feat(spring-boot): consideration of "ssl.enabled" properties to enable liveness/readiness probe for Spring Boot Actuator (3807)

feat(spring-boot): Consideration of ssl.enabled properties to enable liveness/readiness probe for Spring Boot Actuator
---
feat(spring-boot): Update changelog
---
feat(spring-boot): Update spring boot docs
---
feat(spring-boot): Update spring boot docs
---
Merge branch 'master' into feat-spring-boot-ssl

Author: ash-thakur-rh

CHANGELOG.md

@@ -27,6 +27,7 @@ Usage:
 * Fix #2286: Remove Guava dependency where ever possible
 * Fix #3809: Actuator liveness and readiness probe not getting generated with Spring boot 4.x.x
 * Fix #3707: Setting readOnly flag in VolumeConfig has no effect
+* Fix #1458: Consideration of "ssl.enabled" properties to enable liveness/readiness probe for Spring Boot Actuator
 
 ### 1.18.2 (2025-11-03)
 * Fix #3750: Remove unneeded XMLUtil.createNewDocument method

jkube-kit/common/src/main/java/org/eclipse/jkube/kit/common/util/SpringBootConfiguration.java

@@ -31,6 +31,8 @@ public class SpringBootConfiguration {
   private String serverKeystore;
   private String managementKeystore;
   private String servletPath;
+  private boolean serverSslEnabled;
+  private boolean managementSslEnabled;
   private String serverContextPath;
   private String managementContextPath;
   private String actuatorBasePath;
@@ -54,27 +56,40 @@ public static SpringBootConfiguration from(JavaProject project) {
       .orElse(1);
     final SpringBootConfiguration.SpringBootConfigurationBuilder configBuilder = SpringBootConfiguration.builder();
     // Spring Boot 1 and common properties
+    final String serverKeystore = properties.getProperty("server.ssl.key-store");
+    final String managementKeystore = properties.getProperty("management.ssl.key-store");
+
     configBuilder
       .managementPort(Optional.ofNullable(properties.getProperty("management.port")).map(Integer::parseInt).orElse(null))
       .serverPort(Integer.parseInt(properties.getProperty("server.port", DEFAULT_SERVER_PORT)))
-      .serverKeystore(properties.getProperty("server.ssl.key-store"))
+      .serverKeystore(serverKeystore)
       .managementHealthProbesEnabled(Boolean.parseBoolean(properties.getProperty("management.health.probes.enabled")))
-      .managementKeystore(properties.getProperty("management.ssl.key-store"))
+      .managementKeystore(managementKeystore)
       .servletPath(properties.getProperty("server.servlet-path"))
       .serverContextPath(properties.getProperty("server.context-path"))
       .managementContextPath(properties.getProperty("management.context-path"))
       .actuatorBasePath("")
       .actuatorDefaultBasePath("")
-      .webFluxBasePath(properties.getProperty("spring.webflux.base-path"));
+      .webFluxBasePath(properties.getProperty("spring.webflux.base-path"))
+      .serverSslEnabled(Optional.ofNullable(properties.getProperty("server.ssl.enabled"))
+        .map(Boolean::parseBoolean)
+        .orElse(serverKeystore != null))
+      .managementSslEnabled(Optional.ofNullable(properties.getProperty("management.ssl.enabled"))
+        .map(Boolean::parseBoolean)
+        .orElse(managementKeystore != null));
     if (majorVersion > 1) {
+      final String managementServerKeystore = properties.getProperty("management.server.ssl.key-store");
       configBuilder
         .managementPort(Optional.ofNullable(properties.getProperty("management.server.port")).map(Integer::parseInt).orElse(null))
-        .managementKeystore(properties.getProperty("management.server.ssl.key-store"))
+        .managementKeystore(managementServerKeystore)
         .servletPath(properties.getProperty("server.servlet.path"))
         .serverContextPath(properties.getProperty("server.servlet.context-path"))
         .managementContextPath(properties.getProperty("management.server.servlet.context-path"))
         .actuatorBasePath(properties.getProperty("management.endpoints.web.base-path"))
-        .actuatorDefaultBasePath("/actuator");
+        .actuatorDefaultBasePath("/actuator")
+        .managementSslEnabled(Optional.ofNullable(properties.getProperty("management.server.ssl.enabled"))
+          .map(Boolean::parseBoolean)
+          .orElse(managementServerKeystore != null));
     }
     if (majorVersion == 3) {
       configBuilder

jkube-kit/common/src/test/java/org/eclipse/jkube/kit/common/util/SpringBootConfigurationTest.java

@@ -54,6 +54,9 @@ void setUp(@TempDir Path target) throws IOException {
     properties.put("management.context-path", "management.context-path");
     properties.put("management.server.servlet.context-path", "management.server.servlet.context-path");
     properties.put("management.endpoints.web.base-path", "management.endpoints.web.base-path");
+    properties.put("server.ssl.enabled", "true");
+    properties.put("management.ssl.enabled", "true");
+    properties.put("management.server.ssl.enabled", "true");
     try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
       properties.store(fos, null);
     }
@@ -134,6 +137,99 @@ void getActuatorBasePath() {
     void getActuatorDefaultBasePath() {
       assertThat(springBootConfiguration.getActuatorDefaultBasePath()).isEqualTo("/actuator");
     }
+
+    @Test
+    @DisplayName("isServerSslEnabled returns true when server.ssl.enabled is true")
+    void isServerSslEnabled_whenExplicitlyTrue() {
+      assertThat(springBootConfiguration.isServerSslEnabled()).isTrue();
+    }
+
+    @Test
+    @DisplayName("isManagementSslEnabled returns true when management.server.ssl.enabled is true")
+    void isManagementSslEnabled_whenExplicitlyTrue() {
+      assertThat(springBootConfiguration.isManagementSslEnabled()).isTrue();
+    }
+
+    @Test
+    @DisplayName("isServerSslEnabled defaults to true when keystore configured and ssl.enabled not set")
+    void isServerSslEnabled_defaultsToTrueWithKeystore(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("server.ssl.key-store", "keystore.jks");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("3.0")
+          .build())
+        .build());
+      assertThat(config.isServerSslEnabled()).isTrue();
+    }
+
+    @Test
+    @DisplayName("isServerSslEnabled returns false when server.ssl.enabled is false")
+    void isServerSslEnabled_whenExplicitlyFalse(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("server.ssl.key-store", "keystore.jks");
+      properties.put("server.ssl.enabled", "false");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("3.0")
+          .build())
+        .build());
+      assertThat(config.isServerSslEnabled()).isFalse();
+    }
+
+    @Test
+    @DisplayName("isManagementSslEnabled returns false when management.server.ssl.enabled is false")
+    void isManagementSslEnabled_whenExplicitlyFalse(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("management.server.ssl.key-store", "keystore.jks");
+      properties.put("management.server.ssl.enabled", "false");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("3.0")
+          .build())
+        .build());
+      assertThat(config.isManagementSslEnabled()).isFalse();
+    }
+
+    @Test
+    @DisplayName("isServerSslEnabled defaults to false when no keystore and ssl.enabled not set")
+    void isServerSslEnabled_defaultsToFalseWithoutKeystore(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("3.0")
+          .build())
+        .build());
+      assertThat(config.isServerSslEnabled()).isFalse();
+    }
   }
 
   @Nested
@@ -207,6 +303,60 @@ void getActuatorBasePath() {
     void getActuatorDefaultBasePath() {
       assertThat(springBootConfiguration.getActuatorDefaultBasePath()).isEqualTo("/actuator");
     }
+
+    @Test
+    @DisplayName("isServerSslEnabled returns true when server.ssl.enabled is true")
+    void isServerSslEnabled_whenExplicitlyTrue() {
+      assertThat(springBootConfiguration.isServerSslEnabled()).isTrue();
+    }
+
+    @Test
+    @DisplayName("isManagementSslEnabled returns true when management.server.ssl.enabled is true")
+    void isManagementSslEnabled_whenExplicitlyTrue() {
+      assertThat(springBootConfiguration.isManagementSslEnabled()).isTrue();
+    }
+
+    @Test
+    @DisplayName("isServerSslEnabled returns false when server.ssl.enabled is false")
+    void isServerSslEnabled_whenExplicitlyFalse(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("server.ssl.key-store", "keystore.jks");
+      properties.put("server.ssl.enabled", "false");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("2.0")
+          .build())
+        .build());
+      assertThat(config.isServerSslEnabled()).isFalse();
+    }
+
+    @Test
+    @DisplayName("isManagementSslEnabled returns false when management.server.ssl.enabled is false")
+    void isManagementSslEnabled_whenExplicitlyFalse(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("management.server.ssl.key-store", "keystore.jks");
+      properties.put("management.server.ssl.enabled", "false");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("2.0")
+          .build())
+        .build());
+      assertThat(config.isManagementSslEnabled()).isFalse();
+    }
   }
 
   @Nested
@@ -351,5 +501,61 @@ void getActuatorDefaultBasePath(String version) {
       assertThat(springBootConfiguration.getActuatorDefaultBasePath()).
         isEmpty();
     }
+
+    @ParameterizedTest(name = "{0}")
+    @ValueSource(strings = {"1.0", "undefined"})
+    @DisplayName("isServerSslEnabled returns true when ssl.enabled is true (Spring Boot 1)")
+    void isServerSslEnabled_whenExplicitlyTrue(String version) {
+      springBootConfiguration = SpringBootConfiguration.from(project.toBuilder()
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version(version)
+          .build())
+        .build());
+      assertThat(springBootConfiguration.isServerSslEnabled()).isTrue();
+    }
+
+    @Test
+    @DisplayName("isManagementSslEnabled uses management.ssl.enabled property (Spring Boot 1)")
+    void isManagementSslEnabled_withManagementSslEnabled(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("management.ssl.key-store", "keystore.jks");
+      properties.put("management.ssl.enabled", "false");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("1.0")
+          .build())
+        .build());
+      assertThat(config.isManagementSslEnabled()).isFalse();
+    }
+
+    @Test
+    @DisplayName("isServerSslEnabled returns false when server.ssl.enabled is false (Spring Boot 1)")
+    void isServerSslEnabled_whenExplicitlyFalse(@TempDir Path target) throws IOException {
+      final Properties properties = new Properties();
+      properties.put("server.ssl.key-store", "keystore.jks");
+      properties.put("server.ssl.enabled", "false");
+      try (OutputStream fos = Files.newOutputStream(target.resolve("application.properties"))) {
+        properties.store(fos, null);
+      }
+      SpringBootConfiguration config = SpringBootConfiguration.from(JavaProject.builder()
+        .properties(properties)
+        .outputDirectory(target.toFile())
+        .dependency(Dependency.builder()
+          .groupId("org.springframework.boot")
+          .artifactId("spring-boot")
+          .version("1.0")
+          .build())
+        .build());
+      assertThat(config.isServerSslEnabled()).isFalse();
+    }
   }
 }

jkube-kit/doc/src/main/asciidoc/inc/enricher/spring-boot-healthcheck/_jkube_healthcheck_spring_boot.adoc

@@ -24,8 +24,18 @@ If the user has enabled the `management.health.probes.enabled` property this Enr
 management.health.probes.enabled=true
 ----
 
-The port number is read from the `management.port` option, and will use the default value of `8080`
-The scheme will use HTTPS if `server.ssl.key-store` option is in use, and fallback to use `HTTP` otherwise.
+The port number is read from the `management.port` (Spring Boot 1) or `management.server.port` (Spring Boot 2+) option, and will use the default value of `8080`.
+
+The probe scheme (`http` or `https`) is determined as follows:
+
+* For probes targeting the management port:
+** If `management.server.ssl.enabled` (Spring Boot 2+) or `management.ssl.enabled` (Spring Boot 1) is explicitly set, this value determines whether HTTPS is used
+** Otherwise, HTTPS is used if `management.server.ssl.key-store` (Spring Boot 2+) or `management.ssl.key-store` (Spring Boot 1) is configured
+* For probes targeting the server port:
+** If `server.ssl.enabled` is explicitly set, this value determines whether HTTPS is used
+** Otherwise, HTTPS is used if `server.ssl.key-store` is configured
+
+This allows you to disable SSL for health probes even when a keystore is configured by setting the appropriate `ssl.enabled` property to `false`.
 
 The enricher will use the following settings by default:
 

jkube-kit/doc/src/main/asciidoc/inc/generator/_spring_boot.adoc

@@ -23,7 +23,17 @@ Beside the  <<generator-options-common, common generator options>> and the <<gen
 |===
 
 The generator adds Kubernetes liveness and readiness probes pointing to either the management or server port as read from the `application.properties`.
-If the `management.port` (for Spring Boot 1) or `management.server.port` (for Spring Boot 2) and `management.ssl.key-store` (for Spring Boot 1) or `management.server.ssl.key-store` (for Spring Boot 2) properties are set in `application.properties` otherwise or `server.ssl.key-store` property is set in `application.properties` then the probes are automatically set to use `https`.
+
+The probe scheme (`http` or `https`) is determined as follows:
+
+* For probes targeting the management port:
+** If `management.server.ssl.enabled` (Spring Boot 2+) or `management.ssl.enabled` (Spring Boot 1) is explicitly set, this value determines whether HTTPS is used
+** Otherwise, HTTPS is used if `management.server.ssl.key-store` (Spring Boot 2+) or `management.ssl.key-store` (Spring Boot 1) is configured
+* For probes targeting the server port:
+** If `server.ssl.enabled` is explicitly set, this value determines whether HTTPS is used
+** Otherwise, HTTPS is used if `server.ssl.key-store` is configured
+
+This allows you to disable SSL for health probes even when a keystore is configured by setting the appropriate `ssl.enabled` property to `false`.
 
 ifeval::["{plugin-type}" == "maven"]
 The generator works differently when called together with `{goal-prefix}:watch`.

jkube-kit/jkube-kit-spring-boot/src/main/java/org/eclipse/jkube/springboot/enricher/SpringBootHealthCheckEnricher.java

@@ -127,11 +127,11 @@ protected Probe buildProbe(Integer initialDelay, Integer period, Integer timeout
         String scheme;
         String prefix;
         if (usingManagementPort) {
-            scheme = StringUtils.isNotBlank(springBootConfiguration.getManagementKeystore()) ? SCHEME_HTTPS : SCHEME_HTTP;
+            scheme = StringUtils.isNotBlank(springBootConfiguration.getManagementKeystore()) && springBootConfiguration.isManagementSslEnabled() ? SCHEME_HTTPS : SCHEME_HTTP;
             prefix = StringUtils.isNotBlank(springBootConfiguration.getManagementContextPath()) ?
               springBootConfiguration.getManagementContextPath() : "";
         } else {
-            scheme = StringUtils.isNotBlank(springBootConfiguration.getServerKeystore()) ? SCHEME_HTTPS : SCHEME_HTTP;
+            scheme = StringUtils.isNotBlank(springBootConfiguration.getServerKeystore()) && springBootConfiguration.isServerSslEnabled() ? SCHEME_HTTPS : SCHEME_HTTP;
             if (hasSpringWebFluxDependency(getContext().getProject()) && StringUtils.isNotBlank(springBootConfiguration.getWebFluxBasePath())) {
                 prefix = springBootConfiguration.getWebFluxBasePath();
             } else if (StringUtils.isNotBlank(springBootConfiguration.getServerContextPath())) {

jkube-kit/jkube-kit-spring-boot/src/main/java/org/eclipse/jkube/springboot/watcher/SpringBootWatcher.java

@@ -105,7 +105,7 @@ String getPortForwardUrl(NamespacedKubernetesClient kubernetes, final Collection
         int containerPort = springBootConfiguration.getServerPort();
         portForwardService.forwardPortAsync(kubernetes, selector, containerPort, localPort);
 
-        String scheme = StringUtils.isNotBlank(springBootConfiguration.getServerKeystore()) ?
+        String scheme = StringUtils.isNotBlank(springBootConfiguration.getServerKeystore()) && springBootConfiguration.isServerSslEnabled() ?
           "https://" : "http://";
         String contextPath = StringUtils.isNotBlank(springBootConfiguration.getServerContextPath()) ?
           springBootConfiguration.getServerContextPath() : "";