Deploy and Secure Nacos Config Center on Huawei CCE & Kubernetes
This guide explains how to use Nacos as a centralized configuration center in Spring Boot micro‑services, covering common pitfalls of static configs, best‑practice namespace/group/DataId design, dependency setup, YAML examples, security annotations, role‑based access, Dockerfile tweaks, CCE deployment, database schema, and Kubernetes manifests for test and production environments.
Introduction: Nacos can be deployed as a DS‑type service in Huawei Cloud CCE containers to provide centralized configuration management for Spring Boot micro‑services, enabling real‑time updates, version control, and secure access.
Problems with traditional static configuration files:
Local static configs lack real‑time updates.
Risk of production incidents when test configs are mistakenly applied.
Missing audit, version control, and permission management makes it hard to trace changes or roll back.
Best practice naming:
Namespace – represents different environments (dev, test, prod).
Group – represents a project (e.g., logistics, education).
DataId – each application’s main configuration file.
Dependency for Spring Boot:
<dependency>
<groupId>com.alibaba.boot</groupId>
<artifactId>nacos-config-spring-boot-starter</artifactId>
<version>0.2.10</version>
</dependency>Sample application.yml configuration:
spring:
application:
name: demo # project name
profiles:
active: dev # activate environment
nacos:
config:
group: ${spring.application.name}
data-id: ${spring.application.name}-${spring.profiles.active}.yaml
bootstrap:
enable: true
log-enable: true
auto-refresh: true
type: YAML
username: nacos # set after enabling auth
password: nacosEnvironment‑specific YAML files (dev, test, prod) only need to set server-addr and namespace values.
Startup error troubleshooting: add @Primary to the thread‑pool configuration class.
Dynamic value injection:
// replace @Value
@NacosValue(value = "${jwt.header}", autoRefreshed = true)
// replace @ConfigurationProperties
@NacosConfigurationProperties(prefix = "template-config.auth", groupId = "${spring.application.name}", dataId = "${spring.application.name}-${spring.profiles.active}.yaml", autoRefreshed = true)Security management: assign users to namespaces so they can only view configurations of the designated environment; bind roles and permissions via the Nacos UI (images omitted).
Production integration steps:
Add the spring-cloud-starter-alibaba-nacos-config dependency.
Include the encryption library ismart-common-encryption if needed.
Update application.yml with Nacos server address, namespace, group, and encrypted credentials.
Dockerfile example (base image from Huawei Cloud Registry):
FROM swr.cn-north-1.myhuaweicloud.com/isoftstone2017/centos7-jdk8:20190425
EXPOSE 8086
WORKDIR /app
ADD conference/target/*.jar /app/conference.jar
ENTRYPOINT java -jar -Dspring.profiles.active=test -Dspring.application.name=conference -Dspring.config.location=/app/config/application.yml /app/conference.jarCCE public configuration (shared across all services) stores common Nacos connection parameters in a ConfigMap, allowing password changes in a single place.
spring:
application:
name: ${NACOS-NAME}
profiles:
active: ${NACOS-ACTIVE}
cloud:
nacos:
config:
server-addr: ${NACOS-SERVER:10.136.0.33:8848}
namespace: ${spring.application.name}
group: ${spring.profiles.active}
username: ${NACOS-USER:nacos}
password: ${NACOS-PASSWORD:PWD(...)}
file-extension: yaml
config:
import:
- optional:nacos:${spring.application.name}-${spring.profiles.active}.yamlOperational tasks in Nacos UI: add namespaces, create configuration files, modify passwords (plain or encrypted), and manage user roles.
Password encryption example (AES):
String content = "test11";
String key1 = UUID.randomUUID().toString().replaceAll("-", "").substring(0,16);
SymmetricCrypto aes = new SymmetricCrypto(SymmetricAlgorithm.AES, key1.getBytes(StandardCharsets.UTF_8));
String encryptHex = aes.encryptHex(content);
String result = key1 + encryptHex;
System.out.println("encryptHex = " + result);
// Use in config: password: ${NACOS-PASSWORD:PWD(encryptHex)}Database schema for Nacos (tables such as config_info, config_info_aggr, config_info_beta, config_info_tag, config_tags_relation, group_capacity, tenant_capacity, tenant_info, users, roles, permissions) is provided to illustrate the underlying storage structure.
Kubernetes deployment scripts (test and production) include Service, ConfigMap, and StatefulSet definitions with environment variables for MySQL connection, Nacos mode, server list, and authentication enable flag.
Common operational questions addressed:
Steps to integrate Nacos: add dependency, modify config files, update Dockerfile.
Switching environments by changing spring.profiles.active.
Role‑based access to specific application configs.
Ensuring only authorized personnel can modify configs in test and production.
Updating production Nacos password via shared config.
Using unencrypted passwords for quick local testing.
Failover handling by replacing application.yaml with a full config file.
Original article link: https://blog.51cto.com/u_11555417/9346050 (copyright belongs to the author).
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.