I've got a Spring Boot Admin application which uses a Kubernetes Service Discovery to get the Spring Boot client applications.

spring:
  cloud:
      kubernetes:
        discovery:
          all-namespaces: true
          service-labels:
            springbootadmin: true
        reload:
          enabled: true
          period: 60s
          strategy: refresh

Without secured actuator endpoints this works fine.

But as soon as the client actuator endpoints are protected by basic auth this does not work any more. The Spring Boot Admin Documentation describes how to add the authentication data to the Spring Boot Admin Server, but it does not describe how to provide this when the services are discovered via Kubernetes.

I've tried these configurations. But they don't work:

  1. Spring Boot Admin Docs: spring.boot.admin.instance-auth.default-user-name + password
  2. Spring Boot Admin Tutorial: spring.boot.admin.client.instance.metadata.user.name + password

I also found an answer which describes how to configure the credentials in the Kubernetes annotations. This works, but I would prefer to configure the credentials in the Spring Boot Admin configuration (where I can use Secrets) and not separately for each service in the Kubernetes configuration as an insecure label.

I think I have to inject the credentials in the Service Discovery metadata. But how?

EDIT

I've examined the service discovery and found no auth configuration options which could be provided:

  1. class KubernetesDiscoveryProperties.Metadata
  2. class de.codecentric.boot.admin.server.cloud.discovery.DefaultServiceInstanceConverter
Matthias M
  • What do you mean by "I want to secure the client actuator endpoints"? Endpoints are on the server side. Do you want to know how to protect actuator endpoints? Or do you want to know how to configure the client to access actuator endpoints protected by some credentials? – mentallurg Feb 14 '21 at 00:48
  • @mentallurg I want to know how Spring Boot Admin can access the already protected endpoint. I've also updated my question. – Matthias M Feb 14 '21 at 07:49

2 Answers

It might be an option to add a custom header to the requests that are sent by SBA to the clients:

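// Registers a provider that Spring Boot Admin calls for every outgoing
// request to a monitored instance; the returned headers are added to it.
@Bean
public HttpHeadersProvider customHttpHeadersProvider() {
    return (instance) -> {
        HttpHeaders httpHeaders = new HttpHeaders();
        // Static Basic auth header. The value is only Base64-encoded, not encrypted:
        // it decodes to "mySpecialUsername:mySpecialPassword".
        httpHeaders.add("Authorization", "Basic bXlTcGVjaWFsVXNlcm5hbWU6bXlTcGVjaWFsUGFzc3dvcmQ=");
        return httpHeaders;
    };
}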
JayDee101

The authentication can be set by these settings:

spring:
  boot:
    admin:
      instance-auth:
        default-user-name: user
        default-password: pw

These settings are read by the Configuration Class AdminServerInstanceWebClientConfiguration which instantiates a bean basicAuthHttpHeadersProvider.

Matthias M
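
As an added example (not part of either answer and not code from the Spring Boot Admin project): the instance-auth settings from the answer above, with the values taken from a Kubernetes Secret instead of literals, which is what the question asks for. The Secret name sba-actuator-credentials, its keys, the environment variable names, the Deployment name and the image are assumptions.

```yaml
# File 1: application.yml of the Spring Boot Admin server (added example).
# Weak form, as in the answer: credentials are literals in the config file.
#   default-user-name: user
#   default-password: pw
# Form below: placeholders resolved from environment variables at startup.
# SBA_INSTANCE_USER / SBA_INSTANCE_PASSWORD are assumed names.
spring:
  boot:
    admin:
      instance-auth:
        default-user-name: ${SBA_INSTANCE_USER}
        default-password: ${SBA_INSTANCE_PASSWORD}
---
# File 2: Deployment of the Spring Boot Admin server (assumed names throughout).
# The Secret "sba-actuator-credentials" with keys "username" and "password"
# is assumed to exist in the same namespace and is created out of band,
# so no credential appears in this manifest or in any service label.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-boot-admin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spring-boot-admin
  template:
    metadata:
      labels:
        app: spring-boot-admin
    spec:
      containers:
        - name: spring-boot-admin
          image: registry.example.com/spring-boot-admin:placeholder
          env:
            - name: SBA_INSTANCE_USER
              valueFrom:
                secretKeyRef:
                  name: sba-actuator-credentials
                  key: username
            - name: SBA_INSTANCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sba-actuator-credentials
                  key: password
```

Because these are default credentials, the server sends them to every discovered instance that has no credentials of its own; with all-namespaces: true that is every service in the cluster carrying the springbootadmin label.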