Cannot disable api calls when only using secrets with path
Describe the bug
When mounting secrets from a path, there does not seem to be a way to disable calls made to the API server, even if they are not necessary to accomplish the task.
Excluding kubernetes discovery does not help:
implementation('org.springframework.cloud:spring-cloud-starter-kubernetes-config:1.1.7.RELEASE') {
    exclude group: 'org.springframework.cloud', module: 'spring-cloud-kubernetes-discovery'
}
or disabling any other feature and setting enable-api to false:
spring:
  application:
    name: systeminformer
  cloud:
    kubernetes:
      discovery:
        enabled: false
      reload:
        enabled: false
      secrets:
        paths: /etc/secrets/systeminformer-spc
        enabled: true
        enable-api: false
      enabled: true
      config:
        enabled: false
Calls will still be made to the API Server. This is an issue because
- These calls are not needed to load secrets from a volume path
- These calls will trigger useful runtime security monitoring:
Muting the alert on the monitoring tool would be bad practice as it would remove visibility into a useful security risk. Not muting the alert will flood potential real issues in a sea of false positives.
Overall, I am not sure if this is the intended behavior (still making calls to the API server despite the current configuration) or a bug. Either way, I think a way to disable any call from being made to the API server would be great.
Issue Analytics
- Created 3 years ago
- Comments: 21 (11 by maintainers)
Thanks guys. We have upgraded to Spring Boot 2.4, and spring.config.import with configtree works exactly as intended. Unfortunately, Spring Boot 2.4 removed support for bootstrap.properties, which we were using to load our vault/consul credentials. But that’s my problem to sort out; I’m sure there are docs somewhere.
Thanks again!
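The configtree approach mentioned in the comment above, sketched as an added example (not code from the issue or from the Spring Cloud Kubernetes project): Spring Boot reads the mounted files directly, and the pod runs without a service-account token. It assumes the Spring Cloud Kubernetes starter has been removed from the build and that the files come from a plain Secret volume; the secret name, image and the `db.password` file name are constructed placeholders.

```yaml
# Added example; values marked "assumed" are not from the issue.

# --- src/main/resources/application.yaml (Spring Boot 2.4+) ---
spring:
  application:
    name: systeminformer
  config:
    # Each file under this directory becomes a property named after the file,
    # e.g. /etc/secrets/systeminformer-spc/db.password -> db.password
    # (db.password is a constructed file name).
    import: "configtree:/etc/secrets/systeminformer-spc/"
---
# --- pod.yaml ---
apiVersion: v1
kind: Pod
metadata:
  name: systeminformer
spec:
  # No service-account token is mounted, so the workload holds
  # no credentials for the API server.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example/systeminformer:placeholder   # assumed
      volumeMounts:
        - name: app-secrets
          mountPath: /etc/secrets/systeminformer-spc
          readOnly: true
  volumes:
    - name: app-secrets
      secret:
        secretName: systeminformer-secrets   # assumed
```

With this layout, any API server request attributed to the workload in audit logs or runtime monitoring is unexpected by construction, so the alert does not need to be muted.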
I think that if you are going to do anything meaningful with Spring Cloud Kubernetes you are going to need to access the API server. I will close this for now, but welcome someone to convince me otherwise 😃