
gv providers

Lakshmi Narayana Mekala edited this page Jun 27, 2023 · 1 revision

The Config Provider Framework supports the following types of GV providers:

  1. GVHTTP - Use this type when the end-store has an HTTP-based API to access it. Example: AWS S3, Azure Blob, GitHub, etc.
  2. GVConsul - Use this type when the end-store is Consul.
  3. GVCyberark - Use this type when the end-store is CyberArk Conjur.
  4. Custom - Use this type to provide a custom implementation that pulls GV values from an end-store of the user's choice.

Note:

  • Sample commands are given for docker. If you are using buildah, replace docker with buildah in the build commands.
  • You can run with podman by simply replacing docker with podman in all run commands.

Order of Precedence of Global Variable Overrides

Global variable values are selected at runtime using values set in the following ways, shown in order of precedence, highest to lowest:

  1. Config Provider Framework -> GVHTTP,GVCONSUL,GVCYBERARK,GVAWS - the GV providers list, mentioned in order from left to right, is given the highest priority
    Example: In the above order, GVs defined in aws are given the highest priority
  2. Global variables defined in the helm chart - envVars section
  3. Kubernetes secrets mentioned in the helm chart - envVarsFromSecrets section (if there is more than one secret, the secret listed last is given priority)
  4. Kubernetes configmaps mentioned in the helm chart - envVarsFromConfigMaps section (if there is more than one configmap, the configmap listed last is given priority)
  5. Kubernetes configmaps that are created using the helm chart - configs section is given the lowest priority

GVHTTP

Build

To select this provider type, pass gvhttp to the --config-provider flag while building the BE application image.

Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider gvhttp \
-t fdhttp:latest

Run

The following environment variables apply to this config provider type:

  • GVP_HTTP_SERVER_URL - end-store URL
  • GVP_HTTP_HEADERS - Header values to access the end-store API

Examples

GitHub

Sample run:

docker run \
-e GVP_HTTP_SERVER_URL="<SERVER_URL>" \
-e GVP_HTTP_HEADERS="Authorization:token 9222c5cf6e380ba1395e9d8acce8764265f85933,Content-Type:application/json" \
-p 8108:8108 --name=fdhttpgit fdhttp:latest

Azure Storage

Sample run:

docker run \
-e GVP_HTTP_SERVER_URL="<SERVER_URL>" \
-e GVP_HTTP_HEADERS="x-ms-date: $(date -u)" \
-p 8108:8108 --name=fdhttpazure fdhttp:latest

GVConsul

Prerequisites

  • The Consul server that is to be used as the key-value store for the application global variables must already be set up. For instructions on installation and setup, see the Consul documentation.
  • (Optional) For a secured (HTTPS) Consul server, ensure that you have access to the CA and CLI certificates.

Procedure

  1. From your web browser, connect to the Consul server that you have already set up. Set up your application global variables in the Consul server as key-value pairs.

    The syntax for keys in Consul is:

    <AppName>/<ProfileName>/<GV-Key> = <GV-Value>
    

    Where,

    • AppName is a name for the TIBCO BusinessEvents application of your choosing, for example, FraudDetection.
    • ProfileName is the name for the profile in the application, for example, prod, default, and so on.
    • GV-Key is the name of the global variable as defined in your TIBCO BusinessEvents application. In the case of global variables within a global variable group, use the usual format of separating them with a forward slash, for example, RMS/port.
    • GV-Value is the value to set for the global variable.
  2. (Optional) For the secured Consul server, copy the CA and CLI certificates into the same folder as the application EAR and CDD files.

Build

To select this provider type, pass gvconsul to the --config-provider flag while building the BE application image. Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider gvconsul \
-t fdconsul:latest

Run

The following environment variables apply to this config provider type:

  • CONSUL_SERVER_URL - Consul URL
  • BE_APP_NAME - App name created in the Consul
  • APP_CONFIG_PROFILE - Profile created in the Consul

Sample run:

docker run \
-e "CONSUL_SERVER_URL=http://consul:8500" \
-e "BE_APP_NAME=FraudDetection" \
-e "APP_CONFIG_PROFILE=default" \
-p 8108:8108 --name=fdconsul fdconsul:latest

Sample run (secured Consul server):

The CONSUL_CACERT, CONSUL_CLIENT_CERT, and CONSUL_CLIENT_KEY environment variables are only required for the secured Consul server.

docker run \
-e "CONSUL_SERVER_URL=https://consul:8500" \
-e "BE_APP_NAME=FraudDetection" \
-e "APP_CONFIG_PROFILE=default" \
-e "CONSUL_CACERT=/opt/tibco/be/ext/consul-agent-ca.pem" \
-e "CONSUL_CLIENT_CERT=/opt/tibco/be/ext/dc1-cli-consul-0.pem" \
-e "CONSUL_CLIENT_KEY=/opt/tibco/be/ext/dc1-cli-consul-0-key.pem" \
-p 8108:8108 --name=fdconsul fdconsul:latest

GVCyberArk-Conjur

Prerequisites

  • The Conjur server that is to be used as the key-value store for the application global variables must already be set up. For instructions on installation and setup, refer to the Conjur Quick Start.

Procedure

  1. Get the Conjur server details, such as server URL, account name, login name, API key and certificates, from the Conjur admin.

  2. Use complete Conjur variable names in TIBCO BusinessEvents, i.e. if your variables in Conjur are of the format <Conjur-account>:variable:<GV-Key>, then use <GV-Key> in your TIBCO BusinessEvents application.

    Example: If a Conjur variable is "myConjurAccount:variable:backend/ci/users-app/db-username" then use "backend/ci/users-app/db-username" as the GV key in your TIBCO BusinessEvents application.

Build

To select this provider type, pass gvcyberark to the --config-provider flag while building the BE application image. Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider "gvcyberark" \
-t fdconjur:latest

Run

The following environment variables apply to this config provider type:

  • CONJUR_SERVER_URL - Conjur Server URL
  • CONJUR_ACCOUNT - Account created in Conjur
  • CONJUR_LOGINNAME - User or host name
  • CONJUR_APIKEY - API key
  • CONJUR_SECURE - Set the value to true to run the Conjur CLI in secure mode. Also copy the certificates into the same folder as the application EAR and CDD files.

Sample run:

docker run \
-e "CONJUR_SERVER_URL=<Conjur server url>" \
-e "CONJUR_ACCOUNT=<Conjur account>" \
-e "CONJUR_LOGINNAME=<Conjur user or host>" \
-e "CONJUR_APIKEY=<api_key>" \
-p 8108:8108 --name=fdconjur fdconjur:latest

Note: To initialize the Conjur client in secure mode, add the CONJUR_SECURE=true environment variable to the above command.

Custom

Implementation

To add a custom GV provider, create a new folder under be-tools/cloud/docker/configproviders/custom/ and give it a name of your choice, for example CUSTOM_PROVIDER. Provide the implementation as per the instructions below:

  1. Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/setup.sh (setup.bat for Windows). This gets invoked by the framework during the BE application docker build. Provide logic to download the required packages and set up the environment needed for the config provider.
  2. Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/run.sh (run.bat for Windows). This gets invoked by the framework at run time. Provide logic to pull GV values from the end-store, parse them and write them into the JSON file at /home/tibco/be/configproviders/output.json

Sample output.json for reference:

{
    "KEY1": "VALUE1",
    "KEY2": "VALUE2"
}
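
A sketch of the run.sh logic described above, added here as an example and not taken from be-tools: it JSON-escapes the values and writes output.json atomically with owner-only permissions. It assumes the end-store response has already been reduced to KEY=VALUE lines; the function names and the OUTPUT_JSON override are hypothetical.

```shell
#!/bin/sh
# Added example, not be-tools code. Assumption: the end-store response has
# been reduced to one KEY=VALUE pair per line on stdin.

# Path required by the framework; OUTPUT_JSON is a hypothetical override for testing.
OUTPUT_JSON="${OUTPUT_JSON:-/home/tibco/be/configproviders/output.json}"

# Escape a string for a JSON string literal: strip control characters,
# then escape backslashes and double quotes.
json_escape() {
    printf '%s' "$1" | tr -d '\001-\037' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Read KEY=VALUE lines on stdin and print a flat JSON object on stdout.
kv_to_json() {
    sep=''
    printf '{'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                          # blank line or comment
            =*)      echo "skipping line with empty key" >&2; continue ;;
            *=*)     ;;                                   # well-formed pair
            *)       echo "skipping line without '='" >&2; continue ;;
        esac
        key=${line%%=*}      # text before the first '='
        value=${line#*=}     # everything after it, so values may contain '='
        printf '%s\n    "%s": "%s"' "$sep" "$(json_escape "$key")" "$(json_escape "$value")"
        sep=','
    done
    printf '\n}\n'
}

# Write the JSON with owner-only permissions, replacing the file atomically
# so the application never reads a half-written output.json.
write_output() {
    (
        umask 077
        tmp="$OUTPUT_JSON.tmp.$$"
        kv_to_json > "$tmp" && mv "$tmp" "$OUTPUT_JSON"
    )
}

# Constructed sample input, printed to stdout; a real run.sh would instead
# pipe the end-store response into write_output.
printf 'KEY1=VALUE1\nRMS/port=8108\n' | kv_to_json
```

The warnings for skipped lines go to stderr and never include the line itself, so a malformed secret does not end up in the container log.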

Build

To select this provider type, pass CUSTOM_PROVIDER to the --config-provider flag while building the BE application image. Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider CUSTOM_PROVIDER \
-t fdcustom:latest

Example - custom/aws

A custom config provider named aws is included as a reference example. This GV provider can pull GVs from AWS Secrets Manager or AWS S3.

Refer to the following files at be-tools/cloud/docker/configproviders/custom/aws for the implementation logic:

setup.sh -> Installs aws cli & other tools
run.sh -> Configure aws cli, pull secrets from AWS Secrets Manager

Build

Sample command to build a BE app image that uses the aws GV provider:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider aws \
-t fdcustom:latest

Run

Sample run command to pull GVs from AWS Secrets Manager:

docker run \
-e AWS_ACCESS_KEY_ID=<AWS ACCESS ID> \
-e AWS_SECRET_ACCESS_KEY=<AWS SECRET> \
-e AWS_DEFAULT_REGION=<REGION> \
-e AWS_ROLE_ARN=<ASSUMED ROLE> \
-e AWS_SM_SECRET_ID=<AWS SECRETS MANAGER - SECRET ID> \
-p 8108:8108 --name=fdcustom fdcustom:latest

Note: This GV provider can be easily updated to pull GVs from S3. Uncomment the section "Read GV values from AWS S3 into JSON_FILE" and comment out the section "Read GV values from AWS Secrets Manager into JSON_FILE" in be-tools/cloud/docker/configproviders/custom/aws/run.sh. Also update the environment variable validations and echo statements accordingly.
