Use ConfigServer for Passwords Management (Optional)
Password management in your application is up to you. One option is to use ConfigServer (https://pricefx.atlassian.net/wiki/spaces/INTG/pages/2513666473), which handles the passwords for you. However, this server resides in the Pricefx network, so it adds another layer of complexity and requires access to it.
Step 1 – Create Data Repository
Create a data repository in GitLab. The repository has to be in the integration group and its name has to start with the prefix config-server-data-*, e.g. config-server-data-trane.
Step 2 – Assign Permission
Add a permission to the pmconfig user.
The permission is required so that the config-server can fetch the repository data via this pmconfig user.
Step 3 – Create Branch
Create a branch im and switch to it.
The im branch is required to properly supply application defaults. You may operate on a different branch, but you will not have centrally managed default values.
Step 4 – Create Properties
Create property files with properties and (optionally) encrypt them.
Create property files as needed. Create them in the root folder with standardized Spring naming application-profile, e.g. application.properties, application-dev.properties, etc.
For details on adding properties see https://pricefx.atlassian.net/wiki/spaces/INTG/pages/2514583782.
Your profiles must match the default qa and prod, otherwise you will not get the defaults.
For example, if you use the profile production (and store corresponding application-production.properties), you can fetch your configuration, but not the default (kafka, logstash).
Step 4b – Encryption (Optional)
If you feel the need for encryption of properties, follow the steps mentioned in https://pricefx.atlassian.net/wiki/spaces/INTG/pages/2513633602/Repository#Encryption.
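The rules from Step 4 and Step 4b can be checked before a commit to the data repository. The following is an added example, not part of the original page or of Pricefx tooling; it assumes that encrypted values carry Spring Cloud Config's {cipher} prefix and that secret properties can be recognised by key name (both are assumptions, as are the sample values).

```python
import re
from pathlib import Path

DEFAULT_PROFILES = {"qa", "prod"}  # only these profiles receive the central defaults
NAME_RE = re.compile(r"^application(?:-(?P<profile>[A-Za-z0-9_]+))?\.properties$")
SECRET_KEY_RE = re.compile(r"password|secret|token", re.IGNORECASE)  # assumed heuristic
CIPHER_PREFIX = "{cipher}"  # assumption: Spring Cloud Config's encrypted-value marker


def check_file(name, text):
    """Return findings for one property file, given its name and contents."""
    match = NAME_RE.match(name)
    if not match:
        return [f"{name}: not named application[-profile].properties"]
    findings = []
    profile = match.group("profile")
    if profile and profile not in DEFAULT_PROFILES:
        findings.append(f"{name}: profile '{profile}' gets no qa/prod defaults")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and SECRET_KEY_RE.search(key) and value and not value.startswith(CIPHER_PREFIX):
            findings.append(f"{name}:{lineno}: '{key}' is stored in plaintext")
    return findings


def check_repo(root):
    """Check every application*.properties file in the repository root folder."""
    findings = []
    for path in sorted(Path(root).glob("application*.properties")):
        findings += check_file(path.name, path.read_text(encoding="utf-8"))
    return findings


# Constructed sample files (not real configuration).
SAMPLE = {
    "application-qa.properties":
        "# constructed\nintegration.kafka.username=svc-example\n"
        "integration.kafka.password={cipher}00ffEXAMPLE\n",
    "application-production.properties":
        "integration.connections.encryption-password=changeme\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE.items():
        for finding in check_file(name, text):
            print(finding)
```

Run check_repo on the checked-out im branch; an empty list means every file follows the naming rule, uses a profile that receives defaults, and stores no password-like property in plaintext.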
Step 5 – Create User
Have a unique user for the application created.
Right now your repository is accessible by the config-server under the admin user. However, exposing the admin user in your configuration is not recommended for security reasons (attackers might get access to different repositories and confidential data).
Write to @Michal Štěpán from the Platform team with a request:
I need a config-server user XXX with a password YYY (or generate a new one), which will be able to fetch configuration of the application ZZZ.
This step requires a restart of the config-server, so it may take some time.
The user is shared by both the QA and PROD instances.
Step 6 – Connect to config-server
Set up the application to connect to the config-server.
Now you may proceed with the setup of the client app.
Create bootstrap.yml in your project resources folder with the following content:
spring:
  profiles: qa
  cloud:
    config:
      uri: https://qa.platform.pricefx.com:8888
      username: XXX
      password: YYY
      name: ZZZ
      profile: qa
      label: im
---
spring:
  profiles: prod
  cloud:
    config:
      uri: https://platform.pricefx.com:8889
      username: XXX
      password: YYY
      name: ZZZ
      profile: prod
      label: im
Where:
XXX and YYY – Username and password from the previous step.
ZZZ – Application name from Step 1 (trane in this example).
Properties are subject to change.
Step 7
Try it. Use the defined properties as if they were in your application.properties file.
Why IM 1.2.0+ Has No Preconfigured Setup
IntegrationManager from the version 1.2.0 no longer provides a preconfigured setup, as was common in the previous versions. The reason is security.
The well-known pattern The Twelve-Factor App suggests separating configuration from code. This is important since one leak could compromise the whole service.
How to Implement
There are several options depending on your use case.
| | Required logstash/kafka | No services needed |
|---|---|---|
| Connection to Pricefx servers | Use config-server which will handle your connections. | Use config-server which will handle your connections. |
| Isolated | Either create a FW exception or implement it yourself. Provide these properties to the<br>#elastic<br>integration.logstash.address= // fill out<br>integration.logstash.enabled=true<br>#kafka<br>integration.kafka.brokers= // fill out<br>integration.kafka.username= // fill out<br>integration.kafka.password= // fill out<br>integration.kafka.security-protocol=SASL_SSL<br>integration.kafka.sasl-mechanism=PLAIN<br>integration.kafka.ssl-endpoint-algorithm=https<br># App passwords<br>integration.connections.encryption-password= // fill out<br># fill out if you need to use a different certificate than the self-signed one<br>server.ssl.key-store= // fill out<br>server.ssl.key-store-password= // fill out | No connection is required, but make sure that IM is not trying to connect to kafka: integration.event-driven.enabled=false |
IntegrationManager version 5.8.0