how to use spring boot admin in docker swarm - spring-boot-admin

Spring boot admin works fine if I run the spring boot app as an individual container under the same network.
How do I make it work for stack deployment or in swarm mode?
I tried creating a compose file with spring boot app and spring boot admin and changed the admin URL on app to localhost:8080(even tried with admin:8080, I know this will not work because the container name is no longer admin and compose creates a random name and container_name option is not supported in swarm mode), both admin and app started fine expect client is not registering with server. The problem will be the localhost:8080.
How do I fix this issue?

Try using spring.boot.admin.client.prefer-ip=true and the client will use the ip and not hostname in url. Also ensure clients can reach the server and vice versa.

Setting prefer-ip to true does not work either. The internal IP can change with each deployment.

Related

Redirection from Apache Superset to other services on the same VM

I have a docker image running instance of Apache Superset and some other services on the same VM. The other services are setup and deployed independently from the Superset app. What I would like to do is to be able to redirect via url from the Superset app into the other apps. Obviously simply passing url will redirect me inside the container.
The optimal solution would not require me to include the other services into docker container and also allow for some cross service authentication.
I'm not sure how to approach this.
Please help.

Geoserver Admin UI Behind Spring Cloud Gateway Not Working As Expected

I'm working on moving our Geoserver 2.15.4 instance behind a Spring Cloud Gateway instance. These are all running in a standalone Docker instance on a local server. I've been able to get the requests for map data working fine. However the Admin interface is not functioning correctly. I can bring up the login page, but when I try to log in, it's not maintaining the route from the reverse proxy.
So instead of POSTing to https://HOST/geoserver-admin/xxxx, it's going to https://HOST/xxxx, which is failing.
My assumption is that I'll be able to pick up the X-Forwarded-* headers from the proxy, but what I can't figure out is how to update Tomcat and/or Geoserver configuration to pick up these headers.
Thanks!

How to add security to run Ignite Web Console in k8s

I am running Ignite Web Console and Web Agent in k8s v1.9, but connection fails when using security - works fine without security. I am able to access Ignite REST API by passing 'X-Signature' value in Header using Postman, but see no way to do this through the Web Console. Same with dBeaver.
Web Console do not support connection to secured cluster.
I created issue: IGNITE-8428 Web Console: Support connect to secured cluster.
You can track it.

Recommended way to connect cloud foundry to mongodb atlas

I've got a spring boot app which is connected to mongodb atlas.
Everything is working locally.
I now want to publish this to pivotal cloud foundry.
Secure connection between PCF and atlas
In mongodb atlas I need to open up the firewall an allow certain ip numbers.
How should I configure mongodb atlas to connect to pcf in the most secure way?
Autoconfigure getting in the way
cloud foundry is overriding my connection urls to point to localhost:27017 instead of my atlas cluster.
What is the recommended way to connect to mongodb atlas?
In mongodb atlas I need to open up the firewall an allow certain ip numbers. How should I configure mongodb atlas to connect to pcf in the most secure way?
White listing IP addresses for applications that run on CF is not particularly effective. The reason it's not effective is that you don't know the IP address from which you'll be connecting, because it depends on where Diego decides to run your application. In other words, it depends on the cell where your application is told to run. To compound matters, that will change when you restart / restage your application.
Because the IP can vary, what you end up needing to do is white list all of your Cells. The problem with this and why it's not effective is that you've ended up white listing every app running on the platform.
What you can do to improve the security a bit is to make use of application security groups. ASG's can be used to limit outgoing traffic. You can also control them at the space level. That means you can configure your default running security group to not allow access to your MongoDb server, but you can allow access for individual spaces by binding an ASG to only those spaces with apps that need to talk to your MongoDb servers.
The downside of this approach is that it requires you to be a platform administrator, which means it will only work if you own your CF installation (not going to work for public providers).
More on ASG's here: https://docs.cloudfoundry.org/adminguide/app-sec-groups.html
For public providers, you can use a proxy. To make this work, you need to have your application configured to talk through a proxy when it attempts to access your Mongodb servers. You control the proxies, which have fixed IPs, so you can white list the proxies to allow access to just your app. If you don't want to run your own proxy servers, there are public proxy providers that you can use.
cloud foundry is overriding my connection urls to point to localhost:27017 instead of my atlas cluster. What is the recommended way to connect to mongodb atlas?
It's possible to disable auto configuration. One way is described in the docs here. If you include the Spring Cloud Connectors dependencies and use them manually, then the auto configuration will not run.
https://docs.cloudfoundry.org/buildpacks/java/spring-service-bindings.html#manual
The other option is to tell the Java build pack not to install the auto configuration. You can do that by setting the following environment variable for your application, either with cf set-env or via a manifest.yml file.
Ex: JBP_CONFIG_SPRING_AUTO_RECONFIGURATION='[enabled: false]'
Be careful if you do this as it will disable everything provided by the auto reconfiguration, which includes setting the "cloud" profile for your app. If you use this option to disable auto reconfiguration, you'll probably also want to set SPRING_PROFILES_ACTIVE='cloud' to manually enable the cloud profile.
I suppose your other option is to simply embrace the auto configuration. It's a little confusing / magical at first, but I've found this article to explain it very well.
https://spring.io/blog/2015/04/27/binding-to-data-services-with-spring-boot-in-cloud-foundry
Hope that helps!

Enabling remote access to Keycloak

I'm using the Keycloak authorization server in order to manage my application permissions. However, I've found out the standalone server can be accessed locally only.
http://localhost:8080/auth works, but not it does http://myhostname:8080/auth. This issue doesn't permit accessing the server from the internal network.
The standalone Keycloak server runs on the top of a JBoss Wildfly instance and this server doesn't allow accessing it externally by default, for security reasons (it should be only for the administration console, but seems to affect every url in case of Keycloak). It has to be booted with the -b=0.0.0.0 option to enable it.
However, if your Wildfly is running on a remote machine and you try to
access your administrative page through the network by it’s IP address
or hostname, let’s say, at http://54.94.240.170:8080/, you will
probably see a graceful This webpage is not available error, in
another words, Wildfly said “No, thanks, I’m not allowing requests
from another guys than the ones at my local machine”.
See also:
Enable Wildfly remote access
Wildfly remotely access administration console doesnt work
you can start keycloak server with this command
standalone.bat -b 0.0.0.0
For anyone who happens by here now, I found this in the documentation for Keycloak 8:
Users can interact with Keycloak without SSL so long as they stick to
private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x,
and 172.16.x.x. If you try to access Keycloak without SSL from a
non-private IP address you will get an error.
This is how you can disable it from the admin console, just click on your realm, and make the mentioned option.
Note: Don't forget the following
standalone.bat -b 0.0.0.0