Merge branch 'main' into drop_old_leader_election_implementation

wind57 · wind57 · commit dd4678cd0e79 · 2026-02-24T18:29:04.000+02:00
diff --git a/docs/modules/ROOT/pages/property-source-config.adoc b/docs/modules/ROOT/pages/property-source-config.adoc
@@ -7,10 +7,14 @@ an `application-profile.properties` or `application-profile.yaml` file that cont
 application or Spring Boot starters. You can override these properties by specifying system properties or environment
 variables.
 
-To enable this functionality you need to set the `spring.config.import` application configuration property to `kubernetes:` (escape with quotes when using yaml eg. `"kubernetes:"`).
-Currently you can not specify a ConfigMap or Secret to load using `spring.config.import`, by default Spring Cloud Kubernetes
-will load a ConfigMap and/or Secret based on the `spring.application.name` property.  If `spring.application.name` is not set it will
-load a ConfigMap and/or Secret with the name `application`.
+To enable this functionality you need to set the `spring.config.import` application configuration property to `kubernetes:` (escape with quotes when using yaml eg. `"kubernetes:"`):
+
+[source]
+----
+spring:
+  config:
+    import: "kubernetes:"
+----
 
 If you would like to load Kubernetes ``PropertySource``s during the bootstrap phase like it worked prior to the 3.0.x release
 you can either add `spring-cloud-starter-bootstrap` to your application's classpath or set `spring.cloud.bootstrap.enabled=true`
diff --git a/docs/modules/ROOT/pages/property-source-config/configmap-propertysource.adoc b/docs/modules/ROOT/pages/property-source-config/configmap-propertysource.adoc
@@ -542,7 +542,6 @@ spring:
 
 NOTE: Since version `5.0.0`, `includeProfileSpecificSources` is only supported for named sources (`spring.cloud.kubernetes.sources.name=XXX`); support for labeled sources has been removed.
 
-
 Notice that just like before, there are two levels where you can specify this property: for all config maps or
 for individual ones; the latter having a higher priority.
 
@@ -566,7 +565,24 @@ and want to enable fail-fast, but do not want retry to be enabled; you can disab
 by setting `spring.cloud.kubernetes.config.retry.enabled=false`.
 
 
-NOTE: Since version `5.0.0`, we have introduced the possibility to read sources individually. Until now, we would go to the namespace and read all the configmaps / secrets available and then filter out the ones requested. Since `5.0.0-M3` you can specify that you want to read them individually, by setting the property: `spring.cloud.kubernetes.config.read-type=SINGLE`. The previous option to read them all in a namespace is controlled by `spring.cloud.kubernetes.config.read-type=BATCH` and it is the default option.
+NOTE: As of 5.0.0-M3, Spring Cloud Kubernetes introduces two modes for retrieving configuration:
+
+- BATCH (`spring.cloud.kubernetes.config.read-type=BATCH`) which is the Default mode: The framework retrieves all ConfigMaps and Secrets within a namespace before filtering. This requires broader RBAC permissions (Namespace-wide `List`).
+
+- SINGLE (`spring.cloud.kubernetes.config.read-type=SINGLE`): Resources are fetched individually by name. This reduces API overhead and allows for high-security, fine-grained RBAC.
+
+This enables you to restrict the service account to only see its own configuration:
+
+[source]
+----
+- apiGroups: [""]
+resources: ["configmaps"]
+verbs: ["get", "watch"] # 'list' is often no longer required at the namespace level
+resourceNames: ["<my_app_name>"]
+----
+
+RBAC rules using `resourceNames` are only compatible with `SINGLE` mode.
+
 
 .Properties:
 [options="header,footer"]
diff --git a/spring-cloud-kubernetes-client-config/src/main/java/org/springframework/cloud/kubernetes/client/config/KubernetesClientSourcesBatchRead.java b/spring-cloud-kubernetes-client-config/src/main/java/org/springframework/cloud/kubernetes/client/config/KubernetesClientSourcesBatchRead.java
@@ -17,12 +17,18 @@
 package org.springframework.cloud.kubernetes.client.config;
 
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.stream.Collectors;
 
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.apis.CoreV1Api;
+import io.kubernetes.client.openapi.models.V1ConfigMap;
+import io.kubernetes.client.openapi.models.V1Secret;
+import org.apache.commons.logging.LogFactory;
 
 import org.springframework.cloud.kubernetes.commons.config.StrippedSourceContainer;
+import org.springframework.core.log.LogAccessor;
 
 import static org.springframework.cloud.kubernetes.client.config.KubernetesClientConfigUtils.stripConfigMaps;
 import static org.springframework.cloud.kubernetes.client.config.KubernetesClientConfigUtils.stripSecrets;
@@ -35,6 +41,8 @@
  */
 public final class KubernetesClientSourcesBatchRead {
 
+	private static final LogAccessor LOG = new LogAccessor(LogFactory.getLog(KubernetesClientSourcesBatchRead.class));
+
 	private KubernetesClientSourcesBatchRead() {
 
 	}
@@ -77,4 +85,61 @@ static List<StrippedSourceContainer> strippedSecrets(CoreV1Api coreV1Api, String
 		});
 	}
 
+	/**
+	 * read secrets by labels, without caching them.
+	 */
+	static List<StrippedSourceContainer> strippedSecrets(CoreV1Api client, String namespace,
+			Map<String, String> labels) {
+
+		List<V1Secret> secrets;
+		try {
+			secrets = client.listNamespacedSecret(namespace).labelSelector(labelSelector(labels)).execute().getItems();
+		}
+		catch (ApiException e) {
+			throw new RuntimeException(e.getResponseBody(), e);
+		}
+		for (V1Secret secret : secrets) {
+			LOG.debug(() -> "Loaded secret '" + secret.getMetadata().getName() + "'");
+		}
+
+		List<StrippedSourceContainer> strippedSecrets = stripSecrets(secrets);
+		if (strippedSecrets.isEmpty()) {
+			LOG.debug(() -> "No secrets in namespace '" + namespace + "'");
+		}
+
+		return strippedSecrets;
+	}
+
+	/**
+	 * read configmaps by labels, without caching them.
+	 */
+	static List<StrippedSourceContainer> strippedConfigMaps(CoreV1Api client, String namespace,
+			Map<String, String> labels) {
+
+		List<V1ConfigMap> configMaps;
+		try {
+			configMaps = client.listNamespacedConfigMap(namespace)
+				.labelSelector(labelSelector(labels))
+				.execute()
+				.getItems();
+		}
+		catch (ApiException e) {
+			throw new RuntimeException(e.getResponseBody(), e);
+		}
+		for (V1ConfigMap configMap : configMaps) {
+			LOG.debug(() -> "Loaded config map '" + configMap.getMetadata().getName() + "'");
+		}
+
+		List<StrippedSourceContainer> strippedConfigMaps = stripConfigMaps(configMaps);
+		if (strippedConfigMaps.isEmpty()) {
+			LOG.debug(() -> "No configmaps in namespace '" + namespace + "'");
+		}
+
+		return strippedConfigMaps;
+	}
+
+	private static String labelSelector(Map<String, String> labels) {
+		return labels.entrySet().stream().map(en -> en.getKey() + "=" + en.getValue()).collect(Collectors.joining("&"));
+	}
+
 }
diff --git a/spring-cloud-kubernetes-client-config/src/main/java/org/springframework/cloud/kubernetes/client/config/KubernetesClientSourcesSingleRead.java b/spring-cloud-kubernetes-client-config/src/main/java/org/springframework/cloud/kubernetes/client/config/KubernetesClientSourcesSingleRead.java
@@ -19,8 +19,6 @@
 import java.util.ArrayList;
 import java.util.LinkedHashSet;
 import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
 
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.apis.CoreV1Api;
@@ -105,61 +103,4 @@ static List<StrippedSourceContainer> strippedSecrets(CoreV1Api client, String na
 		return strippedSecrets;
 	}
 
-	/**
-	 * read configmaps by labels, without caching them.
-	 */
-	static List<StrippedSourceContainer> strippedConfigMaps(CoreV1Api client, String namespace,
-			Map<String, String> labels) {
-
-		List<V1ConfigMap> configMaps;
-		try {
-			configMaps = client.listNamespacedConfigMap(namespace)
-				.labelSelector(labelSelector(labels))
-				.execute()
-				.getItems();
-		}
-		catch (ApiException e) {
-			throw new RuntimeException(e.getResponseBody(), e);
-		}
-		for (V1ConfigMap configMap : configMaps) {
-			LOG.debug(() -> "Loaded config map '" + configMap.getMetadata().getName() + "'");
-		}
-
-		List<StrippedSourceContainer> strippedConfigMaps = stripConfigMaps(configMaps);
-		if (strippedConfigMaps.isEmpty()) {
-			LOG.debug(() -> "No configmaps in namespace '" + namespace + "'");
-		}
-
-		return strippedConfigMaps;
-	}
-
-	/**
-	 * read secrets by labels, without caching them.
-	 */
-	static List<StrippedSourceContainer> strippedSecrets(CoreV1Api client, String namespace,
-			Map<String, String> labels) {
-
-		List<V1Secret> secrets;
-		try {
-			secrets = client.listNamespacedSecret(namespace).labelSelector(labelSelector(labels)).execute().getItems();
-		}
-		catch (ApiException e) {
-			throw new RuntimeException(e.getResponseBody(), e);
-		}
-		for (V1Secret secret : secrets) {
-			LOG.debug(() -> "Loaded secret '" + secret.getMetadata().getName() + "'");
-		}
-
-		List<StrippedSourceContainer> strippedSecrets = stripSecrets(secrets);
-		if (strippedSecrets.isEmpty()) {
-			LOG.debug(() -> "No secrets in namespace '" + namespace + "'");
-		}
-
-		return strippedSecrets;
-	}
-
-	private static String labelSelector(Map<String, String> labels) {
-		return labels.entrySet().stream().map(en -> en.getKey() + "=" + en.getValue()).collect(Collectors.joining("&"));
-	}
-
 }
diff --git a/spring-cloud-kubernetes-controllers/pom.xml b/spring-cloud-kubernetes-controllers/pom.xml
@@ -42,9 +42,6 @@
 					<groupId>org.springframework.boot</groupId>
 					<artifactId>spring-boot-maven-plugin</artifactId>
 					<configuration>
-						<buildpacks>
-							<buildpack>docker://paketobuildpacks/java:latest</buildpack>
-						</buildpacks>
 						<image>
 							<env>
 								<BP_SPRING_CLOUD_BINDINGS_DISABLED>true</BP_SPRING_CLOUD_BINDINGS_DISABLED>
diff --git a/spring-cloud-kubernetes-fabric8-config/src/main/java/org/springframework/cloud/kubernetes/fabric8/config/Fabric8SourcesBatchRead.java b/spring-cloud-kubernetes-fabric8-config/src/main/java/org/springframework/cloud/kubernetes/fabric8/config/Fabric8SourcesBatchRead.java
@@ -17,11 +17,16 @@
 package org.springframework.cloud.kubernetes.fabric8.config;
 
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+import io.fabric8.kubernetes.api.model.ConfigMap;
+import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.client.KubernetesClient;
+import org.apache.commons.logging.LogFactory;
 
 import org.springframework.cloud.kubernetes.commons.config.StrippedSourceContainer;
+import org.springframework.core.log.LogAccessor;
 
 import static org.springframework.cloud.kubernetes.fabric8.config.Fabric8ConfigUtils.stripConfigMaps;
 import static org.springframework.cloud.kubernetes.fabric8.config.Fabric8ConfigUtils.stripSecrets;
@@ -34,6 +39,8 @@
  */
 final class Fabric8SourcesBatchRead {
 
+	private static final LogAccessor LOG = new LogAccessor(LogFactory.getLog(Fabric8SourcesBatchRead.class));
+
 	private Fabric8SourcesBatchRead() {
 
 	}
@@ -64,4 +71,42 @@ static List<StrippedSourceContainer> strippedSecrets(KubernetesClient client, St
 				x -> stripSecrets(client.secrets().inNamespace(namespace).list().getItems()));
 	}
 
+	/**
+	 * read configmaps by labels, without caching them.
+	 */
+	static List<StrippedSourceContainer> strippedConfigMaps(KubernetesClient client, String namespace,
+			Map<String, String> labels) {
+
+		List<ConfigMap> configMaps = client.configMaps().inNamespace(namespace).withLabels(labels).list().getItems();
+		for (ConfigMap configMap : configMaps) {
+			LOG.debug(() -> "Loaded config map '" + configMap.getMetadata().getName() + "'");
+		}
+
+		List<StrippedSourceContainer> strippedConfigMaps = stripConfigMaps(configMaps);
+		if (strippedConfigMaps.isEmpty()) {
+			LOG.debug(() -> "No configmaps in namespace '" + namespace + "'");
+		}
+
+		return strippedConfigMaps;
+	}
+
+	/**
+	 * read secrets by labels, without caching them.
+	 */
+	static List<StrippedSourceContainer> strippedSecrets(KubernetesClient client, String namespace,
+			Map<String, String> labels) {
+
+		List<Secret> secrets = client.secrets().inNamespace(namespace).withLabels(labels).list().getItems();
+		for (Secret secret : secrets) {
+			LOG.debug(() -> "Loaded secret '" + secret.getMetadata().getName() + "'");
+		}
+
+		List<StrippedSourceContainer> strippedSecrets = stripSecrets(secrets);
+		if (strippedSecrets.isEmpty()) {
+			LOG.debug(() -> "No secrets in namespace '" + namespace + "'");
+		}
+
+		return strippedSecrets;
+	}
+
 }
diff --git a/spring-cloud-kubernetes-fabric8-config/src/main/java/org/springframework/cloud/kubernetes/fabric8/config/Fabric8SourcesSingleRead.java b/spring-cloud-kubernetes-fabric8-config/src/main/java/org/springframework/cloud/kubernetes/fabric8/config/Fabric8SourcesSingleRead.java
@@ -19,7 +19,6 @@
 import java.util.ArrayList;
 import java.util.LinkedHashSet;
 import java.util.List;
-import java.util.Map;
 
 import io.fabric8.kubernetes.api.model.ConfigMap;
 import io.fabric8.kubernetes.api.model.Secret;
@@ -95,42 +94,4 @@ static List<StrippedSourceContainer> strippedSecrets(KubernetesClient client, St
 		return strippedSecrets;
 	}
 
-	/**
-	 * read configmaps by labels, without caching them.
-	 */
-	static List<StrippedSourceContainer> strippedConfigMaps(KubernetesClient client, String namespace,
-			Map<String, String> labels) {
-
-		List<ConfigMap> configMaps = client.configMaps().inNamespace(namespace).withLabels(labels).list().getItems();
-		for (ConfigMap configMap : configMaps) {
-			LOG.debug(() -> "Loaded config map '" + configMap.getMetadata().getName() + "'");
-		}
-
-		List<StrippedSourceContainer> strippedConfigMaps = stripConfigMaps(configMaps);
-		if (strippedConfigMaps.isEmpty()) {
-			LOG.debug(() -> "No configmaps in namespace '" + namespace + "'");
-		}
-
-		return strippedConfigMaps;
-	}
-
-	/**
-	 * read secrets by labels, without caching them.
-	 */
-	static List<StrippedSourceContainer> strippedSecrets(KubernetesClient client, String namespace,
-			Map<String, String> labels) {
-
-		List<Secret> secrets = client.secrets().inNamespace(namespace).withLabels(labels).list().getItems();
-		for (Secret secret : secrets) {
-			LOG.debug(() -> "Loaded secret '" + secret.getMetadata().getName() + "'");
-		}
-
-		List<StrippedSourceContainer> strippedSecrets = stripSecrets(secrets);
-		if (strippedSecrets.isEmpty()) {
-			LOG.debug(() -> "No secrets in namespace '" + namespace + "'");
-		}
-
-		return strippedSecrets;
-	}
-
 }
diff --git a/spring-cloud-kubernetes-integration-tests/pom.xml b/spring-cloud-kubernetes-integration-tests/pom.xml
@@ -37,11 +37,8 @@
 						<env>
 							<BP_SPRING_CLOUD_BINDINGS_DISABLED>true</BP_SPRING_CLOUD_BINDINGS_DISABLED>
 						</env>
+						<name>docker.io/springcloud/${project.artifactId}:${project.version}</name>
 					</image>
-					<buildpacks>
-						<buildpack>docker://paketobuildpacks/java:latest</buildpack>
-					</buildpacks>
-					<imageName>docker.io/springcloud/${project.artifactId}:${project.version}</imageName>
 				</configuration>
 				<executions>
 					<execution>
diff --git a/spring-cloud-kubernetes-test-support/src/main/resources/current-images.txt b/spring-cloud-kubernetes-test-support/src/main/resources/current-images.txt
@@ -2,6 +2,6 @@ busybox:1.37.0
 istio/istioctl:1.27.3
 istio/proxyv2:1.27.3
 istio/pilot:1.27.3
-confluentinc/confluent-local:8.1.0
-rabbitmq:4.1.4-management
-wiremock/wiremock:3.13.1
+confluentinc/confluent-local:8.1.1
+rabbitmq:4.2.4-management
+wiremock/wiremock:3.13.2
