Spring Cloud Services for PCF Documentation...RabbitMQ 1.5.0-1.6.x Product Snapshot Current Spring...
89
Spring Cloud Services for PCF Documentation Version 1.1 Published: 5 Nov 2018 Rev: 01 © 2018 Pivotal Software, Inc.
Transcript of Spring Cloud Services for PCF Documentation...RabbitMQ 1.5.0-1.6.x Product Snapshot Current Spring...
SpringCloudServices
forPCF
Documentation
Version1.1
Published:5Nov2018
Rev:01
©2018PivotalSoftware,Inc.
SpringCloud®ServicesforPivotalCloudFoundry
WhatIsSpringCloudServices?Theriseinpopularityofcloud-nativearchitecturesandtheshifttoimplementingapplicationsasseriesoffocusedmicroservicesdevelopedaroundboundedcontextshasledtothediscoveryandrediscoveryofpatternsusefulindesigningdistributedsystems.Techniquessuchasservicediscovery,centralizedconfigurationaccessedthroughanapplication’sdeploymentenvironment,andgracefuldegradationofbehaviorthroughcircuitbreakersarecommonsolutionsforthisstyleofarchitectureandcanbebuiltintotoolsforapplyingthesetechniquesacrossapplications.
Netflix,apioneerinthemicroservicesspace,hasbuiltmanysuchtools.Eurekaisaserviceregistry,whichregistersallofamicroservice’sinstancesandsupplieseachmicroservicewithinstanceinformationtouseindiscoveringothers.Hystrix,theHystrixDashboard,andTurbineprovidefaulttoleranceusingcircuitbreakersandenablemonitoringofcircuitsacrossmicroservicesandinstances.Thesecomponentshavebeenbattle-testedinaproductionenvironmentfacingsomeofthemostdemandingtrafficrequirementsintheworld,andareavailableasopen-sourcesoftware.
TheSpringCloud familyofprojectsarebasedonSpringBoot andprovidetoolsincludingNetflix’sEurekaandHystrixaslibrarieseasilyconsumablebySpringapplications,followingidiomaticSpringconventions.SpringCloudNetflix makestheuseofEurekaandHystrixassimpleasincludingstartersdependenciesinanapplicationandaddinganannotationtoaconfigurationclass.SpringCloudConfig includesaconfigurationserverandclientlibrarythatenableSpringapplicationstoconsumecentralizedconfigurationasseriesofpropertysources.
SpringCloudServicesforPivotalCloudFoundry (PCF)packagesserver-sidecomponentsofSpringCloudprojects,includingSpringCloudNetflixandSpringCloudConfig,andmakesthemavailableasservicesinthePCFMarketplace.Thisfreesyoufromhavingtoimplementandmaintainyourownmanagedservicesinordertousetheincludedprojects.YoucancreateaConfigServer,ServiceRegistry,orCircuitBreakerDashboardserviceinstanceon-demand,bindtoitandconsumeitsfunctionality,andreturntofocusingonthevalueaddedbyyourownmicroservices.
ServicesSpringCloudServicescurrentlyprovidesthefollowingservices.
ServiceType CurrentVersion
ConfigServer 3
ServiceRegistry 3
CircuitBreakerDashboard 3
SeebelowfortheSpringCloudServicesreleasesthatincludeeachserviceversion.
ServiceVersion TileVersion
1 1.0.0-1.0.3
2 >=1.0.4&<1.1.0
3 1.1.x
DependenciesSpringCloudServicesreliesonthefollowingotherPivotalCloudFoundryproducts.
Service SupportedVersions
MySQL 1.6.1-1.7.x
RabbitMQ 1.5.0-1.6.x
ProductSnapshotCurrentSpringCloudServicesforPCFDetails
Version:1.1.34ReleaseDate:27June2018Softwarecomponentversion:SpringCloudOSSBrixton.SR1CompatibleOpsManagerVersion(s):1.8.x,1.7.x,1.6.xCompatibleElasticRuntimeVersion(s):1.8.x,1.7.x,1.6.xvSpheresupport?YesAWSsupport?Yes
©CopyrightPivotalSoftwareInc,2013-2018 2 1.1
PrerequisitestoInstallingSpringCloud®ServicesforPivotalCloudFoundryPagelastupdated:
PleaseensurethatyourPivotalCloudFoundry (PCF)installationmeetsthebelowrequirementsbeforeinstallingSpringCloudServices.
PlatformandProductRequirements
SpringCloudServicesiscompatiblewiththeJavabuildpackattheversionshippedwithPivotalCloudFoundry®ElasticRuntimeorlater.Atminimum,SpringCloudServicesrequiresversion2.5orlateroftheJavabuildpack;itisrecommendedthatyouusethelatestbuildpackversionpossible.YoucanusetheCloudFoundryCommandLineInterfacetool(cfCLI)toseetheversionoftheJavabuildpackthatiscurrentlyinstalled.
$cfbuildpacksGettingbuildpacks...
buildpackpositionenabledlockedfilenamejava_buildpack_offline1truefalsejava-buildpack-offline-v3.5.1.zipruby_buildpack2truefalseruby_buildpack-cached-v1.6.8.zipnodejs_buildpack3truefalsenodejs_buildpack-cached-v1.5.2.zipgo_buildpack4truefalsego_buildpack-cached-v1.6.3.zip
IfthedefaultJavabuildpackisolderthanversion2.5,youcandownloadanewerversionfromPivotalNetwork andupdatePivotalCloudFoundrybyfollowingtheinstructionsintheAddingBuildpackstoCloudFoundry topic.ToensurethatthenewerbuildpackisthedefaultJavabuildpack,youmaydeleteordisabletheolderbuildpackormakesurethatthenewerbuildpackisinalowerposition.
IfthedefaultJavabuildpackonthePivotalCloudFoundryplatformisnotatversion2.5orlater,youmustspecifyanalternatebuildpackthatisatversion2.5orlaterwheninstallingtheSpringCloudServicesproduct;seestep4oftheInstallation topic.
SpringCloudServicesalsorequiresthefollowingPivotalCloudFoundryproducts:
MySQL
RabbitMQ
Iftheyarenotalreadyinstalled,youcanfollowthestepslistedintheInstallation topictoinstallthemalongwithSpringCloudServices.
SecurityRequirementsYouwillneedtoupdateyourElasticRuntimeSSLcertificateasdescribedinthePivotalCloudFoundrydocumentation .Generateonesinglecertificatethatincludesallofthedomainslistedbelow,replacing SYSTEM_DOMAIN.TLD withyoursystemdomainand APPLICATION_DOMAIN.TLD withyourapplicationdomain:
*.SYSTEM_DOMAIN.TLD
*.APPLICATION_DOMAIN.TLD
*.login.SYSTEM_DOMAIN.TLD
*.uaa.SYSTEM_DOMAIN.TLD
IfanyofthesedomainsarenotattributedtoyourElasticRuntimeSSLcertificate,theinstallationofSpringCloudServiceswillfail,andtheinstallationlogswillcontainanerrormessagethatliststhemissingdomainentries:
Missingcerts:*.uaa.example.com-exitinginstall.PleaserefertotheSecurityRequirementssectionoftheSpringCloudServicesprerequisitesdocumentation.
Self-SignedCertificatesandInternalCAsIfyourPivotalCloudFoundryinstallationisusingitsownself-signedSSLcertificate,youmustenablethe“IgnoreSSLcertificateverification”or“DisableSSLcertificateverificationforthisenvironment”optionintheNetworkingsectionofthePivotalElasticRuntimetileSettingstab.See“ConfiguringElasticRuntimeforvSphereandvCloud”inthePivotalCloudFoundrydocumentation(PCF1.6 ,PCF1.7 ).
IfyouareusinganSSLcertificatesignedbyaninternalrootCertificateAuthority(CA),youmustuseacustomJavabuildpackwhosekeystorecontainstheinternalrootCA.Followthebelowstepstocreateandaddthecustombuildpack.
1. CreateaforkoftheCloudFoundryJavabuildpack .
2. Addyour cacerts fileto resources/open_jdk_jre/lib/security/cacerts .
3. Followingtheinstructionsinthe“AddingBuildpackstoCloudFoundry”topic(PCF1.6 ,PCF1.7 ),addyourcustombuildpacktoPivotalCloudFoundry.
4. UsingthecfCLIasdiscussedinthePlatformandProductRequirements sectionabove,verifythatthecustombuildpackisnowthedefaultJavabuildpack.
Important:SpringCloudServicesiscurrentlysupportedonPCFversions1.6and1.7,butdoesnotsupportnetworksconfiguredwithmultiplesubnets.ToinstallSpringCloudServices,youmustconfigurePCFnetworkstohaveonlyonesubnet.
Important:IfyouenabletheRabbitMQ®forPivotalCloudFoundryproduct’sSSLsupportbyprovidingitwithSSLkeysandcertificates,youmustenabletheRabbitMQproduct’sTLS1.0support;otherwise,theSpringCloudServicesservicebrokerwillfailtocreateorupdateserviceinstances.SeetheConfiguringtheRabbitMQService topicintheRabbitMQforPivotalCloudFoundrydocumentation .
©CopyrightPivotalSoftwareInc,2013-2018 3 1.1
©CopyrightPivotalSoftwareInc,2013-2018 4 1.1
InstallingSpringCloud®ServicesforPivotalCloudFoundryPagelastupdated:
MakesurethatyouhaveorhavecompletedallproductsandrequirementslistedinthePrerequisites topic.ThenfollowthebelowstepstoinstallSpringCloudServices.
InstallationSteps1. DownloadSpringCloudServicesfromPivotalNetwork .
2. IntheInstallationDashboardofPivotalCloudFoundry (PCF)OperationsManager,clickImportaProductontheleftsidebartouploadtheSpringCloudServices .pivotal file.
3. HoveroverSpringCloudServicesintheAvailableProductslistandclicktheAdd»button.
4. WhentheSpringCloudServicestileappearsintheInstallationDashboard,clickit.IntheSettingstab,clickSpringCloudServicestoconfiguresettingsforSpringCloudServices.
©CopyrightPivotalSoftwareInc,2013-2018 5 1.1
TheServiceInstanceLimitsettingsetsthemaximumnumberofserviceinstancesthattheSpringCloudServicesservicebrokerwillallowtobeprovisioned(thedefaultvalueis100).Thissetting’svalueisalsousedtodeterminethememoryquotafortheorginwhichserviceinstancesaredeployed;thatorg’squotawillbeequalto1.5Gtimestheconfiguredserviceinstancelimit.TheBuildpacksettingisthenameoftheJavabuildpackthattheSpringCloudServicesservicebrokerwillusetoprovisionserviceinstances(ifthissettingisleftempty,thebrokerwillusethedefaultJavabuildpacktoprovisionserviceinstances).
5. IftheStemcelltabishighlightedinorange,clickit.DownloadthecorrectstemcellfromPivotalNetwork andclickImportStemcelltoimportit.
6. ReturntotheInstallationDashboardandstarttheinstallationprocessbyclickingApplychangesontherightsidebar.
7. Theinstallationprocessmaytake20to30minutes.
©CopyrightPivotalSoftwareInc,2013-2018 6 1.1
8. Whentheinstallationprocessiscomplete,youwillseethedialogshownbelow.ClickReturntoInstallationDashboard.
9. Congratulations!YouhavesuccessfullyinstalledSpringCloudServices.
©CopyrightPivotalSoftwareInc,2013-2018 7 1.1
UpgradingSpringCloud®ServicesforPivotalCloudFoundryPagelastupdated:
ProductUpgradeabilityPleaseseetherelevantsectionbelowforimportantinformationregardingupgradesoftheSpringCloudServicesproductonyourversionofPivotalCloudFoundry.
UpgradesonPivotalCloudFoundry1.6WhenupgradingtoapatchversionoftheSpringCloudServices(SCS)productonPivotalCloudFoundry1.6,youmustconsecutivelyapplyallpatchversionsbetweenyourcurrently-installedSCSversionandtheversiontowhichyouwishtoupgrade,andyoumaynotskipapatchversion.Forexample,youmaynotupgradeSCS1.0.6directlytoSCS1.0.8;instead,toupgradeSCS1.0.6toSCS1.0.8,youmustupgradeSCS1.0.6toSCS1.0.7,thenupgradeSCS1.0.7toSCS1.0.8.
UpgradesonPivotalCloudFoundry1.7OnPivotalCloudFoundry1.7,youmaynotupgradeanyversionoftheSpringCloudServicesproductbetween1.0.0and1.0.8toanyversionolderthan1.0.9(e.g.,youmaynotupgradeSCS1.0.1toSCS1.0.2);however,youmayupgradeanyoftheseversionsdirectlyto1.0.9orlater.YoumayupgradeanypatchversionofSCSafter1.0.9directlytoanylaterpatchversionandneednotapplyanyinterveningpatchversions.
ProductUpgradeStepsFollowthebelowstepstoupgradetheSpringCloudServicesproduct.
1. DownloadthelatestversionofSpringCloudServicesfromPivotalNetwork .
2. IntheInstallationDashboardofPivotalCloudFoundry (PCF)OperationsManager,clickImportaProductontheleftsidebartouploadthe p-spring-cloud-services-<version>.pivotal file.
3. Afteruploadingthefile,hoveroverSpringCloudServicesintheAvailableProductslistandclicktheUpgrade»button.
©CopyrightPivotalSoftwareInc,2013-2018 8 1.1
4. ClicktheSpringCloudServicestile.IntheErrandstab,ensurethatalloftheSpringCloudServiceserrandsareenabled.
5. IftheStemcelltabishighlightedinorange,clickit.ThenclickImportStemcelltoimportthecorrectstemcell.
6. IntheInstallationDashboard,clickApplychangesontherightsidebar.
©CopyrightPivotalSoftwareInc,2013-2018 9 1.1
7. Theupgradeprocessmaytake20to30minutes.
8. Whentheupgradeprocessiscomplete,youwillseethedialogshownbelow.ClickReturntoInstallationDashboard.
9. Congratulations!YouhavesuccessfullyupgradedSpringCloudServices.
©CopyrightPivotalSoftwareInc,2013-2018 10 1.1
ServiceInstanceUpgradeStepsAfterupgradingtheSpringCloudServicesproduct,youcanfollowthebelowstepstoupgradeanindividualserviceinstanceortoupgradeallserviceinstances.YoucanalsousetheCloudFoundryCommandLineInterfacetool(cfCLI)toupgradeanindividualserviceinstance;seetheServiceInstanceUpgrades topicformoreinformation.
1. Toseethecurrentversionofaserviceinstance,visittheServiceInstancesdashboard.(SeetheServiceInstancesDashboard sectionoftheOperatorInformation topic.)
2. ClickUpgradeinthelistingfortheserviceinstance.Toupgradeallserviceinstanceswhicharenotattheversionsincludedinthecurrently-installedSpringCloudServicesproduct,youmayalsoclickUpgradeServiceInstances.
Important:IfyouhaveclientapplicationswhichworkwithSpringCloudServices1.0.xserviceinstancesandareupgradingtheseserviceinstancesto1.1.x,youmustupdateyourclientapplicationstousethecurrentversionoftheSpringCloudServicesclientdependencies.SeetheClientApplicationChangesin1.1.0 sectionoftheServiceInstanceUpgrades topic.
Important:AfterupgradingaCircuitBreakerDashboardserviceinstancefrom1.0.xto1.1.x,youmustunbind,rebind,andrestartanyclientapplicationswhichwereboundtotheinstance.Thisisduetoachangeinhowserviceinstancecredentialsaremanaged.
©CopyrightPivotalSoftwareInc,2013-2018 11 1.1
3. Waitwhileanybackingapplicationsbelongingtotheserviceinstanceorinstancesareupgraded.Thedashboardwillshowthe UPDATING statusforaninstancewhileitisbeingupgraded.
4. Whentheserviceinstanceshavebeenupgraded,thedashboardwillshowthenewversions.
©CopyrightPivotalSoftwareInc,2013-2018 12 1.1
TroubleshootingSpringCloud®ServicesforPivotalCloudFoundrySeebelowforinformationaboutproblemsrelatedtoyourPivotalCloudFoundry (PCF)platformconfigurationorSpringCloudServicesorotherproductinstallation.
“NosubjectalternativeDNSnamematchingp-spring-cloud-services.uaa.example.comfound”Ifyouencounteranexceptionmessagesimilartothefollowing:
org.springframework.web.client.ResourceAccessException:I/OerroronPOSTrequestfor"https://p-spring-cloud-services.uaa.example.com/oauth/token":java.security.cert.CertificateException:NosubjectalternativeDNSnamematchingp-spring-cloud-services.uaa.example.comfound.;nestedexceptionisjavax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:NosubjectalternativeDNSnamematchingp-spring-cloud-services.uaa.example.comfound.
EnsurethatyourPCFinstallationmeetstherequirementsdescribedintheSecurityRequirements sectionofthePrerequisites topic.BesurethatyourElasticRuntimeSSLcertificateincludesallwildcardslistedinthatsectionandhasaseparatewildcardforeachsubdomain.
“javax.net.ssl.SSLException:Receivedfatalalert:protocol_version”TheCloudFoundryCommandLineInterfacetool(cfCLI) create-service commandmayreturnanerrorsimilartothefollowing:
Servererror,statuscode:502,errorcode:10001,message:Servicebrokererror:javax.net.ssl.SSLException:Receivedfatalalert:protocol_version
SpringCloudServicesrequirestheRabbitMQforPCF product.IfyouhaveprovidedSSLcertificatesandkeystoRabbitMQforPCF,youmustalsoenableitsTLS1.0supportinordertouseitwithSpringCloudServices.SeethenoteattheendofthePlatformandProductRequirements sectionofthePrerequisites topic.
“com.rabbitmq.client.AuthenticationFailureException:ACCESS_REFUSED-LoginwasrefusedusingauthenticationmechanismPLAIN”IfyouencounterthefollowingexceptionmessageinSpringCloudServicesbrokerlogs:
org.springframework.amqp.AmqpAuthenticationException:com.rabbitmq.client.AuthenticationFailureException:ACCESS_REFUSED-LoginwasrefusedusingauthenticationmechanismPLAIN.Fordetailsseethebrokerlogfile.
ThecredentialsusedbytheSpringCloudServicesbrokertoaccessitsRabbitMQforPCFserviceinstancemaybeinvalid.ThiscanhappenafterrestoringabackupofPivotalCloudFoundry®ElasticRuntime,asarestoredRabbitMQforPCFserviceinstancemaynotaccepttherestoredcredentialsusedbytheSpringCloudServicesbroker.YoucanupdatetheSpringCloudServicesbroker’scredentialsbyunbindingtheRabbitMQserviceinstancefromthebrokerapplications(the spring-cloud-broker and spring-cloud-broker-worker applications)andthenrebinding.
TounbindtheRabbitMQserviceinstancefromtheSpringCloudServicesbrokerapplicationsandrebindit,runthefollowingcfCLIcommands:
$cftarget-osystem-sp-spring-cloud-services$cfunbind-servicespring-cloud-brokerspring-cloud-broker-rmq$cfunbind-servicespring-cloud-broker-workerspring-cloud-broker-rmq$cfbind-servicespring-cloud-brokerspring-cloud-broker-rmq$cfrestagespring-cloud-broker$cfbind-servicespring-cloud-broker-workerspring-cloud-broker-rmq$cfrestagespring-cloud-broker-worker
IfthePCFenvironmentisnewlyrestoredandtheRabbitMQserviceinstance’squeuesareempty,youmayalsounbindtheRabbitMQserviceinstancefromthebrokerapplications,deleteit,createanewinstance,andthenbindthatinstancetotheSpringCloudServicesbrokerapplications.
TodeleteandreplacetheRabbitMQserviceinstanceusedbytheSpringCloudServicesbrokerapplications,runthefollowingcfCLIcommands:
$cftarget-osystem-sp-spring-cloud-services$cfunbind-servicespring-cloud-brokerspring-cloud-broker-rmq$cfunbind-servicespring-cloud-broker-workerspring-cloud-broker-rmq$cfdelete-service-fspring-cloud-broker-rmq$cfcreate-servicep-rabbitmqstandardspring-cloud-broker-rmq$cfbind-servicespring-cloud-brokerspring-cloud-broker-rmq$cfrestagespring-cloud-broker$cfbind-servicespring-cloud-broker-workerspring-cloud-broker-rmq$cfrestagespring-cloud-broker-worker
WARNING:DeletingandreplacingtheRabbitMQserviceinstancewilldestroytheoriginalinstance’svirtualhostandanydataintheinstance’squeues.IftheRabbitMQserviceinstancecontainsmessagesandisonaproductionsystem,unbindandrebinditinstead.
©CopyrightPivotalSoftwareInc,2013-2018 13 1.1
OperatorInformationPagelastupdated:
SeebelowforinformationaboutSpringCloud®Services’deploymentmodelandotherinformationwhichmaybeusefulinoperatingitsservicesorclientapplications.
ServiceOrchestrationSpringCloudServicesprovidesaseriesofManagedServices onPivotalCloudFoundry (PCF).ItusesCloudFoundry’sServiceBrokerAPI tomanagethethreeservices—ConfigServer,ServiceRegistry,andCircuitBreakerDashboard—thatitmakesavailable.SeebelowforinformationaboutSpringCloudServices’sbrokerimplementation.
TheServiceBrokerTheservicebroker’sfunctionalityisdividedbetweenthefollowingtwoSpringBootapplications,whicharedeployedinthe“system”orgtothe“p-spring-cloud-services”space.
spring-cloud-broker(“theSB”):ImplementstheServiceBrokerAPI.
spring-cloud-broker-worker(“theWorker”):Actsonprovision,deprovision,bind,andunbindrequests.
ThebrokerreliesontwootherPivotalCloudFoundryproducts,MySQLforPivotalCloudFoundry andRabbitMQ®forPivotalCloudFoundry ,forthefollowingserviceinstances.
spring-cloud-broker-db:AMySQLdatabaseusedbytheSB.
spring-cloud-broker-rmq:ARabbitMQqueueusedforcommunicationbetweentheSBandtheWorker.
YoucanobtainthebrokerusernameandpasswordfromtheSpringCloudServicestileinPivotalCloudFoundry®OperationsManager.ClicktheSpringCloudServicestile,andintheCredentialstab,copytheBrokerCredentials.
©CopyrightPivotalSoftwareInc,2013-2018 14 1.1
BrokerUpgrades
TheSpringCloudServicesproductupgradeprocesschecksbeforeredeployingtheservicebrokertoseewhetherthebrokerapplications’versionhaschanged.Iftheversionhasnotchanged,theupgradeprocesswillcontinuewithoutredeployingeithertheSBortheWorker.
TheSBapplicationandtheWorkerapplicationaredeployedusingablue-greendeploymentstrategy .Duringanupgradeoftheservicebroker,thebrokerwillcontinueprocessingrequeststoprovision,deprovision,bind,andunbindserviceinstances,withoutdowntime.
AccessBrokerApplicationsinAppsManager
ToviewthebrokerapplicationsinPivotalCloudFoundry®AppsManager,logintoAppsManagerasanadminuserandselectthe“system”org.
Theapplicationsaredeployedinthe“p-spring-cloud-services”space.
ServiceInstanceManagementAserviceinstanceisbackedbyoneormoreSpringBootapplicationsdeployedbytheWorkerinthe“p-spring-cloud-services”orgtothe“instances”space.
AserviceinstanceisassignedaGUIDatprovisiontime.BackingapplicationsforservicesincludetheGUIDintheirnames:
ConfigServer
©CopyrightPivotalSoftwareInc,2013-2018 15 1.1
config-[GUID]:ASpringCloudConfig serverapplication.
ServiceRegistry
eureka-[GUID]:ASpringCloudNetflix Eurekaserverapplication.
CircuitBreakerDashboard
hystrix-[GUID]:ASpringCloudNetflix Hystrixserverapplication.
turbine-[GUID]:ASpringCloudNetflix Turbineapplication.
rabbitmq-[GUID]:ARabbitMQforPCF serviceinstance.
AccessServiceInstanceBackingApplicationsinAppsManagerToviewabackingapplicationforaserviceinstanceinPivotalCloudFoundry®AppsManager,gettheserviceinstance’sGUIDandlookforthecorrespondingapplicationinthe“instances”space.
Targettheorgandspaceoftheserviceinstance.
$cftarget-omyorg-sdevelopment
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:adminOrg:myorgSpace:development
$cfservicesGettingservicesinorgmyorg/spacedevelopmentasadmin...OK
nameserviceplanboundappslastoperationconfig-serverp-config-serverstandardcookupdatesucceeded
Run cfservice withthe CF_TRACE environmentvariablesetto true .Copythevalueof resources.metadata.guid ,whichistheserviceinstanceGUID.
$CF_TRACE=truecfserviceconfig-server
REQUEST:[2016-06-27T20:45:24-05:00][...]
RESPONSE:[2016-06-27T20:45:25-05:00][...]
{"total_results":1,"total_pages":1,"prev_url":null,"next_url":null,"resources":[{"metadata":{"guid":"51711835-4626-4823-b5a1-e5d91012f3f2",
LogintoAppsManagerasanadminuserandselectthe“p-spring-cloud-services”org.
Theapplicationsaredeployedinthe“instances”space.Lookforthebackingapplicationnamedasdescribedabove,withtheprefixspecifictotheservicetypeandtheserviceinstanceGUID.
©CopyrightPivotalSoftwareInc,2013-2018 16 1.1
SetBuildpackforServiceInstancesBydefault,theSBstagesserviceinstancebackingapplicationsusingthebuildpackchosenbytheplatform’sbuildpackdetection;normally,thiswillbethehighest-priorityJavabuildpack.TocausetheSBtouseaparticularJavabuildpackregardlessofpriority,youcansetthenameofthebuildpacktouseintheSpringCloudServicestilesettings.
IntheInstallationDashboardofOpsManager,clicktheSpringCloudServicestile.NavigatetotheSettingstab.
ClicktheSpringCloudServicestabandenterthenameofthedesiredJavabuildpackintheBuildpackfield.ClickSave,returntotheInstallationDashboard,andapplyyourchanges.TheSBwillnowusetheselectedbuildpacktostageserviceinstancebackingapplications.
UAAIdentityZonesandClientsSpringCloudServicesusesthemulti-tenancycapabilitiesoftheCloudFoundryUserAccountandAuthenticationserver(UAA).ItcreatesanewIdentityZone(“theSpringCloudServicesIdentityZone”)forallauthorizationfromConfigServerandServiceRegistryserviceinstancestoclientapplicationswhichhavebindingstotheseserviceinstances.
WithintheplatformIdentityZone(“theUAAIdentityZone”),SpringCloudServicescreatesa p-spring-cloud-services UAAclientfortheSBandap-spring-cloud-services-worker UAAclientfortheWorker.IntheSpringCloudServicesIdentityZone,itcreatesa p-spring-cloud-services-worker UAAclientforthe
Worker.
IntheUAAIdentityZone,italsocreatesthefollowingclients,where [GUID] istheserviceinstance’sGUID:
A eureka-[GUID] UAAclientperServiceRegistryserviceinstance.
A hystrix-[GUID] UAAclientperCircuitBreakerDashboardserviceinstance.
©CopyrightPivotalSoftwareInc,2013-2018 17 1.1
IntheSpringCloudServicesIdentityZone,italsocreatesthefollowingclients,where [GUID] istheserviceinstance’sGUID:
A config-server-[GUID] UAAclientperConfigServerserviceinstance.
A eureka-[GUID] UAAclientperServiceRegistryserviceinstance.
GetAccessTokenforDirectRequeststoaServiceInstanceTomakerequestsdirectlyagainstaConfigServerserviceinstance’sSpringCloudConfigServerbackingapplicationoraServiceRegistryserviceinstance’sSpringCloudNetflixEurekabackingapplication,youcangetanaccesstokenusingthebindingcredentialsofanapplicationthatisboundtotheserviceinstance.
Run cfenv ,givingthenameofanapplicationthatisboundtotheserviceinstance:
$cfservicesGettingservicesinorgmyorg/spacedevelopmentasadmin...OK
nameserviceplanboundappslastoperationconfig-serverp-config-serverstandardcookcreatesucceeded
$cfenvcookGettingenvvariablesforappcookinorgmyorg/spacedevelopmentasadmin...OK
System-Provided:{"VCAP_SERVICES":{"p-config-server":[{"credentials":{"access_token_uri":"https://p-spring-cloud-services.uaa.cf.wise.com/oauth/token","client_id":"p-config-server-876cd13b-1564-4a9a-9d44-c7c8a6257b73","client_secret":"rU7dMUw6bQjR","uri":"https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com"},[...]
ThenrunthefollowingBashscript,whichfetchesatokenandusesthetokentoaccessanendpointonaserviceinstancebackingapplication:
TOKEN=$(curl-kACCESS_TOKEN_URI-uCLIENT_ID:CLIENT_SECRET-dgrant_type=client_credentials|jq-r.access_token);curl-k-H"Authorization:bearer$TOKEN"-H"Accept:application/json"URI/ENDPOINT|jq
Inthisscript,replacethefollowingplaceholdersusingvaluesfromthe cfenv commandabove:
ACCESS_TOKEN_URI withthevalueof credentials.access_token_uri
CLIENT_ID withthevalueof credentials.client_id
CLIENT_SECRET withthevalueof credentials.client_secret
URI withthevalueof credentials.uri
Replace ENDPOINT withtherelevantendpoint:
application/profile toretrieveconfigurationfromaConfigServerserviceinstance
eureka/apps toretrievetheregistryfromaServiceRegistryserviceinstance
TheServiceInstancesDashboardToviewthestatusofindividualserviceinstances,visittheServiceInstancesdashboard.YoucanaccessitatthefollowingURL,whereSCS_BROKER_URListheURLoftheSB(spring-cloud-broker):
SCS_BROKER_URL/admin/serviceInstances
LocatetheSBasdescribedintheAccessBrokerApplicationsinAppsManagersection.TheServiceInstancesdashboardisalsolinkedtoonthemainpageoftheSB.
Thedashboardshowstheversionandstatusofeachserviceinstance,aswellasotherinformationincludingthenumberofapplicationsthatareboundtotheinstance.ItalsoprovidesanUpgradebuttonforeachserviceinstanceandanUpgradeServiceInstancesbutton;thesebuttonsmaybeenabledifanyserviceinstancesshowninthedashboardarenotattheversionincludedwiththecurrently-installedSpringCloudServicesproduct.Formoreinformationaboutupgradingserviceinstances,seetheServiceInstanceUpgradeSteps sectionoftheUpgrades topic.
Note:Thefollowingprocedureusesthejq command-lineJSONprocessingtool.
©CopyrightPivotalSoftwareInc,2013-2018 18 1.1
YoucanclicktheInstanceNameofalistedserviceinstancetoviewtheinstance’sdashboard.Clickthe+iconbesidethecountofaninstance’sBoundAppsorServiceKeystoviewthenamesoftheapplicationsorservicekeysthatareboundtothatinstance.
ApplicationHealthandStatusFormorevisibilityintohowSpringCloudServicesserviceinstancesandthebrokerapplicationsarebehaving,orfortroubleshootingpurposes,youmaywishtoaccessthoseapplicationsdirectly.Seebelowforinformationaboutaccessingtheiroutput.
ReadBrokerApplicationLogsToaccesslogsfortheSBandWorkerapplications,targetthe“system”organdits“p-spring-cloud-services”space:
$cftarget-osystem-sp-spring-cloud-services
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:adminOrg:systemSpace:p-spring-cloud-servicesBen-Kleins-MacBook-Pro:Workbklein$cfappsGettingappsinorgsystem/spacep-spring-cloud-servicesasadmin...OK
namerequestedstateinstancesmemorydiskurlsspring-cloud-brokerstarted1/11G1Gspring-cloud-broker.apps.wise.comspring-cloud-broker-workerstarted1/11G1Gspring-cloud-broker-worker.apps.wise.com
Thenyoucanuse cflogs totaillogsforeithertheSB:
$cflogsspring-cloud-brokerConnected,tailinglogsforappspring-cloud-brokerinorgsystem/spacep-spring-cloud-servicesasadmin...
ortheWorker:
$cflogsspring-cloud-broker-workerConnected,tailinglogsforappspring-cloud-broker-workerinorgsystem/spacep-spring-cloud-servicesasadmin...
ReadBackingApplicationLogsToaccesslogsforserviceinstancebackingapplications,targetthe“p-spring-cloud-services”organdits“instances”space:
$cftarget-op-spring-cloud-services-sinstances
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:adminOrg:p-spring-cloud-servicesSpace:instances$cfappsGettingappsinorgp-spring-cloud-services/spaceinstancesasadmin...OK
namerequestedstateinstancesmemorydiskurlsconfig-86b38ce0-eed8-4c01-adb4-1a651a6178e2started1/11G1Gconfig-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.comeureka-493b6b17-512a-4961-8f85-6178251fe2fastarted1/11G1Geureka-493b6b17-512a-4961-8f85-6178251fe2fa.apps.wise.comhystrix-ff835bde-5b3a-4623-a57f-8d88028b6376started1/11G1Ghystrix-ff835bde-5b3a-4623-a57f-8d88028b6376.apps.wise.comturbine-ff835bde-5b3a-4623-a57f-8d88028b6376started1/11G1Gturbine-ff835bde-5b3a-4623-a57f-8d88028b6376.apps.wise.com
Thenyoucanuse cflogs totaillogsforabackingapplication.
Note:TheServiceInstancesdashboardisupdatedfrequently(closetoreal-time).IfusingtheCloudFoundryCommandLineInterfacetool(cfCLI),youmaynoticeadiscrepancybetweenthestatusgivenforaserviceinstancebythecfCLI(e.g.,bythe cfservice command)versusthatgivenbytheServiceInstancesdashboard.ThestatusretrievedbythecfCLIisnotupdatedasfrequentlyandmaytaketimetomatchthatshownontheServiceInstancesdashboard.
©CopyrightPivotalSoftwareInc,2013-2018 19 1.1
$cflogsconfig-86b38ce0-eed8-4c01-adb4-1a651a6178e2Connected,tailinglogsforappconfig-86b38ce0-eed8-4c01-adb4-1a651a6178e2inorgp-spring-cloud-services/spaceinstancesasadmin...
AccessActuatorEndpointsTheSBandWorkerapplications,aswellasbackingapplicationsforserviceinstances,useSpringBootActuator .Actuatoraddsanumberofendpointstotheseapplications;someoftheaddedendpointsaresummarizedbelow.
ID Function
env Displaysprofiles,properties,andpropertysourcesfromtheapplicationenvironment
health Displaysinformationaboutthehealthandstatusoftheapplication
metrics Displaysmetricsinformationfromtheapplication
mappings
Displayslistof @RequestMapping pathsintheapplication
shutdown
Allowsforgracefulshutdownoftheapplication.Disabledbydefault;notenabledinSpringCloudServicesbrokerorinstance-backingapplications
SeetheEndpoints sectionoftheActuatordocumentationforthefulllistofendpoints.
EndpointsonSB,Worker,ServiceRegistry,orCircuitBreakerDashboard
TheSBapplication,theWorkerapplication,theServiceRegistry’sEurekabackingapplication,andtheCircuitBreakerDashboard’sHystrixbackingapplicationuseDashboardSSO .ToaccessActuatorendpointsononeoftheseapplications,youmustbeauthenticatedasaSpaceDeveloperintheapplication’sspaceandhaveacurrentsessionwiththeapplication.
1. LogintoAppsManagerasanadminuserandnavigatetotherelevantapplication:fortheSBorWorker,accesstheSBapplicationorWorkerapplicationasdescribedintheTheServiceBrokersection;foraServiceRegistryorCircuitBreakerDashboardserviceinstance,accessthebackingapplicationasdescribedintheServiceInstancessection.
2. Visittheapplication’sURL,appendingtheendpointIDtothatURL;e.g.,forthe health endpointonaCircuitBreakerDashboardserviceinstance’sHystrixbackingapplication,thiswouldbesomethinglike https://hystrix-ff835bde-5b3a-4623-a57f-8d88028b6376.apps.wise.com/health .
EndpointsonConfigServer
TheConfigServer’sSpringCloudConfigServerbackingapplicationusesHTTPBasicauthentication.ToaccessActuatorendpointsonthisapplication,youmustauthenticatewiththecredentialsstoredintheapplication’senvironmentvariables.
1. LogintoAppsManagerasanadminuserandnavigatetotherelevantapplication,asdescribedintheServiceInstancessection.
©CopyrightPivotalSoftwareInc,2013-2018 20 1.1
2. FromtheEnvVariablestab,copythevaluesofthe SECURITY_USER_NAME and SECURITY_USER_PASSWORD environmentvariables.
3. Visittheapplication’sURL,appendingtheendpointIDtothatURL;e.g.,forthe health endpoint,thiswouldbesomethinglike config-86b38ce0-eed8-
4c01-adb4-1a651a6178e2.apps.wise.com/health .Whenchallenged,providethevaluesof SECURITY_USER_NAME and SECURITY_USER_PASSWORD fromStep2.
InvokeConfigServerEndpointsToviewtheconfigurationpropertiesthataConfigServerserviceinstanceisreturningforanapplication,youcanaccesstheconfigurationendpointsontheserviceinstance’sSpringCloudConfigServerbackingapplicationdirectly.
1. Obtainanaccesstokenforinteractingwiththeserviceinstance,asdescribedintheGetAccessTokenforDirectRequeststoaServiceInstancesection.InStep1ofthatsection,copytheURLin credentials.uri fromtheserviceinstance’sentryinthe VCAP_SERVICES environmentvariable.
2. MakearequestoftheConfigServerserviceinstancebackingapplicationintheformat http://SERVER/APPLICATION_NAME/PROFILE ,where SERVER
istheURLfrom credentials.uri asmentionedinStep1, APPLICATION_NAME istheapplicationnameassetinthe spring.application.name property,andPROFILE isthenameofaprofilethathasaconfigurationfileintherepository.
AnexamplerequestURLmightlooklikethis:
https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com/cook/production
Or,forthe default profile:
https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com/cook/default
Youcanmaketherequestusingcurl,providingthetoken— TOKEN inthebelowexample—inaheaderwiththe -H or --header option:
$curl-H'Authorization:bearerTOKEN_STRING'https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com/cook/default{"name":"cook","profiles":["default"],"label":null,"version":"7b5da0d68d9237f2852f7ac6c5e7474fd433c3f3","propertySources":[{"name":"https://github.com/spring-cloud-services-samples/cook-config/cook.properties","source":{"cook.special":"PickledCactus"}}]}
©CopyrightPivotalSoftwareInc,2013-2018 21 1.1
ForalistofpathformatsthattheConfigServeraccepts,seetheRequestPaths sectionoftheTheConfigServer topicintheConfigServerdocumentation .
CapacityRequirementsBelowareusagerequirementsoftheapplicationsbackingasingleserviceinstance(SI)ofeachSpringCloudServicesservicetype.
ServiceType MemoryLimit/SI DiskLimit/SI
ConfigServer 1GB 1GB
ServiceRegistry 1GB 1GB
CircuitBreakerDashboard 2GB 2GB
SpringCloudServicesservicetypesmayalsobebackedbynon-SCSserviceinstances.Forexample,aCircuitBreakerDashboardserviceinstanceusesaRabbitMQforPivotalCloudFoundry serviceinstanceforcommunicationbetweenitstwobackingapplications.
©CopyrightPivotalSoftwareInc,2013-2018 22 1.1
SecurityOverviewforSpringCloudServicesPagelastupdated:
GlossaryThefollowingabbreviations,examplevalues,andtermsareusedinthistopicasdefinedbelow.
CC:TheCloudFoundryCloudController .
CCDB:TheCloudControllerdatabase.
DashboardSSO:CloudFoundry’sDashboardSingleSign-On .
domain.com:ThevalueconfiguredbyanadministratorfortheCloudFoundrysystemdomain.
Operator:AuserofPivotalCloudFoundry®OperationsManager.
SB:TheSpringCloudServicesServiceBroker.
SCS:SpringCloudServices.
UAA:TheCloudFoundryUserAccountandAuthenticationServer .
ANoteonHTTPSAllcomponentsinSCSforceHTTPSforallinboundrequests.BecauseSSLterminatesattheloadbalancer,requestsaredeemedtooriginateoverHTTPSbyinspectingthe X-Forwarded-For , X-Forwarded-Proto ,and X-Forwarded-Port headers.MoreonhowthisisimplementedcanbefoundintheSpringBootdocumentation .
AlloutboundHTTPrequestsmadebySCScomponentsarealsomadeoverHTTPS.Theserequestsnearlyalwayscontaincredentials,andaremadetoothercomponentswithintheCloudFoundryenvironment.Inanenvironmentthatusesself-signedcertificatesintheHAproxyconfiguration,outboundHTTPSrequeststoothercomponentswouldfailbecausetheself-signedcertificatewouldnotbetrustedbytheJVM’sdefaulttruststore(e.g. cacerts ).Togetaroundthis,allcomponentsusethecloudfoundry-certificate-truster toaddtheCFenvironment’sSSLcertificatetotheJVM’struststoreonapplicationstartup.
TheSSLcertificateusedbytheCFenvironmentmustalsoincludeSubjectAlternativeNames(SANs)fordomainwildcards *.login.domain.com and*.uaa.domain.com .ThisisneededforthecorrectoperationofMulti-tenantUAA ,whichreliesonsubdomainsofUAA.
ANoteonMulti-TenantUAASCSusesthemulti-tenancyfeaturesofUAAtoimplement“theprincipleofleastprivilege” .ThisisrequiredbecauseSCScreatesanddeletesOAuthclientswhenapplicationsbindandunbindtoserviceinstances.Theseclientsmustalsohavenon-emptyauthorities.Inordertocreatecreateclientswitharbitraryauthorities,theactormusthavethescopes uaa.admin and clients.write ;essentiallytheymustbetheadmin.
Makingadmin-levelcredentials(e.g.theUAAadminclient)accessibletoanapplicationisdangerousandshouldbeavoided.Forexample,ifoneweretobreakintothatapplicationandgetthosecredentials,thecredentialscouldbeusedtoaffecttheentireCFenvironment.ThisiswhySCSoperatesintwoUAAdomains(alsocalledIdentityZones).
TheplatformIdentityZone(e.g. uaa.domain.com )containstheusersofSCS(e.g.SpaceDevelopers)andtheDashboardSSO clientsusedbyeachServiceInstance.Anadmin-levelclientisnotrequiredforcreatinganddeletingSSOclientsbecausetheSSOclient’sscopevaluesarefixedandonlythemostbasic uaa.resource authorityisneededbytheSSOclient.
TheotherIdentityZoneisspecifictoSCS(e.g. p-spring-cloud-services.uaa.domain.com ).ThisIdentityZonecontainsnousers,butitcontainstheclientsusedbyboundapplicationstoaccessprotectedresourcesonSCSserviceinstances.Theseclientsrequiredynamicauthorityvalues,whichcanonlybecreatedbyanadmin-levelactor.Thisadmin-levelactor(thep-spring-cloud-services-workerclient)alsoexistsintheSpringCloudServicesIdentityZone,butbecauseitexistsinthisIdentityZone,itcannotaffectanythingintheplatformIdentityZone.Ifthesecredentialswereleaked,thedamagewouldbelimitedtoSCS.
ThefollowingdiagramillustratestheOAuthclientsusedbySCSandtheIdentityZonesinwhichtheyexist.
©CopyrightPivotalSoftwareInc,2013-2018 23 1.1
SpringCloudServicesComponentsBeforecontinuing,youshouldfamiliarizeyourselfwiththefollowingdiagram,whichshowsthedirectlinesofcommunicationbetweenapplicationcomponents.
CoreComponents
TheInstallationFile
Theinstallationfileisthe .pivotal filethatcontainstheSpringCloudServicesproduct.
Theinstallationfileisgeneratedfromsourcecoderepositorieshostedon github.com .Therepositoriesarecanonlybeaccessedbyauthorizedpersonsandcannotbeaccessedoveranon-encryptedchannel.NocredentialsarestoredinanysourcerepositoryusedbySpringCloudServices.
©CopyrightPivotalSoftwareInc,2013-2018 24 1.1
Concourse isusedasthebuildpipelinetogeneratetheinstallationfile.TheinfrastructurethathostsConcoursecanonlybeaccessedfromwithinthePivotalnetwork,usingausernameandpasswordstoredinternallybyConcourse.ThebuildpipelineconfigurationcontainscredentialstotheS3bucketwhichhoststheinstallationfileandintermediateartifacts,aswellastheGitHubAPIkeyprovidingread/writeaccesstothesourcecoderepositories.TheresultinginstallationfilebuiltbytheConcoursepipelinedoesnotcontainanycredentials.
Theinstallationfileisdownloadedfromhttps://network.pivotal.io ,canonlybeaccessedbyauthorizedpersons,andcannotbeaccessedoveranon-encryptedchannel.
ToinstallSpringCloudServices,theinstallationfilemustbeuploadedtoPivotalCloudFoundry®OperationsManager.OpsManagercanonlybeaccessedoverHTTPSbypersonsknowingtheusernameandpasswordforOpsManager.
appspring-cloud-broker
Thespring-cloud-brokerapplication(theSB)isresponsibleforreceivingServiceBrokerAPIrequestsfromtheCloudController(CC),andhoststheprimarydashboardUIforallservicetypes.
EntryPoints
TheServiceBrokerAPI
ServiceBrokerAPI endpointsrequireHTTPSandBasicauthentication.ValidcredentialsforBasicauthenticationaremadeavailabletotheSBviaenvironmentvariables,andarethereforestoredintheCCdatabaseinencryptedform.TheCCalsomakesServiceBrokerAPIrequests,andthecredentialsusedtomaketheseAPIrequestsarestoredintheCCDBinencryptedformaswell.
ServiceBrokerDashboard
DashboardendpointsrequireHTTPSandanauthenticatedsession.UnauthenticatedrequestsareredirectedtoUAAtoinitiatetheOAuth2AuthorizationCodeflowasdocumentedhere ;fortheflowtocomplete,theusermustbeauthenticatedwithUAA.Oncethetokenisobtained,thesessionisauthenticated.ThetokenisthenusedtoaccesstheCCAPItocheckpermissionsontheserviceinstancebeingaccessed,asdocumentedhere .ThisflowistypicalofDashboardSingleSign-OnforServiceInstances.
TheserviceinstanceIDusedinthepermissioncheckisthefirstGUIDthatispresentintheURL,andthisvalueisalsousedbytherestoftheSBapplicationtoidentifytheserviceinstancethattheuseristryingtoaccess.
GET/dashboard/instance/{serviceInstanceId}
Thisendpointreturnsserviceinstancedetailssuchasservicename,planID,org,andspace,aswellascredentialsthatneedtobepropagatedtoapplicationsboundtothisserviceinstance.Becausetheserviceinstancepermissioncheckisperformed,thisendpointisonlyaccessibletoSpaceDeveloperswhocanbindapplicationstothisserviceinstance.Onceanapplicationisboundtothisserviceinstance,aSpaceDevelopercanseethesamecredentialsreturnedbythisendpointintheboundapplication’sbindingcredentials(e.g.viaPivotalCloudFoundryApplicationsManager.)
GET|POST/dashboard/instance/{serviceInstanceId}/env
Thisendpointgetsormodifiesenvironmentvariablesfortheserviceinstance’sbackingapplication.Environmentvariablesthatcanbeviewedormodifiedwiththisendpointmustbewhitelisted;thiswhitelistingcanonlybemodifiedbytheOperatororthedevelopersofSpringCloudServices.Eachservicetypehasitsownwhitelist,andtheonlyservicetypewithwhitelistedenvironmentvariablesisConfigServer.TheConfigServer’swhitelistedenvironmentvariablesspecifytherepositorytype,theURIoftherepository,andtheusernameandpasswordusedtoaccesstherepository.AnyPOSTtothisendpointwillresultinarestartofthebackingapplication,regardlessofwhetheranyenvironmentvariableswereactuallymodified.
GET/dashboard/instance/{serviceInstanceId}/health
Thisendpointreturnstheresponseofthe /health endpointonthebackingapplication.The /health endpointisprovidedbySpringBootActuator andisaccessedanonymously.ThisisusedbytheConfigServerconfigurationpagetoindicateifthereareanyproblemswiththeConfigServer’sconfiguration.
CachingtheServiceInstancePermissionCheck
Theserviceinstancepermissioncheckiscachedinsession(ifavailable).ThecacheisusedonlyduringGET,HEAD,andOPTIONSrequests,withtheexceptionofthe /instances/{service_instance_guid}/env endpoint.Anyrequestforthisendpointdoesnotusethecache,becausethisendpointexposesapplicationenvironmentvariables—and,inthecaseofConfigServer,theusernameandpasswordusedtoaccesstheConfigServer’sbackingrepository.
CachingthepermissioncheckinthismanneravoidstheloadandextraroundtriptotheCCfordoingthepermissioncheck,whilestillcheckingpermissionsbeforeperforminganycriticaloperation.
ActuatorEndpoints
Actuatorendpoints areenabledandrequireHTTPSandanauthenticatedsession.ThetokenisobtainedfromUAAviatheOAuth2AuthorizationCodeflowasdocumentedhere ;thetokenisthenusedtomakearequesttotheCC /v2/apps/:guid/env endpoint ,whichcanonlybeaccessedbySpaceDevelopersinthespacethathoststheSB.TheGUIDusedintherequestisextractedfromthe VCAP_APPLICATION environmentvariable,whosevalueisgivenbytheCC.TheonlyuserthatcanaccesstheseendpointsistheOperator.
ThisActuatorSSOflowisusedbyothercomponentsthatalreadyuseDashboardSSO,asnoadditionaldependenciesarerequiredtoenablethis.
ExternalDependencies
p-mysql
TheSBusesap-mysql serviceinstancetostoreinformationaboutSCSserviceinstances.Themostsensitiveinformationstoredhereiscredentialsforthep-rabbitmq instancesusedfortheCircuitBreakerserviceinstances,whichcouldbeusedtodisabletheHystrixdashboardasdescribedinappturbine-{guid}>ExternalDependencies>p-rabbitmq.Theonlywaytoaccessthedatainthisp-mysqlserviceinstanceisthroughtheSB’sbindingcredentialsordirectlyfromthefilesystem,andthesewouldonlybeaccessibletotheOperator.
p-rabbitmq
©CopyrightPivotalSoftwareInc,2013-2018 25 1.1
TheSBusesap-rabbitmq serviceinstancetocommunicatewithspring-cloud-broker-worker(Worker).Themessagespassedpropagatetheprovision,deprovision,bind,andunbindrequestsreceivedbytheSBAPI totheWorker,aswellasgettingandsettingapplicationenvironmentvariablesforserviceinstancebackingapplicationsinthe“instances”space.Thecredentialsforaccessingthep-rabbitmqserviceinstanceareprovidedthroughtheSB’s VCAP_SERVICES environmentvariableasaresultofbindingtotheserviceinstance.ThecredentialswouldonlybevisibletoaSpaceDeveloperinthe“p-spring-cloud-services”space,andonlytheOperatorwouldhavethisaccess.
TheCloudController
TheSBcommunicatestotheCCviaHTTPStoperformpermissionchecksusingthecurrentuser’stokenasdescribedintheServiceBrokerDashboardsection,andtoderiveURIsforUAA.TheURItotheCCissetatinstallationtimeintheSB’senvironmentvariables,underthename CF_TARGET .Theenvironmentvariablecouldbemodifiedsothattheuser’stokenissenttoanotherparty.TheenvironmentvariablecanonlybemodifiedbyaSpaceDeveloperinthe“p-spring-cloud-services”space,andonlytheOperatorwouldhavethisaccess.
UAA
TheSBcommunicateswithUAAviaHTTPStoenableDashboardSSO.AllrequeststoUAAareauthenticatedaspertheOAuth2specification,usingthep-spring-cloud-servicesclientcredentials.TheURItoUAAisderivedfromtheCCAPI /v2/info endpoint ,whosethreatmitigationsaredescribedintheprevioussection.
OAuthClients
p-spring-cloud-services
IdentityZone:UAAGrantType:AuthorizationCodeRedirectURI:https://spring-cloud-broker.domain.com/dashboard/loginScopes: cloud_controller.read , cloud_controller.write , cloud_controller_service_permissions.read , openidAuthorities: uaa.resourceTokenexpiry:default(12hours)
ThisclientisusedforSSOwithUAA.ThescopesallowtheSBtoaccesstheCloudControllerAPIontheuser’sbehalf,andareauto-approved.Theuaa.resource authorityallowstheSBtoaccessthetokenverificationendpointsonUAA.TheclientIDandclientsecretaremadeavailabletotheSBvia
environmentvariables,whicharesetatinstallationtimeandarestoredinencryptedformintheCCDB.
appspring-cloud-broker-worker
Thespring-cloud-broker-workerapplication(theWorker)isresponsibleformanagingserviceinstancebackingapps.Someofthisworkisdoneasynchronouslyfromtherequeststhatinitiateit.
EntryPoints
TheRabbitMQMessageListener
TheWorkerlistensformessagespostedtothep-rabbitmqserviceinstance.TheSBpoststhesemessagesasdescribedinappspring-cloud-broker>ExternalDependencies>p-rabbitmq.OnlytheOperator,theSB,andtheWorkercanaccessthisinstanceofp-rabbitmq.
ActuatorEndpoints
Actuatorendpoints areenabledandrequireHTTPSandBasicauthentication.CredentialsthatprovidethisaccessaresetatinstallationtimeintheWorker’senvironmentvariables.TheseenvironmentvariablesareonlyaccessibletotheOperator.
ExternalDependencies
p-rabbitmq
TheWorkerusesap-rabbitmqserviceinstancetoreceivemessagesfromtheSB.Themessagesreceivedoriginatefromtheprovision,deprovision,bind,andunbindrequestsreceivedbytheSBAPI ,aswellasfromthe /dashboard/instance/{serviceInstanceId}/env endpoint.Thecredentialsforaccessingthep-rabbitmqserviceinstanceareprovidedthroughtheWorker’s VCAP_SERVICES environmentvariableasaresultofbindingtotheserviceinstance.ThecredentialswouldonlybevisibletoaSpaceDeveloperinthe“p-spring-cloud-services”space,andonlytheOperatorwouldhavethisaccess.
TheCloudController
TheWorkercommunicatestotheCCviaHTTPStocarryoutmanagementtasksforserviceinstancebackingapps.Allbackingapplicationsresideinthe“p-spring-cloud-services”org,“instances”space.TheWorkerusesitsownusercredentialstoobtainatokenforaccessingtheCCAPIandactsasaSpaceDeveloperinthe“instances”space.
TheURItotheCCissetatinstallationtimeintheWorker’senvironmentvariables,underthename CF_TARGET ,whichissetatinstallationtimeandcanonlybemodifiedbytheOperator.
UAA
TheWorkerusestheclientmanagementAPIsofUAAtocreateanddeleteclientsinboththeplatformandSpringCloudServicesIdentityZones.AllrequestsareauthenticatedbyincludingtheOAuth2bearertokenintherequest,andaremadeoverHTTPS.ThecredentialsusedintheserequestsaredetailedintheOAuthClientssection.TheURItoUAAisderivedfromtheCCAPI /v2/info endpoint .
OAuthClients
p-spring-cloud-services-worker
IdentityZone:UAA
©CopyrightPivotalSoftwareInc,2013-2018 26 1.1
GrantType:ClientCredentialsRedirectURI:https://spring-cloud-broker.domain.com/dashboard/loginScopes: cloud_controller.read , cloud_controller_service_permissions.read , openidAuthorities: clients.writeTokenexpiry:default(12hours)
ThisclientisusedtocreateanddeleteSSOclientsforeachServiceRegistryandCircuitBreakerDashboardserviceinstance,whichuseDashboardSSOfortheirowndashboards.ThegranttypeisClientCredentials,whichallowstheWorkertoactonitsown.The clients.write authorityallowstheWorkertocreateanddeleteclients,butthisclientislimitedinthekindsofclientswhichitcancreate.Thescopesthatareregisteredallowthisclienttocreateotherclientswiththesamescopes,buttheseclientscannothaveanyauthorities.Inotherwords,clientscreatedviathisclientcannotactontheirown,andcanonlyactonbehalfofauserwithinthescopesthatareregisteredforthisclient.Thislimitationpreventsprivilegeescalation.
Whilearbitraryclientscannotbecreatedviathisclient,thisclientisabletodeleteanyclientintheUAAIdentityZoneduetothe clients.write authority.
TheclientIDandclientsecretaremadeavailabletotheSBviaenvironmentvariables,whicharesetatinstallationtimeandarestoredinencryptedformintheCCDB.ThecredentialsareonlyvisibletotheOperator.
p-spring-cloud-services-worker
IdentityZone:SpringCloudServicesGrantType:ClientCredentialsAuthorities: clients.read , clients.write , uaa.adminTokenexpiry:default(12hours)
ThisclientisusedtocreateanddeleteclientsintheSpringCloudServicesIdentityZoneforeachConfigServerandServiceRegistryserviceinstance.ThegranttypeisClientCredentials,whichallowstheWorkertoactonitsown.The uaa.admin authorityallowstheWorkertocreateanddeleteclientsintheSpringCloudServicesIdentityZonewithoutanylimitations,unlikethecorrespondingclientintheUAAIdentityZone.However,theseprivilegesdonotextendintotheUAAIdentityZone.
TheclientIDandclientsecretarethesameasthecorrespondingclientintheUAAIdentityZone.
Users
p-spring-cloud-services
ThisuserisaSpaceDeveloperinthe“p-spring-cloud-services”org,“instances”space.Theuserhasnootherroles.TheusernameandpasswordaremadeavailabletotheWorkerviaenvironmentvariables,whicharesetatinstallationtimeandarestoredinencryptedformintheCCDB.ThecredentialsareonlyvisibletotheOperator.
ConfigServerServiceInstances
appconfig-server-{guid}
Theconfig-serverapplicationisabackingapplicationforConfigServerserviceinstances.TheGUIDintheapplicationnameistheserviceinstanceID.Thisapplicationisresponsibleforhandlingrequestsforconfigurationvaluesfromboundapplications.
EntryPoints
ConfigServerRESTendpoints
ThefollowingentrypointsaredefinedbySpringCloudConfigServer .
GET/{application}/{profile}[/{label}]
Thisreturnsconfigurationvaluesforarequestingapplication.TherequestmustbeauthenticatedwithanOAuth2BearertokenissuedbytheSpringCloudServicesIdentityZone.Thefollowingclaimsarechecked:
aud :mustequal config-server-[guid]
iss :mustequal https://p-spring-cloud-services.uaa.domain.com/oauth/token
scope :mustequal config-server-[guid].read
TheGUIDinthe aud and scope valuesmustmatchthe SERVICE_INSTANCE_ID environmentvariablethatissetintheConfigServerapplicationatprovisiontime.
GET/health
ThisisusedbytheDashboardUIforcheckingiftheConfigServerisconfiguredproperly.Thisendpointcanbeaccessedanonymously,andonlyreturns{"status":"UP"} or {"status":"DOWN"} .
OAuth2ClientsforBoundApplications
Toprovideaccesstoboundapplications,eachSBbindrequestcreatesthefollowingOAuth2client:
ClientID:p-config-server-[bindingId]IdentityZone:SpringCloudServicesGrantType:ClientCredentialsScopes: uaa.noneAuthorities: p-config-server-[guid].readTokenexpiry:default(12hours)
©CopyrightPivotalSoftwareInc,2013-2018 27 1.1
TheclientIDandclientsecretforthisclientareprovidedtotheboundapplicationviathebindingcredentialsintheVCAP_SERVICES environmentvariable.OnlyaSpaceDeveloperinthespacethatcontainstheboundapplicationwouldhaveaccesstothis.
NoApplication-LevelAccessControl
Otherthancheckingfortheclaimsmentionedintheprevioussection,nootherattributesareconsideredwhenmakinganaccesscontroldecision.Becauseofthis,anyapplicationboundtotheserviceinstancewillbeabletoaccessanyconfigurationservedbythisConfigServer.
ActuatorEndpoints
Actuatorendpoints areenabledandrequireHTTPSandBasicauthentication,withtheexceptionof /health asdescribedabove.Credentialsthatprovidethisaccessaresetatprovisiontimeintheconfig-serverapplication’senvironmentvariables.TheseenvironmentvariablesareonlyaccessibletotheOperator.
ExternalDependencies
Gitrepository
TheactualconfigurationsarestoredinaGitrepositoryandretrievaloftheseconfigurationsbytheConfigServerissubjecttotheGitrepository’ssecurityrequirements.TheURIandtheusernameandpassword(ifapplicable)aresetbytheSpaceDeveloperthatconfigurestheserviceinstance.TheUIgetsandsetsthesecredentialsthroughtheServiceBroker’s /dashboard/instances/{guid}/env endpoint,sothatthecredentialsaremadeavailabletotheConfigServerviaenvironmentvariables(andhencestoredencryptedintheCCDB).
UAA
TheConfigServeraccessesthe /token_key endpointonUAAtoretrievethetokenverificationkey.ThiskeymaterialisusedtoverifytheJWTsignatureofthetokeninordertoauthenticatetherequest.
OAuthClients
config-server-{guid}
IdentityZone:SpringCloudServicesGrantType:ClientCredentialsScopes: uaa.noneAuthorities: uaa.resourceTokenexpiry:default(12hours)
The uaa.resource authorityallowstheconfig-serverapplicationtoaccessthetokenverificationendpointsonUAA.Theclientiscreatedbythep-spring-cloud-services-workerclientatprovisiontime.TheclientIDandclientsecretaremadeavailabletotheconfig-serverapplicationviaenvironmentvariablessetatprovisiontime,andareonlyvisibletotheOperator.
ServiceRegistryServiceInstances
appeureka-{guid}
TheEurekaapplicationisabackingapplicationforServiceRegistryserviceinstances.TheGUIDintheapplicationnameistheserviceinstanceID.ThisapplicationhostsaRESTAPIfortheServiceRegistryandadashboardUIforviewingthestatusoftheRegistry.
EntryPoints
EurekaRESTendpoints
TheseentrypointsaredefinedbyNetflixEureka .Insteadofenumeratingeveryendpoint,wewillexplainthedifferencesinsecuringtheHTTPverbs.
GET
AllGETendpointsmustbeauthenticatedwithanOAuth2BearertokenissuedbytheSpringCloudServicesIdentityZone.Thefollowingclaimsarechecked:
aud :mustequal p-service-registry-[guid]
iss :mustequal https://p-spring-cloud-services.uaa.domain.com/oauth/token
scope :mustequal p-service-registry-[guid].read
TheGUIDinthe aud and scope valuesmustmatchthe SERVICE_INSTANCE_ID environmentvariablethatissetintheEurekaapplicationatprovisiontime.
POST|PUT|DELETE
AllPOST,PUT,andDELETEendpointsmustbeauthenticatedwithanOAuth2BearertokenissuedbytheSpringCloudServicesIdentityZone.Thefollowingclaimsarechecked:
aud :mustequal p-service-registry-[guid]
iss :mustequal https://p-spring-cloud-services.uaa.domain.com/oauth/token
scope : must equal p-service-registry-[guid].write
TheGUIDinthe aud and scope valuesmustmatchthe SERVICE_INSTANCE_ID environmentvariablethatissetintheEurekaapplicationatprovisiontime.
©CopyrightPivotalSoftwareInc,2013-2018 28 1.1
RecordLevelAccessControl
Inadditiontocheckingtokenclaims,furtherchecksaredoneonPOST,PUT,andDELETErequeststoensurethataEurekaApplicationcanonlybecreatedormodifiedbyasingleCFApplication.Beforecontinuing,weshoulddefinethefollowingEurekadomainobjects:
Application:ThisisidentifiedbyappID.CFApplicationsthatregisterwithEurekawillusetheir spring.application.name forthisvalue.Whenlookingupaservice,CFApplicationswilllookupInstancesviatheirappID.
Instance:ApplicationshaveoneormoreInstances.CFapplicationsthatregisterwithEurekaareactuallyregisteringthemselvesasInstancesofanApplication.AnApplicationdoesnotexistwithoutInstances;inotherwords,anApplicationexistsonlybecauseanInstancereferstoonebyappID.
ToensurethataEurekaApplicationcanonlyberegisteredbyasingleCFApplication,theEurekaserverwasmodifiedtorecordtheCFApplication’sidentity,whichisconveyedbythe sub claimoftheOAuth2Bearertoken.ThisvalueissavedintheInstancemetadataunderthekey registrant_principal .WhenanInstanceisregistered(orforanyothermodificationrequest),ifthereareotherInstancesforthesameApplication,the registrant_principal valuesoftheotherInstancesarecheckedandmustequaltheprincipaloftheincomingrequest;otherwise,therequestisrejected.
ThisschemecouldallowmultipleCFApplicationstoregisterthemselvesunderthesameApplicationID,ifatfirsttherearenootherInstancesforthatApplication.Inthiscase,eachregistrationrequestwouldbereceivedandhandledasiftheyarethefirstInstancesforthatApplication.Duetohowtheregistrant_principal valuesarelookedup(nolocksareplacedforperformancereasons),thisraceconditionispossible.However,oncethisstateissaved,
resultinginmultiple registrant_principal valuesforthesameApplication,anyfurthermodificationrequestsmadeforthatapplicationwillfail,regardlessofwhomakestherequest.TheEurekaserverwillalsologthisspecificerror.Becausenostatemodificationrequests,includingheartbeatrequests,wouldbeaccepted,theseInstanceswouldeventuallyexpire.
OAuth2ClientsforBoundApplications
ToprovideaccesstotheEurekaRESTAPIforboundapplications,eachSBbindrequestcreatesthefollowingOAuth2client:
ClientID:p-service-registry-[bindingId]IdentityZone:SpringCloudServicesGrantType:ClientCredentialsScopes: uaa.noneAuthorities: p-service-registry-[guid].read , p-service-registry-[guid].writeTokenexpiry:default(12hours)
TheclientIDandclientsecretforthisclientisprovidedtotheboundapplicationviathebindingcredentialsintheVCAP_SERVICES environmentvariable.OnlyaSpaceDeveloperinthespacethatcontainstheboundapplicationwouldhaveaccesstothis.
EurekaDashboard
TheEurekaDashboardrequiresthetypicalDashboardSSOflow.TheserviceinstanceIDusedinthepermissioncheckissuppliedbyanenvironmentvariablesetatprovisiontimebytheWorker.Theserviceinstancepermissioncheckiscachedinthesamemannerasthechecksdonebytheservicebroker.
ActuatorEndpoints
ActuatorendpointsrequirethesameActuatorSSOflowusedbytheServiceBroker.
ExternalDependencies
UAA
TheEurekaServeraccessesthe /token_key endpointonUAAtoretrievethetokenverificationkey.ThiskeymaterialisusedtoverifytheJWTsignatureofthetokeninordertoauthenticatetherequest.
TheCloudController
TheSBcommunicatestotheCCviaHTTPStoperformpermissionchecksusingthecurrentuser’stoken,asdescribedintheEntryPointssection,andtoderiveURIsforUAA.TheURItotheCCissetatinstallationtimeintheSB’senvironmentvariables,underthename CF_TARGET .Theenvironmentvariablecouldbemodifiedsothattheuser’stokenissenttoanotherparty.TheenvironmentvariablecanonlybemodifiedbyaSpaceDeveloperinthe“p-spring-cloud-services”space,andonlytheOperatorwouldhavethisaccess.
OAuthClients
eureka-{guid}
IdentityZone:UAAGrantType:AuthorizationCodeRedirectURI:https://eureka-{guid}.domain.com/dashboard/loginScopes: openid , cloud_controller.read , cloud_controller_service_permissions.readAuthorities: uaa.resourceTokenexpiry:default(12hours)
ThisclientisusedforDashboardSSOwithUAA.ThescopesallowtheEurekaapplicationtoaccesstheCloudControllerAPIontheuser’sbehalf,andareauto-approved.The uaa.resource authorityallowstheEurekaapplicationtoaccessthetokenverificationendpointsonUAA.Theclientiscreatedbythep-spring-cloud-services-workerclientatprovisiontime.TheclientIDandclientsecretaremadeavailabletotheEurekaapplicationviaenvironmentvariablessetatprovisiontime.
eureka-{guid}
IdentityZone:SpringCloudServicesGrantType:ClientCredentialsScopes: uaa.noneAuthorities: uaa.resourceTokenexpiry:default(12hours)
©CopyrightPivotalSoftwareInc,2013-2018 29 1.1
The uaa.resource authorityallowstheEurekaapplicationtoaccessthetokenverificationendpointsonUAA.Theclientiscreatedbythep-spring-cloud-services-workerclientatprovisiontime.TheclientIDandclientsecretaremadeavailabletotheEurekaapplicationviaenvironmentvariablessetatprovisiontime.ThecredentialsarethesameasthecorrespondingclientintheUAAIdentityZone.
CircuitBreakerDashboardServiceInstances
apphystrix-{guid}
TheHystrixapplicationisoneofthetwobackingapplicationsforCircuitBreakerDashboardserviceinstances.TheGUIDintheapplicationnameistheserviceinstanceID.ThisapplicationisderivedfromtheNetflixHystrixDashboard .
EntryPoints
HystrixDashboard
TheHystrixDashboardrequiresthetypicalDashboardSSOflow.TheserviceinstanceIDusedinthepermissioncheckissuppliedbyanenvironmentvariablesetatprovisiontimebytheWorker.Theserviceinstancepermissioncheckiscachedinthesamemannerasthechecksdonebytheservicebroker.
ActuatorEndpoints
ActuatorendpointsrequirethesameActuatorSSOflowusedbytheServiceBroker.
ExternalDependencies
TheTurbineApp
TheHystrixDashboardUIusesanEventSourceinthebrowsertolistentoServerSentEvents emittedbytheTurbineapplication.BecausetheTurbineapplication’sorigindiffersfromtheHystrixapplication,andEventSourcesdonotsupportCORS,theHystrixapplicationmusthandletheEventSourcerequestandproxythisrequesttotheTurbineapplication.
TheTurbineapplicationmustauthenticatethisrequest,sotheHystrixapplicationincludesthetokenintheproxyrequest.TheproxyrequestishandledonHystrixviatheendpoint /proxy.stream?origin=[turbineurl] .Thisendpointonopen-sourceHystrixcanbeusedasanopenproxy,sotoprotectthetokenfrombeingleaked,theTurbineURLintheoriginqueryparametermustmatchthe TURBINE_URL environmentvariableoftheHystrixapplication.Thisvariableissetatprovisiontime,alwaysbeginswith https:// ,andcanonlybemodifiedbytheOperator.
UAA
TheHystrixapplicationaccessesthe /token_key endpointonUAAtoretrievethetokenverificationkey.ThiskeymaterialisusedtoverifytheJWTsignatureofthetokeninordertoauthenticatetherequest.
TheCloudController
TheHystrixapplicationcommunicatestotheCCviaHTTPStoperformpermissionchecksusingthecurrentuser’stoken,asdescribedintheEntryPointssection,andtoderiveURIsforUAA.TheURItotheCCissetbytheWorkeratprovisiontimeintheapplication’senvironmentvariables,underthenameCF_TARGET .TheenvironmentvariablecanonlybemodifiedbytheOperator.
OAuthClients
hystrix-{guid}
IdentityZone:UAAGrantType:AuthorizationCodeScopes: openid , cloud_controller.read , cloud_controller_service_permissions.readAuthorities: uaa.resourceTokenexpiry:default(12hours)
ThisclientisusedforSSOwithUAA.ThescopesallowtheHystrixapplicationtoaccesstheCloudControllerAPIontheuser’sbehalf,andareauto-approved.The uaa.resource authorityallowstheHystrixapplicationtoaccessthetokenverificationendpointsonUAA.Theclientiscreatedbythep-spring-cloud-services-workerclientatprovisiontime.TheclientIDandclientsecretaremadeavailabletotheHystrixapplicationviaenvironmentvariablessetatprovisiontime.
appturbine-{guid}
TheTurbineapplicationistheotherbackingapplicationforCircuitBreakerDashboardserviceinstances.TheGUIDintheapplicationnameistheserviceinstanceID.ThisapplicationisderivedfromNetflixTurbine ,whichaggregatesHystrixAMQPmessagesandemitsthemasaServerSentEventstream.
EntryPoints
GET/turbine.stream
ThisemitstheServerSentEventstreamandistheonlyHTTP-basedentrypoint.Toauthenticatetherequest,theTurbineapplicationusestheAuthorizationheaderoftheincomingrequest(containingtheOAuth2Bearertoken)tomakearequesttotheCCAPItocheckpermissionsontheserviceinstancebeingaccessed,asdocumentedhere .TheserviceinstanceIDusedinthepermissioncheckissuppliedbyanenvironmentvariablesetatprovisiontimebytheWorker.ThischeckisdoneonceperSSErequest,andbecausethereisnosessioninvolved,itisnotcached.However,SSErequestsarekeptaliveuntilthebrowserwindowisclosed,sothepermissioncheckwillhappeninfrequently.
©CopyrightPivotalSoftwareInc,2013-2018 30 1.1
HystrixAMQPmessages
TheTurbineapplicationlistensforAMQPmessagespostedbyapplicationsboundtotheCircuitBreakerDashboardserviceinstance.ApplicationsboundtotheCircuitBreakerDashboardreceivecredentialstothep-rabbitmq serviceinstanceinordertopostthesemessages.Allboundapplicationsreceivethesamecredentials.
ExternalDependencies
p-rabbitmq
Asdescribedearlier,boundapplicationsuseaninstanceofp-rabbitmq topostcircuitbreakermetrics.TheTurbineapplicationlistenstothesemessages,aggregatesthemetrics,andemitsaServerSentEventstream.Thecredentialsforthep-rabbitmqserviceinstanceareprovidedtotheTurbineapplicationthoughserviceinstancebinding.ThesesamecredentialsareprovidedtoapplicationsboundtotheCircuitBreakerDashboardserviceinstance,andwouldbevisibletoanyuserthatisabletobindtotheserviceinstance.ThesecredentialscanbeusedforadminaccesstotheRabbitMQ.
SincethisRabbitMQisonlyusedforcollectinganddisseminating @HystrixCommand metricsfromboundapplications,oneriskhereisbreakingtheabilityformetricstobegatheredandreportedintheHystrixdashboard.Doingthiswouldnotaffecttheoperationofanyapplicationboundtotheserviceinstance.
TheCloudController
TheTurbineapplicationcommunicatestotheCCviaHTTPStoperformpermissionchecksusingthecurrentuser’stoken,asdescribedinthesectionontheServerSentEventstream.TheURItotheCCissetbytheWorkeratprovisiontimeintheapplication’senvironmentvariables,underthenameCF_TARGET .TheenvironmentvariablecanonlybemodifiedbytheOperator.
©CopyrightPivotalSoftwareInc,2013-2018 31 1.1
ServiceInstanceUpgrades
ServiceInstanceUpgradeStepsAfteranupgradeoftheSpringCloudServicesproduct,followthebelowstepstoupgradeanindividualserviceinstance.
Run cfupdate-service-c'{"upgrade":true}'SERVICE_NAME
,where SERVICE_NAME isthenameofaserviceinstance:
$cfupdate-service-c'{"upgrade":true}'config-serverUpdatingserviceinstanceconfig-serverasadmin...OK
Updateinprogress.Use'cfservices'or'cfserviceconfig-server'tocheckoperationstatus.
Astheoutputfromthecommandsuggests,youcanusethe cfservices or cfservice commandstocheckthestatusoftheupgrade.
$cfserviceconfig-server
Serviceinstance:config-serverService:p-config-serverBoundapps:cookTags:Plan:standardDescription:ConfigServerforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-config-server/690f426b-9563-4d98-aa74-05ef3dea32c1
LastOperationStatus:updateinprogressMessage:Started:2016-06-22T16:13:27ZUpdated:2016-06-22T16:13:27Z
Whentheupgradeiscomplete, cfserviceSERVICE_NAME willreporta Status of updatesucceeded
:
$cfserviceconfig-server
Serviceinstance:config-serverService:p-config-serverBoundapps:cookTags:Plan:standardDescription:ConfigServerforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-config-server/690f426b-9563-4d98-aa74-05ef3dea32c1
LastOperationStatus:updatesucceededMessage:Started:2016-06-22T16:13:27ZUpdated:2016-06-22T16:15:28Z
ClientApplicationChangesin1.1.0TheclientdependenciesforSpringCloudServiceswererestructuredinSpringCloudServicesversion1.1.0.Inparticular,thespring-cloud-services-starter-parent hasbeenreplacedwitha spring-cloud-services-dependencies MavenBOM(BillofMaterials ),whichdoesnotincludetheSpring
CloudorSpringBootdependencyBOMs.
Ifyourclientapplicationsareusingdependenciescorrespondingtoa1.0.xversionofSpringCloudServices,youmustupdatethemtousethe1.1.xBOMandincludetheotherrequisitedependencies.SeetheClientDependencies topicfordetailsonthecurrentclientdependencies.
Important:IfyouhaveclientapplicationswhichworkwithSpringCloudServices1.0.xserviceinstancesandareupgradingtheseserviceinstancesto1.1.x,youmustupdateyourclientapplicationstousethecurrentversionoftheSpringCloudServicesclientdependencies.SeeClientApplicationChangesin1.1.0below.
Important:AfterupgradingaCircuitBreakerDashboardserviceinstancefrom1.0.xto1.1.x,youmustunbind,rebind,andrestartanyclientapplicationswhichwereboundtotheinstance.Thisisduetoachangeinhowserviceinstancecredentialsaremanaged.
©CopyrightPivotalSoftwareInc,2013-2018 32 1.1
ClientDependenciesPagelastupdated:
SeebelowforinformationaboutthedependenciesrequiredforclientapplicationsusingSpringCloudServicesserviceinstances.
IncludeSpringCloudServicesDependencies
ToworkwithSpringCloudServicesserviceinstances,yourclientapplicationmustincludethe spring-cloud-services-dependencies and spring-cloud-dependencies
BOMs.Unlessyouareusingthe spring-boot-starter-parent orSpringBootGradleplugin,youmustalsospecifythe spring-boot-dependencies BOMasadependency.
IfusingMaven,includein pom.xml :
<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>1.3.5.RELEASE</version><relativePath/><!--lookupparentfromrepository--></parent>
<dependencyManagement><dependencies><dependency><groupId>io.pivotal.spring.cloud</groupId><artifactId>spring-cloud-services-dependencies</artifactId><version>1.1.2.RELEASE</version><type>pom</type><scope>import</scope></dependency><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-dependencies</artifactId><version>Brixton.SR1</version><type>pom</type><scope>import</scope></dependency></dependencies></dependencyManagement>
Ifnotusingthe spring-boot-starter-parent ,includeinthe <dependencyManagement> blockof pom.xml :
<dependencyManagement><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-dependencies</artifactId><version>1.3.5.RELEASE</version><type>pom</type><scope>import</scope></dependency>
<!--...-->
</dependencies></dependencyManagement>
IfusingGradle,youwillalsoneedtousetheGradledependencymanagementplugin .
Includein build.gradle :
buildscript{repositories{mavenCentral()}dependencies{classpath("io.spring.gradle:dependency-management-plugin:0.5.6.RELEASE")classpath("org.springframework.boot:spring-boot-gradle-plugin:1.3.5.RELEASE")}}
applyplugin:"java"applyplugin:"spring-boot"applyplugin:"io.spring.dependency-management"
dependencyManagement{imports{mavenBom"org.springframework.cloud:spring-cloud-dependencies:Brixton.SR1"mavenBom"io.pivotal.spring.cloud:spring-cloud-services-dependencies:1.1.2.RELEASE"}}
repositories{maven{url"https://repo.spring.io/plugins-release"}}
IfnotusingtheSpringBootGradleplugin,includeinthe dependencyManagement blockof build.gradle :
Important:EnsurethattheorderingoftheMavenBOMdependencieslistedbelowispreservedinyourapplication’sbuildfile.DependencyresolutionisaffectedinbothMavenandGradlebytheorderinwhichdependenciesaredeclared.
©CopyrightPivotalSoftwareInc,2013-2018 33 1.1
dependencyManagement{imports{mavenBom"org.springframework.boot:spring-boot-dependencies:1.3.5.RELEASE"}}
ConfigServerYourapplicationmustdeclare spring-cloud-services-starter-config-client asadependency.
IfusingMaven,includein pom.xml :
<dependencies><dependency><groupId>io.pivotal.spring.cloud</groupId><artifactId>spring-cloud-services-starter-config-client</artifactId></dependency></dependencies>
IfusingGradle,includein build.gradle :
dependencies{compile("io.pivotal.spring.cloud:spring-cloud-services-starter-config-client")}
ServiceRegistryYourapplicationmustdeclare spring-cloud-services-starter-service-registry asadependency.
IfusingMaven,includein pom.xml :
<dependencies><dependency><groupId>io.pivotal.spring.cloud</groupId><artifactId>spring-cloud-services-starter-service-registry</artifactId></dependency></dependencies>
IfusingGradle,includein build.gradle :
dependencies{compile("io.pivotal.spring.cloud:spring-cloud-services-starter-service-registry")}
CircuitBreakerDashboardYourapplicationmustdeclare spring-cloud-services-starter-circuit-breaker asadependency.
IfusingMaven,includein pom.xml :
<dependencies><dependency><groupId>io.pivotal.spring.cloud</groupId><artifactId>spring-cloud-services-starter-circuit-breaker</artifactId></dependency></dependencies>
IfusingGradle,includein build.gradle :
dependencies{compile("io.pivotal.spring.cloud:spring-cloud-services-starter-circuit-breaker")}
©CopyrightPivotalSoftwareInc,2013-2018 34 1.1
TroubleshootingClientApplicationsSeebelowforinformationabouttroubleshootingproblemsinclientapplicationswhichareboundtoSpringCloudServicesserviceinstances.
“Can’tcontactanyeurekanodes-possiblyasecuritygroupissue?”AclientapplicationboundtoaServiceRegistryserviceinstancemayloganerrorsuchasthefollowing:
2015-10-01T11:33:38.43-0500[App/0]OUT2015-10-0116:33:38.433WARN29---[main]com.netflix.discovery.DiscoveryClient:Action:Refresh=>returnedstatusof401fromhttps://eureka-aa9d8079f0f3.example.com/eureka/apps/2015-10-01T11:33:38.43-0500[App/0]OUT2015-10-0116:33:38.438ERROR29---[main]com.netflix.discovery.DiscoveryClient:Can'tgetaresponsefromhttps://eureka-aa9d8079f0f3.example.com/eureka/apps/2015-10-01T11:33:38.43-0500[App/0]OUTCan'tcontactanyeurekanodes-possiblyasecuritygroupissue?2015-10-01T11:33:38.43-0500[App/0]OUTjava.lang.RuntimeException:Badstatus:4012015-10-01T11:33:38.43-0500[App/0]OUTatcom.netflix.discovery.DiscoveryClient.makeRemoteCall(DiscoveryClient.java:1155)
IfyourPCFenvironmentisusingaself-signedcertificate(suchasacertificategeneratedinElasticRuntime),youmustsettheCF_TARGET environmentvariableonyourapplicationtotheAPIendpointofElasticRuntime.SeetheAddSelf-SignedSSLCertificatetoJVMTruststore sectionoftheWritingClientApplications topicintheServiceRegistrydocumentation .
“sun.security.validator.ValidatorException:PKIXpathbuildingfailed”Ifyouencounterthefollowingexception:
sun.security.validator.ValidatorException:PKIXpathbuildingfailed:sun.security.provider.certpath.SunCertPathBuilderException:unabletofindvalidcertificationpathtorequestedtarget
IfyourPCFenvironmentisusingself-signedcertificates,makesurethatyouhavesetthe CF_TARGET environmentvariableontheapplicationtotheElasticRuntimeAPIendpointasdescribedintheAddSelf-SignedSSLCertificatetoJVMTruststore sectionoftheWritingClientApplications topicintheServiceRegistrydocumentation .
©CopyrightPivotalSoftwareInc,2013-2018 35 1.1
ReleaseNotesforSpringCloud®ServicesonPivotalCloudFoundryReleasenotesforSpringCloudServicesforPivotalCloudFoundry
Migratingfrom1.0.xForeachclientapplication,youmust:
UpdatethebuildfiletousethenewversionsoftheSpringCloudServicesclientdependencies(seeClientDependencies)
UpdatethebuildfiletousetheMavenBOMdependenciesforSpringBootandSpringCloud(seeClientDependencies)
1.1.34ReleaseDate:27thJune2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3468.51.Thisresolvesthefollowingissues:
[USN-3658-1] :procps-ngvulnerabilities[USN-3675-1] :GnuPGvulnerabilities[USN-3676-2] :Linuxkernel(XenialHWE)vulnerabilities[USN-3686-1] :filevulnerabilities[USN-3684-1] :Perlvulnerability
1.1.33ReleaseDate:4thJune2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3468.46.Thisresolvesthefollowingissues:
[USN-3643-1] :Wgetvulnerability[USN-3648-1] :curlvulnerabilities[USN-3654-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.32ReleaseDate:10thMay2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3468.42.Thisresolvesthefollowingissues:
[USN-3641-1] :Linuxkernelvulnerabilities[USN-3631-2] :Linuxkernel(XenialHWE)vulnerabilities[USN-3628-1] :OpenSSLvulnerability[USN-3624-1] :Patchvulnerabilities[USN-3625-1] :Perlvulnerabilities
1.1.31ReleaseDate:17thApril2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3468.30.Thisresolvesthefollowingissues:
[USN-3619-2] :Linuxkernel(XenialHWE)[USN-3611-1] :OpenSSL[USN-3610-1] :ICU
1.1.30ReleaseDate:28thMarch2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3468.28.Thisresolvesthefollowingissues:
[USN-3586-1] :DHCP[USN-3584-1] :sensible-utils[USN-3598-1] :curl
©CopyrightPivotalSoftwareInc,2013-2018 36 1.1
1.1.29ReleaseDate:26thFebruary2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3468.25.Thisresolvesthefollowingissues:
[USN-3554-1] :curlvulnerabilities[USN-3543-1] :rsyncvulnerabilities[USN-3547-1] :Libtasn1vulnerabilities[USN-3582-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.28ReleaseDate:24thJanuary2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3445.24.Thisresolvesthefollowingissues:
[USN-3540-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.27ReleaseDate:19thJanuary2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3445.23.Thisresolvesthefollowingissues:
[USN-3534-1] :GNUCLibraryvulnerabilities
1.1.26ReleaseDate:11thJanuary2018
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3445.22.Thisresolvesthefollowingissues:
[USN-3522-2] :Linux(XenialHWE)vulnerability[USN-3522-4] :Linuxkernel(XenialHWE)regression
1.1.25ReleaseDate:11thDecember2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3445.19.Thisresolvesthefollowingissues:
[USN-3505-1] :Linuxfirmwarevulnerabilities
1.1.24ReleaseDate:30thNovember2017
Enhancementsincludedinthisrelease:
Thepreviousreleaseusedanincorrectversionofthestemcell.Thisreleasecorrectsthat.Thestemcellhasbeenupdatedto3445.17.
1.1.23ReleaseDate:2ndNovember2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3445.16.
1.1.21ReleaseDate:18thAugust2017
©CopyrightPivotalSoftwareInc,2013-2018 37 1.1
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.31.Thisresolvesthefollowingissues:
[USN-3392-2] :Linuxkernel(XenialHWE)regression
1.1.20ReleaseDate:15thAugust2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.30.Thisresolvesthefollowingissues:
[USN-3385-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.19ReleaseDate:6thAugust2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.29.Thisresolvesthefollowingissues:
[USN-3378-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.18ReleaseDate:21stJune2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.26.Thisresolvesthefollowingissues:
[USN-3334-1] :Linuxkernel(XenialHWE)vulnerabilities
1.1.17ReleaseDate:5thJune2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.25.Thisresolvesthefollowingissues:
[USN-3304-1] :Sudovulnerability
1.1.16ReleaseDate:25thMay2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.24.Thisresolvesthefollowingissues:
[USN-3291-3] :Linuxkernel(XenialHWE)vulnerabilities
1.1.15ReleaseDate:27thApril2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.20.Thisresolvesthefollowingissues:
[USN-3265-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.14ReleaseDate:31stMarch2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3363.14.Thisresolvesthefollowingissues:
[USN-3249-2] :Linuxkernel(XenialHWE)vulnerability
©CopyrightPivotalSoftwareInc,2013-2018 38 1.1
1.1.13ReleaseDate:10thMarch2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3263.21.Thisresolvesthefollowingissues:
[USN-3220-2] :Linuxkernel(XenialHWE)vulnerability
1.1.12ReleaseDate:28thFebruary2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3263.20.Thisresolvesthefollowingissues:
[USN-3208-2] :Linuxkernel(XenialHWE)vulnerabilities
1.1.11ReleaseDate:30thJanuary2017
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3263.17.Thisresolvesthefollowingissues:
[USN-3161-2] :Linuxkernel(XenialHWE)vulnerabilities[USN-3169-2] :Linuxkernel(XenialHWE)vulnerabilities[USN-3172-1] :Bindvulnerabilities
1.1.10ReleaseDate:14thDecember2016
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3263.13.Thisresolvesthefollowingissues:
[USN-3156-1] :APTvulnerability
1.1.9ReleaseDate:7thDecember2016
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3263.12.Thisresolvesthefollowingissues:
[USN-3151-2] :Linuxkernel(XenialHWE)vulnerability
1.1.8ReleaseDate:21stOctober2016
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3233.3.Thisresolvesthefollowingissues:
[USN-3106-2] :Linuxkernel(XenialHWE)vulnerability
1.1.7ReleaseDate:12thOctober2016
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3233.2forstabilityandbugfixes.
1.1.6ReleaseDate:6thOctober2016
Enhancementsincludedinthisrelease:
©CopyrightPivotalSoftwareInc,2013-2018 39 1.1
Thestemcellhasbeenupdatedto3233.1asanupgradetoLinuxversion4.4kernelandtoenablefutureupgrades.
1.1.4ReleaseDate:28thSeptember2016
Enhancementsincludedinthisrelease:
Thestemcellhasbeenupdatedto3232.21.Thisresolvesthefollowingissues:
[USN-3087-2] :OpenSSLregression
1.1.3ReleaseDate:8thSeptember2016
ThisreleaseincludesaCloudFoundrycomponentupdate.
Featuresincludedinthisrelease:
TheCloudFoundryCommandLineInterfacetool(cfCLI)usedinerrandshasbeenupgradedtoversion6.21.1andisnowconfiguredtoallowforlongDNSresolutiontimes.
1.1.2ReleaseDate:24thAugust2016
ThisreleaseupdatesthestemcellandaddsenhancementstotheConfigServerandCircuitBreakerDashboardservices.Italsocontainsbugfixes.
Featuresincludedinthisrelease:
Thestemcellhasbeenupdatedto3232.17.Thisresolvesthefollowingissues:
[USN-3064-1] :GnuPGvulnerability
Enhancementsincludedinthisrelease:
ConfigServersupportforplaceholdersinrepositoryURIshasbeenimproved.
ConfigServercannowbeconfiguredtocloneconfigurationsourcerepositoriesonstartup(asopposedtothedefaultbehaviorofcloningarepositorywhenconfigurationisfirstrequestedfromtheassociatedconfigurationsource).SeethetableofgeneralconfigurationparametersintheCreatinganInstancetopicoftheConfigServerdocumentation formoreinformation.
CircuitBreakerDashboard’sSpringCloudStreamconfigurationnowusesallURIsprovidedfortheassociatedRabbitMQforPivotalCloudFoundry
serviceinstance.
Thetileinstallanduninstallprocessesarenowmoreresilienttoerrorsencounteredduringtherelevanterrands.
Fixesincludedinthisrelease:
Iftheservicebrokerworkerfailstoupdateaserviceinstancewhentheservicebrokerreceivesaprovisionorupdaterequest,therequesttotheservicebrokerwillnowtimeoutandtheserviceinstancestatuswillbechangedfromPENDINGtoFAILED.
ApplicationsunboundfromaServiceRegistryserviceinstancewillnolongerremainintheserviceinstance’sregistryandwillberemovedfromthatregistryshortlyafterbeingunboundfromtheserviceinstance.
Fixedaproblemwheretheservicebroker’sauthenticationtotheCloudControllerwouldexpireifthebrokerremainedinactiveforalongperiodoftime.
1.1.1ReleaseDate:1stJuly2016
Featuresincludedinthisrelease:
Thestemcellhasbeenupdatedto3232.12.Thisresolvesthefollowingissues:
[USN-3020-1] :Linuxkernel(VividHWE)vulnerabilities
1.1.0ReleaseDate:28thJune2016
Featuresincludedinthisrelease:
SpringCloudServicesnowsupportsPivotalCloudFoundryversions1.6andlater.
Important:YourclientapplicationswhichworkwithSpringCloudServices1.0.xserviceinstancesmustbeupdatedinordertoworkwith1.1.0serviceinstances.SeeMigratingfrom1.0.x.
©CopyrightPivotalSoftwareInc,2013-2018 40 1.1
ServiceinstancesarenowbasedonSpringCloudBrixton.SR1,andclientapplicationscanuseSpringBoot1.3.xandSpringCloudBrixton.SR1.Formoreinformationaboutclientapplicationdependencies,seeClientDependencies.
Theservicebrokernowsupportsasynchronousserviceoperations.Formoreinformation,seetheTheServiceBrokersectionoftheOperatorInformation.
OperatorscannowexplicitlychoosetheJavabuildpackthatwillbeusedtodeployserviceinstances.Formoreinformation,seetheSetBuildpackforServiceInstancessectionoftheOperatorInformation.
Operatorscannowupgradeeitherindividualserviceinstancesorallnon-upgradedserviceinstancesdirectlyfromtheServiceInstancesdashboard.Formoreinformation,seetheTheServiceInstancesDashboardsectionoftheOperatorInformation.
Upgradesofserviceinstancesnowresultinzerodowntimefortheserviceinstances.Formoreinformationaboutupgradingserviceinstances,seeServiceInstanceUpgrades.
UpdatestoConfigServersettingsnowresultinzerodowntimefortheConfigServerserviceinstance.FormoreinformationaboutupdatingaConfigServerinstance’ssettings,seeUpdatinganInstanceintheConfigServerdocumentation .
ConfigServercannowaccessaGitrepositorythatusesself-signedSSLcertificateswithHTTPS.Formoreinformationaboutsupportedconfigurationsources,seeTheConfigServerintheConfigServerdocumentation .
ConfigServercannowaccessaGitrepositoryviaaproxyserverwhenusingHTTPorHTTPS.
ConfigServercannowaccessaGitrepositoryusingtheGitorSSHprotocolsinadditiontoHTTPandHTTPS.
ConfigServercannowbecreatedwithorupdatedtousemultipleGitrepositoriesasconfigurationsources.
ConfigServerandServiceRegistrycannowoperateinhigh-availabilitymode,withasetcountofinstancestoprovisionbeingspecifiedwhencreatingorupdatingaserviceinstance.Formoreinformation,seeCreatinganInstanceandUpdatinganInstanceintheConfigServerdocumentation andCreatinganInstanceandUpdatinganInstanceintheServiceRegistrydocumentation .
Enhancementsincludedinthisrelease:
TheoperatorServiceInstancesdashboardnowdisplaystheservicekeysboundtoaserviceinstance,inadditiontoitsboundapplications.FormoreinformationabouttheServiceInstancesdashboard,seetheTheServiceInstancesDashboardsectionoftheOperatorInformation.
Dashboardsforindividualserviceinstancesnowdisplaytheusernameofthelogged-inuserandprovidealinktologout.
ConfigServerserviceinstancesarenowexclusivelyconfiguredusingprovisionandupdateparametersgiventotheCloudFoundryCommandLineInterfacetool(cfCLI),andtheConfigServer’sdashboardnowdisplaystheserviceinstance’sconfiguration.Formoreinformation,seeCreatinganInstance,UpdatinganInstance,andUsingtheDashboardintheConfigServerdocumentation .
WhencreatingaCircuitBreakerDashboardserviceinstance,theservicebrokernowperformstasksinparallelforfasterprovisioning.
Knownissues:
ConfigServercurrentlydoesnotsupportuseofaprivateGitrepositoryaccessedviaanauthenticatedproxyserverasaconfigurationsource.Formoreinformation,seeCreatinganInstanceorUpdatinganInstanceintheConfigServerdocumentation .
WhenupgradingaCircuitBreakerDashboardinstancefrom1.0.xto1.1.0,runningapplicationsmustbeunbound,rebound,andrestarted,duetoachangeinhowcredentialsaremanaged.
©CopyrightPivotalSoftwareInc,2013-2018 41 1.1
ConfigServerforPivotalCloudFoundry
OverviewConfigServerforPivotalCloudFoundry (PCF)isanexternalizedapplicationconfigurationservice,whichgivesyouacentralplacetomanageanapplication’sexternalpropertiesacrossallenvironments.Asanapplicationmovesthroughthedeploymentpipelinefromdevelopmenttotestandintoproduction,youcanuseConfigServertomanagetheconfigurationbetweenenvironmentsandbecertainthattheapplicationhaseverythingitneedstorunwhenyoumigrateit.ConfigServereasilysupportslabelledversionsofenvironment-specificconfigurationsandisaccessibletoawiderangeoftoolingformanagingthecontent.
TheconceptsonbothclientandservermapidenticallytotheSpring Environment and PropertySource abstractions.TheyworkverywellwithSpringapplications,butcanbeappliedtoapplicationswritteninanylanguage.ThedefaultimplementationoftheserverstoragebackendusesGit.
ConfigServerforPivotalCloudFoundryisbasedonSpringCloudConfigServer .FormoreinformationaboutSpringCloudConfigandaboutSpringconfiguration,seeAdditionalResources .
Refertothe“Cook”sampleapplication tofollowalongwithcodeinthissection.
©CopyrightPivotalSoftwareInc,2013-2018 42 1.1
CreatinganInstancePagelastupdated:
YoucancreateaConfigServerserviceinstanceusingeithertheCloudFoundryCommandLineInterfacetool(cfCLI)orPivotalCloudFoundry (PCF)AppsManager(youcannotconfigureaserviceinstanceusingAppsManager).
UsingthecfCLIBeginbytargetingthecorrectorgandspace.
$cftarget-omyorg-sdevelopment
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:userOrg:myorgSpace:development
YoucanviewplandetailsfortheConfigServerproductusing cfmarketplace-s
.
$cfmarketplaceGettingservicesfrommarketplaceinorgmyorg/spacedevelopmentasuser...OK
serviceplansdescriptionp-circuit-breaker-dashboardstandardCircuitBreakerDashboardforSpringCloudApplicationsp-config-serverstandardConfigServerforSpringCloudApplicationsp-mysql100mb-devMySQLserviceforapplicationdevelopmentandtestingp-rabbitmqstandardRabbitMQisarobustandscalablehigh-performancemulti-protocolmessagingbroker.p-service-registrystandardServiceRegistryforSpringCloudApplications
TIP:Use'cfmarketplace-sSERVICE'toviewdescriptionsofindividualplansofagivenservice.
$cfmarketplace-sp-config-serverGettingserviceplaninformationforservicep-config-serverasuser...OK
serviceplandescriptionfreeorpaidstandardStandardPlanfree
Createtheserviceinstanceusing cfcreate-service
,usingthe -c flagtoprovideaJSONobjectthatspecifiestheconfigurationparameters.Parametersused
toconfigureconfigurationsourcesarepartofaJSONobjectcalled git ,asin {"git":{"uri":"http://example.com/config"}} .Formoreinformationonthepurposesofthesefields,seetheTheConfigServer topic.
GeneralparametersusedtoconfiguretheConfigServer’sdefaultconfigurationsourcearelistedbelow.
Parameter Function
uri TheURI( http:// , https:// ,or ssh:// )ofarepositorythatcanbeusedasthedefaultconfigurationsource
labelThedefault“label”thatcanbeusedwiththedefaultrepositoryifarequestisreceivedwithoutalabel(e.g.,ifthespring.cloud.config.label propertyisnotsetinaclientapplication)
searchPaths
Apatternusedtosearchforconfiguration-containingsubdirectoriesinthedefaultrepository
cloneOnStart
WhethertheConfigServershouldclonethedefaultrepositorywhenitstartsup(bydefault,theConfigServerwillonlyclonetherepositorywhenconfigurationisfirstrequestedfromtherepository).Validvaluesare true and false
username Theusernameusedtoaccessthedefaultrepository(ifprotectedbyHTTPBasicauthentication)
password
Thepasswordusedtoaccessthedefaultrepository(ifprotectedbyHTTPBasicauthentication)
The uri settingisrequired;youcannotdefineaConfigServerconfigurationsourcewithoutincludinga uri .
Thedefaultvalueofthe label settingis master .Youcanset label toabranchname,atagname,oraspecificGitcommithash.
Toset label topointtothe develop branchofarepository,youmightconfiguresettingsasshowninthefollowingJSON:
'{"git":{"uri":"https://github.com/myorg/config-repo","label":"develop"}}'
Toset label topointtothe v1.1 taginarepository,youmightconfiguresettingsasshowninthefollowingJSON:
'{"git":{"uri":"https://github.com/myorg/config-repo","label":"v1.1"}}'
Withinaclientapplication,youcanoverridetheConfigServer’s label settingbysettingthe spring.cloud.config.label property(forexample,in bootstrap.yml ).
Important:Ifyouset cloneOnStart to true foraserviceinstancethatusesarepositorywhichissecuredwithHTTPBasicauthentication,youmustsetthe username and password atthesametimeasyouset cloneOnStart .Otherwise,theConfigServerwillbeunabletoaccesstherepositoryandtheserviceinstancemayfailtoinitialize.
©CopyrightPivotalSoftwareInc,2013-2018 43 1.1
spring:cloud:config:label:v1.2
OtherparametersacceptedfortheConfigServerarelistedbelow.
Parameter Function Example
count Thenumberofnodestoprovision:1bydefault,moreforrunninginhigh-availabilitymode '{"count": 3}'
upgrade Whethertoupgradetheinstance '{"upgrade": true}'
Tocreateaninstance,specifyingsettingsfortheconfigurationsources,thatthedefaultconfigurationsourceGitrepositoryshouldbeclonedwhentheConfigServerstartsup,andthatthreenodesshouldbeprovisioned:
$cfcreate-service-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/config-repo","cloneOnStart":"true","repos":{"cook":{"pattern":"cook*","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}},"count":3}'p-config-serverstandardconfig-serverCreatingserviceinstanceconfig-serverinorgmyorg/spacedevelopmentasuser...OK
Createinprogress.Use'cfservices'or'cfserviceconfig-server'tocheckoperationstatus.
Asthecommandoutputsuggests,youcanusethe cfservices or cfservice commandstocheckthestatusoftheserviceinstance.Whentheserviceinstanceisready,the cfservice commandwillgiveastatusof create
succeeded:
$cfserviceconfig-server
Serviceinstance:config-serverService:p-config-serverBoundapps:Tags:Plan:standardDescription:ConfigServerforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-config-server/9281c950-9b07-495e-9af4-f9fbd277037d
LastOperationStatus:createsucceededMessage:Started:2016-06-24T21:57:21ZUpdated:2016-06-24T21:59:24Z
SSHRepositoryAccessYoucanconfigureaConfigServerconfigurationsourcesothattheConfigServeraccessesitusingtheSecureShell(SSH)protocol.Todoso,youmustspecifyaURIusingthe ssh:// URIschemeortheSecureCopyProtocol(SCP)styleURIformat,andyoumustsupplyaprivatekey.Youmayalsosupplyahostkeywithwhichtheserverwillbeidentified.Ifyoudonotprovideahostkey,theConfigServerwillnotverifythehostkeyoftheconfigurationsource’sserver.
ASSHURImustincludeausername,host,andrepositorypath.ThismightbespecifiedasshowninthefollowingJSON:
'{"git":{"uri":"ssh://[email protected]/spring-cloud-services-samples/cook.git"}}'
AnequivalentSCP-styleURImightbespecifiedasshowninthefollowingJSON:
'{"git":{"uri":"[email protected]:spring-cloud-services-samples/cook-config.git"}}'
TheparametersusedtoconfigureSSHforaConfigServerconfigurationsource’sURIarelistedbelow.
Parameter Function
hostKeyThehostkeyoftheGitserver.Ifyouhaveconnectedtotheserverviagitonthecommandline,thisisinyour.ssh/known_hosts .Donotincludethealgorithmprefix;thisisspecifiedin hostKeyAlgorithm .(Optional.)
hostKeyAlgorithm
Thealgorithmof hostKey :oneof“ssh-dss”,“ssh-rsa”,“ecdsa-sha2-nistp256”,“ecdsa-sha2-nistp384”,and“ecdsa-sha2-nistp521”.(Requiredifsupplying hostKey .)
privateKey
TheprivatekeythatidentifiestheGituser,withallnewlinecharactersreplacedby \n .Passphrase-encryptedprivatekeysarenotsupported.
TocreateaConfigServerserviceinstancethatusesSSHtoaccessaconfigurationsource,allowingforhostkeyverification,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"ssh://[email protected]/spring-cloud-services-samples/cook.git","hostKey":"AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+...","hostKeyAlgorithm":"ssh-rsa","privateKey":"-----BEGINRSAPRIVATEKEY-----\nMIIJKQIB..."}}'
Important:The cfservice and cfservices commandsmayreporta createsucceeded
statuseveniftheConfigServercannotinitializeusingthe
providedsettings.Forexample,givenaninvalidURIforaconfigurationsource,theserviceinstancemaystillbecreatedandhavea createsucceeded
status.
Iftheserviceinstancedoesnotappeartobefunctioningcorrectly,youcanvisititsdashboardtodouble-checkthattheprovidedsettingsarevalidandaccurate.SeetheUsingtheDashboard topic.
Note:YoumaynoticeadiscrepancybetweenthestatusgivenforaserviceinstancebythecfCLI(e.g.,bythe cfservice command)versusthatshownontheServiceInstancesdashboard .Thedashboardisupdatedfrequently(closetoreal-time);thestatusretrievedbythecfCLIisnotupdatedasfrequentlyandmaytaketimetomatchthedashboard.
©CopyrightPivotalSoftwareInc,2013-2018 44 1.1
TocreateaConfigServerserviceinstancethatusesSSHtoaccessaconfigurationsource,withouthostkeyverification,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"ssh://[email protected]/spring-cloud-services-samples/cook.git","privateKey":"-----BEGINRSAPRIVATEKEY-----\nMIIJKQIB..."}}'
MultipleRepositoriesYoucanconfigureaConfigServerserviceinstancetousemultipleconfigurationsources,whichwillbeusedonlyforspecificapplicationsorforapplicationswhichareusingspecificprofiles.Todoso,youmustprovideparametersinrepositoryobjectswithinthe git.repos JSONobject.Mostparameterssetinthe git objectforthedefaultconfigurationsourcearealsoavailableforspecificconfigurationsourcesandcanbesetinrepositoryobjectswithinthe git.repos object.
Eachrepositoryobjectinthe git.repos objecthasaname.IntherepositoryspecifiedinthefollowingJSON,thenameis“cookie”:
'{"git":{"repos":{"cookie":{"uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
Eachrepositoryobjectalsohasa pattern ,whichisacomma-separatedlistofapplicationandprofilenamesseparatedwithforwardslashes( / ,asinapp/profile )andpotentiallyincludingwildcards( * ,asin app*/profile* ).Ifyoudonotsupplyapattern,therepositoryobject’snamewillbeusedasthe
pattern.IntherepositoryspecifiedinthefollowingJSON,thepatternis co*/dev* (matchinganyapplicationwhosenamebeginswith co andwhichisusingaprofilewhosenamebeginswith dev ),andthedefaultpatternwouldbe cookie :
'{"git":{"repos":{"cookie":{"pattern":"co*/dev*","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
Formoreinformationaboutthepatternformat,see“PatternMatchingandMultipleRepositories” intheSpringCloudConfigdocumentation .
TheparametersusedtoconfigurespecificconfigurationsourcesfortheConfigServerarelistedbelow.
Parameter Function
repos."name" Arepositoryobject,containingrepositoryfields
repos."name".pattern
Apatternforthenamesofapplicationsthatstoreconfigurationfromthisrepository(ifnotsupplied,willbe "name" )
repos."name".uri
TheURI( http:// , https:// ,or ssh:// )ofthisrepository
repos."name".label
Thedefault“label”tousewiththisrepositoryifarequestisreceivedwithoutalabel(e.g.,ifthe spring.cloud.config.labelpropertyisnotsetinaclientapplication)
repos."name".searchPaths
Apatternusedtosearchforconfiguration-containingsubdirectoriesinthisrepository
repos."name".cloneOnStart
WhethertheConfigServershouldclonethisrepositorywhenitstartsup(bydefault,theConfigServerwillonlyclonetherepositorywhenconfigurationisfirstrequestedfromtherepository).Validvaluesare true and false
repos."name".username
Theusernameusedtoaccessthisrepository(ifprotectedbyHTTPBasicauthentication)
repos."name".password
Thepasswordusedtoaccessthisrepository(ifprotectedbyHTTPBasicauthentication)
repos."name".hostKey
ThehostkeyusedbytheConfigServertoaccessthisrepository(ifaccessingviaSSH).SeetheSSHRepositoryAccess sectionformoreinformation
repos."name".hostKeyAlgorithm
Thealgorithmof hostKey :oneof“ssh-dss”,“ssh-rsa”,“ecdsa-sha2-nistp256”,“ecdsa-sha2-nistp384”,and“ecdsa-sha2-nistp521”
repos."name".privateKey
Theprivatekeycorrespondingto hostKey ,withallnewlinecharactersreplacedby \n
The uri settingisrequired;youcannotdefineaConfigServerconfigurationsourcewithoutincludinga uri .
Thedefaultvalueofthe label settingis master .Youcanset label toabranchname,atagname,oraspecificGitcommithash.
Toset label topointtothe develop branchofarepository,youmightconfigurethesettingasshowninthefollowingJSON:
'{"git":{"repos":{"cookie":{"uri":"https://github.com/myorg/config-repo","label":"develop"}}}}'
Toset label topointtothe v1.1 taginarepository,youmightconfigurethesettingasshowninthefollowingJSON:
'{"git":{"repos":{"cookie":{"uri":"https://github.com/myorg/config-repo","label":"v1.1"}}}}'
Withinaclientapplication,youcanoverridethis label setting’svaluebysettingthe spring.cloud.config.label property(forexample,in bootstrap.yml ).
spring:cloud:config:label:v1.2
TocreateaConfigServerserviceinstancewithadefaultrepositoryandarepositoryspecifictoanapplicationnamed“cook”,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/fortune-teller","searchPaths":"configuration","repos":{"cookie":{"pattern":"cook","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
Important:Ifyouset cloneOnStart to true forarepositorywhichissecuredwithHTTPBasicauthentication,youmustsetthe username andpassword atthesametimeasyouset cloneOnStart .Otherwise,theConfigServerwillbeunabletoaccesstherepositoryandtheserviceinstance
mayfailtoinitialize.
©CopyrightPivotalSoftwareInc,2013-2018 45 1.1
TocreateaConfigServerserviceinstancewithadefaultrepositoryandarepositoryspecifictoapplicationsusingthe dev profile,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/fortune-teller","searchPaths":"configuration","repos":{"cookie":{"pattern":"*/dev","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
PlaceholdersinRepositoryURIsTheURIsforconfigurationsourceGitrepositoriescanincludeacoupleofspecialstringsasplaceholders:
{application} :thenamesetinthe spring.application.name propertyonanapplication
{profile} :aprofilelistedinthe spring.profiles.active propertyonanapplication
Youcanusetheseplaceholdersto(forexample)setasingleURIwhichmapsonerepositoryeachtomultipleapplicationsthatusethesameConfigServer,ortosetasingleURIwhichmapsonerepositoryeachtomultipleprofiles.
ArepositoryURIthatenablesuseofonerepositoryperapplicationmightbeexpressedasshowninthefollowingJSON.Foranapplicationnamed“cook”,thiswouldlocatetherepositorynamed cook-config :
'{"git":{"uri":"https://github.com/spring-cloud-services-samples/{application}-config"}}'
ArepositoryURIthatenablesuseofonerepositoryperprofilemightbeexpressedasshowninthefollowingJSON.Foranapplicationusingthe devprofile,thiswouldlocatearepositorynamed config-dev :
'{"git":{"uri":"https://github.com/spring-cloud-services-samples/config-{profile}"}}'
Formoreinformationaboutusingplaceholders,see“PlaceholdersinGitURI” intheSpringCloudConfigdocumentation .
TocreateaConfigServerserviceinstancewitharepositoryURIthatenablesonerepositoryperapplication,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/{application}-config"}}'
TocreateaConfigServerserviceinstancewitharepositoryURIthatenablesonerepositoryperprofile,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/config-{profile}"}}'
HTTP(S)ProxyRepositoryAccessYoucanconfigureaConfigServerserviceinstancetoaccessconfigurationsourcesusinganHTTPorHTTPSproxy.Todoso,youmustprovideproxysettingsineitherofthe git.proxy.http or git.proxy.https JSONobjects.Youcansettheproxyhostandport,theproxyusernameandpassword(ifapplicable),andalistofhostswhichtheConfigServershouldaccessoutsideoftheproxy.
SettingsforanHTTPproxyaresetinthe git.proxy.http object.ThesemightbesetasshowninthefollowingJSON:
'{"git":{"proxy":{"http":{"host":"proxy.wise.com","port":"80"}}}}'
SettingsforanHTTPSproxyaresetinthe git.proxy.https object.ThesemightbesetasshowninthefollowingJSON:
'{"git":{"proxy":{"https":{"host":"secure.wise.com","port":"443"}}}}'
TheparametersusedtoconfigureHTTPorHTTPSproxysettingsfortheConfigServerarelistedbelow.
Parameter Function
proxy.http Aproxyobject,containingHTTPproxyfields
proxy.http.host TheHTTPproxyhost
proxy.http.port TheHTTPproxyport
proxy.http.nonProxyHosts
ThehoststoaccessoutsidetheHTTPproxy
proxy.http.username
TheusernametousewithanauthenticatedHTTPproxy
proxy.http.password
ThepasswordtousewithanauthenticatedHTTPproxy
proxy.https Aproxyobject,containingHTTPSproxyfields
proxy.https.host TheHTTPSproxyhost
proxy.https.port TheHTTPSproxyport
proxy.https.nonProxyHosts
ThehoststoaccessoutsidetheHTTPSproxy(if proxy.http.nonProxyHosts isalsoprovided, http.nonProxyHosts willbeusedinsteadof https.nonProxyHosts )
Note:URIplaceholderscannotbeusedwitharepositorythathasthe cloneOnStart settingsetto true .Seethelistingfor cloneOnStart inthetableofgeneralconfigurationparameters.
Important:ConfigServerforPivotalCloudFoundry doesnotsupportuseofaprivateGitrepositoryaccessedviaanauthenticatedproxyserverasaconfigurationsourceatthistime.
©CopyrightPivotalSoftwareInc,2013-2018 46 1.1
proxy.https.username
TheusernametousewithanauthenticatedHTTPSproxy(if proxy.http.username isalsoprovided, http.username willbeusedinsteadof https.username )
proxy.https.password
ThepasswordtousewithanauthenticatedHTTPSproxy(if proxy.http.password isalsoprovided, http.password willbeusedinsteadof https.password )
Parameter Function
TocreateaConfigServerserviceinstancethatusesanHTTPproxytoaccessconfigurationsources,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/cook-config","proxy":{"http":{"host":"proxy.wise.com","port":"80"}}}}'
TocreateaConfigServerserviceinstancethatusesanauthenticatedHTTPSproxytoaccessconfigurationsources,specifyingthat example.com shouldbeaccessedoutsideoftheproxy,run:
$cfcreate-servicep-config-serverstandardconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/cook-config","proxy":{"https":{"host":"secure.wise.com","port":"443","username":"jim","password":"wright62","nonProxyHosts":"example.com"}}}}'
UsingAppsManager
LogintoAppsManagerasaSpaceDeveloper.IntheMarketplace,selectConfigServer.
Selectthedesiredplanforthenewserviceinstance.
Provideanamefortheserviceinstance(forexample,“config-server”).ClicktheAddbutton.
Note:IfyoucreateaConfigServerserviceinstanceusingAppsManager,youwillneedtousethecfCLItoupdatetheserviceinstanceandprovidesettings(includingoneormoreconfigurationsources)beforetheinstancewillbeusable.ForinformationonupdatingaConfigServerserviceinstance,seetheUpdatinganInstance topic.
©CopyrightPivotalSoftwareInc,2013-2018 47 1.1
IntheServiceslist,clicktheManagelinkunderthelistingforthenewserviceinstance.
Itmaytakeafewminutestoprovisiontheserviceinstance;whileitisbeingprovisioned,youwillseea“Theserviceinstanceisinitializing”message.Whentheinstanceisready,itsdashboardwillloadautomatically.
ThedashboarddisplaysthecurrentsettingsfortheConfigServerserviceinstance.Beforeyoucanusethisserviceinstance,youmustupdateitusingthecfCLItosupplyitwithaconfigurationsource.Forinformationaboutupdatingaserviceinstancetoconfigureinstancesettings,seetheUpdatinganInstance topic.
©CopyrightPivotalSoftwareInc,2013-2018 48 1.1
©CopyrightPivotalSoftwareInc,2013-2018 49 1.1
UpdatinganInstancePagelastupdated:
YoucanupdatesettingsonaConfigServerserviceinstanceusingtheCloudFoundryCommandLineInterfacetool(cfCLI).The cfupdate-service commandcanbegivena -c flagwithaJSONobjectcontainingparametersusedtoconfiguretheserviceinstance.
ToupdateaConfigServerserviceinstance’ssettings,targettheorgandspaceoftheserviceinstance:
$cftarget-omyorg-sdevelopment
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:userOrg:myorgSpace:development
Thenrun cfupdate-serviceSERVICE_NAME-c'{"PARAMETER":"VALUE"}'
,where SERVICE_NAME isthenameoftheserviceinstance, PARAMETER isa
supportedparameter,and VALUE isthevaluefortheparameter.Forinformationaboutsupportedparameters,seethenextsection.
ConfigurationParametersParametersusedtoconfigureconfigurationsourcesarepartofaJSONobjectcalled git ,asin {"git":{"uri":"http://example.com/config"}} .Formoreinformationonthepurposesofthesefields,seetheTheConfigServer topic.
GeneralparametersusedtoconfiguretheConfigServer’sdefaultconfigurationsourcearelistedbelow.
Parameter Function
uri TheURI( http:// , https:// ,or ssh:// )ofarepositorythatcanbeusedasthedefaultconfigurationsource
labelThedefault“label”thatcanbeusedwiththedefaultrepositoryifarequestisreceivedwithoutalabel(e.g.,ifthespring.cloud.config.label propertyisnotsetinaclientapplication)
searchPaths
Apatternusedtosearchforconfiguration-containingsubdirectoriesinthedefaultrepository
cloneOnStart
WhethertheConfigServershouldclonethedefaultrepositorywhenitstartsup(bydefault,theConfigServerwillonlyclonetherepositorywhenconfigurationisfirstrequestedfromtherepository).Validvaluesare true and false
username
Theusernameusedtoaccessthedefaultrepository(ifprotectedbyHTTPBasicauthentication)
password
Thepasswordusedtoaccessthedefaultrepository(ifprotectedbyHTTPBasicauthentication)
The uri settingisrequired;youcannotdefineaConfigServerconfigurationsourcewithoutincludinga uri .
Thedefaultvalueofthe label settingis master .Youcanset label toabranchname,atagname,oraspecificGitcommithash.
Toset label topointtothe develop branchofarepository,youmightconfiguresettingsasshowninthefollowingJSON:
'{"git":{"uri":"https://github.com/myorg/config-repo","label":"develop"}}'
Toset label topointtothe v1.1 taginarepository,youmightconfiguresettingsasshowninthefollowingJSON:
'{"git":{"uri":"https://github.com/myorg/config-repo","label":"v1.1"}}'
Withinaclientapplication,youcanoverridetheConfigServer’s label settingbysettingthe spring.cloud.config.label property(forexample,in bootstrap.yml ).
spring:cloud:config:label:v1.2
OtherparametersacceptedfortheConfigServerarelistedbelow.
Parameter Function Example
count Thenumberofnodestoprovision:1bydefault,moreforrunninginhigh-availabilitymode '{"count": 3}'
upgrade Whethertoupgradetheinstance '{"upgrade": true}'
Toupdateaserviceinstance,settingtheconfigurationsourcesandspecifyingthatthedefaultconfigurationsourceGitrepositoryshouldbeclonedwhentheConfigServerstartsup,run:
Important:Ifyouset cloneOnStart to true foraserviceinstancethatusesarepositorywhichissecuredwithHTTPBasicauthentication,youmustsetthe username and password atthesametimeasyouset cloneOnStart .Otherwise,theConfigServerwillbeunabletoaccesstherepositoryandtheserviceinstancemayfailtoinitialize.
©CopyrightPivotalSoftwareInc,2013-2018 50 1.1
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/config-repo","cloneOnStart":"true","repos":{"cook":{"pattern":"cook*","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'Updatingserviceinstanceconfig-serverasadmin...OK
Updateinprogress.Use'cfservices'or'cfserviceconfig-server'tocheckoperationstatus.
Toupdateaserviceinstanceandsetthecountofinstancesforrunninginhigh-availabilitymode,run:
$cfupdate-serviceconfig-server-c'{"count":3}'Updatingserviceinstanceconfig-serverasadmin...OK
Updateinprogress.Use'cfservices'or'cfserviceconfig-server'tocheckoperationstatus.
Asthecommandoutputsuggests,youcanusethe cfservices or cfservice commandstocheckthestatusoftheserviceinstance.Whentheupdateiscomplete,the cfservice commandwillgiveastatusof update
succeeded:
$cfserviceconfig-server
Serviceinstance:config-serverService:p-config-serverBoundapps:Tags:Plan:standardDescription:ConfigServerforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-config-server/e2615a44-66f5-4fda-9ddc-079af1db9ae4
LastOperationStatus:updatesucceededMessage:Started:2016-06-24T21:11:53ZUpdated:2016-06-24T21:13:59Z
Theserviceinstanceisnowupdatedandreadytobeused.ForinformationaboutusinganapplicationtoaccessconfigurationvaluesservedbyaConfigServerserviceinstance,seetheWritingClientApplications topic.
SSHRepositoryAccessYoucanconfigureaConfigServerconfigurationsourcesothattheConfigServeraccessesitusingtheSecureShell(SSH)protocol.Todoso,youmustspecifyaURIusingthe ssh:// URIschemeortheSecureCopyProtocol(SCP)styleURIformat,andyoumustsupplyaprivatekey.Youmayalsosupplyahostkeywithwhichtheserverwillbeidentified.Ifyoudonotprovideahostkey,theConfigServerwillnotverifythehostkeyoftheconfigurationsource’sserver.
ASSHURImustincludeausername,host,andrepositorypath.ThismightbespecifiedasshowninthefollowingJSON:
'{"git":{"uri":"ssh://[email protected]/spring-cloud-services-samples/cook.git"}}'
AnequivalentSCP-styleURImightbespecifiedasshowninthefollowingJSON:
'{"git":{"uri":"[email protected]:spring-cloud-services-samples/cook-config.git"}}'
TheparametersusedtoconfigureSSHforaConfigServerconfigurationsource’sURIarelistedbelow.
Parameter Function
hostKeyThehostkeyoftheGitserver.Ifyouhaveconnectedtotheserverviagitonthecommandline,thisisinyour.ssh/known_hosts .Donotincludethealgorithmprefix;thisisspecifiedin hostKeyAlgorithm .(Optional.)
hostKeyAlgorithm
Thealgorithmof hostKey :oneof“ssh-dss”,“ssh-rsa”,“ecdsa-sha2-nistp256”,“ecdsa-sha2-nistp384”,and“ecdsa-sha2-nistp521”.(Requiredifsupplying hostKey .)
privateKey
TheprivatekeythatidentifiestheGituser,withallnewlinecharactersreplacedby \n .Passphrase-encryptedprivatekeysarenotsupported.
ToupdateaConfigServerserviceinstancetouseSSHtoaccessaconfigurationsource,allowingforhostkeyverification,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"ssh://[email protected]/spring-cloud-services-samples/cook.git","hostKey":"AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+...","hostKeyAlgorithm":"ssh-rsa","privateKey":"-----BEGINRSAPRIVATEKEY-----\nMIIJKQIB..."}}'
ToupdateaConfigServerserviceinstancetouseSSHtoaccessaconfigurationsource,withouthostkeyverification,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"ssh://[email protected]/spring-cloud-services-samples/cook.git","privateKey":"-----BEGINRSAPRIVATEKEY-----\nMIIJKQIB..."}}'
MultipleRepositories
Important:The cfservice and cfservices commandsmayreportan updatesucceeded
statuseveniftheConfigServercannotinitializeusingthe
providedsettings.Forexample,givenaninvalidURIforaconfigurationsource,theserviceinstancemaystillberestartedandhaveanupdatesucceeded
status.
Iftheserviceinstancedoesnotappeartobefunctioningcorrectlyafteranupdate,youcanvisititsdashboardtodouble-checkthattheprovidedsettingsarevalidandaccurate.SeetheUsingtheDashboard topic.
©CopyrightPivotalSoftwareInc,2013-2018 51 1.1
YoucanconfigureaConfigServerserviceinstancetousemultipleconfigurationsources,whichwillbeusedonlyforspecificapplicationsorforapplicationswhichareusingspecificprofiles.Todoso,youmustprovideparametersinrepositoryobjectswithinthe git.repos JSONobject.Mostparameterssetinthe git objectforthedefaultconfigurationsourcearealsoavailableforspecificconfigurationsourcesandcanbesetinrepositoryobjectswithinthe git.repos object.
Eachrepositoryobjectinthe git.repos objecthasaname.IntherepositoryspecifiedinthefollowingJSON,thenameis“cookie”:
'{"git":{"repos":{"cookie":{"uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
Eachrepositoryobjectalsohasa pattern ,whichisacomma-separatedlistofapplicationandprofilenamesseparatedwithforwardslashes( / ,asinapp/profile )andpotentiallyincludingwildcards( * ,asin app*/profile* ).Ifyoudonotsupplyapattern,therepositoryobject’snamewillbeusedasthe
pattern.IntherepositoryspecifiedinthefollowingJSON,thepatternis co*/dev* (matchinganyapplicationwhosenamebeginswith co andwhichisusingaprofilewhosenamebeginswith dev ),andthedefaultpatternwouldbe cookie :
'{"git":{"repos":{"cookie":{"pattern":"co*/dev*","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
Formoreinformationaboutthepatternformat,see“PatternMatchingandMultipleRepositories” intheSpringCloudConfigdocumentation .
TheparametersusedtoconfigurespecificconfigurationsourcesfortheConfigServerarelistedbelow.
Parameter Function
repos."name" Arepositoryobject,containingrepositoryfields
repos."name".pattern
Apatternforthenamesofapplicationsthatstoreconfigurationfromthisrepository(ifnotsupplied,willbe "name" )
repos."name".uri
TheURI( http:// , https:// ,or ssh:// )ofthisrepository
repos."name".label
Thedefault“label”tousewiththisrepositoryifarequestisreceivedwithoutalabel(e.g.,ifthe spring.cloud.config.labelpropertyisnotsetinaclientapplication)
repos."name".searchPaths
Apatternusedtosearchforconfiguration-containingsubdirectoriesinthisrepository
repos."name".cloneOnStart
WhethertheConfigServershouldclonethisrepositorywhenitstartsup(bydefault,theConfigServerwillonlyclonetherepositorywhenconfigurationisfirstrequestedfromtherepository).Validvaluesare true and false
repos."name".username
Theusernameusedtoaccessthisrepository(ifprotectedbyHTTPBasicauthentication)
repos."name".password
Thepasswordusedtoaccessthisrepository(ifprotectedbyHTTPBasicauthentication)
repos."name".hostKey
ThehostkeyusedbytheConfigServertoaccessthisrepository(ifaccessingviaSSH).SeetheSSHRepositoryAccess sectionformoreinformation
repos."name".hostKeyAlgorithm
Thealgorithmof hostKey :oneof“ssh-dss”,“ssh-rsa”,“ecdsa-sha2-nistp256”,“ecdsa-sha2-nistp384”,and“ecdsa-sha2-nistp521”
repos."name".privateKey
Theprivatekeycorrespondingto hostKey ,withallnewlinecharactersreplacedby \n
The uri settingisrequired;youcannotdefineaConfigServerconfigurationsourcewithoutincludinga uri .
Thedefaultvalueofthe label settingis master .Youcanset label toabranchname,atagname,oraspecificGitcommithash.
Toset label topointtothe develop branchofarepository,youmightconfigurethesettingasshowninthefollowingJSON:
'{"git":{"repos":{"cookie":{"uri":"https://github.com/myorg/config-repo","label":"develop"}}}}'
Toset label topointtothe v1.1 taginarepository,youmightconfigurethesettingasshowninthefollowingJSON:
'{"git":{"repos":{"cookie":{"uri":"https://github.com/myorg/config-repo","label":"v1.1"}}}}'
Withinaclientapplication,youcanoverridethis label setting’svaluebysettingthe spring.cloud.config.label property(forexample,in bootstrap.yml ).
spring:cloud:config:label:v1.2
ToupdateaConfigServerserviceinstancetohaveadefaultrepositoryandarepositoryspecifictoanapplicationnamed“cook”,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/fortune-teller","searchPaths":"configuration","repos":{"cookie":{"pattern":"cook","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
ToupdateaConfigServerserviceinstancetohaveadefaultrepositoryandarepositoryspecifictoapplicationsusingthe dev profile,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/fortune-teller","searchPaths":"configuration","repos":{"cookie":{"pattern":"*/dev","uri":"https://github.com/spring-cloud-services-samples/cook-config"}}}}'
PlaceholdersinRepositoryURIs
Important:Ifyouset cloneOnStart to true forarepositorywhichissecuredwithHTTPBasicauthentication,youmustsetthe username andpassword atthesametimeasyouset cloneOnStart .Otherwise,theConfigServerwillbeunabletoaccesstherepositoryandtheserviceinstance
mayfailtoinitialize.
©CopyrightPivotalSoftwareInc,2013-2018 52 1.1
TheURIsforconfigurationsourceGitrepositoriescanincludeacoupleofspecialstringsasplaceholders:
{application} :thenamesetinthe spring.application.name propertyonanapplication
{profile} :aprofilelistedinthe spring.profiles.active propertyonanapplication
Youcanusetheseplaceholdersto(forexample)setasingleURIwhichmapsonerepositoryeachtomultipleapplicationsthatusethesameConfigServer,ortosetasingleURIwhichmapsonerepositoryeachtomultipleprofiles.
ArepositoryURIthatenablesuseofonerepositoryperapplicationmightbeexpressedasshowninthefollowingJSON.Foranapplicationnamed“cook”,thiswouldlocatetherepositorynamed cook-config :
'{"git":{"uri":"https://github.com/spring-cloud-services-samples/{application}-config"}}'
ArepositoryURIthatenablesuseofonerepositoryperprofilemightbeexpressedasshowninthefollowingJSON.Foranapplicationusingthe devprofile,thiswouldlocatearepositorynamed config-dev :
'{"git":{"uri":"https://github.com/spring-cloud-services-samples/config-{profile}"}}'
Formoreinformationaboutusingplaceholders,see“PlaceholdersinGitURI” intheSpringCloudConfigdocumentation .
ToupdateaConfigServerserviceinstancetohavearepositoryURIthatenablesonerepositoryperapplication,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/{application}-config"}}'
ToupdateaConfigServerserviceinstancetohavearepositoryURIthatenablesonerepositoryperprofile,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/config-{profile}"}}'
HTTP(S)ProxyRepositoryAccessYoucanconfigureaConfigServerserviceinstancetoaccessconfigurationsourcesusinganHTTPorHTTPSproxy.Todoso,youmustprovideproxysettingsineitherofthe git.proxy.http or git.proxy.https JSONobjects.Youcansettheproxyhostandport,theproxyusernameandpassword(ifapplicable),andalistofhostswhichtheConfigServershouldaccessoutsideoftheproxy.
SettingsforanHTTPproxyaresetinthe git.proxy.http object.ThesemightbesetasshowninthefollowingJSON:
'{"git":{"proxy":{"http":{"host":"proxy.wise.com","port":"80"}}}}'
SettingsforanHTTPSproxyaresetinthe git.proxy.https object.ThesemightbesetasshowninthefollowingJSON:
'{"git":{"proxy":{"https":{"host":"secure.wise.com","port":"443"}}}}'
TheparametersusedtoconfigureHTTPorHTTPSproxysettingsfortheConfigServerarelistedbelow.
Parameter Function
proxy.http Aproxyobject,containingHTTPproxyfields
proxy.http.host TheHTTPproxyhost
proxy.http.port TheHTTPproxyport
proxy.http.nonProxyHosts
ThehoststoaccessoutsidetheHTTPproxy
proxy.http.username
TheusernametousewithanauthenticatedHTTPproxy
proxy.http.password
ThepasswordtousewithanauthenticatedHTTPproxy
proxy.https Aproxyobject,containingHTTPSproxyfields
proxy.https.host TheHTTPSproxyhost
proxy.https.port TheHTTPSproxyport
proxy.https.nonProxyHosts
ThehoststoaccessoutsidetheHTTPSproxy(if proxy.http.nonProxyHosts isalsoprovided, http.nonProxyHosts willbeusedinsteadof https.nonProxyHosts )
proxy.https.username
TheusernametousewithanauthenticatedHTTPSproxy(if proxy.http.username isalsoprovided, http.username willbeusedinsteadof https.username )
proxy.https.password
ThepasswordtousewithanauthenticatedHTTPSproxy(if proxy.http.password isalsoprovided, http.password willbeusedinsteadof https.password )
ToupdateaConfigServerserviceinstancetouseanHTTPproxytoaccessconfigurationsources,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/cook-config","proxy":{"http":{"host":"proxy.wise.com","port":"80"}}}}'
Note:URIplaceholderscannotbeusedwitharepositorythathasthe cloneOnStart settingsetto true .Seethelistingfor cloneOnStart inthetableofgeneralconfigurationparameters.
Important:ConfigServerforPivotalCloudFoundry doesnotsupportuseofaprivateGitrepositoryaccessedviaanauthenticatedproxyserverasaconfigurationsourceatthistime.
©CopyrightPivotalSoftwareInc,2013-2018 53 1.1
ToupdateaConfigServerserviceinstancetouseanauthenticatedHTTPSproxytoaccessconfigurationsources,specifyingthat example.com shouldbeaccessedoutsideoftheproxy,run:
$cfupdate-serviceconfig-server-c'{"git":{"uri":"https://github.com/spring-cloud-services-samples/cook-config","proxy":{"https":{"host":"secure.wise.com","port":"443","username":"jim","password":"wright62","nonProxyHosts":"example.com"}}}}'
©CopyrightPivotalSoftwareInc,2013-2018 54 1.1
TheConfigServerPagelastupdated:
TheConfigServerservesconfigurationsstoredaseitherJavaPropertiesfilesorYAMLfiles.ItreadsfilesfromaGitrepository(aconfigurationsource).GiventheURIofaconfigurationsource,theserverwillclonetherepositoryandmakeitsconfigurationsavailabletoclientapplicationsinJSONasaseriesof propertySources .
ConfigurationSourcesAconfigurationsourcecontainsoneormoreconfigurationfilesusedbyoneormoreapplications.Eachfileappliestoanapplicationandcanoptionallyapplytoaspecificprofileand/orlabel.
ThefollowingisthestructureofaGitrepositorywhichcouldbeusedasaconfigurationsource.
master------https://github.com/myorg/configurations|-myapp.yml|-myapp-development.yml|-myapp-production.yml
tagv1.0.0----------https://github.com/myorg/configurations|-myapp.yml|-myapp-development.yml|-myapp-production.yml
Inthisexample,theconfigurationsourcedefinesconfigurationsforthe myapp application.TheServerwillservedifferentpropertiesfor myapp
dependingonthevaluesof {profile} and {label} intherequestpath.Ifthe {profile} isneither development nor production ,theserverwillreturnthepropertiesin myapp.yml ,orifthe {profile} is production ,theserverwillreturnthepropertiesinboth myapp-production.yml and myapp.yml .
{label} canbeaGitcommithashaswellasatagorbranchname.Iftherequestcontainsa {label} of(e.g.) v1.0.0 ,theServerwillservepropertiesfromthe v1.0.0 tag.Iftherequestdoesnotcontaina {label} ,theServerwillservepropertiesfromthedefaultlabel.ForGitrepositories,thedefaultlabelismaster.Youcanreconfigurethedefaultlabel(seetheCreatinganInstance topic).
RequestPathsConfigurationrequestsuseoneofthefollowingpathformats:
/{application}/{profile}[/{label}]/{application}-{profile}.yml/{label}/{application}-{profile}.yml/{application}-{profile}.properties/{label}/{application}-{profile}.properties
Apathincludesanapplication,aprofile,andoptionallyalabel.
Application:Thenameoftheapplication.InaSpringapplication,thiswillbederivedfrom spring.application.name or spring.cloud.config.name .
Profile:Thenameofaprofile,oracomma-separatedlistofprofilenames.TheConfigServer’sconceptofa“profile”correspondsdirectlytothatoftheSpringProfile .
Label:Thenameofaversionmarkerintheconfigurationsource(therepository).Thismightbeabranchname,atagname,oraGitcommithash.ThevaluegiventotheConfigServerasadefaultlabel(thesettingof git.label ;seethetableoftheConfigServer’sgeneralconfigurationparameters )canbeoverriddeninaclientapplicationbysettingthe spring.cloud.config.label property.
ForinformationaboutusingaCloudFoundryapplicationasaConfigServerclient,seetheConfigurationClients topic.
©CopyrightPivotalSoftwareInc,2013-2018 55 1.1
WritingClientApplicationsPagelastupdated:
Refertothe“Cook”sampleapplication tofollowalongwiththecodeinthistopic.
TouseaSpringBootapplicationasaclientforaConfigServerinstance,youmustaddthedependencieslistedintheClientDependencies topictoyourapplication’sbuildfile.BesuretoincludethedependenciesforConfigServer aswell.
AddSelf-SignedSSLCertificatetoJVMTruststoreSpringCloudServicesusesHTTPSforallclient-to-servicecommunication.IfyourPivotalCloudFoundry installationisusingaself-signedSSLcertificate,thecertificatewillneedtobeaddedtotheJVMtruststorebeforeyourclientapplicationcanconsumepropertiesfromaConfigServerserviceinstance.
SpringCloudServicescanaddthecertificateforyouautomatically.Forthistowork,youmustsetthe CF_TARGET environmentvariableonyourclientapplicationtotheAPIendpointofyourElasticRuntimeinstance:
$cfset-envcookCF_TARGEThttps://api.cf.wise.comSettingenvvariable'CF_TARGET'to'https://api.cf.wise.com'forappcookinorgmyorg/spacedevelopmentasuser...OKTIP:Use'cfrestage'toensureyourenvvariablechangestakeeffect
$cfrestagecook
Astheoutputfromthe cfset-env commandsuggests,restagetheapplicationaftersettingtheenvironmentvariable.
UseConfigurationValuesWhentheapplicationrequestsaconfigurationfromtheConfigServer,itwilluseapathcontainingtheapplicationname(asdescribedintheConfigurationClients topic).Youcandeclaretheapplicationnamein bootstrap.properties , bootstrap.yml , application.properties ,or application.yml .
In bootstrap.yml :
spring:application:name:cook
Thisapplicationwilluseapathwiththeapplicationname cook ,sotheConfigServerwilllookinitsconfigurationsourceforfileswhosenamesbeginwithcook ,andreturnconfigurationpropertiesfromthosefiles.
Nowyoucan(forexample)injectaconfigurationpropertyvalueusingthe @Value annotation.TheMenuclass readsthevalueof special fromthecook.special configurationproperty.
@RefreshScope@ComponentpublicclassMenu{
@Value("${cook.special}")Stringspecial;
//...
publicStringgetSpecial(){returnspecial;}
//...
}
The Application class isa @RestController .Ithasaninjected menu andreturnsthe special (thevalueofwhichwillbesuppliedbytheConfigServer)inits restaurant() method,whichitmapsto /restaurant .
@RestController@SpringBootApplicationpublicclassApplication{
@AutowiredprivateMenumenu;
@RequestMapping("/restaurant")publicStringrestaurant(){returnString.format("Today'sspecialis:%s",menu.getSpecial());}//...
VaryConfigurationsBasedonProfiles
Important:BecauseofadependencyonSpringSecurity ,theSpringCloud®ConfigClientstarterwillbydefaultcauseallapplicationendpointstobeprotectedbyHTTPBasicauthentication.Ifyouwishtodisablethis,pleaseseeDisableHTTPBasicAuthenticationbelow.
©CopyrightPivotalSoftwareInc,2013-2018 56 1.1
Youcanprovideconfigurationsformultipleprofilesbyincludingappropriately-named .yml or .properties filesintheConfigServerinstance’sconfigurationsource(theGitrepository).Filenamesfollowtheformat {application}-{profile}.{extension} ,asin cook-production.yml .(SeetheTheConfigServertopic.)
Theapplicationwillrequestconfigurationsforanyactiveprofiles.Tosetprofilesasactive,youcanusethe SPRING_PROFILES_ACTIVE environmentvariable,setforexamplein manifest.yml .
applications:-name:cookhost:cookieservices:-config-serverenv:SPRING_PROFILES_ACTIVE:production
Thesampleconfigurationsourcecook-config containsthefiles cook.properties and cook-production.properties .Withtheactiveprofilesetto production asinmanifest.yml above,theapplicationwillmakearequestoftheConfigServerusingthepath /cook/production ,andtheConfigServerwillreturnproperties
fromboth cook-production.properties (theprofile-specificconfiguration)and cook.properties (thedefaultconfiguration);forexample:
{"name":"cook","profiles":["production"],"label":"master","propertySources":[{"name":"https://github.com/spring-cloud-services-samples/cook-config/cook-production.properties","source":{"cook.special":"Cakealamode"}},{"name":"https://github.com/spring-cloud-services-samples/cook-config/cook.properties","source":{"cook.special":"PickledCactus"}}]}
AsnotedintheConfigurationClients topic,theapplicationmustdecidewhattodowhentheserverreturnsmultiplevaluesforaconfigurationproperty,butaSpringapplicationwilltakethefirstvalueforeachproperty.Intheexampleresponseabove,theconfigurationforthespecifiedprofile(production )isfirstinthelist,sotheBootsampleapplicationwillusevaluesfromthatconfiguration.
ViewClientApplicationConfigurationSpringBootActuator addsan env endpointtotheapplicationandmapsitto /env .Thisendpointdisplaystheapplication’sprofilesandpropertysourcesfromtheSpring ConfigurableEnvironment .(See“Endpoints” inthe“SpringBootActuator”sectionoftheSpringBootReferenceGuide.)InthecaseofanapplicationwhichisboundtoaConfigServerserviceinstance, env willdisplaypropertiesprovidedbytheinstance.
TouseActuator,youmustaddthe spring-boot-starter-actuator dependencytoyourproject.IfusingMaven,addto pom.xml :
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-actuator</artifactId></dependency>
IfusingGradle,addto build.gradle :
compile("org.springframework.boot:spring-boot-starter-actuator")
Youcannowvisit /env toseetheapplicationenvironment’sproperties(thefollowingshowsanexcerptofanexampleresponse):
$curlhttp://cookie.apps.wise.com/env{"profiles":["dev","cloud"],"configService:https://github.com/spring-cloud-services-samples/cook-config/cook.properties":{"cook.special":"PickledCactus"},"vcap":{"vcap.application.limits.mem":"512","vcap.application.application_uris":"cookie.apps.wise.com","vcap.services.config-server.name":"config-server","vcap.application.uris":"cookie.apps.wise.com","vcap.application.application_version":"179de3f9-38b6-4939-bff5-41a14ce4e700","vcap.services.config-server.tags[0]":"configuration","vcap.application.space_name":"development","vcap.services.config-server.plan":"standard",//...
RefreshClientApplicationConfigurationSpringBootActuatoralsoaddsa refresh endpointtotheapplication.Thisendpointismappedto /refresh ,andaPOSTrequesttothe refresh endpoint
©CopyrightPivotalSoftwareInc,2013-2018 57 1.1
refreshesanybeanswhichareannotatedwith @RefreshScope .Youcanthususe @RefreshScope torefreshpropertieswhichwereinitializedwithvaluesprovidedbytheConfigServer.
The Menu.java classismarkedasa @Component andalsoannotatedwith @RefreshScope .
importorg.springframework.cloud.context.config.annotation.RefreshScope;importorg.springframework.stereotype.Component;
@RefreshScope@ComponentpublicclassMenu{
@Value("${cook.special}")Stringspecial;//...
Thismeansthatafteryouchangevaluesintheconfigurationsourcerepository,youcanupdatethe special onthe Application class’s menu witharefresheventtriggeredontheapplication:
$curlhttp://cookie.apps.wise.com/restaurantToday'sspecialis:PickledCactus
$gitcommit-am"newspecial"[master3c9ff23]newspecial1filechanged,1insertion(+),1deletion(-)
$gitpush
$curl-XPOSThttp://cookie.apps.wise.com/refresh["cook.special"]
$curlhttp://cookie.apps.wise.com/restaurantToday'sspecialis:BirdfeatherTea
UseClient-SideDecryptionOntheConfigServer,thedecryptionfeaturesaredisabled,soencryptedpropertyvaluesfromaconfigurationsourcearedeliveredtoclientapplicationsunmodified.YoucanusethedecryptionfeaturesofSpringCloudConfigClienttoperformclient-sidedecryptionofencryptedvalues.
Tousethedecryptionfeaturesinaclientapplication,youmustuseaJavabuildpackwhichcontainstheJavaCryptographyExtension(JCE)UnlimitedStrengthpolicyfiles.ThesefilesarecontainedintheCloudFoundryJavabuildpackfromversion3.7.1.
YoumustalsoincludeSpringSecurityRSA asadependencyandspecifyversion1.0.5.RELEASEofSpringCloudContextinyourclientapplication’sbuildfile.
IfusingMaven,includein pom.xml :
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-rsa</artifactId></dependency>
<dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-context</artifactId><version>1.0.5.RELEASE</version></dependency>
IfusingGradle,includein build.gradle :
compile("org.springframework.security:spring-security-rsa")compile("org.springframework.cloud:spring-cloud-context:1.0.5.RELEASE")
Encryptedvaluesmustbeprefixedwiththestring {cipher} .IfusingYAML,enclosetheentirevalueinsinglequotes,asin '{cipher}vALuE' ;ifusingapropertiesfile,donotusequotes.TheconfigurationsourcefortheCookapplication hasa secretMenu property inits cook-encryption.properties :
secretMenu={cipher}AQA90Q3GIRAMu6ToMqwS++En2iFzMXIWX99G66yaZFRHrQNq64CntqOzWymd3xE7uJpZKQc9XBIkfyRz/HUGhXRdf3KZQ9bqclwmR5vkiLmN9DHlAxS+6biT+7f8ptKo3fzQ0gGOBaR4kTnWLBxmVaIkjq1Qze4aIgsgUWuhbEek+3znkH9+Mc+5zNPvwN8hhgDMDVzgZLB+4YnvWJAq3Au4wEevakAHHxVY0mXcxj1Ro+H+ZelIzfF8K2AvC3vmvlmxy9Y49Zjx0RhMzUx17eh3mAB8UMMRJZyUG2a2uGCXmz+UunTA5n/dWWOvR3VcZyzXPFSFkhNekw3db9XZ7goceJSPrRN+5s+GjLCPr+KSnhLmUt1XAScMeqTieNCHT5I=
Putthekeyontheclientapplicationclasspath.Youcaneitheraddthekeystoretothebuildpack’s resources/open_jdk_jre/lib/security directory(asdescribedabovefortheJCEpolicyfiles)orincludeitwiththesourcefortheapplication.IntheCookapplication,thekeyisplacedin src/main/resources .
Ifyoucannotuseversion3.7.1orlater,youcanaddtheJCEUnlimitedStrengthpolicyfilestoanearlierversionoftheCloudFoundryJavabuildpack.ForkthebuildpackonGitHub ,thendownloadthepolicyfilesfromOracleandplacetheminthebuildpack’sresources/open_jdk_jre/lib/security directory.FollowtheinstructionsintheAddingBuildpackstoCloudFoundry topictoaddthisbuildpackto
PivotalCloudFoundry.BesurethatithasthelowestpositionofallenabledJavabuildpacks.
©CopyrightPivotalSoftwareInc,2013-2018 58 1.1
cook└──src└──main└──resources├──application.yml├──bootstrap.yml└──server.jks
Specifythekeylocationandcredentialsin bootstrap.properties or bootstrap.yml usingthe encrypt.keyStore properties:
encrypt:keyStore:location:classpath:/server.jkspassword:letmeinalias:mytestkeysecret:changeme
TheMenuclasshasaStringproperty secretMenu .
@Value("${secretMenu}")StringsecretMenu;
//...
publicStringgetSecretMenu(){returnsecretMenu;}
Adefaultvaluefor secretMenu isin bootstrap.yml :
secretMenu:AnimalCrackers
IntheApplicationclass,themethod secretMenu() ismappedto /restaurant/secret-menu .Itreturnsthevalueofthe secretMenu property.
@RequestMapping("/restaurant/secret-menu")publicStringsecretMenu(){returnmenu.getSecretMenu();}
AftermakingthekeyavailabletotheapplicationandinstallingtheJCEpolicyfilesintheJavabuildpack,youcancausetheConfigServertoservepropertiesfromthe cook-encryption.properties filebyactivatingthe encryption profileontheapplication,e.g.byrunning cfset-env tosettheSPRING_PROFILES_ACTIVE environmentvariable:
$cfset-envcookSPRING_PROFILES_ACTIVEdev,encryptionSettingenvvariable'SPRING_PROFILES_ACTIVE'to'dev,encryption'forappcookinorgmyorg/spacedevelopmentasuser...OKTIP:Use'cfrestage'toensureyourenvvariablechangestakeeffect
$cfrestagecook
TheapplicationwilldecrypttheencryptedpropertyafterreceivingitfromtheConfigServer.Youcanviewthepropertyvaluebyvisiting/restaurant/secret-menu ontheapplication.
DisableHTTPBasicAuthenticationTheSpringCloudConfigClientstarterhasadependencyonSpringSecurity .Unlessyourapplicationhasothersecurityconfiguration,thiswillcauseallapplicationendpointstobeprotectedbyHTTPBasicauthentication.
Ifyoudonotyetwanttoaddressapplicationsecurity,youcanturnoffBasicauthenticationbysettingthe security.basic.enabled propertyto false .Inapplication.yml or bootstrap.yml :
security:basic:enabled:false
Youmightmakethissettingspecifictoaprofile(suchasthe dev profileifyouwantBasicauthenticationdisabledonlyfordevelopment):
---spring:profiles:dev
security:basic:enabled:false
Formoreinformation,see“Security”intheSpringBootReferenceGuide .
Important:Cookisanexampleapplication,andthekeyispackagedwiththeapplicationsourceforexamplepurposes.Ifatallpossible,usethebuildpackforkeystoredistribution.
Note:BecauseoftheSpringSecuritydependency,HTTPSBasicauthenticationwillalsobeenabledforSpringBootActuatorendpoints.Ifyouwishtodisablethataswell,youmustalsosetthe management.security.enabled propertyto false .See“Customizingthemanagementserverport”intheSpringBootReferenceGuide .
©CopyrightPivotalSoftwareInc,2013-2018 59 1.1
©CopyrightPivotalSoftwareInc,2013-2018 60 1.1
UsingtheDashboardPagelastupdated:
Tofindthedashboard,navigateinPivotalCloudFoundry®AppsManagertotheConfigServerserviceinstance’sspaceandclickManageinthelistingfortheserviceinstance.
Ifyouareusingversion6.8.0orlateroftheCloudFoundryCommandLineInterfacetool(cfCLI),youcanalsouse cfserviceSERVICE_NAME ,whereSERVICE_NAME isthenameoftheConfigServerserviceinstance:
$cfserviceconfig-server
Serviceinstance:config-serverService:p-config-serverBoundapps:Tags:Plan:standardDescription:ConfigServerforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-config-server/650fd967-4e8e-4590-81a0-a029866184a2
LastOperationStatus:updatesucceededMessage:Started:2016-06-27T14:30:23ZUpdated:2016-06-27T14:32:30Z
VisittheURLgivenfor“Dashboard”.
ThedashboardshowstheJSONobjectusedtoconfigureConfigServersettings.YoucanclicktheCopytoclipboardbuttontoobtainthisobjectinastringformatsuitableforuseincommandlines.
Forthesettingsshownintheabovefigure,thebuttoncopiesthefollowingtotheclipboard:
"{\"count\":1,\"git\":{\"repos\":{\"cook\":{\"pattern\":\"cook*\",\"uri\":\"https://github.com/spring-cloud-samples/cook-config\"}},\"uri\":\"https://github.com/spring-cloud-samples/config-repo\"}}"
©CopyrightPivotalSoftwareInc,2013-2018 61 1.1
AdditionalResourcesPagelastupdated:
SpringCloud®Services1.0.0onPivotalCloudFoundry -ConfigServer-YouTube(shortscreencastdemonstratingConfigServerforPivotalCloudFoundry)
SpringCloudConfig (documentationforSpringCloudConfig,theopen-sourceprojectthatunderliesConfigServerforPivotalCloudFoundry)
“ConfiguringItAllOut”or“12-FactorApp-StyleConfigurationwithSpring” (blogpostthatprovidesbackgroundonSpring’sconfigurationmechanismsandonSpringCloudConfig)
Environmentabstraction(SpringFrameworkReferenceDocumentation) (SpringFrameworkdocumentationonthe Environment andtheconceptsofprofilesandproperties)
©CopyrightPivotalSoftwareInc,2013-2018 62 1.1
ServiceRegistryforPivotalCloudFoundry
OverviewServiceRegistryforPivotalCloudFoundry (PCF)providesyourapplicationswithanimplementationoftheServiceDiscoverypattern,oneofthekeytenetsofamicroservice-basedarchitecture.Tryingtohand-configureeachclientofaserviceoradoptsomeformofaccessconventioncanbedifficultandprovetobebrittleinproduction.Instead,yourapplicationscanusetheServiceRegistrytodynamicallydiscoverandcallregisteredservices.
WhenaclientregisterswiththeServiceRegistry,itprovidesmetadataaboutitself,suchasitshostandport.TheRegistryexpectsaregularheartbeatmessagefromeachserviceinstance.Ifaninstancebeginstoconsistentlyfailtosendtheheartbeat,theServiceRegistrywillremovetheinstancefromitsregistry.
ServiceRegistryforPivotalCloudFoundryisbasedonEureka ,Netflix’sServiceDiscoveryserverandclient.FormoreinformationaboutEurekaandabouttheServiceDiscoverypattern,seeAdditionalResources .
Refertothesampleapplicationsinthe“greeting”repository tofollowalongwithcodeinthissection.
©CopyrightPivotalSoftwareInc,2013-2018 63 1.1
CreatinganInstancePagelastupdated:
YoucancreateaServiceRegistryserviceinstanceusingeithertheCloudFoundryCommandLineInterfacetool(cfCLI)orPivotalCloudFoundry (PCF)AppsManager.
UsingthecfCLITargetthecorrectorgandspace:
$cftarget-omyorg-sdevelopment
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:userOrg:myorgSpace:development
YoucanviewplandetailsfortheConfigServerproductbyrunning cfmarketplace-s
.
$cfmarketplaceGettingservicesfrommarketplaceinorgmyorg/spacedevelopmentasuser...OK
serviceplansdescriptionp-circuit-breaker-dashboardstandardCircuitBreakerDashboardforSpringCloudApplicationsp-config-serverstandardConfigServerforSpringCloudApplicationsp-service-registrystandardServiceRegistryforSpringCloudApplications
TIP:Use'cfmarketplace-sSERVICE'toviewdescriptionsofindividualplansofagivenservice.
$cfmarketplace-sp-service-registryGettingserviceplaninformationforservicep-service-registryasuser...OK
serviceplandescriptionfreeorpaidstandardStandardPlanfree
Run cfcreate-service
,specifyingtheservice,planname,andinstancename.Optionally,youmayaddthe -c flagandprovideaJSONobjectthatspecifies
thenumberofnodestoprovisionas count (bydefault,theinstancewillbeprovisionedwithonlyasinglenode).
Tocreateaninstancewithasinglenode,run:
$cfcreate-servicep-service-registrystandardservice-registryCreatingserviceinstanceservice-registryinorgmyorg/spacedevelopmentasadmin...OK
Createinprogress.Use'cfservices'or'cfserviceservice-registry'tocheckoperationstatus.
Tocreateaninstancewiththreenodes,run:
$cfcreate-servicep-service-registrystandardservice-registry-c'{"count":3}'Creatingserviceinstanceservice-registryinorgmyorg/spacedevelopmentasadmin...OK
Createinprogress.Use'cfservices'or'cfserviceservice-registry'tocheckoperationstatus.
Asthecommandoutputsuggests,youcanusethe cfservices or cfservice commandstocheckthestatusoftheserviceinstance.WhentheServiceRegistryinstanceisreadytobeused,the cfservice commandwillgiveastatusof create
succeeded:
$cfserviceservice-registry
Serviceinstance:service-registryService:p-service-registryBoundapps:Tags:Plan:standardDescription:ServiceRegistryforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-service-registry/50f247f4-fcb0-43c9-863c-94e21be2051c
LastOperationStatus:createsucceededMessage:Started:2016-06-27T23:14:44ZUpdated:
Note:ServiceRegistryserviceinstancescanruninahigh-availabilitymode,withanarbitrarynumberofreplicatednodes.ThiscurrentlycanonlybeconfiguredthroughuseofthecfCLI.(AftercreatingaserviceinstanceusingAppsManager,youcanusethecfCLItosetthenumberofnodes.SeetheUpdatinganInstance topic.)
Note:YoumaynoticeadiscrepancybetweenthestatusgivenforaserviceinstancebythecfCLI(e.g.,bythe cfservice command)versusthatshownontheServiceInstancesdashboard .Thedashboardisupdatedfrequently(closetoreal-time);thestatusretrievedbythecfCLIisnotupdatedasfrequentlyandmaytaketimetomatchthedashboard.
©CopyrightPivotalSoftwareInc,2013-2018 64 1.1
UsingAppsManagerLogintoAppsManagerasaSpaceDeveloper.IntheMarketplace,selectServiceRegistry.
Selectthedesiredplanforthenewserviceinstance.
Provideanamefortheserviceinstance(forexample,“service-registry”).ClicktheAddbutton.
©CopyrightPivotalSoftwareInc,2013-2018 65 1.1
IntheServiceslist,clicktheManagelinkunderthelistingforthenewserviceinstance.
Itmaytakeafewminutestoprovisiontheserviceinstance;whileitisbeingprovisioned,youwillseea“Theserviceinstanceisinitializing”message.Whentheinstanceisready,itsdashboardwillloadautomatically.
©CopyrightPivotalSoftwareInc,2013-2018 66 1.1
ForinformationaboutregisteringanapplicationwithaServiceRegistryserviceinstance,seetheWritingClientApplications topic.
©CopyrightPivotalSoftwareInc,2013-2018 67 1.1
UpdatinganInstancePagelastupdated:
YoucanupdatesettingsonaServiceRegistryserviceinstanceusingtheCloudFoundryCommandLineInterfacetool(cfCLI).The cfupdate-servicecommandcanbegivena -c flagwithaJSONobjectcontainingparametersusedtoconfiguretheserviceinstance.
ParametersacceptedfortheServiceRegistryarelistedbelow.
Parameter Function Example
count Thenumberofnodestoprovision '{"count": 3}'
upgrade Whethertoupgradetheinstance '{"upgrade": true}'
ToupdateaServiceRegistryserviceinstance’ssettings,targettheorgandspaceoftheserviceinstance:
$cftarget-omyorg-sdevelopment
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:userOrg:myorgSpace:development
Thenrun cfupdate-serviceSERVICE_NAME-c'{"PARAMETER":"VALUE"}'
,where SERVICE_NAME isthenameoftheserviceinstance, PARAMETER isa
supportedparameter,and VALUE isthevaluefortheparameter.Toupdateaserviceinstanceandsetthecountofnodesforrunninginhigh-availabilitymode,run:
$cfupdate-serviceservice-registry-c'{"count":3}'Updatingserviceinstanceservice-registryasadmin...OK
Updateinprogress.Use'cfservices'or'cfserviceservice-registry'tocheckoperationstatus.
Asthecommandoutputsuggests,youcanusethe cfservices or cfservice commandstocheckthestatusoftheserviceinstance.Whentheupdateiscomplete,the cfservice commandwillgiveastatusof update
succeeded:
$cfserviceservice-registry
Serviceinstance:service-registryService:p-service-registryBoundapps:Tags:Plan:standardDescription:ServiceRegistryforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-service-registry/57ce88c1-6bd9-4224-b855-b4600e8e0f39
LastOperationStatus:updatesucceededMessage:Started:2016-06-28T14:09:19ZUpdated:2016-06-28T14:12:25Z
Theserviceinstanceisnowupdatedandreadytobeused.ForinformationaboutregisteringanapplicationwithaServiceRegistryserviceinstanceorcallinganapplicationwhichhasbeenregisteredwithaServiceRegistryserviceinstance,seetheWritingClientApplications topic.
©CopyrightPivotalSoftwareInc,2013-2018 68 1.1
WritingClientApplicationsPagelastupdated:
Refertothesampleapplicationsinthe“greeting”repository tofollowalongwiththecodeinthistopic.
ToregisteryourapplicationwithaServiceRegistryserviceinstanceoruseittoconsumeaservicethatisregisteredwithaServiceRegistryserviceinstance,youmustaddthedependencieslistedintheClientDependencies topictoyourapplication’sbuildfile.BesuretoincludethedependenciesforServiceRegistry aswell.
AddSelf-SignedSSLCertificatetoJVMTruststoreSpringCloud®ServicesusesHTTPSforallclient-to-servicecommunication.IfyourPivotalCloudFoundry (PCF)installationisusingaself-signedSSLcertificate,thecertificatewillneedtobeaddedtotheJVMtruststorebeforeyourapplicationcanberegisteredwithaServiceRegistryserviceinstanceorconsumeaservicethatisregisteredwithaServiceRegistryserviceinstance.
SpringCloudServicescanaddthecertificateforyouautomatically.Forthistowork,youmustsetthe CF_TARGET environmentvariableonyourapplicationtotheAPIendpointofyourElasticRuntimeinstance:
$cfset-envmessage-generationCF_TARGEThttps://api.cf.wise.comSettingenvvariable'CF_TARGET'to'https://api.cf.wise.com'forappmessage-generationinorgmyorg/spacedevelopmentasuser...OKTIP:Use'cfrestagemessage-generation'toensureyourenvvariablechangestakeeffect$cfrestagemessage-generation
Astheoutputfromthe cfset-env commandsuggests,restagetheapplicationaftersettingtheenvironmentvariable.
RegisteraServiceFollowthebelowinstructionstoregisteranapplicationwithaServiceRegistryserviceinstance.
IdentifytheApplicationYourserviceapplicationmustincludethe @EnableDiscoveryClient annotationonaconfigurationclass .
@SpringBootApplication@EnableDiscoveryClient@RestControllerpublicclassMessageGenerationApplication{//...
The MessageGenerationApplication classalsohasa /greeting endpoint whichgivesaJSON Greeting object.
@RequestMapping("/greeting")publicGreetinggreeting(@RequestParam(value="salutation",defaultValue="Hello")Stringsalutation,@RequestParam(value="name",defaultValue="Bob")Stringname){//...returnnewGreeting(salutation,name);}
Theapplication’sEurekainstancename(thenamebywhichitwillberegisteredinEureka)willbederivedfromthevalueofthe spring.application.name
propertyontheapplication.Ifyoudonotprovideavalueforthisproperty,theapplication’sEurekainstancenamewillbederivedfromitsCloudFoundryapplicationname,assetin manifest.yml :
---instances:1memory:1Gapplications:-name:message-generation...
Setthe spring.application.name propertyin application.yml :
spring:application:name:message-generation
Important:BecauseofadependencyonSpringSecurity ,theSpringCloudServicesStartersforServiceRegistrywillbydefaultcauseallapplicationendpointstobeprotectedbyHTTPBasicauthentication.Ifyouwishtodisablethis,pleaseseeDisableHTTPBasicAuthenticationbelow.
Note:Iftheapplicationnamecontainscharacterswhichareinvalidinahostname,theapplicationwillberegisteredwiththeServiceRegistryserviceinstanceusingtheapplicationnamewitheachinvalidcharacterreplacedbyahyphen( - )character(forexample,givenanapplicationnameof“message_generation”,thevirtualhostnameusedtoregistertheapplicationwiththeServiceRegistryserviceinstancewillbemessage-generation ).SeetheEurekaVirtualHostnameConfiguration sectionoftheSpringCloudConnectors topicformoreinformation.
©CopyrightPivotalSoftwareInc,2013-2018 69 1.1
RegistertheApplicationOptionally,youmayalsospecifytheregistrationmethodthatyouwishtousefortheapplication,usingthe spring.cloud.services.registrationMethod property.Itcantakeeitheroftwovalues:
route :TheapplicationwillberegisteredusingitsCloudFoundryroute.
direct :TheapplicationwillberegisteredusingitshostIPandport.
Thedefaultvalueforthe registrationMethod propertyis route .Youmayalsoprovideconfigurationusingpropertiesunder eureka.instance ,suchaseureka.instance.hostname and eureka.instance.nonSecurePort (seetheSpringCloudNetflixdocumentation );ifyoudo,thosepropertieswilloverridethevalue
of registrationMethod .
Seebelowforinformationaboutthe route and direct registrationmethods.
RouteRegistration
AnapplicationdeployedtoPCFcanhaveoneormoreURLs,or“routes,”boundtoit.Ifyouspecifythe route registrationmethod,theapplicationwillberegisteredwiththeServiceRegistryinstanceusingthefirstoftheseroutesfromthe uris listintheapplication’s VCAP_APPLICATION environmentvariable.
{"VCAP_APPLICATION":{
"name":"message-generation","space_id":"0fa9f93a-d1fa-43c8-b11b-f95b7e36fd32","space_name":"development","uris":["message-generation.apps.wise.com"],
RequestsfromclientapplicationstothisregisteredapplicationgothroughthePivotalCloudFoundryRouter,andtheRouterprovidesloadbalancingbetweentheclientsandregisteredapplications.
ThisregistrationmethodiscompatiblewithalldeploymentsofPCF.
DirectRegistration
AnapplicationrunningonPivotalCloudFoundryisprovidedwithanexternally-accessibleIPaddressandport,whicharemadeavailableintwoenvironmentvariables: CF_INSTANCE_IP and CF_INSTANCE_PORT .Ifyouspecifythe direct registrationmethod,theapplicationwillberegisteredwiththeServiceRegistryinstanceusingthisIPaddressandport.
RequestsfromclientapplicationstothisregisteredapplicationwillnotgothroughthePivotalCloudFoundryRouter.Youcanprovideclient-sideloadbalancingusingSpringCloudandNetflixRibbon .
Toenabledirectregistration,youmustconfigurethePCFenvironmenttoallowtrafficacrosscontainersorcells.InPCF1.6,visitthePivotalCloudFoundry®OperationsManager,clickthePivotalElasticRuntimetile,andintheSecurityConfigtab,ensurethatthe“Enablecross-containertraffic”optionisenabled.InPCF1.7,applicationsecuritygroups mustbeconfiguredtoallowdirectcommunicationbetweenapplicationsacrosscells.Directcross-cellcommunicationisallowedbythedefaultsecuritygroupscreatedduringElasticRuntimeinstallation.
SpecifyaRegistrationMethod
Ifyoudowishtospecifyaregistrationmethod,setthe spring.cloud.services.registrationMethod property.In application.yml :
spring:application:name:message-generationcloud:services:registrationMethod:route
Asmentionedabove,the route methodisthedefault;itwillbeusedifyoudonotspecify registrationMethod .
Withthe spring.application.name propertyset,youcannowbindtheapplicationtoaServiceRegistryinstance.OnceithasbeenboundandrestagedandhassuccessfullyregisteredwiththeRegistry,youwillseeitlistedintheServiceRegistrydashboard(seetheUsingtheDashboard topic).
Important:OnPCF1.7,networkcommunicationbetweencontainersinthesamecellisnotallowed.Thismakesdirectregistrationunreliable,sinceapplicationsregisteringtotheserviceregistryandclientapplicationsdiscoveringtheregisteredapplicationsmaybedeployedtothesamecell.UseofthedirectregistrationmethodisthereforenotrecommendedorsupportedonPCF1.7.
©CopyrightPivotalSoftwareInc,2013-2018 70 1.1
ConsumeaServiceFollowthebelowinstructionstoconsumeaservicethatisregisteredwithaServiceRegistryserviceinstance.
DiscoverandConsumeaServiceUsingRestTemplateAconsumingapplicationmustincludethe @EnableDiscoveryClient annotationonaconfigurationclass .
@SpringBootApplication@EnableDiscoveryClient@RestControllerpublicclassGreeterApplication{
@Bean@LoadBalancedpublicRestTemplaterestTemplate(){returnnewRestTemplate();}
@AutowiredprivateRestTemplaterest;//...
Tocallaregisteredservice,aconsumingapplicationcanuseaURIwithahostnamematchingthenamewithwhichtheserviceisregisteredintheServiceRegistry.Thisway,theconsumingapplicationdoesnotneedtoknowtheserviceapplication’sactualURL;theRegistrywilltakecareoffindingandroutingtotheservice.
Bydefault,ServiceRegistryrequiresHTTPSforaccesstoregisteredservices.IfyourclientapplicationisconsumingaserviceapplicationwhichhasbeenregisteredwiththeServiceRegistryinstanceusingrouteregistration(seetheRegistertheApplication sectionabove),youhavetwooptions:
1. Usethe https:// URIschemetoaccesstheservice.
2. Inyourapplicationconfiguration,setthe ribbon.IsSecure propertyto false ,andusethe http:// URIschemetoaccesstheservice.
IfyouwishtouseHTTPratherthanHTTPS,set ribbon.IsSecure first.In application.yml :
ribbon:IsSecure:false
TheMessageGenerationapplicationisregisteredwiththeServiceRegistryinstanceas message-generation ,sointheGreeterapplication,the hello()
methodonthe GreeterApplication class usesthebaseURI http://message-generation togetagreetingmessagefromMessageGeneration.
Note:Ifthenameoftheregisteredapplicationcontainscharacterswhichareinvalidinahostname,thatapplicationwillberegisteredwiththeServiceRegistryserviceinstanceusingtheapplicationnamewitheachinvalidcharacterreplacedbyahyphen( - )character.Forexample,givenanapplicationnameof“message_generation”,thevirtualhostnameusedtoregistertheapplicationwiththeServiceRegistryserviceinstancewillbe message-generation .SeetheEurekaVirtualHostnameConfiguration sectionoftheSpringCloudConnectors topicformoreinformation.
Important:IfyourPCFinstallationisconfiguredtoonlyallowHTTPStraffic,youmustspecifythe https:// schemeinthebaseURIusedbyyourclientapplication.Forthebelowexample,thismeansthatyoumustchangethebaseURIfrom http://message-generation/greeting tohttps://message-generation/greeting .
©CopyrightPivotalSoftwareInc,2013-2018 71 1.1
@RequestMapping(value="/hello",method=RequestMethod.GET)publicStringhello(@RequestParam(value="salutation",defaultValue="Hello")Stringsalutation,@RequestParam(value="name",defaultValue="Bob")Stringname){URIuri=UriComponentsBuilder.fromUriString("http://message-generation/greeting").queryParam("salutation",salutation).queryParam("name",name).build().toUri();
Greetinggreeting=rest.getForObject(uri,Greeting.class);returngreeting.getMessage();}
Greeter’s Greeting class usesJackson’s @JsonCreator and @JsonProperty toreadintheJSONresponsefromMessageGeneration.
privatestaticclassGreeting{
privateStringmessage;
@JsonCreatorpublicGreeting(@JsonProperty("message")Stringmessage){this.message=message;}
publicStringgetMessage(){returnthis.message;}
}
TheGreeterapplicationnowrespondswithacustomizable Greeting whenyouaccessits /hello endpoint.
$curlhttp://greeter.apps.wise.com/helloHello,Bob!
$curlhttp://greeter.apps.wise.com/hello?name=JohnHello,John!
DiscoverandConsumeaServiceUsingFeignIfyouwishtouseFeign toconsumeaservicethatisregisteredwithaServiceRegistryinstance,yourapplicationmustdeclare spring-cloud-starter-feign asadependency.InordertohaveFeignclientinterfacesautomaticallyconfigured,itmustalsousethe @EnableFeignClients annotation.
Yourconsumingapplicationmustincludethe @EnableDiscoveryClient annotationonaconfigurationclass .IntheGreeterapplication,theGreeterApplication classcontainsa MessageGenerationClient interface,whichisaFeignclientfortheMessageGenerationapplication.
@SpringBootApplication@EnableDiscoveryClient@EnableFeignClients@RestControllerpublicclassGreeterApplication{
@AutowiredMessageGenerationClientmessageGeneration;//...
Tocallaregisteredservice,aconsumingapplicationcanuseaURIwithahostnamematchingthenamewithwhichtheserviceisregisteredintheServiceRegistry.Thisway,theconsumingapplicationdoesnotneedtoknowtheserviceapplication’sactualURL;theRegistrywilltakecareoffindingandroutingtotheservice.
Bydefault,ServiceRegistryrequiresHTTPSforaccesstoregisteredservices.IfyourclientapplicationisconsumingaserviceapplicationwhichhasbeenregisteredwiththeServiceRegistryinstanceusingrouteregistration(seetheRegistertheApplication sectionabove),youhavetwooptions:
1. Usethe https:// URIschemetoaccesstheservice.
2. Inyourapplicationconfiguration,setthe ribbon.IsSecure propertyto false ,andusethe http:// URIschemetoaccesstheservice.
IfyouwishtouseHTTPratherthanHTTPS,set ribbon.IsSecure first.In application.yml :
ribbon:IsSecure:false
TheMessageGenerationapplicationisregisteredwiththeServiceRegistryinstanceas message-generation ,sothe @FeignClient annotationontheMessageGenerationClient interface usesthebaseURI http://message-generation .Theinterfacedeclaresonemethod, greeting() ,whichaccessestheMessage
Generationapplication’s /greeting endpointandsendsalongoptional name and salutation parametersiftheyareprovided.
Note:Ifthenameoftheregisteredapplicationcontainscharacterswhichareinvalidinahostname,thatapplicationwillberegisteredwiththeServiceRegistryserviceinstanceusingtheapplicationnamewitheachinvalidcharacterreplacedbyahyphen( - )character.Forexample,givenanapplicationnameof“message_generation”,thevirtualhostnameusedtoregistertheapplicationwiththeServiceRegistryserviceinstancewillbe message-generation .SeetheEurekaVirtualHostnameConfiguration sectionoftheSpringCloudConnectors topicformoreinformation.
Important:IfyourPCFinstallationisconfiguredtoonlyallowHTTPStraffic,youmustspecifythe https:// schemeinthebaseURIusedbyyourclientapplication.Forthebelowexample,thismeansthatyoumustchangethebaseURIfrom http://message-generation/greeting tohttps://message-generation/greeting .
©CopyrightPivotalSoftwareInc,2013-2018 72 1.1
@FeignClient("http://message-generation")interfaceMessageGenerationClient{@RequestMapping(value="/greeting",method=GET)Greetinggreeting(@RequestParam("name")Stringname,@RequestParam("salutation")Stringsalutation);}
Greeter’s Greeting class usesJackson’s @JsonCreator and @JsonProperty toreadintheJSONresponsefromMessageGeneration.
privatestaticclassGreeting{
privateStringmessage;
@JsonCreatorpublicGreeting(@JsonProperty("message")Stringmessage){this.message=message;}
publicStringgetMessage(){returnthis.message;}
}
Its greeting() method ismappedtothe /hello endpointandcallsthe greeting() methodon MessageGenerationClient togetagreeting.
@RequestMapping(value="/hello",method=GET)publicStringgreeting(@RequestParam(value="salutation",defaultValue="Hello")Stringsalutation,@RequestParam(value="name",defaultValue="Bob")Stringname){Greetinggreeting=messageGeneration.greeting(name,salutation);returngreeting.getMessage();}
TheGreeterapplicationnowrespondswithacustomizable Greeting whenyouaccessits /hello endpoint.
$curlhttp://greeter.apps.wise.com/helloHello,Bob!
$curlhttp://greeter.apps.wise.com/hello?name=JohnHello,John!
DisableHTTPBasicAuthenticationTheSpringCloudServicesStarterforServiceRegistryhasadependencyonSpringSecurity .Unlessyourapplicationhasothersecurityconfiguration,thiswillcauseallapplicationendpointstobeprotectedbyHTTPBasicauthentication.
Ifyoudonotyetwanttoaddressapplicationsecurity,youmayturnoffBasicauthenticationbysettingthe security.basic.enabled propertyto false .Inapplication.yml or bootstrap.yml :
security:basic:enabled:false
Youmightmakethissettingspecifictoaprofile(suchasthe dev profileifyouwantBasicauthenticationdisabledonlyfordevelopment):
---
spring:profiles:dev
security:basic:enabled:false
Formoreinformation,see“Security”intheSpringBootReferenceGuide .
©CopyrightPivotalSoftwareInc,2013-2018 73 1.1
UsingtheDashboardPagelastupdated:
Tofindthedashboard,navigateinPivotalCloudFoundry®AppsManagertotheServiceRegistryserviceinstance’sspaceandclickManageinthelistingfortheserviceinstance.
Ifyouareusingversion6.8.0orlateroftheCloudFoundryCommandLineInterfacetool(cfCLI),youcanalsouse cfserviceSERVICE_NAME ,whereSERVICE_NAME isthenameoftheServiceRegistryserviceinstance:
$cfserviceserviceregistry
Serviceinstance:service-registryService:p-service-registryBoundapps:Tags:Plan:standardDescription:ServiceRegistryforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.wise.com/dashboard/p-service-registry/a9bcaf09-ba0a-4650-bdfc-75784882245e
LastOperationStatus:createsucceededMessage:Started:2016-09-19T21:05:32ZUpdated:
VisittheURLgivenfor“Dashboard”.
BeforeyouhaveboundanyapplicationstoaServiceRegistryinstance,theServiceRegistrydashboardwillreflectthatthereare“Noapplicationsregistered”.
Toseeapplicationslistedinthedashboard,bindanapplicationwhichuses @EnableDiscoveryClient totheserviceinstance(seetheWritingClientApplications topic).OnceyouhaverestagedtheapplicationandithasregisteredwithEureka,thedashboardwilldisplayitunderRegisteredApps.
Note:ServiceRegistryforPivotalCloudFoundryiscurrentlybasedonSpringCloud®OSSBrixton.IfbindingaSpringCloudOSSAngelapplicationtoaServiceRegistryserviceinstance,youmayseeirregularbehaviorintheServiceRegistryserviceinstancedashboard’slistingfortheapplication.
ForinformationoncurrentclientdependenciesprovidedforusewithSpringCloudServicesserviceinstances,seetheClientDependencies
topic.
©CopyrightPivotalSoftwareInc,2013-2018 74 1.1
©CopyrightPivotalSoftwareInc,2013-2018 75 1.1
SpringCloudConnectorsPagelastupdated:
ToconnectclientapplicationstotheServiceRegistry,SpringCloudServicesusesSpringCloudConnectors ,includingtheSpringCloudCloudFoundryConnector ,whichdiscoversservicesboundtoapplicationsrunninginCloudFoundry.
ServiceDetectionTheconnectorinspectsCloudFoundry’s VCAP_SERVICES environmentvariable,whichstoresconnectionandidentificationinformationforserviceinstancesthatareboundtoCloudFoundryapplications,todetectavailableservices.Belowisanexampleofa VCAP_SERVICES entryfortheSpringCloudServicesServiceRegistry.
{"VCAP_SERVICES":{"p-service-registry":[{"credentials":{"access_token_uri":"https://p-spring-cloud-services.uaa.cf.wise.com/oauth/token","client_id":"p-service-registry-57bdc399-5b2e-4131-b941-d0a4275c2da4","client_secret":"GAmFDRU4KGnS","uri":"https://eureka-32fb7386-2d57-4054-91b4-9fd4dcbac221.apps.wise.com"},"label":"p-service-registry","name":"service-registry","plan":"standard","tags":["eureka","discovery","registry","spring-cloud"]}]
Foreachserviceinthe VCAP_SERVICES variable,theconnectorconsidersthefollowingfields:
tags :Attributesornamesofbackingtechnologiesbehindtheservice.
label :Theserviceoffering’sname(nottobeconfusedwithaserviceinstance’sname).
credentials.uri :AURIpertainingtotheserviceinstance.
credentials.uris :URIspertainingtotheserviceinstance.
ServiceRegistryDetectionCriteriaToestablishavailabilityoftheServiceRegistry,theSpringCloudCloudFoundryConnectorcomparesVCAP_SERVICES serviceentriesagainstthefollowingcriteria:
tags including eureka
ApplicationConfigurationInaSpringBootapplicationwhichisboundtoaServiceRegistryserviceinstance,theconnectorautomaticallyconfiguresaSpringCloudNetflixEurekaclientconfigurationbean.Theclientconfigurationincludesthediscoveryzone,whichisconfiguredusingtheURLfromtheservicebinding;thisisequivalenttosettingthe eureka.client.serviceUrl.defaultZone property.
EurekaVirtualHostnameConfigurationEachNetflixEurekaclientapplicationhasaninsecurevirtualhostname,setontheapplicationusingthe eureka.instance.virtualHostName property,andasecurevirtualhostname,setontheapplicationusingthe eureka.instance.secureVirtualHostname property.Ifeitherofthesepropertiesisnotset,SpringCloudNetflixEurekasetsthecorrespondingvirtualhostnametothevalueofthe spring.application.name propertyontheclientapplication.
TheSpringCloudServicesconnectorforServiceRegistrysuppliesmissinghostnamevaluesinthesameway.However,ifavirtualhostnameisnotexplicitlyprovidedandtheconnectormustderiveahostnamefromthevalueofthe spring.application.name property,theconnectorsanitizesthatvaluebyusinga-charactertoreplaceanycharacterwhichisinvalidinahostname.
Examplesofvaluesprovidedforthe eureka.instance virtualhostnameproperties,valuesprovidedforthe spring.application.name property,andthevirtualhostnamesresultingfromcombinationsofthesevaluesorfromprovidingagivenvaluefor spring.application.name butnonefora eureka.instance propertyarelistedbelow.
eureka.instance property spring.application.name Resultantvirtualhostname
vhn san vhn
v_hn san v_hn
(notprovided) san san
Important:Ifyouprovideavalueforeitherofthe eureka.instance.virtualHostName or eureka.instance.secureVirtualHostname properties,itwillnotbesanitized,andyoumustensurethatthevalueisavalidhostname.Theconnectorsanitizesonlyvirtualhostnameswhicharederivedfromthespring.application.name property.
©CopyrightPivotalSoftwareInc,2013-2018 76 1.1
(notprovided) s_an s-an
x_y x_y x_y
eureka.instance property spring.application.name Resultantvirtualhostname
SeeAlsoFormoreinformationaboutSpringCloudConnectors,seethefollowing:
SpringCloudCloudFoundryConnectordocumentation
SpringCloudSpringServiceConnectordocumentation
SpringCloudConnectorsdocumentation
SpringCloudConnectorsforSpringCloudServicesonPivotalCloudFoundry
©CopyrightPivotalSoftwareInc,2013-2018 77 1.1
AdditionalResourcesPagelastupdated:
SpringCloud®Services1.0.0onPivotalCloudFoundry -ServiceRegistry-YouTube(shortscreencastdemonstratingServiceRegistryforPivotalCloudFoundry)
Home·Netflix/eurekaWiki (documentationforNetflixEureka,theserviceregistrythatunderliesServiceRegistryforPivotalCloudFoundry)
SpringCloudNetflix (documentationforSpringCloudNetflix,theopen-sourceprojectwhichprovidesNetflixOSSintegrationsforSpringapplications)
MicroserviceRegistrationandDiscoverywithSpringCloudandNetflix’sEureka (discussionandexamplesofconfiguringEurekaandNetflixRibbonusingSpringCloud)
Client-sideservicediscoverypattern (generaldescriptionofServiceDiscoverypattern)
Serviceregistrypattern (generaldescriptionofserviceregistryconcept)
©CopyrightPivotalSoftwareInc,2013-2018 78 1.1
CircuitBreakerDashboardforPivotalCloudFoundry
OverviewCircuitBreakerDashboardforPivotalCloudFoundry (PCF)providesSpringapplicationswithanimplementationoftheCircuitBreakerpattern.Cloud-nativearchitecturesaretypicallycomposedofmultiplelayersofdistributedservices.End-userrequestsmaycomprisemultiplecallstotheseservices,andifalower-levelservicefails,thefailurecancascadeuptotheenduserandspreadtootherdependentservices.Heavytraffictoafailingservicecanalsomakeitdifficulttorepair.UsingCircuitBreakerDashboard,youcanpreventfailuresfromcascadingandprovidefallbackbehavioruntilafailingserviceisrestoredtonormaloperation.
Whenappliedtoaservice,acircuitbreakerwatchesforfailingcallstotheservice.Iffailuresreachacertainthreshold,it“opens”thecircuitandautomaticallyredirectscallstothespecifiedfallbackmechanism.Thisgivesthefailingservicetimetorecover.
CircuitBreakerDashboardforPivotalCloudFoundryisbasedonHystrix ,Netflix’slatencyandfault-tolerancelibrary.FormoreinformationaboutHystrixandabouttheCircuitBreakerpattern,seeAdditionalResources .
Refertothesampleapplicationsinthe“traveler”repository tofollowalongwithcodeinthissection.
©CopyrightPivotalSoftwareInc,2013-2018 79 1.1
CreatinganInstancePagelastupdated:
YoucancreateaCircuitBreakerDashboardserviceinstanceusingeithertheCloudFoundryCommandLineInterfacetool(cfCLI)orPivotalCloudFoundry (PCF)AppsManager.
UsingthecfCLIBeginbytargetingthecorrectorgandspace.
$cftarget-omyorg-sdevelopment
APIendpoint:https://api.cf.wise.com(APIversion:2.43.0)User:userOrg:myorgSpace:development
Ifdesired,viewplandetailsfortheCircuitBreakerDashboardproductusing cfmarketplace-s
.
$cfmarketplaceGettingservicesfrommarketplaceinorgmyorg/spacedevelopmentasuser...OK
serviceplansdescriptionp-circuit-breaker-dashboardstandardCircuitBreakerDashboardforSpringCloudApplicationsp-config-serverstandardConfigServerforSpringCloudApplicationsp-mysql100mb-devMySQLserviceforapplicationdevelopmentandtestingp-rabbitmqstandardRabbitMQisarobustandscalablehigh-performancemulti-protocolmessagingbroker.p-service-registrystandardServiceRegistryforSpringCloudApplications
TIP:Use'cfmarketplace-sSERVICE'toviewdescriptionsofindividualplansofagivenservice.
$cfmarketplace-sp-circuit-breaker-dashboardGettingserviceplaninformationforservicep-circuit-breaker-dashboardasuser...OK
serviceplandescriptionfreeorpaidstandardStandardPlanfree
Run cfcreate-service
,specifyingtheservice,planname,andinstancename.
$cfcreate-servicep-circuit-breaker-dashboardstandardcircuit-breaker-dashboardCreatingserviceinstancecircuit-breaker-dashboardinorgmyorg/spacedevelopmentasadmin...OK
Createinprogress.Use'cfservices'or'cfservicecircuit-breaker-dashboard'tocheckoperationstatus.
Asthecommandoutputsuggests,youcanusethe cfservices or cfservice commandstocheckthestatusoftheserviceinstance.Whentheserviceinstanceisready,the cfservice commandwillgiveastatusof create
succeeded:
$cfservicecircuit-breaker-dashboard
Serviceinstance:circuit-breaker-dashboardService:p-circuit-breaker-dashboardBoundapps:Tags:Plan:standardDescription:CircuitBreakerDashboardforSpringCloud®ApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-circuit-breaker-dashboard/97869d78-5d4e-410b-9c71-bb622ca49f7d
LastOperationStatus:createsucceededMessage:Started:2016-06-29T19:13:13ZUpdated:2016-06-29T19:16:19Z
UsingAppsManagerLogintoAppsManagerasaSpaceDeveloper.IntheMarketplace,selectCircuitBreaker.
Note:YoumaynoticeadiscrepancybetweenthestatusgivenforaserviceinstancebythecfCLI(e.g.,bythe cfservice command)versusthatshownontheServiceInstancesdashboard .Thedashboardisupdatedfrequently(closetoreal-time);thestatusretrievedbythecfCLIisnotupdatedasfrequentlyandmaytaketimetomatchthedashboard.
©CopyrightPivotalSoftwareInc,2013-2018 80 1.1
Selectthedesiredplanforthenewserviceinstance.
Provideanamefortheserviceinstance(forexample,“circuit-breaker-dashboard”).ClicktheAddbutton.
©CopyrightPivotalSoftwareInc,2013-2018 81 1.1
IntheServiceslist,clicktheManagelinkunderthelistingforthenewserviceinstance.
Itmaytakeafewminutestoprovisiontheserviceinstance;whileitisbeingprovisioned,youwillseea“Theserviceinstanceisinitializing”message.Oncetheinstanceisready,itsdashboardwillloadautomatically.
TheCircuitBreakerDashboardinstanceisnowreadytobeused.Foranexampleofusingacircuitbreakerinanapplication,seetheWritingClientApplications topic.
©CopyrightPivotalSoftwareInc,2013-2018 82 1.1
WritingClientApplicationsPagelastupdated:
Refertothesampleapplicationsinthe“traveler”repository tofollowalongwiththecodeinthistopic.
TouseacircuitbreakerinaSpringapplicationwithaCircuitBreakerDashboardserviceinstance,youmustaddthedependencieslistedintheClientDependencies topictoyourapplication’sbuildfile.BesuretoincludethedependenciesforCircuitBreakerDashboard aswell.
UseaCircuitBreakerToworkwithaCircuitBreakerDashboardinstance,yourapplicationmustincludethe @EnableCircuitBreaker annotationonaconfigurationclass .
importorg.springframework.cloud.client.circuitbreaker.EnableCircuitBreaker;//...
@SpringBootApplication@EnableDiscoveryClient@RestController@EnableCircuitBreakerpublicclassAgencyApplication{//...
Toapplyacircuitbreakertoamethod,annotatethemethodwith @HystrixCommand ,givingtheannotationthenameofa fallbackMethod .
@HystrixCommand(fallbackMethod="getBackupGuide")publicStringgetGuide(){returnrestTemplate.getForObject("http://company/available",String.class);}
The getGuide() methodusesa RestTemplate toobtainaguidenamefromanotherapplicationcalledCompany,whichisregisteredwithaServiceRegistryinstance.(SeetheServiceRegistrydocumentation ,specificallytheWritingClientApplications topic.)ThemethodthusreliesontheCompanyapplicationtoreturnaresponse,andiftheCompanyapplicationfailstodoso,callsto getGuide() willfail.Whenthefailuresexceedthethreshold,thebreakeron getGuide() willopenthecircuit.
Whilethecircuitisopen,thebreakerredirectscallstotheannotatedmethod,andtheyinsteadcallthedesignated fallbackMethod .Thefallbackmethodmustbeinthesameclassandhavethesamemethodsignature(i.e.,havethesamereturntypeandacceptthesameparameters)astheannotatedmethod.IntheAgencyapplication,the getGuide() methodonthe TravelAgent classfallsbackto getBackupGuide() .
StringgetBackupGuide(){return"Noneavailable!Yourbackupguideis:Cookie";}
Ifyouwish,youmayalsoannotatefallbackmethodsthemselveswith @HystrixCommand tocreateafallbackchain.
UseaCircuitBreakerwithaFeignClientYoucannotapply @HystrixCommand directlytoaFeign clientinterfaceatthistime.Instead,youcancallFeignclientmethodsfromaserviceclassthatisautowiredasaSpringbean(eitherthroughthe @Service or @Component annotationsorbybeingdeclaredasa @Bean inaconfigurationclass)andthenannotatetheserviceclassmethodswith @HystrixCommand .
IntheFeignversionoftheAgencyapplication ,the AgencyApplication classisannotatedwith @EnableFeignClients .
//...importorg.springframework.cloud.netflix.feign.EnableFeignClients;
@SpringBootApplication@EnableDiscoveryClient@RestController@EnableCircuitBreaker@EnableFeignClientspublicclassAgencyApplication{//...
TheapplicationhasaFeignclientcalled CompanyClient .
packageagency;
importorg.springframework.stereotype.Component;importorg.springframework.cloud.netflix.feign.FeignClient;importorg.springframework.web.bind.annotation.RequestMapping;
importstaticorg.springframework.web.bind.annotation.RequestMethod.GET;
@FeignClient("https://company")interfaceCompanyClient{@RequestMapping(value="/available",method=GET)StringavailableGuide();}
The TravelAgent class isannotatedasa @Service class.The CompanyClient classisinjectedthroughautowiring,andthe getGuide() methodusestheCompanyClient toaccesstheCompanyapplication. @HystrixCommand isappliedtotheservicemethod:
©CopyrightPivotalSoftwareInc,2013-2018 83 1.1
packageagency;
importorg.springframework.stereotype.Service;importorg.springframework.beans.factory.annotation.Autowired;
importcom.netflix.hystrix.contrib.javanica.annotation.HystrixCommand;
@ServicepublicclassTravelAgent{
@AutowiredCompanyClientcompany;
@HystrixCommand(fallbackMethod="getBackupGuide")publicStringgetGuide(){returncompany.availableGuide();}
StringgetBackupGuide(){return"Noneavailable!Yourbackupguideis:Cookie";}
}
IftheCompanyapplicationbecomesunavailableoriftheAgencyapplicationcannotaccessit,callsto getGuide() willfail.Whensuccessivefailuresbuilduptothethreshold,Hystrixwillopenthecircuit,andsubsequentcallswillberedirectedtothe getBackupGuide() methoduntiltheCompanyapplicationisaccessibleagainandthecircuitisclosed.
©CopyrightPivotalSoftwareInc,2013-2018 84 1.1
UsingtheDashboardPagelastupdated:
Tofindthedashboard,navigateinPivotalCloudFoundry®AppsManagertotheCircuitBreakerDashboardserviceinstance’sspaceandclickManageinthelistingfortheserviceinstance.
Ifyouareusingversion6.8.0orlateroftheCloudFoundryCommandLineInterface(cfCLI),youcanalsouse cfserviceSERVICE_NAME ,whereSERVICE_NAME isthenameoftheCircuitBreakerDashboardserviceinstance:
$cfservicecircuit-breaker-dashboard
Serviceinstance:circuit-breaker-dashboardService:p-circuit-breaker-dashboardBoundapps:agencyTags:Plan:standardDescription:CircuitBreakerDashboardforSpringCloudApplicationsDocumentationurl:http://docs.pivotal.io/spring-cloud-services/Dashboard:https://spring-cloud-broker.apps.wise.com/dashboard/p-circuit-breaker-dashboard/97869d78-5d4e-410b-9c71-bb622ca49f7d
LastOperationStatus:createsucceededMessage:Started:2016-06-29T19:13:13ZUpdated:2016-06-29T19:16:19Z
VisittheURLgivenfor“Dashboard”.
Toseebreakerstatusesonthedashboard,configureanapplicationasdescribedintheWritingClientApplications topic,using @HystrixCommand
annotationstoapplycircuitbreakers.ThenpushtheapplicationandbindittotheCircuitBreakerDashboardserviceinstance.Onceboundandrestaged,theapplicationwillupdatethedashboardwithmetricsthatdescribethehealthofitsmonitoredservicecalls.
Withthe“Agency”exampleapplication(seethe“traveler”repository )receivingnoload,thedashboarddisplaysthefollowing:
Toseethecircuitbreakerinaction,usecurl,JMeter ,ApacheBench ,orsimilartosimulateload.
$whiletrue;docurlagency.apps.wise.com;done
WiththeCompanyapplicationrunningandavailableviatheServiceRegistryinstance(seetheWritingClientApplications topic),theAgencyapplicationrespondswithaguidename,indicatingasuccessfulservicecall.IfyoustopCompany,Agencywillrespondwitha“Noneavailable”message,indicatingthatthecalltoits getGuide() methodfailedandwasredirectedtothefallbackmethod.
Whenservicecallsaresucceeding,thecircuitisclosed,andthedashboardgraphshowstherateofcallspersecondandsuccessfulcallsper10seconds.
©CopyrightPivotalSoftwareInc,2013-2018 85 1.1
Whencallsbegintofail,thegraphshowstherateoffailedcallsinred.
Whenfailuresexceedtheconfiguredthreshold(thedefaultis20failuresin5seconds),thebreakeropensthecircuit.Thedashboardshowstherateofshort-circuitedcalls—callswhicharegoingstraighttothefallbackmethod—inblue.Theapplicationisstillallowingcallstothefailingmethodatarateof1every5seconds,asindicatedinred;thisisnecessarytodetermineifcallsaresucceedingagainandifthecircuitcanbeclosed.
©CopyrightPivotalSoftwareInc,2013-2018 86 1.1
Withthecircuitbreakerinplaceonits getGuide() method,theAgencyexampleapplicationneverreturnsanHTTPstatuscodeotherthan 200 totherequester.
©CopyrightPivotalSoftwareInc,2013-2018 87 1.1
SpringCloud®ConnectorsPagelastupdated:
ToconnectclientapplicationstotheCircuitBreakerDashboard,SpringCloudServicesusesSpringCloudConnectors ,includingtheSpringCloudCloudFoundryConnector ,whichdiscoversservicesboundtoapplicationsrunninginCloudFoundry.
ServiceDetectionTheconnectorinspectsCloudFoundry’s VCAP_SERVICES environmentvariable,whichstoresconnectionandidentificationinformationforserviceinstancesthatareboundtoCloudFoundryapplications,todetectavailableservices.Belowisanexampleexcerptofa VCAP_SERVICES entryfortheSpringCloudServicesCircuitBreakerDashboard(editedforbrevity).
{"VCAP_SERVICES":{"p-circuit-breaker-dashboard":[{"credentials":{"dashboard":"https://hystrix-67b8d606-c287-4fb1-9b3f-bd5cb27a29b5.apps.wise.com","stream":"https://turbine-67b8d606-c287-4fb1-9b3f-bd5cb27a29b5.apps.wise.com"},"label":"p-circuit-breaker-dashboard","name":"circuit-breaker-dashboard","plan":"standard","tags":["circuit-breaker","hystrix-amqp","spring-cloud"]}]
Foreachserviceinthe VCAP_SERVICES variable,theconnectorconsidersthefollowingfields:
tags :Attributesornamesofbackingtechnologiesbehindtheservice.
label :Theserviceoffering’sname(nottobeconfusedwithaserviceinstance’sname).
credentials.uri :AURIpertainingtotheserviceinstance.
credentials.uris :URIspertainingtotheserviceinstance.
CircuitBreakerDashboardDetectionCriteriaToestablishavailabilityoftheCircuitBreakerDashboard,theSpringCloudCloudFoundryConnectorcomparesVCAP_SERVICES serviceentriesagainstthefollowingcriteria:
tags including hystrix-amqp
MetricsCollectionwithSpringCloudStreamACircuitBreakerDashboardserviceinstanceusesSpringCloudStream tocollectNetflixHystrixmetricsfromaclientapplication.Theconnectorcreatesa hystrix configurationoftheSpringCloudStreamRabbitMQbinder andconfiguresa hystrixStreamOutput channel,overwhichaclientapplicationsendsHystrixmetrics.
The defaultCandidate propertyonthe hystrix RabbitMQbinderconfigurationissetto false ,sothatthisbinderconfigurationwillnotaffectanydefaultbinderconfigurationintheclientapplicationandyoucanfreelyconfigureSpringCloudStreambinders(includingtheRabbitMQbinder)intheclientapplication.Formoreinformation,see“ConnectingtoMultipleSystems”intheSpringCloudStreamReferenceGuide .
SeeAlsoFormoreinformationaboutSpringCloudConnectors,seethefollowing:
SpringCloudCloudFoundryConnectordocumentation
SpringCloudSpringServiceConnectordocumentation
SpringCloudConnectorsdocumentation
SpringCloudConnectorsforSpringCloudServicesonPivotalCloudFoundry
©CopyrightPivotalSoftwareInc,2013-2018 88 1.1
AdditionalResourcesPagelastupdated:
SpringCloud®Services1.0.0onPivotalCloudFoundry -CircuitBreaker-YouTube(shortscreencastdemonstratingCircuitBreakerDashboardforPivotalCloudFoundry)
Home·Netflix/HystrixWiki (documentationforNetflixHystrix,thelibrarythatunderliesCircuitBreakerDashboardforPivotalCloudFoundry)
SpringCloudNetflix (documentationforSpringCloudNetflix,theopen-sourceprojectwhichprovidesNetflixOSSintegrationsforSpringapplications)
CircuitBreaker (articleinMartinFowler’sBlikiabouttheCircuitBreakerpattern)
TheNetflixTechBlog:IntroducingHystrixforResilienceEngineering (NetflixTechintroductionofHystrix)
TheNetflixTechBlog:MakingtheNetflixAPIMoreResilient (NetflixTechdescriptionofhowNetflix’sAPIusedtheCircuitBreakerpattern)
SpringOne2GX2014Replay:SpringBootandNetflixOSS (59:54inthevideobeginsanintroductionofHystrixandaSpringClouddemo)
©CopyrightPivotalSoftwareInc,2013-2018 89 1.1
