Use ConfigServer for Passwords Management (Optional)

Password management in your application is up to you. One option is to use ConfigServer (https://pricefx.atlassian.net/wiki/spaces/INTG/pages/2513666473), which handles the passwords for you. However, this server resides in the Pricefx network, so it adds another layer of complexity and requires access to it.

Step 1 – Create Data Repository

Create a data repository in GitLab. The repository has to be in the integration group and its name has to start with the prefix config-server-data-*, e.g. config-server-data-trane.

Step 2 – Assign Permission

Add a permission to the pmconfig user.

The permission is required so that the config-server can fetch the repository data via this pmconfig user.

Step 3 – Create Branch

Create a branch im and switch to it.

The im branch is required to properly supply application defaults. You may operate on a different branch, but you will not have centrally managed default values.

Step 4 – Create Properties

Create property files with properties and (optionally) encrypt them.

Create property files as needed. Create them in the root folder using the standard Spring naming application-<profile>, e.g. application.properties, application-dev.properties, etc.

For details on adding properties see https://pricefx.atlassian.net/wiki/spaces/INTG/pages/2514583782.

Your profiles must match the default qa and prod, otherwise you will not get the defaults.

For example, if you use the profile production (and store corresponding application-production.properties), you can fetch your configuration, but not the default (kafka, logstash).

Step 4b – Encryption (Optional)

If you feel the need for encryption of properties, follow the steps mentioned in https://pricefx.atlassian.net/wiki/spaces/INTG/pages/2513633602/Repository#Encryption.

Step 5 – Create User

Have a unique user for the application created.

Right now your repository is accessible by the config-server under the admin user. However, exposing the admin user in your configuration is not recommended for security reasons (attackers might get access to different repositories and confidential data).

Write to @Michal Štěpán from the Platform team with a request:

  • I need a config-server user XXX with a password YYY (or generate a new one), which will be able to fetch configuration of the application ZZZ.

  • This step requires restart of the config-server so it may take some time.

  • The user is shared in both QA and PROD instances.

Step 6 – Connect to config-server

Set up the application to connect to the config-server.

Now you may proceed with the setup of the client app.

Create bootstrap.yml in your project resources folder with the following content:

spring:
  profiles: qa
  cloud:
    config:
      uri: https://qa.platform.pricefx.com:8888
      username: XXX
      password: YYY
      name: ZZZ
      profile: qa
      label: im
---
spring:
  profiles: prod
  cloud:
    config:
      uri: https://platform.pricefx.com:8889
      username: XXX
      password: YYY
      name: ZZZ
      profile: prod
      label: im

Where:

  • XXX and YYY – Username and password from the previous step.

  • ZZZ – Application name from Step 1 (trane in this example).

Properties are subject to change.

Step 7

Try it. Use the defined properties as if they were in your application.properties file.
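
The rules from Steps 1 to 6 as a pre-flight check, added here as an example and not part of the Pricefx tooling. Function names and sample values are hypothetical, the admin account name admin is an assumption, and cfg is one spring.cloud.config mapping as a YAML parser would return it from bootstrap.yml.

```python
import re
from pathlib import PurePosixPath

REPO_PREFIX = "config-server-data-"
DEFAULTS_BRANCH = "im"             # branch that supplies the application defaults
DEFAULT_PROFILES = {"qa", "prod"}  # only these profiles receive the defaults
ADMIN_USERS = {"admin"}            # assumption: literal name of the admin account
PROPS_RE = re.compile(r"^application(?:-(?P<profile>[\w-]+))?\.properties$")

def check_repo(repo, branch, paths):
    """Findings for the data repository layout (Steps 1, 3 and 4)."""
    out = []
    if not repo.startswith(REPO_PREFIX) or repo == REPO_PREFIX:
        out.append(f"repo '{repo}' is not named {REPO_PREFIX}<app>")
    if branch != DEFAULTS_BRANCH:
        out.append(f"branch '{branch}': no centrally managed defaults")
    for path in map(PurePosixPath, paths):
        m = PROPS_RE.match(path.name)
        if m is None:
            continue  # not a Spring property file
        if len(path.parts) != 1:
            out.append(f"{path}: property files belong in the root folder")
        profile = m.group("profile")
        if profile and profile not in DEFAULT_PROFILES:
            out.append(f"{path}: profile '{profile}' gets no kafka/logstash defaults")
    return out

def check_client(repo, cfg):
    """Findings for one spring.cloud.config mapping of bootstrap.yml (Step 6)."""
    out = []
    app = repo[len(REPO_PREFIX):]
    if cfg.get("name") != app:
        out.append(f"name '{cfg.get('name')}' does not match application '{app}'")
    if cfg.get("profile") not in DEFAULT_PROFILES:
        out.append(f"profile '{cfg.get('profile')}' gets no defaults")
    if cfg.get("label") != DEFAULTS_BRANCH:
        out.append(f"label '{cfg.get('label')}': no centrally managed defaults")
    if cfg.get("username") in ADMIN_USERS:
        out.append("username is the admin account; use the per-application user")
    if not str(cfg.get("uri", "")).startswith("https://"):
        out.append("uri is not https; credentials would travel in clear text")
    return out

if __name__ == "__main__":
    # Constructed sample input, not taken from a real repository.
    files = ["application.properties", "application-production.properties"]
    print(check_repo("config-server-data-trane", "im", files))
    cfg = {"uri": "https://qa.platform.pricefx.com:8888", "username": "admin",
           "name": "trane", "profile": "qa", "label": "im"}
    print(check_client("config-server-data-trane", cfg))
```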

Why IM 1.2.0+ Has No Preconfigured Setup

Starting with version 1.2.0, IntegrationManager no longer provides a preconfigured setup, as was common in previous versions. The reason is security.

The well-known Twelve-Factor App pattern suggests separating configuration from code. This is important since one leak could compromise the whole service.

How to Implement

There are several options depending on your use case.

 

Connection to Pricefx servers

  • Required logstash/kafka: Use config-server which will handle your connections.

  • No services needed: Use config-server which will handle your connections.

Isolated

  • Required logstash/kafka: Either create a firewall (FW) exception or implement it yourself. Provide these properties in the application.properties file, replacing each // fill out placeholder with your value:

#elastic
integration.logstash.address= // fill out
integration.logstash.enabled=true
#kafka
integration.kafka.brokers= // fill out
integration.kafka.username= // fill out
integration.kafka.password= // fill out
integration.kafka.security-protocol=SASL_SSL
integration.kafka.sasl-mechanism=PLAIN
integration.kafka.ssl-endpoint-algorithm=https
# App passwords
integration.connections.encryption-password= // fill out
# fill out if you need to use a different certificate than the self-signed one
server.ssl.key-store= // fill out
server.ssl.key-store-password= // fill out

  • No services needed: No connection is required, but make sure that IM is not trying to connect to kafka:

integration.event-driven.enabled=false

 

 

IntegrationManager version 5.8.0