The Enterprise Spring Boot Governance Starter library can be configured with the following properties.
Property | Description |
---|---|
tanzu.governance.test-mode | Null by default. Possible values: [once, per_request]. When unset or set to once, the library runs the tests once at startup and returns the same result going forward. When set to per_request, the library runs tests at startup and at every call to the /actuator/governance endpoint. |
tanzu.governance.fips.exit-on-failure | True by default. When true, the application runs validation tests at startup and shuts down if any tests fail; otherwise, it prints a warning message and continues. |
tanzu.governance.fips.config.bouncy-castle.enforce | True by default. When true, BouncyCastle is configured in FIPS mode and is set as the primary security provider in the application context. |
tanzu.governance.fips.config.bouncy-castle.provider-config | Null by default. Set to override the BouncyCastle FIPS provider's configuration. See the Bouncy Castle documentation, Section 2.3: Provider configuration, for accepted values. |
tanzu.governance.fips.config.server-tls.enforce | True by default. When true, the application configures the web server with FIPS default ciphers and protocols. Supports Tomcat and Netty. |
tanzu.governance.specs.skip | Empty by default. Comma-separated list of Spec IDs to skip when performing validations. |
Note that even if tanzu.governance.fips.exit-on-failure is set to false, your application may still fail to start if a rule is enforced (as it is by default) but the related configuration or beans are not available.
For example, to enforce server TLS, the application must have SSL configured in its application properties:
```yaml
server:
  ssl:
    enabled: true
    bundle: my-ssl-bundle
    # Or prior to Spring Boot 3.1 without the SSL bundle:
    key-alias: my-key
    key-store: classpath:certs/my-key-store.bks
    key-store-password: changeit
    key-password: changeit
    key-store-type: "BCFKS"
```
An application without a proper SSL configuration fails with a server startup error even with tanzu.governance.fips.exit-on-failure=false, because the enforcer cannot find available SSL settings in the application context. To bypass this error, you can set tanzu.governance.fips.config.server-tls.enforce to false.
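A pre-deployment check for the failure mode described above, as an added example that is not part of the library or its documentation: it applies the documented defaults to a flattened `application.properties` file and reports settings that cause a startup failure or weaken enforcement. The function names, the sample input, and the test for what counts as "SSL configured" are assumptions made for this example.

```python
P = "tanzu.governance."
DEFAULTS = {  # defaults as documented in the property table
    P + "fips.exit-on-failure": "true",
    P + "fips.config.bouncy-castle.enforce": "true",
    P + "fips.config.server-tls.enforce": "true",
    P + "specs.skip": "",
}

def parse_properties(text):
    """Parse application.properties-style text (key=value, '#' or '!' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (level, message) findings for the governance settings in props."""
    eff = {k: props.get(k, d) for k, d in DEFAULTS.items()}
    on = lambda key: eff[P + key].lower() == "true"
    # Assumption: "SSL configured" means server.ssl is not disabled and names
    # either a bundle or a key store, as in the page's YAML example.
    ssl_ready = (props.get("server.ssl.enabled", "true").lower() == "true"
                 and bool(props.get("server.ssl.bundle") or props.get("server.ssl.key-store")))
    findings = []
    if on("fips.config.server-tls.enforce"):
        if not ssl_ready:
            findings.append(("ERROR", "server-tls.enforce is on but server.ssl is not "
                             "configured: startup fails even with exit-on-failure=false"))
    else:
        findings.append(("WARN", "FIPS default ciphers and protocols are not enforced on the web server"))
    if not on("fips.config.bouncy-castle.enforce"):
        findings.append(("WARN", "BouncyCastle is not forced into FIPS mode"))
    if not on("fips.exit-on-failure"):
        findings.append(("WARN", "failed validation tests only print a warning"))
    skipped = [s.strip() for s in eff[P + "specs.skip"].split(",") if s.strip()]
    if skipped:
        findings.append(("WARN", "validations skipped for specs: " + ", ".join(skipped)))
    return findings

# Constructed sample input; the spec IDs are placeholders, not real Spec IDs.
SAMPLE = """
tanzu.governance.fips.exit-on-failure=false
tanzu.governance.specs.skip=EXAMPLE-SPEC-1, EXAMPLE-SPEC-2
"""

if __name__ == "__main__":
    for level, message in audit(parse_properties(SAMPLE)):
        print(f"{level}: {message}")
```

The check reads only literal keys in flattened form, so YAML files and alternative spellings accepted by Spring's relaxed binding need to be normalized first.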