Spring Cloud® Connectors
To connect client applications to the Config Server, Spring Cloud Services uses Spring Cloud Connectors, including the Spring Cloud Cloud Foundry Connector, which discovers services bound to applications running in Cloud Foundry.
Service Detection
The connector inspects Cloud Foundry’s VCAP_SERVICES environment variable, which stores connection and identification information for service instances that are bound to Cloud Foundry applications, to detect available services. Below is an example of a VCAP_SERVICES entry for the Spring Cloud Services Config Server.
{
"VCAP_SERVICES": {
"p-config-server": [
{
"credentials": {
"access_token_uri": "https://p-spring-cloud-services.uaa.cf.wise.com/oauth/token",
"client_id": "p-config-server-c4a56a3d-9507-4c2f-9cd1-f858dbf9e11c",
"client_secret": "9aGx9K5Vx0cM",
"uri": "https://config-51711835-4626-4823-b5a1-e5d91012f3f2.wise.com"
},
"label": "p-config-server",
"name": "config-server",
"plan": "standard",
"tags": [
"configuration",
"spring-cloud"
]
}
]
For each service in the VCAP_SERVICES variable, the connector considers the following fields:
tags: Attributes or names of backing technologies behind the service.label: The service offering’s name (not to be confused with a service instance’s name).credentials.uri: A URI pertaining to the service instance.credentials.uris: URIs pertaining to the service instance.
Config Server Detection Criteria
To establish availability of the Config Server, the Spring Cloud Cloud Foundry Connector compares VCAP_SERVICES service entries against the following criteria:
tagsincludingconfiguration
Application Configuration
When the connector detects a Config Server service instance which has been bound to the application, it will automatically set the spring.cloud.config.uri property in the client application’s environment, using the URL provided in the Config Server instance’s credentials object. The connector will also set additional security properties to allow the client application to access the Config Server service instance.
HashiCorp Vault Token Renewal
When the spring.cloud.config.token property is set on an application, the connector enables automatic token renewal for a HashiCorp Vault client token. By default, the token’s Time To Live (TTL) is set at 300000 milliseconds and the connector automatically renews the application’s token every 60000 milliseconds.
You can configure the token’s TTL and the renewal interval using properties under vault.token, set in the application.yml or application.properties file. The TTL is set using the vault.token.ttl property and the renewal interval is set using the vault.token.renew.rate property.
The following YAML sets the token TTL to 600000 milliseconds (10 minutes) and sets the renewal interval to 180000 milliseconds (three minutes).
vault:
token:
ttl: 600000
renew:
rate: 180000
HashiCorp Vault Property Source Redaction
In the Spring Boot Actuator /env endpoint, property names and values from a HashiCorp Vault property source are redacted for security. By default, the connector redacts properties whose names begin with configService:vault:, and they are displayed in the output of /env as shown in the following example:
"configService:vault:game": {
"******": "Properties from this source are redacted for security reasons"
},
You can configure the pattern used to determine which properties to redact, as well as the message displayed in place of those properties’ values, using properties set in the application.yml or application.properties file. The pattern is set using the endpoints.env.mask.sourceNamePatterns property (wildcards, written as *, are allowed) and the message is set using the endpoints.env.mask.message property.
For example, the following YAML sets the redacted property name pattern to match property sources whose names begin with configService: and sets the message to Redacted for security.
endpoints:
env:
mask:
sourceNamePatterns: "configService:"
message: "Redacted for security"
See Also
For more information about Spring Cloud Connectors, see the following: