Creating Spring client with Feign, SSL and Load Balancer

Is there any possibility to:

  • Connect Spring, Feign, any Load Balancer with working SSL together?
  • See any working example?
  • Read explanation about how features?


Solution 1:[1]

Spring Feign with SSL and Load Balancer

I couldn't find a comprehensive source of knowledge about creating a modern Spring client based on interfaces, without writing much boilerplate code. Now I have learned a lot and I want to share my little project about creating such a thing, without cracking your head against the wall, but let's start from the beginning.

Prerequisite

We need some features like:

  • Java 11 or higher.
  • Maven (3.6.3 is enough).
  • Spring (2.6.5 is my starter version).
  • Minimal knowledge about SSL.

TL;DR Gimme some code

You can download the whole project from this repository. All dependencies, files and configuration are included and ready to start as is. You just need to specify client, two instances of one kind and two of another API to see the proof of working load balancing. Just follow the instructions.

Introduction

Nowadays, we expect highly available, very efficient and complex infrastructure on many instances. Furthermore, everything should be encrypted over the HTTPS protocol, increasing the level of security. From hundreds of different libraries I decided to do something with Feign Client and check the possibilities.

Why Feign?

In my example I have used both implementations of Client to show differences in configuration, e.g. the way we can add a truststore to our API client. Probably the biggest pro is the fact that we can configure our clients totally dependant from themselves. In inner traffic, between our own components, we have the possibility to turn off SSL and set lower timeouts, quite the opposite to outer traffic with TLS and longer timeouts.

Configuration over Implementation

As I said, we have many implementations out of the box, ready to use with a little dose of magic. The default configuration gives us the possibility to attempt any endpoint at most 5 times when it fails to respond for any reason. We can simply change it by creating a @Bean in EndpointConfiguration.class. The most important thing is to bind our configuration with the appropriate @LoadBalancerClient and @FeignClient, because it's not a bean, thus we manually point at the configuration.

SSL

It is important to provide a truststore and build SSLContext/SSLFactory with TrustManager to work with SSL. We must override the default client with our proposition of Bean; of course we can inject any other bean by constructor. Alternatively we can use the default client and install the certificate in the JDK truststore or override javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. It is very useful to use the JVM argument -Djavax.net.debug=all during connection tests to check if our certificates are properly loaded and the connection ends up with success. Of course you should not keep the password in clear text format in your production environment. It is way better to keep an encrypted format of our secret and decrypt it during application start.

Load Balancer

The most important thing that I have done is the load balancer configuration with pointers to the service and configuration. We can decide the current load balancing strategy by defining a ReactorLoadBalancer<ServiceInstance> @Bean; the default one is round robin, and we can also choose the random way. Another challenge is to provide our instances of nodes to the load balancer. Every client should implement its own ServiceInstanceListSupplier with serviceId bound to the service name and a list of actual instances that specify host, port or protocol (HTTP/HTTPS).

All that glitters is not gold

Patience is the key to success. The Spring, Feign and Load Balancer specification is really good, but at this moment I have not seen a good working example with all those things linked up together. A lot of beans are marked as @ConditionalOnMissingBean, even with a combined property. It is a bit messy to see the current bean, especially the client, so you have to work with a debugger.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 KurdTt-
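
The truststore-backed SSLContext and the fixed HTTPS instance list described in the answer's SSL and Load Balancer sections, as an added example that is not code from the answer or its repository. The class name, host names, ports and the PKCS12 truststore format are assumptions, and the password is expected to come from the caller (for example a secret decrypted at startup). Registering the returned objects as beans in the configuration classes referenced by @FeignClient and @LoadBalancerClient is not shown.

```java
import feign.Client;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.cloud.client.DefaultServiceInstance;
import org.springframework.cloud.client.ServiceInstance;
import org.springframework.cloud.loadbalancer.core.ServiceInstanceListSupplier;
import reactor.core.publisher.Flux;

// Added example: class name, hosts and ports are placeholders, not the author's code.
public class ApiClientSupport {

    // Build a TLS context that trusts only the certificates in the given truststore.
    static SSLContext trustOnly(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // assumption: PKCS12 file
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    // Feign's default client with our socket factory. Passing null as the
    // HostnameVerifier keeps the JDK's default hostname verification.
    static Client feignClient(SSLContext ctx) {
        return new Client.Default(ctx.getSocketFactory(), null);
    }

    // Fixed list of HTTPS instances (secure = true) for one serviceId.
    static ServiceInstanceListSupplier instances(String serviceId) {
        List<ServiceInstance> nodes = List.of(
                new DefaultServiceInstance(serviceId + "-1", serviceId, "api-a.example.internal", 8443, true),
                new DefaultServiceInstance(serviceId + "-2", serviceId, "api-b.example.internal", 8443, true));
        return new ServiceInstanceListSupplier() {
            @Override public String getServiceId() { return serviceId; }
            @Override public Flux<List<ServiceInstance>> get() { return Flux.just(nodes); }
        };
    }
}
```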