Kubernetes provides a resource named ConfigMap to externalize theparameters to pass to your application in the form of key-value pairs or embedded application.properties or application.yaml files.The Spring Cloud Kubernetes Config project makes Kubernetes ConfigMap instances availableduring application bootstrapping and triggers hot reloading of beans or Spring context when changes are detected onobserved ConfigMap instances.

The default behavior is to create a Fabric8ConfigMapPropertySource based on a Kubernetes ConfigMap that has a metadata.name value of either the name ofyour Spring application (as defined by its spring.application.name property) or a custom name defined within thebootstrap.properties file under the following key: spring.cloud.kubernetes.config.name.

However, more advanced configuration is possible where you can use multiple ConfigMap instances.The spring.cloud.kubernetes.config.sources list makes this possible.For example, you could define the following ConfigMap instances:

In the preceding example, if spring.cloud.kubernetes.config.namespace had not been set,the ConfigMap named c1 would be looked up in the namespace that the application runs.See Namespace resolution to get a better understanding of how the namespaceof the application is resolved.

Any matching ConfigMap that is found is processed as follows:

• Apply individual configuration properties.

• Apply as yaml the content of any property named application.yaml.

• Apply as a properties file the content of any property named application.properties.

The single exception to the aforementioned flow is when the ConfigMap contains a single key that indicatesthe file is a YAML or properties file. In that case, the name of the key does NOT have to be application.yaml orapplication.properties (it can be anything) and the value of the property is treated correctly.This features facilitates the use case where the ConfigMap was created by using something like the following:

Assume that we have a Spring Boot application named demo that uses the following properties to read its thread poolconfiguration.

• pool.size.core

• pool.size.maximum

This can be externalized to config map in yaml format as follows:

Individual properties work fine for most cases. However, sometimes, embedded yaml is more convenient. In this case, weuse a single property named application.yaml to embed our yaml, as follows:

The following example also works:

You can also configure Spring Boot applications differently depending on active profiles that are merged togetherwhen the ConfigMap is read. You can provide different property values for different profiles by using anapplication.properties or application.yaml property, specifying profile-specific values, each in their own document(indicated by the --- sequence), as follows:

In the preceding case, the configuration loaded into your Spring Application with the development profile is as follows:

However, if the production profile is active, the configuration becomes:

If both profiles are active, the property that appears last within the ConfigMap overwrites any preceding values.

Another option is to create a different config map per profile and spring boot will automatically fetch it basedon active profiles

To tell Spring Boot which profile should be enabled at bootstrap, you can pass SPRING_PROFILES_ACTIVE environment variable. To do so, you can launch your Spring Boot application with an environment variable that you can define it in the PodSpec at the container specification. Deployment resource file, as follows:

You could run into a situation where there are multiple configs maps that have the same property names. For example:

and

Depending on the order in which you place these in bootstrap.yaml|properties, you might end up with an un-expected result (the last config map wins). For example:

will result in property greetings.message being Say Hello from one.

There is a way to change this default configuration by specifying useNameAsPrefix. For example:

Such a configuration will result in two properties being generated:

• greetings.message equal to Say Hello from one.

• config-map-two.greetings.message equal to Say Hello from two

Notice that spring.cloud.kubernetes.config.useNameAsPrefix has a lower priority than spring.cloud.kubernetes.config.sources.useNameAsPrefix.This allows you to set a "default" strategy for all sources, at the same time allowing to override only a few.

If using the config map name is not an option, you can specify a different strategy, called : explicitPrefix. Since this is an explicit prefix thatyou select, it can only be supplied to the sources level. At the same time it has a higher priority than useNameASPrefix. Let’s suppose we have a third config map with these entries:

A configuration like the one below:

will result in three properties being generated:

• greetings.message equal to Say Hello from one.

• two.greetings.message equal to Say Hello from two.

• config-map-three.greetings.message equal to Say Hello from three.

Another option for using ConfigMap instances is to mount them into the Pod by running the Spring Cloud Kubernetes applicationand having Spring Cloud Kubernetes read them from the file system.This behavior is controlled by the spring.cloud.kubernetes.config.paths property. You can use it inaddition to or instead of the mechanism described earlier.You can specify multiple (exact) file paths in spring.cloud.kubernetes.config.paths by using the , delimiter.

Kubernetes has the notion of Secrets for storingsensitive data such as passwords, OAuth tokens, and so on. This project provides integration with Secrets to make secretsaccessible by Spring Boot applications. You can explicitly enable or disable This feature by setting the spring.cloud.kubernetes.secrets.enabled property.

When enabled, the Fabric8SecretsPropertySource looks up Kubernetes for Secrets from the following sources:

1. Reading recursively from secrets mounts

2. Named after the application (as defined by spring.application.name)

3. Matching some labels

Note:

By default, consuming Secrets through the API (points 2 and 3 above) is not enabled for security reasons. The permission 'list' on secrets allows clients to inspect secrets values in the specified namespace.Further, we recommend that containers share secrets through mounted volumes.

If you enable consuming Secrets through the API, we recommend that you limit access to Secrets by using an authorization policy, such as RBAC.For more information about risks and best practices when consuming Secrets through the API refer to this doc.

If the secrets are found, their data is made available to the application.

Assume that we have a spring boot application named demo that uses properties to read its databaseconfiguration. We can create a Kubernetes secret by using the following command:

The preceding command would create the following secret (which you can see by using kubectl get secrets db-secret -o yaml):

Note that the data contains Base64-encoded versions of the literal provided by the create command.

Your application can then use this secret — for example, by exporting the secret’s value as environment variables:

You can select the Secrets to consume in a number of ways:

1. By listing the directories where secrets are mapped:

   -Dspring.cloud.kubernetes.secrets.paths=/etc/secrets/db-secret,etc/secrets/postgresql

   If you have all the secrets mapped to a common root, you can set them like:

   -Dspring.cloud.kubernetes.secrets.paths=/etc/secrets

2. By setting a named secret:

   -Dspring.cloud.kubernetes.secrets.name=db-secret

3. By defining a list of labels:

   -Dspring.cloud.kubernetes.secrets.labels.broker=activemq
   -Dspring.cloud.kubernetes.secrets.labels.db=postgresql

As the case with ConfigMap, more advanced configuration is also possible where you can use multiple Secretinstances. The spring.cloud.kubernetes.secrets.sources list makes this possible.For example, you could define the following Secret instances:

In the preceding example, if spring.cloud.kubernetes.secrets.namespace had not been set,the Secret named s1 would be looked up in the namespace that the application runs.See namespace-resolution to get a better understanding of how the namespaceof the application is resolved.

Notes:

• The spring.cloud.kubernetes.secrets.labels property behaves as defined byMap-based binding.

• The spring.cloud.kubernetes.secrets.paths property behaves as defined byCollection-based binding.

• Access to secrets through the API may be restricted for security reasons. The preferred way is to mount secrets to the Pod.

You can find an example of an application that uses secrets (though it has not been updated to use the new spring-cloud-kubernetes project) atspring-boot-camel-config

Finding an application namespace happens on a best-effort basis. There are some steps that we iterate in orderto find it. The easiest and most common one, is to specify it in the proper configuration, for example:

Remember that the same can be done for config maps. If such a namespace is not specified, it will be read (in this order):

1. from property spring.cloud.kubernetes.client.namespace

2. from a String residing in a file denoted by spring.cloud.kubernetes.client.serviceAccountNamespacePath property

3. from a String residing in /var/run/secrets/kubernetes.io/serviceaccount/namespace file(kubernetes default namespace path)

4. from a designated client method call (for example fabric8’s : KubernetesClient::getNamespace), if the client providessuch a method.

Failure to find a namespace from the above steps will result in an Exception being raised.

Some applications may need to detect changes on external property sources and update their internal status to reflect the new configuration.The reload feature of Spring Cloud Kubernetes is able to trigger an application reload when a related ConfigMap orSecret changes.

By default, this feature is disabled. You can enable it by using the spring.cloud.kubernetes.reload.enabled=true configuration property (for example, in the application.properties file).

The following levels of reload are supported (by setting the spring.cloud.kubernetes.reload.strategy property):

• refresh (default): Only configuration beans annotated with @ConfigurationProperties or @RefreshScope are reloaded.This reload level leverages the refresh feature of Spring Cloud Context.

• restart_context: the whole Spring ApplicationContext is gracefully restarted. Beans are recreated with the new configuration.In order for the restart context functionality to work properly you must enable and expose the restart actuator endpoint

• shutdown: the Spring ApplicationContext is shut down to activate a restart of the container. When you use this level, make sure that the lifecycle of all non-daemon threads is bound to the ApplicationContextand that a replication controller or replica set is configured to restart the pod.

Assuming that the reload feature is enabled with default settings (refresh mode), the following bean is refreshed when the config map changes:

To see that changes effectively happen, you can create another bean that prints the message periodically, as follows

You can change the message printed by the application by using a ConfigMap, as follows:

Any change to the property named bean.message in the ConfigMap associated with the pod is reflected in theoutput. More generally speaking, changes associated to properties prefixed with the value defined by the prefixfield of the @ConfigurationProperties annotation are detected and reflected in the application.Associating a ConfigMap with a pod is explained earlier in this chapter.

The full example is available in spring-cloud-kubernetes-reload-example.

The reload feature supports two operating modes:* Event (default): Watches for changes in config maps or secrets by using the Kubernetes API (web socket).Any event produces a re-check on the configuration and, in case of changes, a reload.The view role on the service account is required in order to listen for config map changes. A higher level role (such as edit) is required for secrets(by default, secrets are not monitored).* Polling: Periodically re-creates the configuration from config maps and secrets to see if it has changed.You can configure the polling period by using the spring.cloud.kubernetes.reload.period property and defaults to 15 seconds.It requires the same role as the monitored property source.This means, for example, that using polling on file-mounted secret sources does not require particular privileges.

Notes:* You should not use properties under spring.cloud.kubernetes.reload in config maps or secrets. Changing such properties at runtime may lead to unexpected results.* Deleting a property or the whole config map does not restore the original state of the beans when you use the refresh level.

When the application runs as a pod inside Kubernetes, a Spring profile named kubernetes automatically gets activated.This lets you customize the configuration, to define beans that are applied when the Spring Boot application is deployedwithin the Kubernetes platform (for example, different development and production configuration).

When you include the spring-cloud-kubernetes-fabric8-istio module in the application classpath, a new profile is added to the application,provided the application is running inside a Kubernetes Cluster with Istio installed. You can then usespring @Profile("istio") annotations in your Beans and @Configuration classes.

The Istio awareness module uses me.snowdrop:istio-client to interact with Istio APIs, letting us discover traffic rules, circuit breakers, and so on,making it easy for our Spring Boot applications to consume this data to dynamically configure themselves according to the environment.

Most of the components provided in this project need to know the namespace. For Kubernetes (1.3+), the namespace is made available to the pod as part of the service account secret and is automatically detected by the client.For earlier versions, it needs to be specified as an environment variable to the pod. A quick way to do this is as follows:

For distributions of Kubernetes that support more fine-grained role-based access within the cluster, you need to make sure a pod that runs with spring-cloud-kubernetes has access to the Kubernetes API.For any service accounts you assign to a deployment or pod, you need to make sure they have the correct roles.

Depending on the requirements, you’ll need get, list and watch permission on the following resources:

For development purposes, you can add cluster-reader permissions to your default service account. On a production system you’ll likely want to provide more granular permissions.

The following Role and RoleBinding are an example for namespaced permissions for the default account:

Below is a sample deployment YAML you can use to deploy the Kubernetes Configuration Watcher to Kubernetes.

The Service Account and associated Role Binding is important for Spring Cloud Kubernetes Configuration to work properly.The controller needs access to read data about ConfigMaps, Pods, Services, Endpoints and Secrets in the Kubernetes cluster.

Spring Cloud Kubernetes Configuration Watcher will react to changes in ConfigMaps with a label of spring.cloud.kubernetes.config with the value trueor any Secret with a label of spring.cloud.kubernetes.secret with the value true. If the ConfigMap or Secret does not have either of those labelsor the values of those labels is not true then any changes will be ignored.

The labels Spring Cloud Kubernetes Configuration Watcher looks for on ConfigMaps and Secrets can be changed by settingspring.cloud.kubernetes.configuration.watcher.configLabel and spring.cloud.kubernetes.configuration.watcher.secretLabel respectively.

If a change is made to a ConfigMap or Secret with valid labels then Spring Cloud Kubernetes Configuration Watcher will take the name of the ConfigMap or Secretand send a notification to the application with that name.

The HTTP implementation is what is used by default. When this implementation is used Spring Cloud Kubernetes Configuration Watcher and achange to a ConfigMap or Secret occurs then the HTTP implementation will use the Spring Cloud Kubernetes Discovery Client to fetch allinstances of the application which match the name of the ConfigMap or Secret and send an HTTP POST request to the application’s actuator/refresh endpoint. By default it will send the post request to /actuator/refresh using the port registered in the discovery client.

13.3.1. Non-Default Management Port and Actuator Path

apiVersion: v1
kind: Service
metadata:
  labels:
    app: config-map-demo
  name: config-map-demo
  annotations:
    boot.spring.io/actuator: http://:9090/myactuator/home
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    app: config-map-demo

The messaging implementation can be enabled by setting profile to either bus-amqp (RabbitMQ) or bus-kafka (Kafka) when the Spring Cloud Kubernetes Configuration Watcherapplication is deployed to Kubernetes.

When the bus-amqp profile is enabled you will need to configure Spring RabbitMQ to point it to the location of the RabbitMQinstance you would like to use as well as any credentials necessary to authenticate. This can be doneby setting the standard Spring RabbitMQ properties, for example

When the bus-kafka profile is enabled you will need to configure Spring Kafka to point it to the location of the Kafka Brokerinstance you would like to use. This can be done by setting the standard Spring Kafka properties, for example

To build the source you will need to install JDK 1.8.

Spring Cloud uses Maven for most build-related activities, and youshould be able to get off the ground quite quickly by cloning theproject you are interested in and typing

The projects that require middleware (i.e. Redis) for testing generallyrequire that a local instance of [Docker](www.docker.com/get-started) is installed and running.

The spring-cloud-build module has a "docs" profile, and if you switchthat on it will try to build asciidoc sources fromsrc/main/asciidoc. As part of that process it will look for aREADME.adoc and process it by loading all the includes, but notparsing or rendering it, just copying it to ${main.basedir}(defaults to ${basedir}, i.e. the root of the project). If there areany changes in the README it will then show up after a Maven build asa modified file in the correct place. Just commit it and push the change.

If you don’t have an IDE preference we would recommend that you useSpring Tools Suite orEclipse when working with the code. We use them2eclipse eclipse plugin for maven support. Other IDEs and toolsshould also work without issue as long as they use Maven 3.3.3 or better.

17.3.1. Activate the Spring Maven profile

17.3.2. Importing into eclipse with m2eclipse

17.3.3. Importing into eclipse without m2eclipse

$ ./mvnw eclipse:eclipse

Before we accept a non-trivial patch or pull request we will need you to sign theContributor License Agreement.Signing the contributor’s agreement does not grant anyone commit rights to the mainrepository, but it does mean that we can accept your contributions, and you will get anauthor credit if we do. Active contributors might be asked to join the core team, andgiven the ability to merge pull requests.

This project adheres to the Contributor Covenant code ofconduct. By participating, you are expected to uphold this code. Please reportunacceptable behavior to spring-code-of-conduct@pivotal.io.

None of these is essential for a pull request, but they will all help. They can also beadded after the original pull request but before a merge.

• Use the Spring Framework code format conventions. If you use Eclipseyou can import formatter settings using theeclipse-code-formatter.xml file from theSpringCloud Build project. If using IntelliJ, you can use theEclipse Code FormatterPlugin to import the same file.

• Make sure all new .java files to have a simple Javadoc class comment with at least an@author tag identifying you, and preferably at least a paragraph on what the class isfor.

• Add the ASF license header comment to all new .java files (copy from existing filesin the project)

• Add yourself as an @author to the .java files that you modify substantially (morethan cosmetic changes).

• Add some Javadocs and, if you change the namespace, some XSD doc elements.

• A few unit tests would help a lot as well — someone has to do it.

• If no-one else is using your branch, please rebase it against the current master (orother target branch in the main project).

• When writing a commit message please follow these conventions,if you are fixing an existing issue please add Fixes gh-XXXX at the end of the commitmessage (where XXXX is the issue number).

Spring Cloud Build comes with a set of checkstyle rules. You can find them in the spring-cloud-build-tools module. The most notable files under the module are:

1. Default Checkstyle rules

2. File header setup

3. Default suppression rules

18.4.1. Checkstyle configuration

<properties>
<maven-checkstyle-plugin.failsOnError>true</maven-checkstyle-plugin.failsOnError> (1)
        <maven-checkstyle-plugin.failsOnViolation>true
        </maven-checkstyle-plugin.failsOnViolation> (2)
        <maven-checkstyle-plugin.includeTestSourceDirectory>true
        </maven-checkstyle-plugin.includeTestSourceDirectory> (3)
</properties>

<build>
        <plugins>
            <plugin> (4)
                <groupId>io.spring.javaformat</groupId>
                <artifactId>spring-javaformat-maven-plugin</artifactId>
            </plugin>
            <plugin> (5)
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
            </plugin>
        </plugins>

    <reporting>
        <plugins>
            <plugin> (5)
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
            </plugin>
        </plugins>
    </reporting>
</build>

<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
        "-//Puppy Crawl//DTD Suppressions 1.1//EN"
        "https://www.puppycrawl.com/dtds/suppressions_1_1.dtd">
<suppressions>
    <suppress files=".*ConfigServerApplication\.java" checks="HideUtilityClassConstructor"/>
    <suppress files=".*ConfigClientWatch\.java" checks="LineLengthCheck"/>
</suppressions>

$ curl https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/.editorconfig -o .editorconfig
$ touch .springformat

18.5.1. Intellij IDEA

└── src
    ├── checkstyle
    │   └── checkstyle-suppressions.xml (3)
    └── main
        └── resources
            ├── checkstyle-header.txt (2)
            ├── checkstyle.xml (1)
            └── intellij
                ├── Intellij_Project_Defaults.xml (4)
                └── Intellij_Spring_Boot_Java_Conventions.xml (5)

Figure 1. Code style

Figure 2. Inspection profiles