Externalize configuration using ConfigMap with Spring Boot Kubernetes

Question

I'm trying to externalize my Spring Boot configuration using ConfigMaps in Kubernetes. I've read the docs and added the dependency on my pom.xml:

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-kubernetes-fabric8-config</artifactId>
  <version>2.1.3</version>
</dependency>

Set my spring.application.name as webapp and created a ConfigMap from a YAML file:

spring:
  web:
    locale: en_US
    locale-resolver: fixed

Using this command:

kubectl create configmap webapp \
--namespace webapp-production \
--from-file=config.yaml

But when my application starts I get the following error:

Can't read configMap with name: [webapp] in namespace: [webapp-production]. Ignoring.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://IP/api/v1/namespaces/webapp-production/configmaps/webapp. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. configmaps "webapp" is forbidden: User "system:serviceaccount:webapp-production:default" cannot get resource "configmaps" in API group "" in the namespace "webapp-production".

I couldn't find any more info in the docs on how to configure access other than this:

You should check the security configuration section. To access config maps from inside a pod you need to have the correct Kubernetes service accounts, roles and role bindings.

How can I grant the required permissions?

I would mount the file from the `configmap` into the pod and read the config in spring boot like a regular file. — Shmuel, Jun 02 '22 at 14:24
Yes @Shmuel I thought the same but that way I would lose the hot replace feature as far as I understood — Joaquín L. Robles, Jun 02 '22 at 14:25
this has nothing to do with spring per-se, it's RBAC rules of your cluster. — Eugene, Jul 07 '22 at 07:51

score 0 · Answer 1 · answered Jun 02 '22 at 14:43

Finally I got it solved by creating an specific ServiceAccount and setting the deployment template spec.serviceAccountName:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp-service-account
  namespace: webapp-production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webapp-cluster-role
  namespace: webapp-production
# Grant access to configmaps for external configuration
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webapp-cluster-role-binding
roleRef:
  kind: ClusterRole
  name: webapp-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: webapp-service-account
    namespace: webapp-production

Externalize configuration using ConfigMap with Spring Boot Kubernetes

1 Answers1