
|
.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0}
|
|
.gist .file-data>table td.line-data{width:99%}
|
|
div.unbreakable{page-break-inside:avoid}
|
|
.big{font-size:larger}
|
|
.small{font-size:smaller}
|
|
.underline{text-decoration:underline}
|
|
.overline{text-decoration:overline}
|
|
.line-through{text-decoration:line-through}
|
|
.aqua{color:#00bfbf}
|
|
.aqua-background{background-color:#00fafa}
|
|
.black{color:#000}
|
|
.black-background{background-color:#000}
|
|
.blue{color:#0000bf}
|
|
.blue-background{background-color:#0000fa}
|
|
.fuchsia{color:#bf00bf}
|
|
.fuchsia-background{background-color:#fa00fa}
|
|
.gray{color:#606060}
|
|
.gray-background{background-color:#7d7d7d}
|
|
.green{color:#006000}
|
|
.green-background{background-color:#007d00}
|
|
.lime{color:#00bf00}
|
|
.lime-background{background-color:#00fa00}
|
|
.maroon{color:#600000}
|
|
.maroon-background{background-color:#7d0000}
|
|
.navy{color:#000060}
|
|
.navy-background{background-color:#00007d}
|
|
.olive{color:#606000}
|
|
.olive-background{background-color:#7d7d00}
|
|
.purple{color:#600060}
|
|
.purple-background{background-color:#7d007d}
|
|
.red{color:#bf0000}
|
|
.red-background{background-color:#fa0000}
|
|
.silver{color:#909090}
|
|
.silver-background{background-color:#bcbcbc}
|
|
.teal{color:#006060}
|
|
.teal-background{background-color:#007d7d}
|
|
.white{color:#bfbfbf}
|
|
.white-background{background-color:#fafafa}
|
|
.yellow{color:#bfbf00}
|
|
.yellow-background{background-color:#fafa00}
|
|
span.icon>.fa{cursor:default}
|
|
.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default}
|
|
.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c}
|
|
.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111}
|
|
.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900}
|
|
.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400}
|
|
.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000}
|
|
.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold}
|
|
.conum[data-value] *{color:#fff!important}
|
|
.conum[data-value]+b{display:none}
|
|
.conum[data-value]:after{content:attr(data-value)}
|
|
pre .conum[data-value]{position:relative;top:-.125em}
|
|
b.conum *{color:inherit!important}
|
|
.conum:not([data-value]):empty{display:none}
|
|
dt,th.tableblock,td.content,div.footnote{text-rendering:optimizeLegibility}
|
|
h1,h2,p,td.content,span.alt{letter-spacing:-.01em}
|
|
p strong,td.content strong,div.footnote strong{letter-spacing:-.005em}
|
|
p,blockquote,dt,td.content,span.alt{font-size:1.0625rem}
|
|
p{margin-bottom:1.25rem}
|
|
.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em}
|
|
.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc}
|
|
.print-only{display:none!important}
|
|
@media print{@page{margin:1.25cm .75cm}
|
|
*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important}
|
|
a{color:inherit!important;text-decoration:underline!important}
|
|
a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important}
|
|
a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em}
|
|
abbr[title]:after{content:" (" attr(title) ")"}
|
|
pre,blockquote,tr,img,object,svg{page-break-inside:avoid}
|
|
thead{display:table-header-group}
|
|
svg{max-width:100%}
|
|
p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3}
|
|
h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid}
|
|
#toc,.sidebarblock,.exampleblock>.content{background:none!important}
|
|
#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important}
|
|
.sect1{padding-bottom:0!important}
|
|
.sect1+.sect1{border:0!important}
|
|
#header>h1:first-child{margin-top:1.25rem}
|
|
body.book #header{text-align:center}
|
|
body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0}
|
|
body.book #header .details{border:0!important;display:block;padding:0!important}
|
|
body.book #header .details span:first-child{margin-left:0!important}
|
|
body.book #header .details br{display:block}
|
|
body.book #header .details br+span:before{content:none!important}
|
|
body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important}
|
|
body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always}
|
|
.listingblock code[data-lang]:before{display:block}
|
|
#footer{background:none!important;padding:0 .9375em}
|
|
#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em}
|
|
.hide-on-print{display:none!important}
|
|
.print-only{display:block!important}
|
|
.hide-for-print{display:none!important}
|
|
.show-for-print{display:inherit!important}}
|
|
</style>
|
|
</head>
|
|
<body class="article">
|
|
<div id="header">
|
|
<h1>Spring Cloud Config</h1>
|
|
<div id="toc" class="toc">
|
|
<div id="toctitle">Table of Contents</div>
|
|
<ul class="sectlevel1">
|
|
<li><a href="#_quick_start">Quick Start</a>
|
|
<ul class="sectlevel2">
|
|
<li><a href="#_client_side_usage">Client Side Usage</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#_spring_cloud_config_server">Spring Cloud Config Server</a>
|
|
<ul class="sectlevel2">
|
|
<li><a href="#_environment_repository">Environment Repository</a></li>
|
|
<li><a href="#_health_indicator">Health Indicator</a></li>
|
|
<li><a href="#_security">Security</a></li>
|
|
<li><a href="#_encryption_and_decryption">Encryption and Decryption</a></li>
|
|
<li><a href="#_key_management">Key Management</a></li>
|
|
<li><a href="#_creating_a_key_store_for_testing">Creating a Key Store for Testing</a></li>
|
|
<li><a href="#_using_multiple_keys_and_key_rotation">Using Multiple Keys and Key Rotation</a></li>
|
|
<li><a href="#_serving_encrypted_properties">Serving Encrypted Properties</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#_serving_alternative_formats">Serving Alternative Formats</a></li>
|
|
<li><a href="#_serving_plain_text">Serving Plain Text</a></li>
|
|
<li><a href="#_embedding_the_config_server">Embedding the Config Server</a></li>
|
|
<li><a href="#_push_notifications_and_spring_cloud_bus">Push Notifications and Spring Cloud Bus</a></li>
|
|
<li><a href="#_spring_cloud_config_client">Spring Cloud Config Client</a>
|
|
<ul class="sectlevel2">
|
|
<li><a href="#config-first-bootstrap">Config First Bootstrap</a></li>
|
|
<li><a href="#discovery-first-bootstrap">Discovery First Bootstrap</a></li>
|
|
<li><a href="#config-client-fail-fast">Config Client Fail Fast</a></li>
|
|
<li><a href="#config-client-retry">Config Client Retry</a></li>
|
|
<li><a href="#_locating_remote_configuration_resources">Locating Remote Configuration Resources</a></li>
|
|
<li><a href="#_security_2">Security</a></li>
|
|
<li><a href="#_vault_2">Vault</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div id="content">
|
|
<div id="preamble">
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p><strong>1.4.0.M1</strong></p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Spring Cloud Config provides server and client-side support for externalized configuration in a distributed system. With the Config Server you have a central place to manage external properties for applications across all environments. The concepts on both client and server map identically to the Spring <code>Environment</code> and <code>PropertySource</code> abstractions, so they fit very well with Spring applications, but can be used with any application running in any language. As an application moves through the deployment pipeline from dev to test and into production you can manage the configuration between those environments and be certain that applications have everything they need to run when they migrate. The default implementation of the server storage backend uses git so it easily supports labelled versions of configuration environments, as well as being accessible to a wide range of tooling for managing the content. It is easy to add alternative implementations and plug them in with Spring configuration.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_quick_start">Quick Start</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>Start the server:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ cd spring-cloud-config-server
|
|
$ ../mvnw spring-boot:run</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The server is a Spring Boot application so you can run it from your
|
|
IDE instead if you prefer (the main class is
|
|
<code>ConfigServerApplication</code>). Then try out a client:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ curl localhost:8888/foo/development
|
|
{"name":"foo","label":"master","propertySources":[
|
|
{"name":"https://github.com/scratches/config-repo/foo-development.properties","source":{"bar":"spam"}},
|
|
{"name":"https://github.com/scratches/config-repo/foo.properties","source":{"foo":"bar"}}
|
|
]}</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The default strategy for locating property sources is to clone a git
|
|
repository (at <code>spring.cloud.config.server.git.uri</code>) and use it to
|
|
initialize a mini <code>SpringApplication</code>. The mini-application’s
|
|
<code>Environment</code> is used to enumerate property sources and publish them
|
|
via a JSON endpoint.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The HTTP service has resources in the form:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>/{application}/{profile}[/{label}]
|
|
/{application}-{profile}.yml
|
|
/{label}/{application}-{profile}.yml
|
|
/{application}-{profile}.properties
|
|
/{label}/{application}-{profile}.properties</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>where the "application" is injected as the <code>spring.config.name</code> in the
|
|
<code>SpringApplication</code> (i.e. what is normally "application" in a regular
|
|
Spring Boot app), "profile" is an active profile (or comma-separated
|
|
list of properties), and "label" is an optional git label (defaults to
|
|
"master".)</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Spring Cloud Config Server pulls configuration for remote clients
|
|
from a git repository (which must be provided):</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_client_side_usage">Client Side Usage</h3>
|
|
<div class="paragraph">
|
|
<p>To use these features in an application, just build it as a Spring
|
|
Boot application that depends on spring-cloud-config-client (e.g. see
|
|
the test cases for the config-client, or the sample app). The most
|
|
convenient way to add the dependency is via a Spring Boot starter
|
|
<code>org.springframework.cloud:spring-cloud-starter-config</code>. There is also a
|
|
parent pom and BOM (<code>spring-cloud-starter-parent</code>) for Maven users and a
|
|
Spring IO version management properties file for Gradle and Spring CLI
|
|
users. Example Maven configuration:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">pom.xml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-xml" data-lang="xml"> <parent>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-parent</artifactId>
|
|
<version>1.3.5.RELEASE</version>
|
|
<relativePath /> <!-- lookup parent from repository -->
|
|
</parent>
|
|
|
|
<dependencyManagement>
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.springframework.cloud</groupId>
|
|
<artifactId>spring-cloud-dependencies</artifactId>
|
|
<version>Brixton.RELEASE</version>
|
|
<type>pom</type>
|
|
<scope>import</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
</dependencyManagement>
|
|
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.springframework.cloud</groupId>
|
|
<artifactId>spring-cloud-starter-config</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-test</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-maven-plugin</artifactId>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
|
|
<!-- repositories also needed for snapshots and milestones --></code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Then you can create a standard Spring Boot application, like this simple HTTP server:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>@SpringBootApplication
|
|
@RestController
|
|
public class Application {
|
|
|
|
@RequestMapping("/")
|
|
public String home() {
|
|
return "Hello World!";
|
|
}
|
|
|
|
public static void main(String[] args) {
|
|
SpringApplication.run(Application.class, args);
|
|
}
|
|
|
|
}</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>When it runs it will pick up the external configuration from the
|
|
default local config server on port 8888 if it is running. To modify
|
|
the startup behaviour you can change the location of the config server
|
|
using <code>bootstrap.properties</code> (like <code>application.properties</code> but for
|
|
the bootstrap phase of an application context), e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>spring.cloud.config.uri: http://myconfigserver.com</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The bootstrap properties will show up in the <code>/env</code> endpoint as a
|
|
high-priority property source, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ curl localhost:8080/env
|
|
{
|
|
"profiles":[],
|
|
"configService:https://github.com/spring-cloud-samples/config-repo/bar.properties":{"foo":"bar"},
|
|
"servletContextInitParams":{},
|
|
"systemProperties":{...},
|
|
...
|
|
}</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>(a property source called "configService:<URL of remote
|
|
repository>/<file name>" contains the property "foo" with value
|
|
"bar" and is highest priority).</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
the URL in the property source name is the git repository not
|
|
the config server URL.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_spring_cloud_config_server">Spring Cloud Config Server</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>The Server provides an HTTP, resource-based API for external
|
|
configuration (name-value pairs, or equivalent YAML content). The
|
|
server is easily embeddable in a Spring Boot application using the
|
|
<code>@EnableConfigServer</code> annotation. So this app is a config server:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">ConfigServer.java</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-java" data-lang="java">@SpringBootApplication
|
|
@EnableConfigServer
|
|
public class ConfigServer {
|
|
public static void main(String[] args) {
|
|
SpringApplication.run(ConfigServer.class, args);
|
|
}
|
|
}</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Like all Spring Boot apps it runs on port 8080 by default, but you
|
|
can switch it to the conventional port 8888 in various ways. The
|
|
easiest, which also sets a default configuration repository,
|
|
is by launching it with <code>spring.config.name=configserver</code> (there
|
|
is a <code>configserver.yml</code> in the Config Server jar). Another is
|
|
to use your own <code>application.properties</code>, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">application.properties</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-properties" data-lang="properties">server.port: 8888
|
|
spring.cloud.config.server.git.uri: file://${user.home}/config-repo</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>where <code>${user.home}/config-repo</code> is a git repository containing
|
|
YAML and properties files.</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
in Windows you need an extra "/" in the file URL if it is
|
|
absolute with a drive prefix, e.g. <code><a href="file:///${user.home}/config-repo" class="bare">file:///${user.home}/config-repo</a></code>.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
<div class="paragraph">
|
|
<p>Here’s a recipe for creating the git repository in the example
|
|
above:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ cd $HOME
|
|
$ mkdir config-repo
|
|
$ cd config-repo
|
|
$ git init .
|
|
$ echo info.foo: bar > application.properties
|
|
$ git add -A .
|
|
$ git commit -m "Add application.properties"</pre>
|
|
</div>
|
|
</div>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock warning">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Warning</div>
|
|
</td>
|
|
<td class="content">
|
|
using the local filesystem for your git repository is
|
|
intended for testing only. Use a server to host your
|
|
configuration repositories in production.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock warning">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Warning</div>
|
|
</td>
|
|
<td class="content">
|
|
the initial clone of your configuration repository will
|
|
be quick and efficient if you only keep text files in it. If you start
|
|
to store binary files, especially large ones, you may experience
|
|
delays on the first request for configuration and/or out of memory
|
|
errors in the server.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_environment_repository">Environment Repository</h3>
|
|
<div class="paragraph">
|
|
<p>Where do you want to store the configuration data for the Config
|
|
Server? The strategy that governs this behaviour is the
|
|
<code>EnvironmentRepository</code>, serving <code>Environment</code> objects. This
|
|
<code>Environment</code> is a shallow copy of the domain from the Spring
|
|
<code>Environment</code> (including <code>propertySources</code> as the main feature). The
|
|
<code>Environment</code> resources are parametrized by three variables:</p>
|
|
</div>
|
|
<div class="ulist">
|
|
<ul>
|
|
<li>
|
|
<p><code>{application}</code> maps to "spring.application.name" on the client side;</p>
|
|
</li>
|
|
<li>
|
|
<p><code>{profile}</code> maps to "spring.profiles.active" on the client (comma separated list); and</p>
|
|
</li>
|
|
<li>
|
|
<p><code>{label}</code> which is a server side feature labelling a "versioned" set of config files.</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Repository implementations generally behave just like a Spring Boot
|
|
application loading configuration files from a "spring.config.name"
|
|
equal to the <code>{application}</code> parameter, and "spring.profiles.active"
|
|
equal to the <code>{profiles}</code> parameter. Precedence rules for profiles are
|
|
also the same as in a regular Boot application: active profiles take
|
|
precedence over defaults, and if there are multiple profiles the last
|
|
one wins (like adding entries to a <code>Map</code>).</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Example: a client application has this bootstrap configuration:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">bootstrap.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
application:
|
|
name: foo
|
|
profiles:
|
|
active: dev,mysql</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>(as usual with a Spring Boot application, these properties could also
|
|
be set as environment variables or command line arguments).</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If the repository is file-based, the server will create an
|
|
<code>Environment</code> from <code>application.yml</code> (shared between all clients), and
|
|
<code>foo.yml</code> (with <code>foo.yml</code> taking precedence). If the YAML files have
|
|
documents inside them that point to Spring profiles, those are applied
|
|
with higher precedence (in order of the profiles listed), and if
|
|
there are profile-specific YAML (or properties) files these are also
|
|
applied with higher precedence than the defaults. Higher precedence
|
|
translates to a <code>PropertySource</code> listed earlier in the
|
|
<code>Environment</code>. (These are the same rules as apply in a standalone
|
|
Spring Boot application.)</p>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_git_backend">Git Backend</h4>
|
|
<div class="paragraph">
|
|
<p>The default implementation of <code>EnvironmentRepository</code> uses a Git
|
|
backend, which is very convenient for managing upgrades and physical
|
|
environments, and also for auditing changes. To change the location of
|
|
the repository you can set the "spring.cloud.config.server.git.uri"
|
|
configuration property in the Config Server (e.g. in
|
|
<code>application.yml</code>). If you set it with a <code>file:</code> prefix it should work
|
|
from a local repository so you can get started quickly and easily
|
|
without a server, but in that case the server operates directly on the
|
|
local repository without cloning it (it doesn’t matter if it’s not
|
|
bare because the Config Server never makes changes to the "remote"
|
|
repository). To scale the Config Server up and make it highly
|
|
available, you would need to have all instances of the server pointing
|
|
to the same repository, so only a shared file system would work. Even
|
|
in that case it is better to use the <code>ssh:</code> protocol for a shared
|
|
filesystem repository, so that the server can clone it and use a local
|
|
working copy as a cache.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>This repository implementation maps the <code>{label}</code> parameter of the
|
|
HTTP resource to a git label (commit id, branch name or tag). If the
|
|
git branch or tag name contains a slash ("/") then the label in the
|
|
HTTP URL should be specified with the special string "(_)" instead (to
|
|
avoid ambiguity with other URL paths). For example, if the label is
|
|
<code>foo/bar</code>, replacing the slash would result in a label that looks like
|
|
<code>foo(_)bar</code>. Be careful with the brackets in
|
|
the URL if you are using a command line client like curl (e.g. escape
|
|
them from the shell with quotes '').</p>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_placeholders_in_git_uri">Placeholders in Git URI</h5>
|
|
<div class="paragraph">
|
|
<p>Spring Cloud Config Server supports a git repository URL with
|
|
placeholders for the <code>{application}</code> and <code>{profile}</code> (and <code>{label}</code> if
|
|
you need it, but remember that the label is applied as a git label
|
|
anyway). So you can easily support a "one repo per application" policy
|
|
using (for example):</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/myorg/{application}</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>or a "one repo per profile" policy using a similar pattern but with
|
|
<code>{profile}</code>.</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_pattern_matching_and_multiple_repositories">Pattern Matching and Multiple Repositories</h5>
|
|
<div class="paragraph">
|
|
<p>There is also support for more complex requirements with pattern
|
|
matching on the application and profile name. The pattern format is a
|
|
comma-separated list of <code>{application}/{profile}</code> names with wildcards
|
|
(where a pattern beginning with a wildcard may need to be
|
|
quoted). Example:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo
|
|
repos:
|
|
simple: https://github.com/simple/config-repo
|
|
special:
|
|
pattern: special*/dev*,*special*/dev*
|
|
uri: https://github.com/special/config-repo
|
|
local:
|
|
pattern: local*
|
|
uri: file:/home/configsvc/config-repo</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If <code>{application}/{profile}</code> does not match any of the patterns, it
|
|
will use the default uri defined under
|
|
"spring.cloud.config.server.git.uri". In the above example, for the
|
|
"simple" repository, the pattern is <code>simple/*</code> (i.e. it only matches
|
|
one application named "simple" in all profiles). The "local"
|
|
repository matches all application names beginning with "local" in all
|
|
profiles (the <code>/*</code> suffix is added automatically to any pattern that
|
|
doesn’t have a profile matcher).</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
the "one-liner" short cut used in the "simple" example above can
|
|
only be used if the only property to be set is the URI. If you need to
|
|
set anything else (credentials, pattern, etc.) you need to use the full
|
|
form.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The <code>pattern</code> property in the repo is actually an array, so you can
|
|
use a YAML array (or <code>[0]</code>, <code>[1]</code>, etc. suffixes in properties files)
|
|
to bind to multiple patterns. You may need to do this if you are going
|
|
to run apps with multiple profiles. Example:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo
|
|
repos:
|
|
development:
|
|
pattern:
|
|
- '*/development'
|
|
- '*/staging'
|
|
uri: https://github.com/development/config-repo
|
|
staging:
|
|
pattern:
|
|
- '*/qa'
|
|
- '*/production'
|
|
uri: https://github.com/staging/config-repo</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
Spring Cloud will guess that a pattern containing a profile that
|
|
doesn’t end in <code>*</code> implies that you actually want to match a list of
|
|
profiles starting with this pattern (so <code>*/staging</code> is a shortcut for
|
|
<code>["*/staging", "*/staging,*"]</code>). This is common where you need to run
|
|
apps in the "development" profile locally but also the "cloud" profile
|
|
remotely, for instance.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Every repository can also optionally store config files in
|
|
sub-directories, and patterns to search for those directories can be
|
|
specified as <code>searchPaths</code>. For example at the top level:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo
|
|
searchPaths: foo,bar*</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>In this example the server searches for config files in the top level
|
|
and in the "foo/" sub-directory and also any sub-directory whose name
|
|
begins with "bar".</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>By default the server clones remote repositories when configuration
|
|
is first requested. The server can be configured to clone the repositories
|
|
at startup. For example at the top level:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://git/common/config-repo.git
|
|
repos:
|
|
team-a:
|
|
pattern: team-a-*
|
|
cloneOnStart: true
|
|
uri: http://git/team-a/config-repo.git
|
|
team-b:
|
|
pattern: team-b-*
|
|
cloneOnStart: false
|
|
uri: http://git/team-b/config-repo.git
|
|
team-c:
|
|
pattern: team-c-*
|
|
uri: http://git/team-a/config-repo.git</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>In this example the server clones team-a’s config-repo on startup before it
|
|
accepts any requests. All other repositories will not be cloned until
|
|
configuration from the repository is requested.</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
Setting a repository to be cloned when the Config Server starts up can
|
|
help to identify a misconfigured configuration source (e.g., an invalid
|
|
repository URI) quickly, while the Config Server is starting up. With
|
|
<code>cloneOnStart</code> not enabled for a configuration source, the Config Server may
|
|
start successfully with a misconfigured or invalid configuration source and
|
|
not detect an error until an application requests configuration from that
|
|
configuration source.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_authentication">Authentication</h5>
|
|
<div class="paragraph">
|
|
<p>To use HTTP basic authentication on the remote repository add the
|
|
"username" and "password" properties separately (not in the URL),
|
|
e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo
|
|
username: trolley
|
|
password: strongpassword</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you don’t use HTTPS and user credentials, SSH should also work out
|
|
of the box when you store keys in the default directories (<code>~/.ssh</code>)
|
|
and the uri points to an SSH location,
|
|
e.g. "<a href="mailto:git@github.com">git@github.com</a>:configuration/cloud-configuration". It is important that an entry for the Git server be present in the <code>~/.ssh/known_hosts</code> file and that it is in <code>ssh-rsa</code> format. Other formats (like <code>ecdsa-sha2-nistp256</code>) are not supported. To avoid surprises, you should ensure that only one entry is present in the <code>known_hosts</code> file for the Git server and that it is matching with the URL you provided to the config server. If you used a hostname in the URL, you want to have exactly that in the <code>known_hosts</code> file, not the IP.
|
|
The repository is accessed using JGit, so any documentation you find on
|
|
that should be applicable. HTTPS proxy settings can be set in
|
|
<code>~/.git/config</code> or in the same way as for any other JVM process via
|
|
system properties (<code>-Dhttps.proxyHost</code> and <code>-Dhttps.proxyPort</code>).</p>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
If you don’t know where your <code>~/.git</code> directory is use <code>git config
|
|
--global</code> to manipulate the settings (e.g. <code>git config --global
|
|
http.sslVerify false</code>).
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_authentication_with_aws_codecommit">Authentication with AWS CodeCommit</h5>
|
|
<div class="paragraph">
|
|
<p><a href="http://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html">AWS CodeCommit</a> authentication can also be
|
|
done. AWS CodeCommit uses an authentication helper when using Git from the command line. This helper is not
|
|
used with the JGit library, so a JGit CredentialProvider for AWS CodeCommit will be created if the Git
|
|
URI matches the AWS CodeCommit pattern. AWS CodeCommit URIs always look like
|
|
<a href="https://git-codecommit.${AWS_REGION}.amazonaws.com/${repopath}" class="bare">https://git-codecommit.${AWS_REGION}.amazonaws.com/${repopath}</a>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you provide a username and password with an AWS CodeCommit URI, then these must be
|
|
the <a href="http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html">AWS accessKeyId and secretAccessKey</a>
|
|
to be used to access the repository. If you do not specify a username and password,
|
|
then the accessKeyId and secretAccessKey will be retrieved using the
|
|
<a href="http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html">AWS Default Credential Provider Chain</a>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If your Git URI matches the CodeCommit URI pattern (above) then you must provide
|
|
valid AWS credentials in the username and password, or in one of the locations supported
|
|
by the default credential provider chain. AWS EC2 instances may use
|
|
<a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html">IAM Roles for EC2 Instances</a>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Note: The aws-java-sdk-core jar is an optional dependency. If the aws-java-sdk-core jar is not on your
|
|
classpath, then the AWS Code Commit credential provider will not be created regardless of the git server URI.</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_git_ssh_configuration_using_properties">Git SSH configuration using properties</h5>
|
|
<div class="paragraph">
|
|
<p>By default, the JGit library used by Spring Cloud Config Server uses SSH configuration files such as <code>~/.ssh/known_hosts</code> and <code>/etc/ssh/ssh_config</code> when connecting to Git repositories using an SSH URI.
|
|
In cloud environments such as Cloud Foundry, the local filesystem may be ephemeral or not easily accessible. For cases such as these, SSH configuration can be set using
|
|
Java properties. In order to activate property based SSH configuration, the property <code>spring.cloud.config.server.git.ignoreLocalSshSettings</code> must be set to <code>true</code>.
|
|
Example:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml"> spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: git@gitserver.com:team/repo1.git
|
|
ignoreLocalSshSettings: true
|
|
hostKey: someHostKey
|
|
hostKeyAlgorithm: ssh-rsa
|
|
privateKey: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEpgIBAAKCAQEAx4UbaDzY5xjW6hc9jwN0mX33XpTDVW9WqHp5AKaRbtAC3DqX
|
|
IXFMPgw3K45jxRb93f8tv9vL3rD9CUG1Gv4FM+o7ds7FRES5RTjv2RT/JVNJCoqF
|
|
ol8+ngLqRZCyBtQN7zYByWMRirPGoDUqdPYrj2yq+ObBBNhg5N+hOwKjjpzdj2Ud
|
|
1l7R+wxIqmJo1IYyy16xS8WsjyQuyC0lL456qkd5BDZ0Ag8j2X9H9D5220Ln7s9i
|
|
oezTipXipS7p7Jekf3Ywx6abJwOmB0rX79dV4qiNcGgzATnG1PkXxqt76VhcGa0W
|
|
DDVHEEYGbSQ6hIGSh0I7BQun0aLRZojfE3gqHQIDAQABAoIBAQCZmGrk8BK6tXCd
|
|
fY6yTiKxFzwb38IQP0ojIUWNrq0+9Xt+NsypviLHkXfXXCKKU4zUHeIGVRq5MN9b
|
|
BO56/RrcQHHOoJdUWuOV2qMqJvPUtC0CpGkD+valhfD75MxoXU7s3FK7yjxy3rsG
|
|
EmfA6tHV8/4a5umo5TqSd2YTm5B19AhRqiuUVI1wTB41DjULUGiMYrnYrhzQlVvj
|
|
5MjnKTlYu3V8PoYDfv1GmxPPh6vlpafXEeEYN8VB97e5x3DGHjZ5UrurAmTLTdO8
|
|
+AahyoKsIY612TkkQthJlt7FJAwnCGMgY6podzzvzICLFmmTXYiZ/28I4BX/mOSe
|
|
pZVnfRixAoGBAO6Uiwt40/PKs53mCEWngslSCsh9oGAaLTf/XdvMns5VmuyyAyKG
|
|
ti8Ol5wqBMi4GIUzjbgUvSUt+IowIrG3f5tN85wpjQ1UGVcpTnl5Qo9xaS1PFScQ
|
|
xrtWZ9eNj2TsIAMp/svJsyGG3OibxfnuAIpSXNQiJPwRlW3irzpGgVx/AoGBANYW
|
|
dnhshUcEHMJi3aXwR12OTDnaLoanVGLwLnkqLSYUZA7ZegpKq90UAuBdcEfgdpyi
|
|
PhKpeaeIiAaNnFo8m9aoTKr+7I6/uMTlwrVnfrsVTZv3orxjwQV20YIBCVRKD1uX
|
|
VhE0ozPZxwwKSPAFocpyWpGHGreGF1AIYBE9UBtjAoGBAI8bfPgJpyFyMiGBjO6z
|
|
FwlJc/xlFqDusrcHL7abW5qq0L4v3R+FrJw3ZYufzLTVcKfdj6GelwJJO+8wBm+R
|
|
gTKYJItEhT48duLIfTDyIpHGVm9+I1MGhh5zKuCqIhxIYr9jHloBB7kRm0rPvYY4
|
|
VAykcNgyDvtAVODP+4m6JvhjAoGBALbtTqErKN47V0+JJpapLnF0KxGrqeGIjIRV
|
|
cYA6V4WYGr7NeIfesecfOC356PyhgPfpcVyEztwlvwTKb3RzIT1TZN8fH4YBr6Ee
|
|
KTbTjefRFhVUjQqnucAvfGi29f+9oE3Ei9f7wA+H35ocF6JvTYUsHNMIO/3gZ38N
|
|
CPjyCMa9AoGBAMhsITNe3QcbsXAbdUR00dDsIFVROzyFJ2m40i4KCRM35bC/BIBs
|
|
q0TY3we+ERB40U8Z2BvU61QuwaunJ2+uGadHo58VSVdggqAo0BSkH58innKKt96J
|
|
69pcVH/4rmLbXdcmNYGm6iu+MlPQk4BUZknHSmVHIFdJ0EPupVaQ8RHT
|
|
-----END RSA PRIVATE KEY-----</code></pre>
|
|
</div>
|
|
</div>
|
|
<table class="tableblock frame-all grid-all spread">
|
|
<caption class="title">Table 1. SSH Configuration properties</caption>
|
|
<colgroup>
|
|
<col style="width: 50%;">
|
|
<col style="width: 50%;">
|
|
</colgroup>
|
|
<thead>
|
|
<tr>
|
|
<th class="tableblock halign-left valign-top">Property Name</th>
|
|
<th class="tableblock halign-left valign-top">Remarks</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>ignoreLocalSshSettings</strong></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">If true, use property based SSH config instead of file based. Must be set at as <code>spring.cloud.config.server.git.ignoreLocalSshSettings</code>, <strong>not</strong> inside a repository definition.</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>privateKey</strong></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">Valid SSH private key. Must be set if <code>ignoreLocalSshSettings</code> is true and Git URI is SSH format</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>hostKey</strong></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">Valid SSH host key. Must be set if <code>hostKeyAlgorithm</code> is also set</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>hostKeyAlgorithm</strong></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">One of <code>ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 ,ecdsa-sha2-nistp521</code>. Must be set if <code>hostKey</code> is also set</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>strictHostKeyChecking</strong></p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>true</code> or <code>false</code>. If false, ignore errors with host key</p></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_placeholders_in_git_search_paths">Placeholders in Git Search Paths</h5>
|
|
<div class="paragraph">
|
|
<p>Spring Cloud Config Server also supports a search path with
|
|
placeholders for the <code>{application}</code> and <code>{profile}</code> (and <code>{label}</code> if
|
|
you need it). Example:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo
|
|
searchPaths: '{application}'</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>searches the repository for files in the same name as the directory
|
|
(as well as the top level). Wildcards are also valid in a search
|
|
path with placeholders (any matching directory is included in the
|
|
search).</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_force_pull_in_git_repositories">Force pull in Git Repositories</h5>
|
|
<div class="paragraph">
|
|
<p>As mentioned before Spring Cloud Config Server makes a clone of the
|
|
remote git repository and if somehow the local copy gets dirty (e.g.
|
|
folder content changes by OS process) so Spring Cloud Config Server
|
|
cannot update the local copy from remote repository.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To solve this there is a <code>force-pull</code> property that will make Spring Cloud
|
|
Config Server force pull from remote repository if the local copy is dirty.
|
|
Example:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://github.com/spring-cloud-samples/config-repo
|
|
force-pull: true</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you have a multiple repositories configuration you can configure the
|
|
<code>force-pull</code> property per repository. Example:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
git:
|
|
uri: https://git/common/config-repo.git
|
|
force-pull: true
|
|
repos:
|
|
team-a:
|
|
pattern: team-a-*
|
|
uri: http://git/team-a/config-repo.git
|
|
force-pull: true
|
|
team-b:
|
|
pattern: team-b-*
|
|
uri: http://git/team-b/config-repo.git
|
|
force-pull: true
|
|
team-c:
|
|
pattern: team-c-*
|
|
uri: http://git/team-a/config-repo.git</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
The default value for <code>force-pull</code> property is <code>false</code>.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_version_control_backend_filesystem_use">Version Control Backend Filesystem Use</h4>
|
|
<div class="admonitionblock warning">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Warning</div>
|
|
</td>
|
|
<td class="content">
|
|
With VCS based backends (git, svn) files are checked out or cloned to the local filesystem. By default they are put in the system temporary directory with a prefix of <code>config-repo-</code>. On linux, for example it could be <code>/tmp/config-repo-<randomid></code>. Some operating systems <a href="http://serverfault.com/questions/377348/when-does-tmp-get-cleared/377349#377349">routinely clean out</a> temporary directories. This can lead to unexpected behaviour such as missing properties. To avoid this problem, change the directory Config Server uses, by setting <code>spring.cloud.config.server.git.basedir</code> or <code>spring.cloud.config.server.svn.basedir</code> to a directory that does not reside in the system temp structure.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_file_system_backend">File System Backend</h4>
|
|
<div class="paragraph">
|
|
<p>There is also a "native" profile in the Config Server that doesn’t use
|
|
Git, but just loads the config files from the local classpath or file
|
|
system (any static URL you want to point to with
|
|
"spring.cloud.config.server.native.searchLocations"). To use the
|
|
native profile just launch the Config Server with
|
|
"spring.profiles.active=native".</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
Remember to use the <code>file:</code> prefix for file resources (the
|
|
default without a prefix is usually the classpath). Just as with any
|
|
Spring Boot configuration you can embed <code>${}</code>-style environment
|
|
placeholders, but remember that absolute paths in Windows require an
|
|
extra "/", e.g. <code><a href="file:///${user.home}/config-repo" class="bare">file:///${user.home}/config-repo</a></code>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock warning">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Warning</div>
|
|
</td>
|
|
<td class="content">
|
|
The default value of the <code>searchLocations</code> is identical to a
|
|
local Spring Boot application (so <code>[classpath:/, classpath:/config,
|
|
file:./, file:./config]</code>). This does not expose the
|
|
<code>application.properties</code> from the server to all clients because any
|
|
property sources present in the server are removed before being sent
|
|
to the client.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
A filesystem backend is great for getting started quickly and
|
|
for testing. To use it in production you need to be sure that the
|
|
file system is reliable, and shared across all instances of the
|
|
Config Server.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The search locations can contain placeholders for <code>{application}</code>,
|
|
<code>{profile}</code> and <code>{label}</code>. In this way you can segregate the
|
|
directories in the path, and choose a strategy that makes sense for
|
|
you (e.g. sub-directory per application, or sub-directory per
|
|
profile).</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you don’t use placeholders in the search locations, this repository
|
|
also appends the <code>{label}</code> parameter of the HTTP resource to a suffix
|
|
on the search path, so properties files are loaded from each search
|
|
location <strong>and</strong> a subdirectory with the same name as the label (the
|
|
labelled properties take precedence in the Spring Environment). Thus
|
|
the default behaviour with no placeholders is the same as adding a
|
|
search location ending with <code>/{label}/</code>. For example <code>file:/tmp/config</code>
|
|
is the same as <code>file:/tmp/config,file:/tmp/config/{label}</code>. This behavior can be
|
|
disabled by setting <code>spring.cloud.config.server.native.addLabelLocations=false</code>.</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_vault_backend">Vault Backend</h4>
|
|
<div class="paragraph">
|
|
<p>Spring Cloud Config Server also supports <a href="https://www.vaultproject.io">Vault</a> as a backend.</p>
|
|
</div>
|
|
<div class="sidebarblock">
|
|
<div class="content">
|
|
<div class="paragraph">
|
|
<p>Vault is a tool for securely accessing secrets. A secret is anything
|
|
that you want to tightly control access to, such as API keys, passwords,
|
|
certificates, and more. Vault provides a unified interface to any secret,
|
|
while providing tight access control and recording a detailed audit log.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>For more information on Vault see the <a href="https://www.vaultproject.io/intro/index.html">Vault quickstart guide</a>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To enable the config server to use a Vault backend you must run your config server
|
|
with the <code>vault</code> profile. For example in your config server’s <code>application.properties</code>
|
|
you can add <code>spring.profiles.active=vault</code>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>By default the config server will assume your Vault server is running at
|
|
<code><a href="http://127.0.0.1:8200" class="bare">http://127.0.0.1:8200</a></code>. It also will assume that the name of backend
|
|
is <code>secret</code> and the key is <code>application</code>. All of these defaults can be
|
|
configured in your config server’s <code>application.properties</code>. Below is a
|
|
table of configurable Vault properties. All properties are prefixed with
|
|
<code>spring.cloud.config.server.vault</code>.</p>
|
|
</div>
|
|
<table class="tableblock frame-all grid-all spread">
|
|
<colgroup>
|
|
<col style="width: 50%;">
|
|
<col style="width: 50%;">
|
|
</colgroup>
|
|
<thead>
|
|
<tr>
|
|
<th class="tableblock halign-left valign-top">Name</th>
|
|
<th class="tableblock halign-left valign-top">Default Value</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">host</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">127.0.0.1</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">8200</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">scheme</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">http</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">backend</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">secret</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">defaultKey</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">application</p></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">profileSeparator</p></td>
|
|
<td class="tableblock halign-left valign-top"><p class="tableblock">,</p></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<div class="paragraph">
|
|
<p>All configurable properties can be found in
|
|
<code>org.springframework.cloud.config.server.environment.VaultEnvironmentRepository</code>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>With your config server running you can make HTTP requests to the server to retrieve
|
|
values from the Vault backend. To do this you will need a token for your Vault server.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>First place some data in you Vault. For example</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-sh" data-lang="sh">$ vault write secret/application foo=bar baz=bam
|
|
$ vault write secret/myapp foo=myappsbar</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Now make the HTTP request to your config server to retrieve the values.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p><code>$ curl -X "GET" "http://localhost:8888/myapp/default" -H "X-Config-Token: yourtoken"</code></p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>You should see a response similar to this after making the above request.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-json" data-lang="json">{
|
|
"name":"myapp",
|
|
"profiles":[
|
|
"default"
|
|
],
|
|
"label":null,
|
|
"version":null,
|
|
"state":null,
|
|
"propertySources":[
|
|
{
|
|
"name":"vault:myapp",
|
|
"source":{
|
|
"foo":"myappsbar"
|
|
}
|
|
},
|
|
{
|
|
"name":"vault:application",
|
|
"source":{
|
|
"baz":"bam",
|
|
"foo":"bar"
|
|
}
|
|
}
|
|
]
|
|
}</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_multiple_properties_sources">Multiple Properties Sources</h5>
|
|
<div class="paragraph">
|
|
<p>When using Vault you can provide your applications with multiple properties sources.
|
|
For example, assume you have written data to the following paths in Vault.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-sh" data-lang="sh">secret/myApp,dev
|
|
secret/myApp
|
|
secret/application,dev
|
|
secret/application</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Properties written to <code>secret/application</code> are available to
|
|
<a href="#_vault_server">all applications using the Config Server</a>. An
|
|
application with the name <code>myApp</code> would have any properties
|
|
written to <code>secret/myApp</code> and <code>secret/application</code> available to it.
|
|
When <code>myApp</code> has the <code>dev</code> profile enabled then properties written to
|
|
all of the above paths would be available to it, with properties in
|
|
the first path in the list taking priority over the others.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_sharing_configuration_with_all_applications">Sharing Configuration With All Applications</h4>
|
|
<div class="sect4">
|
|
<h5 id="_file_based_repositories">File Based Repositories</h5>
|
|
<div class="paragraph">
|
|
<p>With file-based (i.e. git, svn and native) repositories, resources
|
|
with file names in <code>application*</code> are shared between all client
|
|
applications (so <code>application.properties</code>, <code>application.yml</code>,
|
|
<code>application-*.properties</code> etc.). You can use resources with these
|
|
file names to configure global defaults and have them overridden by
|
|
application-specific files as necessary.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The #_property_overrides[property overrides] feature can also be used
|
|
for setting global defaults, and with placeholders applications are
|
|
allowed to override them locally.</p>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
With the "native" profile (local file system backend) it is
|
|
recommended that you use an explicit search location that isn’t part
|
|
of the server’s own configuration. Otherwise the <code>application*</code>
|
|
resources in the default search locations are removed because they are
|
|
part of the server.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_vault_server">Vault Server</h5>
|
|
<div class="paragraph">
|
|
<p>When using Vault as a backend you can share configuration with
|
|
all applications by placing configuration in
|
|
<code>secret/application</code>. For example, if you run this Vault command</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-sh" data-lang="sh">$ vault write secret/application foo=bar baz=bam</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>All applications using the config server will have the properties
|
|
<code>foo</code> and <code>baz</code> available to them.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_composite_environment_repositories">Composite Environment Repositories</h4>
|
|
<div class="paragraph">
|
|
<p>In some scenarios you may wish to pull configuration data from multiple
|
|
environment repositories. To do this just enable
|
|
multiple profiles in your config server’s application properties or YAML file.
|
|
If, for example, you want to pull configuration data from a Git repository
|
|
as well as a SVN repository you would set the following properties for your
|
|
configuration server.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
profiles:
|
|
active: git, svn
|
|
cloud:
|
|
config:
|
|
server:
|
|
svn:
|
|
uri: file:///path/to/svn/repo
|
|
order: 2
|
|
git:
|
|
uri: file:///path/to/git/repo
|
|
order: 1</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>In addition to each repo specifying a URI, you can also specify an <code>order</code> property.
|
|
The <code>order</code> property allows you to specify the priority order for all your repositories.
|
|
The lower the numerical value of the <code>order</code> property the higher priority it will have.
|
|
The priority order of a repository will help resolve any potential conflicts between
|
|
repositories that contain values for the same properties.</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
Any type of failure when retrieving values from an environment repositoy
|
|
will result in a failure for the entire composite environment.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
When using a composite environment it is important that all repos contain
|
|
the same label(s). If you have an environment similar to the one above and you request
|
|
configuration data with the label <code>master</code> but the SVN
|
|
repo does not contain a branch called <code>master</code> the entire request will fail.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="sect4">
|
|
<h5 id="_custom_composite_environment_repositories">Custom Composite Environment Repositories</h5>
|
|
<div class="paragraph">
|
|
<p>It is also possible to provide your own <code>EnvironmentRepository</code> bean
|
|
to be included as part of a composite environment in addition to
|
|
using one of the environment repositories from Spring Cloud. To do this your bean
|
|
must implement the <code>EnvironmentRepository</code> interface. If you would like to control
|
|
the priority of you custom <code>EnvironmentRepository</code> within the composite
|
|
environment you should also implement the <code>Ordered</code> interface and override the
|
|
<code>getOrdered</code> method. If you do not implement the <code>Ordered</code> interface then your
|
|
<code>EnvironmentRepository</code> will be given the lowest priority.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_property_overrides">Property Overrides</h4>
|
|
<div class="paragraph">
|
|
<p>The Config Server has an "overrides" feature that allows the operator
|
|
to provide configuration properties to all applications that cannot be
|
|
accidentally changed by the application using the normal Spring Boot
|
|
hooks. To declare overrides just add a map of name-value pairs to
|
|
<code>spring.cloud.config.server.overrides</code>. For example</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
overrides:
|
|
foo: bar</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>will cause all applications that are config clients to read <code>foo=bar</code>
|
|
independent of their own configuration. (Of course an application can
|
|
use the data in the Config Server in any way it likes, so overrides
|
|
are not enforceable, but they do provide useful default behaviour if
|
|
they are Spring Cloud Config clients.)</p>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
Normal, Spring environment placeholders with "${}" can be escaped
|
|
(and resolved on the client) by using backslash ("\") to escape the
|
|
"$" or the "{", e.g. <code>\${app.foo:bar}</code> resolves to "bar" unless the
|
|
app provides its own "app.foo". Note that in YAML you don’t need to
|
|
escape the backslash itself, but in properties files you do, when you
|
|
configure the overrides on the server.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>You can change the priority of all overrides in the client to be more
|
|
like default values, allowing applications to supply their own values
|
|
in environment variables or System properties, by setting the flag
|
|
<code>spring.cloud.config.overrideNone=true</code> (default is false) in the
|
|
remote repository.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_health_indicator">Health Indicator</h3>
|
|
<div class="paragraph">
|
|
<p>Config Server comes with a Health Indicator that checks if the configured
|
|
<code>EnvironmentRepository</code> is working. By default it asks the <code>EnvironmentRepository</code>
|
|
for an application named <code>app</code>, the <code>default</code> profile and the default
|
|
label provided by the <code>EnvironmentRepository</code> implementation.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>You can configure the Health Indicator to check more applications
|
|
along with custom profiles and custom labels, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
server:
|
|
health:
|
|
repositories:
|
|
myservice:
|
|
label: mylabel
|
|
myservice-dev:
|
|
name: myservice
|
|
profiles: development</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>You can disable the Health Indicator by setting <code>spring.cloud.config.server.health.enabled=false</code>.</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_security">Security</h3>
|
|
<div class="paragraph">
|
|
<p>You are free to secure your Config Server in any way that makes sense
|
|
to you (from physical network security to OAuth2 bearer
|
|
tokens), and Spring Security and Spring Boot make it easy to do pretty
|
|
much anything.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To use the default Spring Boot configured HTTP Basic security, just
|
|
include Spring Security on the classpath (e.g. through
|
|
<code>spring-boot-starter-security</code>). The default is a username of "user"
|
|
and a randomly generated password, which isn’t going to be very useful
|
|
in practice, so we recommend you configure the password (via
|
|
<code>security.user.password</code>) and encrypt it (see below for instructions
|
|
on how to do that).</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_encryption_and_decryption">Encryption and Decryption</h3>
|
|
<div class="admonitionblock important">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Important</div>
|
|
</td>
|
|
<td class="content">
|
|
<strong>Prerequisites:</strong> to use the encryption and decryption features
|
|
you need the full-strength JCE installed in your JVM (it’s not there by default).
|
|
You can download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files"
|
|
from Oracle, and follow instructions for installation (essentially replace the 2 policy files
|
|
in the JRE lib/security directory with the ones that you downloaded).
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If the remote property sources contain encrypted content (values
|
|
starting with <code>{cipher}</code>) they will be decrypted before sending to
|
|
clients over HTTP. The main advantage of this set up is that the
|
|
property values don’t have to be in plain text when they are "at rest"
|
|
(e.g. in a git repository). If a value cannot be decrypted it is
|
|
removed from the property source and an additional property is added
|
|
with the same key, but prefixed with "invalid." and a value that means
|
|
"not applicable" (usually "<n/a>"). This is largely to prevent cipher
|
|
text being used as a password and accidentally leaking.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you are setting up a remote config repository for config client
|
|
applications it might contain an <code>application.yml</code> like this, for
|
|
instance:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">application.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
datasource:
|
|
username: dbuser
|
|
password: '{cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ'</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Encrypted values in a .properties file must not be wrapped in quotes, otherwise the value will not be decrypted:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">application.properties</div>
|
|
<div class="content">
|
|
<pre>spring.datasource.username: dbuser
|
|
spring.datasource.password: {cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>You can safely push this plain text to a shared git repository and the
|
|
secret password is protected.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The server also exposes <code>/encrypt</code> and <code>/decrypt</code> endpoints (on the
|
|
assumption that these will be secured and only accessed by authorized
|
|
agents). If you are editing a remote config file you can use the Config Server
|
|
to encrypt values by POSTing to the <code>/encrypt</code> endpoint, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ curl localhost:8888/encrypt -d mysecret
|
|
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda</pre>
|
|
</div>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
If the value you are encrypting has characters in it that need to be URL encoded you should use
|
|
the <code>--data-urlencode</code> option to <code>curl</code> to make sure they are encoded properly.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
Be sure not to include any of the curl command statistics in the encrypted value.
|
|
Outputting the value to a file can help avoid this problem.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The inverse operation is also available via <code>/decrypt</code> (provided the server is
|
|
configured with a symmetric key or a full key pair):</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ curl localhost:8888/decrypt -d 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
|
|
mysecret</pre>
|
|
</div>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
If you are testing like this with curl, then use
|
|
<code>--data-urlencode</code> (instead of <code>-d</code>) or set an explicit <code>Content-Type:
|
|
text/plain</code> to make sure curl encodes the data correctly when there
|
|
are special characters ('+' is particularly tricky).
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Take the encrypted value and add the <code>{cipher}</code> prefix before you put
|
|
it in the YAML or properties file, and before you commit and push it
|
|
to a remote, potentially insecure store.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The <code>/encrypt</code> and <code>/decrypt</code> endpoints also both accept paths of the
|
|
form <code>/*/{name}/{profiles}</code> which can be used to control cryptography
|
|
per application (name) and profile when clients call into the main
|
|
Environment resource.</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
to control the cryptography in this granular way you must also
|
|
provide a <code>@Bean</code> of type <code>TextEncryptorLocator</code> that creates a
|
|
different encryptor per name and profiles. The one that is provided
|
|
by default does not do this (so all encryptions use the same key).
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The <code>spring</code> command line client (with Spring Cloud CLI extensions
|
|
installed) can also be used to encrypt and decrypt, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ spring encrypt mysecret --key foo
|
|
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
|
|
$ spring decrypt --key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
|
|
mysecret</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To use a key in a file (e.g. an RSA public key for encryption) prepend
|
|
the key value with "@" and provide the file path, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ spring encrypt mysecret --key @${HOME}/.ssh/id_rsa.pub
|
|
AQAjPgt3eFZQXwt8tsHAVv/QHiY5sI2dRcR+...</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The key argument is mandatory (despite having a <code>--</code> prefix).</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_key_management">Key Management</h3>
|
|
<div class="paragraph">
|
|
<p>The Config Server can use a symmetric (shared) key or an asymmetric
|
|
one (RSA key pair). The asymmetric choice is superior in terms of
|
|
security, but it is often more convenient to use a symmetric key since
|
|
it is just a single property value to configure.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To configure a symmetric key you just need to set <code>encrypt.key</code> to a
|
|
secret String (or use an enviroment variable <code>ENCRYPT_KEY</code> to keep it
|
|
out of plain text configuration files).</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To configure an asymmetric key you can either set the key as a
|
|
PEM-encoded text value (in <code>encrypt.key</code>), or via a keystore (e.g. as
|
|
created by the <code>keytool</code> utility that comes with the JDK). The
|
|
keystore properties are <code>encrypt.keyStore.*</code> with <code>*</code> equal to</p>
|
|
</div>
|
|
<div class="ulist">
|
|
<ul>
|
|
<li>
|
|
<p><code>location</code> (a <code>Resource</code> location),</p>
|
|
</li>
|
|
<li>
|
|
<p><code>password</code> (to unlock the keystore) and</p>
|
|
</li>
|
|
<li>
|
|
<p><code>alias</code> (to identify which key in the store is to be
|
|
used).</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The encryption is done with the public key, and a private key is
|
|
needed for decryption. Thus in principle you can configure only the
|
|
public key in the server if you only want to do encryption (and are
|
|
prepared to decrypt the values yourself locally with the private
|
|
key). In practice you might not want to do that because it spreads the
|
|
key management process around all the clients, instead of
|
|
concentrating it in the server. On the other hand it’s a useful option
|
|
if your config server really is relatively insecure and only a
|
|
handful of clients need the encrypted properties.</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_creating_a_key_store_for_testing">Creating a Key Store for Testing</h3>
|
|
<div class="paragraph">
|
|
<p>To create a keystore for testing you can do something like this:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>$ keytool -genkeypair -alias mytestkey -keyalg RSA \
|
|
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
|
|
-keypass changeme -keystore server.jks -storepass letmein</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Put the <code>server.jks</code> file in the classpath (for instance) and then in
|
|
your <code>application.yml</code> for the Config Server:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">encrypt:
|
|
keyStore:
|
|
location: classpath:/server.jks
|
|
password: letmein
|
|
alias: mytestkey
|
|
secret: changeme</code></pre>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_using_multiple_keys_and_key_rotation">Using Multiple Keys and Key Rotation</h3>
|
|
<div class="paragraph">
|
|
<p>In addition to the <code>{cipher}</code> prefix in encrypted property values, the
|
|
Config Server looks for <code>{name:value}</code> prefixes (zero or many) before
|
|
the start of the (Base64 encoded) cipher text. The keys are passed to
|
|
a <code>TextEncryptorLocator</code> which can do whatever logic it needs to
|
|
locate a <code>TextEncryptor</code> for the cipher. If you have configured a
|
|
keystore (<code>encrypt.keystore.location</code>) the default locator will look
|
|
for keys in the store with aliases as supplied by the "key" prefix,
|
|
i.e. with a cipher text like this:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">foo:
|
|
bar: `{cipher}{key:testkey}...`</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>the locator will look for a key named "testkey". A secret can also be
|
|
supplied via a <code>{secret:…​}</code> value in the prefix, but if it is not
|
|
the default is to use the keystore password (which is what you get
|
|
when you build a keytore and don’t specify a secret). If you <strong>do</strong>
|
|
supply a secret it is recommended that you also encrypt the secrets
|
|
using a custom <code>SecretLocator</code>.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>Key rotation is hardly ever necessary on cryptographic grounds if the
|
|
keys are only being used to encrypt a few bytes of configuration data
|
|
(i.e. they are not being used elsewhere), but occasionally you might
|
|
need to change the keys if there is a security breach for instance. In
|
|
that case all the clients would need to change their source config
|
|
files (e.g. in git) and use a new <code>{key:…​}</code> prefix in all the
|
|
ciphers, checking beforehand of course that the key alias is available
|
|
in the Config Server keystore.</p>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
the <code>{name:value}</code> prefixes can also be added to plaintext posted
|
|
to the <code>/encrypt</code> endpoint, if you want to let the Config Server
|
|
handle all encryption as well as decryption.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_serving_encrypted_properties">Serving Encrypted Properties</h3>
|
|
<div class="paragraph">
|
|
<p>Sometimes you want the clients to decrypt the configuration locally,
|
|
instead of doing it in the server. In that case you can still have
|
|
/encrypt and /decrypt endpoints (if you provide the <code>encrypt.*</code>
|
|
configuration to locate a key), but you need to explicitly switch off
|
|
the decryption of outgoing properties using
|
|
<code>spring.cloud.config.server.encrypt.enabled=false</code>. If you don’t care
|
|
about the endpoints, then it should work if you configure neither the
|
|
key nor the enabled flag.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_serving_alternative_formats">Serving Alternative Formats</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>The default JSON format from the environment endpoints is perfect for
|
|
consumption by Spring applications because it maps directly onto the
|
|
<code>Environment</code> abstraction. If you prefer you can consume the same data
|
|
as YAML or Java properties by adding a suffix to the resource path
|
|
(".yml", ".yaml" or ".properties"). This can be useful for consumption
|
|
by applications that do not care about the structure of the JSON
|
|
endpoints, or the extra metadata they provide, for example an
|
|
application that is not using Spring might benefit from the simplicity
|
|
of this approach.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The YAML and properties representations have an additional flag
|
|
(provided as a boolean query parameter <code>resolvePlaceholders</code>) to
|
|
signal that placeholders in the source documents, in the standard
|
|
Spring <code>${…​}</code> form, should be resolved in the output where possible
|
|
before rendering. This is a useful feature for consumers that don’t
|
|
know about the Spring placeholder conventions.</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
there are limitations in using the YAML or properties formats,
|
|
mainly in relation to the loss of metadata. The JSON is structured as
|
|
an ordered list of property sources, for example, with names that
|
|
correlate with the source. The YAML and properties forms are coalesced
|
|
into a single map, even if the origin of the values has multiple
|
|
sources, and the names of the original source files are lost. The YAML
|
|
representation is not necessarily a faithful representation of the
|
|
YAML source in a backing repository either: it is constructed from a
|
|
list of flat property sources, and assumptions have to be made about
|
|
the form of the keys.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_serving_plain_text">Serving Plain Text</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>Instead of using the <code>Environment</code> abstraction (or one of the
|
|
alternative representations of it in YAML or properties format) your
|
|
applications might need generic plain text configuration files,
|
|
tailored to their environment. The Config Server provides these
|
|
through an additional endpoint at <code>/{name}/{profile}/{label}/{path}</code>
|
|
where "name", "profile" and "label" have the same meaning as the
|
|
regular environment endpoint, but "path" is a file name
|
|
(e.g. <code>log.xml</code>). The source files for this endpoint are located in
|
|
the same way as for the environment endpoints: the same search path is
|
|
used as for properties or YAML files, but instead of aggregating all
|
|
matching resources, only the first one to match is returned.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>After a resource is located, placeholders in the normal format
|
|
(<code>${…​}</code>) are resolved using the effective <code>Environment</code> for the
|
|
application name, profile and label supplied. In this way the resource
|
|
endpoint is tightly integrated with the environment
|
|
endpoints. Example, if you have this layout for a GIT (or SVN)
|
|
repository:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>application.yml
|
|
nginx.conf</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>where <code>nginx.conf</code> looks like this:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>server {
|
|
listen 80;
|
|
server_name ${nginx.server.name};
|
|
}</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>and <code>application.yml</code> like this:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">nginx:
|
|
server:
|
|
name: example.com
|
|
---
|
|
spring:
|
|
profiles: development
|
|
nginx:
|
|
server:
|
|
name: develop.com</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>then the <code>/foo/default/master/nginx.conf</code> resource looks like this:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>server {
|
|
listen 80;
|
|
server_name example.com;
|
|
}</pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>and <code>/foo/development/master/nginx.conf</code> like this:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre>server {
|
|
listen 80;
|
|
server_name develop.com;
|
|
}</pre>
|
|
</div>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
just like the source files for environment configuration, the
|
|
"profile" is used to resolve the file name, so if you want a
|
|
profile-specific file then <code>/*/development/*/logback.xml</code> will be
|
|
resolved by a file called <code>logback-development.xml</code> (in preference
|
|
to <code>logback.xml</code>).
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_embedding_the_config_server">Embedding the Config Server</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>The Config Server runs best as a standalone application, but if you
|
|
need to you can embed it in another application. Just use the
|
|
<code>@EnableConfigServer</code> annotation. An optional property that can be
|
|
useful in this case is <code>spring.cloud.config.server.bootstrap</code> which is
|
|
a flag to indicate that the server should configure itself from its
|
|
own remote repository. The flag is off by default because it can delay
|
|
startup, but when embedded in another application it makes sense to
|
|
initialize the same way as any other application.</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
It should be obvious, but remember that if you use the bootstrap
|
|
flag the config server will need to have its name and repository URI
|
|
configured in <code>bootstrap.yml</code>.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>To change the location of the server endpoints you can (optionally)
|
|
set <code>spring.cloud.config.server.prefix</code>, e.g. "/config", to serve the
|
|
resources under a prefix. The prefix should start but not end with a
|
|
"/". It is applied to the <code>@RequestMappings</code> in the Config Server
|
|
(i.e. underneath the Spring Boot prefixes <code>server.servletPath</code> and
|
|
<code>server.contextPath</code>).</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you want to read the configuration for an application directly from
|
|
the backend repository (instead of from the config server) that’s
|
|
basically an embedded config server with no endpoints. You can switch
|
|
off the endpoints entirely if you don’t use the <code>@EnableConfigServer</code>
|
|
annotation (just set <code>spring.cloud.config.server.bootstrap=true</code>).</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_push_notifications_and_spring_cloud_bus">Push Notifications and Spring Cloud Bus</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>Many source code repository providers (like Github, Gitlab or Bitbucket
|
|
for instance) will notify you of changes in a repository through a
|
|
webhook. You can configure the webhook via the provider’s user
|
|
interface as a URL and a set of events in which you are
|
|
interested. For instance
|
|
<a href="https://developer.github.com/v3/activity/events/types/#pushevent">Github</a>
|
|
will POST to the webhook with a JSON body containing a list of
|
|
commits, and a header "X-Github-Event" equal to "push". If you add a
|
|
dependency on the <code>spring-cloud-config-monitor</code> library and activate
|
|
the Spring Cloud Bus in your Config Server, then a "/monitor" endpoint
|
|
is enabled.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>When the webhook is activated the Config Server will send a
|
|
<code>RefreshRemoteApplicationEvent</code> targeted at the applications it thinks
|
|
might have changed. The change detection can be strategized, but by
|
|
default it just looks for changes in files that match the application
|
|
name (e.g. "foo.properties" is targeted at the "foo" application, and
|
|
"application.properties" is targeted at all applications). The strategy
|
|
if you want to override the behaviour is <code>PropertyPathNotificationExtractor</code>
|
|
which accepts the request headers and body as parameters and returns a list
|
|
of file paths that changed.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The default configuration works out of the box with Github, Gitlab or
|
|
Bitbucket. In addition to the JSON notifications from Github, Gitlab
|
|
or Bitbucket you can trigger a change notification by POSTing to
|
|
"/monitor" with a form-encoded body parameters <code>path={name}</code>. This will
|
|
broadcast to applications matching the "{name}" pattern (can contain
|
|
wildcards).</p>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
the <code>RefreshRemoteApplicationEvent</code> will only be transmitted if
|
|
the <code>spring-cloud-bus</code> is activated in the Config Server and in the
|
|
client application.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
<div class="admonitionblock note">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Note</div>
|
|
</td>
|
|
<td class="content">
|
|
the default configuration also detects filesystem changes in
|
|
local git repositories (the webhook is not used in that case but as
|
|
soon as you edit a config file a refresh will be broadcast).
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect1">
|
|
<h2 id="_spring_cloud_config_client">Spring Cloud Config Client</h2>
|
|
<div class="sectionbody">
|
|
<div class="paragraph">
|
|
<p>A Spring Boot application can take immediate advantage of the Spring
|
|
Config Server (or other external property sources provided by the
|
|
application developer), and it will also pick up some additional
|
|
useful features related to <code>Environment</code> change events.</p>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="config-first-bootstrap">Config First Bootstrap</h3>
|
|
<div class="paragraph">
|
|
<p>This is the default behaviour for any application which has the Spring
|
|
Cloud Config Client on the classpath. When a config client starts up
|
|
it binds to the Config Server (via the bootstrap configuration
|
|
property <code>spring.cloud.config.uri</code>) and initializes Spring
|
|
<code>Environment</code> with remote property sources.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The net result of this is that all client apps that want to consume
|
|
the Config Server need a <code>bootstrap.yml</code> (or an environment variable)
|
|
with the server address in <code>spring.cloud.config.uri</code> (defaults to
|
|
"http://localhost:8888").</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="discovery-first-bootstrap">Discovery First Bootstrap</h3>
|
|
<div class="paragraph">
|
|
<p>If you are using a `DiscoveryClient implementation, such as Spring Cloud Netflix
|
|
and Eureka Service Discovery or Spring Cloud Consul (Spring Cloud Zookeeper does
|
|
not support this yet), then you can have the Config Server register with the
|
|
Discovery Service if you want to, but in the default "Config First" mode,
|
|
clients won’t be able to take advantage of the registration.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you prefer to use <code>DiscoveryClient</code> to locate the Config Server, you can do
|
|
that by setting <code>spring.cloud.config.discovery.enabled=true</code> (default
|
|
"false"). The net result of that is that client apps all need a
|
|
<code>bootstrap.yml</code> (or an environment variable) with the appropriate discovery
|
|
configuration. For example, with Spring Cloud Netflix, you need to define the
|
|
Eureka server address, e.g. in <code>eureka.client.serviceUrl.defaultZone</code>. The
|
|
price for using this option is an extra network round trip on start up to
|
|
locate the service registration. The benefit is that the Config Server
|
|
can change its co-ordinates, as long as the Discovery Service is a fixed point. The
|
|
default service id is "configserver" but you can change that on the
|
|
client with <code>spring.cloud.config.discovery.serviceId</code> (and on the server
|
|
in the usual way for a service, e.g. by setting <code>spring.application.name</code>).</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The discovery client implementations all support some kind of metadata
|
|
map (e.g. for Eureka we have <code>eureka.instance.metadataMap</code>). Some
|
|
additional properties of the Config Server may need to be configured
|
|
in its service registration metadata so that clients can connect
|
|
correctly. If the Config Server is secured with HTTP Basic you can
|
|
configure the credentials as "username" and "password". And if the
|
|
Config Server has a context path you can set "configPath". Example,
|
|
for a Config Server that is a Eureka client:</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">bootstrap.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">eureka:
|
|
instance:
|
|
...
|
|
metadataMap:
|
|
user: osufhalskjrtl
|
|
password: lviuhlszvaorhvlo5847
|
|
configPath: /config</code></pre>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="config-client-fail-fast">Config Client Fail Fast</h3>
|
|
<div class="paragraph">
|
|
<p>In some cases, it may be desirable to fail startup of a service if
|
|
it cannot connect to the Config Server. If this is the desired
|
|
behavior, set the bootstrap configuration property
|
|
<code>spring.cloud.config.failFast=true</code> and the client will halt with
|
|
an Exception.</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="config-client-retry">Config Client Retry</h3>
|
|
<div class="paragraph">
|
|
<p>If you expect that the config server may occasionally be unavailable when
|
|
your app starts, you can ask it to keep trying after a failure. First you need
|
|
to set <code>spring.cloud.config.failFast=true</code>, and then you need to add
|
|
<code>spring-retry</code> and <code>spring-boot-starter-aop</code> to your classpath. The default
|
|
behaviour is to retry 6 times with an initial backoff interval of 1000ms and an
|
|
exponential multiplier of 1.1 for subsequent backoffs. You can configure these
|
|
properties (and others) using <code>spring.cloud.config.retry.*</code> configuration properties.</p>
|
|
</div>
|
|
<div class="admonitionblock tip">
|
|
<table>
|
|
<tr>
|
|
<td class="icon">
|
|
<div class="title">Tip</div>
|
|
</td>
|
|
<td class="content">
|
|
To take full control of the retry add a <code>@Bean</code> of type
|
|
<code>RetryOperationsInterceptor</code> with id "configServerRetryInterceptor". Spring
|
|
Retry has a <code>RetryInterceptorBuilder</code> that makes it easy to create one.
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_locating_remote_configuration_resources">Locating Remote Configuration Resources</h3>
|
|
<div class="paragraph">
|
|
<p>The Config Service serves property sources from <code>/{name}/{profile}/{label}</code>, where the default bindings in the client app are</p>
|
|
</div>
|
|
<div class="ulist">
|
|
<ul>
|
|
<li>
|
|
<p>"name" = <code>${spring.application.name}</code></p>
|
|
</li>
|
|
<li>
|
|
<p>"profile" = <code>${spring.profiles.active}</code> (actually <code>Environment.getActiveProfiles()</code>)</p>
|
|
</li>
|
|
<li>
|
|
<p>"label" = "master"</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>All of them can be overridden by setting <code>spring.cloud.config.*</code>
|
|
(where <code>*</code> is "name", "profile" or "label"). The "label" is useful for
|
|
rolling back to previous versions of configuration; with the default
|
|
Config Server implementation it can be a git label, branch name or
|
|
commit id. Label can also be provided as a comma-separated list, in
|
|
which case the items in the list are tried on-by-one until one succeeds.
|
|
This can be useful when working on a feature branch, for instance,
|
|
when you might want to align the config label with your branch, but
|
|
make it optional (e.g. <code>spring.cloud.config.label=myfeature,develop</code>).</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_security_2">Security</h3>
|
|
<div class="paragraph">
|
|
<p>If you use HTTP Basic security on the server then clients just need to
|
|
know the password (and username if it isn’t the default). You can do
|
|
that via the config server URI, or via separate username and password
|
|
properties, e.g.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">bootstrap.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
uri: https://user:secret@myconfig.mycompany.com</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>or</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">bootstrap.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
uri: https://myconfig.mycompany.com
|
|
username: user
|
|
password: secret</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The <code>spring.cloud.config.password</code> and <code>spring.cloud.config.username</code>
|
|
values override anything that is provided in the URI.</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you deploy your apps on Cloud Foundry then the best way to provide
|
|
the password is through service credentials, e.g. in the URI, since
|
|
then it doesn’t even need to be in a config file. An example which
|
|
works locally and for a user-provided service on Cloud Foundry named
|
|
"configserver":</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">bootstrap.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
uri: ${vcap.services.configserver.credentials.uri:http://user:password@localhost:8888}</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>If you use another form of security you might need to <a href="#custom-rest-template">provide a
|
|
<code>RestTemplate</code></a> to the <code>ConfigServicePropertySourceLocator</code> (e.g. by
|
|
grabbing it in the bootstrap context and injecting one).</p>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_health_indicator_2">Health Indicator</h4>
|
|
<div class="paragraph">
|
|
<p>The Config Client supplies a Spring Boot Health Indicator that attempts to load configuration from Config Server. The health indicator can be disabled by setting <code>health.config.enabled=false</code>. The response is also cached for performance reasons. The default cache time to live is 5 minutes. To change that value set the <code>health.config.time-to-live</code> property (in milliseconds).</p>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="custom-rest-template">Providing A Custom RestTemplate</h4>
|
|
<div class="paragraph">
|
|
<p>In some cases you might need to customize the requests made to the config server from
|
|
the client. Typically this involves passing special <code>Authorization</code> headers to
|
|
authenticate requests to the server. To provide a custom <code>RestTemplate</code> follow the
|
|
steps below.</p>
|
|
</div>
|
|
<div class="olist arabic">
|
|
<ol class="arabic">
|
|
<li>
|
|
<p>Create a new configuration bean with an implementation of <code>PropertySourceLocator</code>.</p>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">CustomConfigServiceBootstrapConfiguration.java</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-java" data-lang="java">@Configuration
|
|
public class CustomConfigServiceBootstrapConfiguration {
|
|
@Bean
|
|
public ConfigServicePropertySourceLocator configServicePropertySourceLocator() {
|
|
ConfigClientProperties clientProperties = configClientProperties();
|
|
ConfigServicePropertySourceLocator configServicePropertySourceLocator = new ConfigServicePropertySourceLocator(clientProperties);
|
|
configServicePropertySourceLocator.setRestTemplate(customRestTemplate(clientProperties));
|
|
return configServicePropertySourceLocator;
|
|
}
|
|
}</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="olist arabic">
|
|
<ol class="arabic">
|
|
<li>
|
|
<p>In <code>resources/META-INF</code> create a file called
|
|
<code>spring.factories</code> and specify your custom configuration.</p>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">spring.factories</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-properties" data-lang="properties">org.springframework.cloud.bootstrap.BootstrapConfiguration = com.my.config.client.CustomConfigServiceBootstrapConfiguration</code></pre>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect3">
|
|
<h4 id="_vault">Vault</h4>
|
|
<div class="paragraph">
|
|
<p>When using Vault as a backend to your config server the client will need to
|
|
supply a token for the server to retrieve values from Vault. This token
|
|
can be provided within the client by setting <code>spring.cloud.config.token</code>
|
|
in <code>bootstrap.yml</code>.</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="title">bootstrap.yml</div>
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-yaml" data-lang="yaml">spring:
|
|
cloud:
|
|
config:
|
|
token: YourVaultToken</code></pre>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="sect2">
|
|
<h3 id="_vault_2">Vault</h3>
|
|
<div class="sect3">
|
|
<h4 id="_nested_keys_in_vault">Nested Keys In Vault</h4>
|
|
<div class="paragraph">
|
|
<p>Vault supports the ability to nest keys in a value stored in Vault. For example</p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p><code>echo -n '{"appA": {"secret": "appAsecret"}, "bar": "baz"}' | vault write secret/myapp -</code></p>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>This command will write a JSON object to your Vault. To access these values in Spring
|
|
you would use the traditional dot(.) annotation. For example</p>
|
|
</div>
|
|
<div class="listingblock">
|
|
<div class="content">
|
|
<pre class="prettyprint highlight"><code class="language-java" data-lang="java">@Value("${appA.secret}")
|
|
String name = "World";</code></pre>
|
|
</div>
|
|
</div>
|
|
<div class="paragraph">
|
|
<p>The above code would set the <code>name</code> variable to <code>appAsecret</code>.</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prettify/r298/prettify.min.css">
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/prettify/r298/prettify.min.js"></script>
|
|
<script>prettyPrint()</script>
|
|
</body>
|
|
</html> |