Spring Cloud for Azure starter App Configuration client library for Java
This package helps Spring Application to load properties from Azure Configuration Store.
Package (Maven) | Samples | Reference Documentation
Getting started
Prerequisites
- Java Development Kit (JDK) with version 8 or above
- Azure Subscription
- Maven 3.0 and above
Include the package
There are two libraries that can be used azure-spring-cloud-appconfiguration-config and azure-spring-cloud-appconfiguration-config-web. There are two differences between them the first being the web version takes on spring-web as a dependency, and the web version has various methods for refreshing configurations on a watch interval when the application is active. For more information on refresh see the Configuration Refresh section.
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-cloud-appconfiguration-config</artifactId>
<version>2.11.0</version>
</dependency>
or
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-cloud-appconfiguration-config-web</artifactId>
<version>2.11.0</version>
</dependency>
Key concepts
Azure App Configuration provides a service to centrally manage application settings and feature flags. Modern programs, especially programs running in a cloud, generally have many components that are distributed in nature. Spreading configuration settings across these components can lead to hard-to-troubleshoot errors during an application deployment. Use App Configuration to store all the settings for your application and secure their accesses in one place.
Examples
Please use this sample
as a reference for how to use this starter.
Supported properties
Name | Description | Required | Default |
---|---|---|---|
spring.cloud.azure.appconfiguration.stores | List of configuration stores from which to load configuration properties | Yes | true |
spring.cloud.azure.appconfiguration.enabled | Whether enable spring-cloud-azure-appconfiguration-config or not | No | true |
spring.cloud.azure.appconfiguration.refresh-interval | Amount of time, of type Duration, configurations are stored before a check can occur. | No | null |
spring.cloud.azure.appconfiguration.stores
is a list of stores, where each store follows the following format:
Name | Description | Required | Default |
---|---|---|---|
spring.cloud.azure.appconfiguration.stores[0].enabled | Whether the store will be loaded. | No | true |
spring.cloud.azure.appconfiguration.stores[0].fail-fast | Whether to throw a RuntimeException or not when failing to read from App Configuration during application start-up. If an exception does occur during startup when set to false the store is skipped. |
No | true |
spring.cloud.azure.appconfiguration.stores[0].selects[0].key-filter | The key pattern used to indicate which configuration(s) will be loaded. | No | /application/* |
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter | The label used to indicate which configuration(s) will be loaded. | No | ${spring.profiles.active} or if null \0 |
Configuration Store Authentication
Name | Description | Required | Default |
---|---|---|---|
spring.cloud.azure.appconfiguration.stores[0].endpoint | When the endpoint of an App Configuration store is specified, a managed identity or a token credential provided using AppConfigCredentialProvider will be used to connect to the App Configuration service. An IllegalArgumentException will be thrown if the endpoint and connection-string are specified at the same time. |
Conditional | null |
spring.cloud.azure.appconfiguration.stores[0].endpoints | When multiple replica endpoints of an App Configuration store are specified, a managed identity or a token credential provided using AppConfigCredentialProvider will be used to connect to the App Configuration service. Replica endpoints should be listed in priority order of connection. An IllegalArgumentException will be thrown if multiple authentication methods are provided. |
Conditional | null |
spring.cloud.azure.appconfiguration.stores[0].connection-string | When the connection-string of an App Configuration store is specified, HMAC authentication will be used to connect to the App Configuration service. An IllegalArgumentException will be thrown if the endpoint and connection-string are specified at the same time. |
Conditional | null |
spring.cloud.azure.appconfiguration.stores[0].managed-identity.client-id | Client id of the user assigned managed identity, only required when choosing to use user assigned managed identity on Azure | No | null |
spring.cloud.azure.appconfiguration.stores[0].monitoring
is a set of configurations dealing with refresh of configurations:
Name | Description | Required | Default |
---|---|---|---|
spring.cloud.azure.appconfiguration.stores[0].monitoring.enabled | Whether the configurations and feature flags will be re-loaded if a change is detected. | No | false |
spring.cloud.azure.appconfiguration.stores[0].monitoring.refresh-interval | Amount of time, of type Duration, configurations are stored before a check can occur. | No | 30s |
spring.cloud.azure.appconfiguration.stores[0].monitoring.feature-flag-refresh-interval | Amount of time, of type Duration, feature flags are stored before a check can occur. | No | 30s |
spring.cloud.azure.appconfiguration.stores[0].monitoring.triggers[0].key | A key that is watched for change via etag. If a change is detected on the key then a refresh of all configurations will be triggered. | Yes (If monitoring enabled) | null |
spring.cloud.azure.appconfiguration.stores[0].monitoring.triggers[0].label | The label of the key that is being watched for etag changes. | No | \0 |
spring.cloud.azure.appconfiguration.stores[0].monitoring.push-notification.primary-token.name | The name of a token used with Event Hub to trigger push based refresh. | No | null |
spring.cloud.azure.appconfiguration.stores[0].monitoring.push-notification.primary-token.secret | The secret value of a token used with Event Hub to trigger push based refresh. | No | null |
spring.cloud.azure.appconfiguration.stores[0].monitoring.push-notification.secondary-token.name | The name of a token used with Event Hub to trigger push based refresh. | No | null |
spring.cloud.azure.appconfiguration.stores[0].monitoring.push-notification.secondary-token.secret | The secret value of a token used with Event Hub to trigger push based refresh. | No | null |
spring.cloud.azure.appconfiguration.stores[x].feature-flags
is a set of configurations for the feature flags of the store:
Name | Description | Required | Default |
---|---|---|---|
spring.cloud.azure.appconfiguration.stores[0].feature-flags.enabled | Whether feature flags are loaded from the config store. | No | false |
spring.cloud.azure.appconfiguration.stores[0].feature-flags.label-filter | The label used to indicate which feature flags will be loaded. | No | \0 |
Advanced usage
Load from multiple configuration stores
If the application needs to load configuration properties from multiple stores, following configuration sample describes how the bootstrap.properties(or .yaml) can be configured.
spring.cloud.azure.appconfiguration.stores[0].connection-string=[first-store-connection-string]
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter=[my-label]
spring.cloud.azure.appconfiguration.stores[1].connection-string=[second-store-connection-string]
If duplicate keys exists for multiple stores, the last configuration store has the highest priority.
Load from multiple labels
If the application needs to load property values from multiple labels in the same configuration store, following configuration can be used:
spring.cloud.azure.appconfiguration.stores[0].connection-string=[first-store-connection-string]
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter=[my-label1]
spring.cloud.azure.appconfiguration.stores[0].selects[1].label-filter=[my-label2]
Multiple labels can be separated with comma, if duplicate keys exists for multiple labels, the last label has highest priority.
Spring Profiles
Spring Profiles are supported by automatically by being set as App Configuration Labels. Using the label filter configuration overrides profile use. To include Spring Profiles and labels:
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter=${spring.profiles.active},v1
If you need to use (No Label)
you need to do the following:
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter=,${spring.profiles.active}
where the empty value before the comma equals the \0
value.
and for yaml
spring:
cloud:
azure:
appconfiguration:
stores:
-
selects:
-
label-filter: ',${spring.profiles.active}'
Configuration Refresh
Configuration Refresh feature allows the application to load the latest property value from configuration store automatically, without restarting the application.
Changing a property key in the configuration store on Azure Portal, e.g., /application/config.message, log similar with below will be printed on the console.
INFO 17496 --- [TaskScheduler-1] o.s.c.e.event.RefreshEventListener : Refresh keys changed: [config.message]
The application now will be using the updated properties. By default, @ConfigurationProperties
annotated beans will be automatically refreshed. Use @RefreshScope
on beans which are required to be refreshed when properties are changed.
By default, all the keys following the pattern /application/*
with the label ${spring.profiles.active}
or when no Spring Profile is set (No Label)
is used. At least one watch key is required when monitoring is enabled.
spring.cloud.azure.appconfiguration.stores[0].monitoring.enabled=true
spring.cloud.azure.appconfiguration.stores[0].monitoring.triggers[0].key=[my-watched-key]
spring.cloud.azure.appconfiguration.stores[0].monitoring.triggers[0].label=[my-watched-label]
When using the web library, applications will attempt a refresh whenever a servlet request occurs after the watch interval time when monitoring is enabled.
In the console library calling refreshConfiguration on AppConfigurationRefresh
will result in a refresh if the watch interval has passed. The web library can also use this method along with servlet request method.
Push Based Refresh
The Web Provider can be connect to your Azure App Configuration store via an Azure Event Grid Web Hook to trigger a refresh event. By adding the Spring Actuator as a dependency you can add App Configuration Refresh as an exposed endpoint. There are two options appconfiguration-refresh and appconfiguration-refresh-bus. These endpoints work just like there counterparts refresh and refresh-bus, but have the required web hook authorization to work with Azure Event Grid. When needing to refresh multiple application instances azure-servicebus-jms-spring-boot-starter
needs to be setup to have the refresh triggered in all instances.
management.endpoints.web.exposure.include= appconfiguration-refresh, appconfiguration-refresh-bus
In addition a required query parameter has been added for security. No token name or value is set by default, but setting one is required in order to use the endpoints. It is suggested you set up your token value in Key Vault and add it to your store through a key vault reference. The values should be:
/application/spring.cloud.appconfiguration.stores[0].monitoring.push-notification.primary-token.name=[primary-token-name]
/application/spring.cloud.appconfiguration.stores[0].monitoring.push-notification.primary-token.secret=[primary-token-secret]
/application/spring.cloud.appconfiguration.stores[0].monitoring.push-notification.secondary-token.name=[secondary-token-name]
/application/spring.cloud.appconfiguration.stores[0].monitoring.push-notification.secondary-token.secret=[secondary-token-secret]
To setup the webhook open your app store and open the events tab. Select "+ Event Subscription". Set the name of your Event and select the Endpoint type of Web Hook. Select "Select an endpoint". You endpoint will be your look as following:
http://myApplication.azurewebsites.net/actuator/appconfiguration-refresh?myTokenName=mySecret
Your application will need to be up and running with token-name and token-secret set as Selecting Confirm Selection will validate the endpoint.
Note: This validation only happens on the creation/modification of the endpoint.
It is also highly recommended that filters are setup as otherwise a refresh will be triggered after every key creation and modification.
Failfast
Failfast feature decides whether throw RuntimeException or not when exception happens. If an exception does occur when false the store is skipped. Any store skipped on startup will be automatically skipped on Refresh. By default, failfast is enabled, it can be disabled with below configuration:
spring.cloud.azure.appconfiguration.stores[0].fail-fast=false
Placeholders in App Configuration
The values in App Configuration are filtered through the existing Environment when they are used. Placeholders can be used just like in application.properties
, but with the added benefit of support for key vault references. Example with kafka:
/application/app.name=MyApp
/application/app.description=${app.name} is configured with Azure App Configuration
Use Managed Identity to access App Configuration
Managed identity allows application to access Azure Active Directory protected resource on Azure.
In this library, Azure Identity SDK is used to access Azure App Configuration and optionally Azure Key Vault, for secrets. Only one method of authentication can be set at one time. When not using the AppConfigCredentialProvider and/or KeyVaultCredentialProvider the same authentication method is used for both App Configuration and Key Vault.
Follow the below steps to enable accessing App Configuration with managed identity:
Enable managed identities for the supported Azure services, for example, virtual machine or App Service, on which the application will be deployed.
Configure the Azure RBAC of your App Configuration store to grant access to the Azure service where your application is running. Select the App Configuration Data Reader. The App Configuration Data Owner role is not required but can be used if needed.
Configure bootstrap.properties(or .yaml) in the Spring Boot application.
The configuration store endpoint must be configured when connection-string
is empty. When using a User Assigned Id the value spring.cloud.azure.appconfiguration.managed-identity.client-id=[client-id]
must be set.
bootstrap.application
spring.cloud.azure.appconfiguration.stores[0].endpoint=[config-store-endpoint]
#If Using User Assigned Identity
spring.cloud.azure.appconfiguration.managed-identity.client-id=[client-id]
Token Credential Provider
Another method of authentication is using AppConfigCredentialProvider and/or KeyVaultCredentialProvider. By implementing either of these classes and providing and generating a @Bean of them will enable authentication through any method defined by the Java Azure SDK. The uri value is the endpoint/dns name of the connection service, so if needed different credentials can be used per config store/key vault.
public class MyCredentials implements AppConfigCredentialProvider, KeyVaultCredentialProvider {
@Override
public TokenCredential getAppConfigCredential(String uri) {
return buildCredential();
}
@Override
public TokenCredential getKeyVaultCredential(String uri) {
return buildCredential();
}
TokenCredential buildCredential() {
return new DefaultAzureCredentialBuilder().build();
}
}
Client Builder Customization
The service client builders used for connecting to App Configuration and Key Vault can be customized by implementing interfaces ConfigurationClientBuilderSetup
and SecretClientBuilderSetup
respectively. Generating and providing a @Bean
of them will update the default service client builders used in App Configuration SDK and Key Vault SDK. If necessary, the customization can be done per App Configuration store or Key Vault instance.
public interface ConfigurationClientBuilderSetup {
public void setup(ConfigurationClientBuilder builder, String endpoint);
}
public interface SecretClientBuilderSetup {
public void setup(SecretClientBuilder builder, String uri);
}
For example, the following implementation of MyClient
replaces the default HttpClient
with one using a proxy for all traffic to App Configuration and Key Vault.
public class MyClient implements ConfigurationClientBuilderSetup, SecretClientBuilderSetup {
@Override
public void setup(ConfigurationClientBuilder builder, String endpoint) {
builder.httpClient(buildHttpClient());
}
@Override
public void setup(SecretClientBuilder builder, String uri) {
builder.httpClient(buildHttpClient());
}
private HttpClient buildHttpClient() {
String hostname = System.getProperty("https.proxyHosts");
String portString = System.getProperty("https.proxyPort");
int port = Integer.valueOf(portString);
ProxyOptions proxyOptions = new ProxyOptions(ProxyOptions.Type.HTTP,
new InetSocketAddress(hostname, port));
return new NettyAsyncHttpClientBuilder()
.proxy(proxyOptions)
.build();
}
}
Troubleshooting
Logging setting
Please refer to spring logging document to get more information about logging.
Logging setting examples
- Example: Setting logging level of hibernate
logging.level.root=WARN
logging.level.org.springframework.web=DEBUG
logging.level.org.hibernate=ERROR
Next steps
The following section provide a sample project illustrating how to use the starter.
More sample code
- Azure App Configuration
- Azure App Configuration Conversation Complete
- Azure App Configuration Conversation Initial
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
Please follow instructions here to build from source or contribute.