When using the new configtree feature on a Kubernetes deployment, the symlinks used for the mounted config values end up as part of the property names.
..2020_09_08_21_05_59.625473532.mysql-password instead of mysql-password
With the following config:
spring.config.import=configtree:/workspace/config
And this file layout:
$ ls -al workspace/config
total 4
drwxrwxrwt 3 root root 120 Sep 8 21:10 .
drwxr-xr-x 1 cnb cnb 4096 Sep 8 21:10 ..
drwxr-xr-x 2 root root 80 Sep 8 21:10 ..2020_09_08_21_10_31.247996565
lrwxrwxrwx 1 root root 31 Sep 8 21:10 ..data -> ..2020_09_08_21_10_31.247996565
lrwxrwxrwx 1 root root 21 Sep 8 21:10 mysql-password -> ..data/mysql-password
lrwxrwxrwx 1 root root 26 Sep 8 21:10 mysql-root-password -> ..data/mysql-root-password
I end up with this property resource:
{
  "name": "Config tree '/workspace/./config'",
  "properties": {
    "..2020_09_08_21_05_59.625473532.mysql-password": {
      "value": "******",
      "origin": "path [/workspace/config/..2020_09_08_21_05_59.625473532/mysql-password]:1:1"
    },
    "..2020_09_08_21_05_59.625473532.mysql-root-password": {
      "value": "******",
      "origin": "path [/workspace/config/..2020_09_08_21_05_59.625473532/mysql-root-password]:1:1"
    }
  }
}
The secret was created using:
kubectl create secret generic mysql \
  --from-literal=mysql-root-password=$(echo $RANDOM) \
  --from-literal=mysql-password=$(echo $RANDOM)
And my deployment was:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: secret-demo
  name: secret-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: secret-demo
  template:
    metadata:
      labels:
        app.kubernetes.io/name: secret-demo
    spec:
      containers:
      - image: secret-demo:latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
          initialDelaySeconds: 10
          httpGet:
            path: /actuator/health/liveness
            port: 8080
        name: app
        env:
        - name: DEBUG
          value: 'true'
        ports:
        - containerPort: 8080
        readinessProbe:
          initialDelaySeconds: 5
          httpGet:
            path: /actuator/health/readiness
            port: 8080
        volumeMounts:
        - name: database
          mountPath: /workspace/config
          readOnly: true
      volumes:
      - name: database
        secret:
          secretName: mysql
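Added example, not part of the original report and not Spring Boot's code: a Python sketch that recreates the secret-volume layout from the ls -al listing above and compares a symlink-following recursive scan with one that skips the ".."-prefixed bookkeeping entries. The scanning strategy, the function names and the secret values are assumptions made for the illustration.

```python
import os
import tempfile

def make_secret_volume(root, secrets, stamp="..2020_09_08_21_10_31.247996565"):
    """Recreate the layout from the listing: real files live in a timestamped
    directory, reached through the ..data symlink (names taken from the report)."""
    os.mkdir(os.path.join(root, stamp))
    for key, value in secrets.items():
        with open(os.path.join(root, stamp, key), "w") as fh:
            fh.write(value)
        # key -> ..data/key, exactly as in the ls output
        os.symlink(os.path.join("..data", key), os.path.join(root, key))
    os.symlink(stamp, os.path.join(root, "..data"))

def scan(root, skip_hidden):
    """Map dotted property names to file contents, following symlinks.
    With skip_hidden=True, entries whose name starts with '..' are pruned."""
    props = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        if skip_hidden:
            dirnames[:] = [d for d in dirnames if not d.startswith("..")]
            filenames = [f for f in filenames if not f.startswith("..")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path) as fh:
                props[rel.replace(os.sep, ".")] = fh.read()
    return props

def demo():
    """Build the volume in a temp dir and return (naive, filtered) scans."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample values, not real credentials.
        make_secret_volume(root, {"mysql-password": "pw-1",
                                  "mysql-root-password": "pw-2"})
        return scan(root, skip_hidden=False), scan(root, skip_hidden=True)

if __name__ == "__main__":
    naive, filtered = demo()
    print("naive:   ", sorted(naive))
    print("filtered:", sorted(filtered))
```

The naive scan surfaces each secret three times, including under names that change on every secret rotation, while the filtered scan yields only the keys the secret was created with.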
Comment From: philwebb
Thanks. I'm pretty sure we have another issue already open for this but I can't seem to find it!
Comment From: bclozel
Sounds like #23160 but I don’t think it’s a duplicate.
Comment From: trisberg
Sample app I used to test - https://github.com/trisberg/secret-demo