When you attach a Tanzu Cloud Foundry foundation as a data source in Tanzu Platform, SBOM and Spring properties data are automatically collected and sent to Tanzu Platform. You can view the collected data on Tanzu Platform hub in Applications > Business Applications and manage the applications on Tanzu Platform.
The data is grouped into unique business applications, which are mappings to the Cloud Foundry spaces or Kubernetes namespaces within the data source. To ensure that Tanzu Platform has the necessary data, you must first configure your Spring applications as follows:
For applications running in Kubernetes namespaces, to allow Tanzu Platform to create the application groupings and topology views and to ensure that Git properties and metrics are also discoverable, you must configure your Spring applications for the following:
For applications in Cloud Foundry spaces, to ensure that Git properties and metrics are also discoverable, you must configure your Spring applications for the following:
To information on how to configure your Git repository so that you can secure and manage the repository, see Manage and secure Git code repositories.
Verify that you set a value for the spring.application.name
or app.name
property in the application.properties
file of your Spring application.
During the Spring application discovery, the Kubernetes hub collector fetches the application name from the spring.application.name
property, if available. If the spring.application.name
property is not available, the hub collector fetches the application name from the app.name
property.
ImportantIf a Spring application on Kubernetes is not configured with any of these properties (
spring.application.name
orapp.name
), the Kubernetes hub collector does not create this application in the hub.
If the applications discovered are Spring-based Java applications, the hub collector can collect and enrich with more Spring-specific application dependencies (database, 3rd party service, etc) and properties from actuator responses. The actuator endpoint responses are also used to collect SBOM payload for further library security analysis and recommendations for fixes for CVEs. This is accomplished using the hub collector communicating to the Spring applications running in application instances within the application platform.
Add the Spring application Actuator.
```
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
</dependencies>
```
Enable the actuator endpoints by adding the management
and endpoint
sections into your application.yml
file.
Enable the info
endpoint.
management:
endpoints:
web:
exposure:
include: "info"
(Optional) Enable the health
endpoint to collect application health information.
management:
endpoints:
web:
exposure:
include: "info,health"
endpoint:
health:
show-details: ALWAYS
(Optional) Enable the env
endpoint to collect configuration properties, such as env:systemProperties#os:name
, env:systemProperties#os:version
, etc.
NoteThe hub does not collect sensitive data, such as secrets and passwords. For Spring applications on Kubernetes, connections to Spring apps and services are formed only if URLs of those apps are present in
application.properties
section of/env
endpoint.
management:
endpoints:
web:
exposure:
include: "info,env"
endpoint:
env:
show-values: ALWAYS
If you want the application discovery collection to also collect Git repository data, so that the application views in the hub show the Git properties of the applications, add the git commit id
plugin. The Git properties in the hub help you to correlate your application runtime to commits and understand what level of security (library CVE) compliance your Spring applications in your runtime environments have. In addition, you can also expose information about the Spring Boot and application versions.
NoteWithout the
git commit id
plugin, we cannot collect any Git properties and cannot show Git information for the application in the hub.
Add the git commit id
plugin into the plugins section of your pom.xml
file:
- For a Spring application 3.x:
```
<plugin>
<groupId>io.github.git-commit-id</groupId>
<artifactId>git-commit-id-maven-plugin</artifactId>
<configuration>
<verbose>true</verbose>
</configuration>
</plugin>
```
- For a Spring application 2.x:
```
<plugin>
<groupId>pl.project13.maven</groupId>
<artifactId>git-commit-id-plugin</artifactId>
</plugin>
```
Add the git commit id
plugin into the plugins section of your pom.xml
file:
For a Spring application 3.x:
<plugin>
<groupId>io.github.git-commit-id</groupId>
<artifactId>git-commit-id-maven-plugin</artifactId>
<configuration>
<verbose>true</verbose>
</configuration>
</plugin>
For a Spring application 2.x:
<plugin>
<groupId>pl.project13.maven</groupId>
<artifactId>git-commit-id-plugin</artifactId>
</plugin>
Add the following section in your application.yml
file to set up the actuator info
endpoint for collecting Git related information.
management:
info:
git:
mode: full
Add the following section in your application.yml
file to set up the actuator info
endpoint for collecting Spring Boot version, application version, and Java related information.
management:
info:
env:
enabled: true
java:
enabled: true
info:
app:
version: "@project.version@"
spring:
boot:
version: "@project.parent.version@"
If you want the application discovery collection to also collect SBOM data and enable CVE on library analysis, so that the application views in the hub show security libraries governance dashboards, add the CycloneDX plugin.
NoteWithout adding this plugin, we don’t collect any SBOM data and don’t show security libraries governance dashboards for the applications in the hub.
Add the CycloneDX plugin into your plugins section of your pom.xml
file:
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>2.7.1</version>
<executions>
<execution>
<phase>validate</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
<configuration>
<outputFormat>json</outputFormat>
<outputName>classes/bom</outputName>
</configuration>
</plugin>
Implement the following class required by the CycloneDX plugin.
import java.io.InputStream;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.actuate.info.InfoContributor;
import org.springframework.core.io.Resource;
import org.springframework.stereotype.Component;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import brave.internal.Nullable;
@Component
class CycloneDxInfoContributor implements InfoContributor, InitializingBean {
private final Resource bomFile;
private final ObjectMapper objectMapper = new ObjectMapper();
private @Nullable JsonNode bom;
CycloneDxInfoContributor(@Value("classpath:bom.json") Resource bomFile) {
this.bomFile = bomFile;
}
@Override
public void contribute(Info.Builder builder) {
if (bom != null) {
builder.withDetail("bom", bom);
}
}
@Override
public void afterPropertiesSet() throws Exception {
if (bomFile.exists()) {
try (InputStream is = bomFile.getInputStream()) {
this.bom = objectMapper.readTree(is);
}
}
}
}
Adding a micrometer library enables Spring Performance dashboards with JVM metrics and tracing data based RED metrics. When you enable micrometer library on your Spring applications binding to micrometer Wavefront registry, the hub uses Wavefront SDK format for spans for exporting from Spring applications.
NoteWithout enabling micrometer monitoring data, enabling only actuator in your Spring applications still helps the hub to discover application dependencies and properties but cannot ingest and populate Spring performance dashboards. The Performance charts on the application dashboards will be empty.
Import the Wavefront for Spring Boot Bill of Materials (BOM) to your project replacing VERSION
with the current version.
NoteMake sure that you follow the version compatibility matrix for your Spring Boot version and Wavefront for Spring versions. Following an incorrect compatibility matrix will lead to unexpected behaviors, such as the Performance tab not displaying.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.wavefront</groupId>
<artifactId>wavefront-spring-boot-bom</artifactId>
<version>VERSION</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Add the wavefront-spring-boot-starter
and micrometer-registry-wavefront
dependencies.
<dependency>
<groupId>com.wavefront</groupId>
<artifactId>wavefront-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-wavefront</artifactId>
<scope>runtime</scope>
</dependency>
Add the micrometer-tracing-bridge-brave
and micrometer-tracing-reporter-wavefront
dependencies to send trace data to Tanzu Platform hub.
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-tracing-bridge-brave</artifactId>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-tracing-reporter-wavefront</artifactId>
<scope>runtime</scope>
</dependency>
Configure Micrometer to send data to metrics collector.
For Spring applications running in a Tanzu Cloud Foundry foundation, add the following sections to your application.yml
:
NoteMost of the sections apply to Spring 3.x. The properties may be different if you are using 2.x.
management:
endpoints:
web:
exposure:
include: "info,...,metrics"
tracing:
sampling:
probability: 0.5 # NOTE: keep to less than 0.5. This is NOT a supported property for Spring 2.x
wavefront:
application:
name: my-application
service-name: my-service
custom-tags:
instance_guid: ${CF_INSTANCE_GUID}
api-token: 1111-23this-45is-678a-faketoken # this is a fake token since wavefront lib expects a token, though this is not used for authentication to collector for ingestion
uri: http://telegraf.hub-collector.service.internal:8765
For Spring applications running in a Kubernetes cluster, add the following section to your application.yml
:
wavefront:
application:
name: my-application
service-name: my-service
uri: ${TELEGRAF_URL:http://localhost:2878/} # The TELEGRAF_URL has to be the telegraf pod in the k8s cluster that needs to be exposed with 2878 port for inbound port open for micrometer to send data
The TELEGRAF_URL has to be the telegraf pod in the k8s cluster that needs to be exposed with 2878 port for inbound port open.
NoteYou might see some errors in the logs for the Wavefront backend. Ignore the errors.
I/O error on POST request for "https://wavefront.surf/api/v2/trial/spring-boot-autoconfigure": No subject alternative DNS name matching wavefront.surf found.;