gv providers
- GVHTTP - Use this type when the end-store has an HTTP-based API to access it. Examples: AWS S3, Azure Blob, GitHub, etc.
- GVConsul - Use this type when the end-store is Consul.
- GVCyberark - Use this type when the end-store is CyberArk Conjur.
- Custom - Use this type to provide a custom implementation that pulls GV values from an end-store of your choice.
Note:
- Sample commands are given for docker. If you are using buildah, replace docker with buildah in build commands.
- You can run with podman by simply replacing docker with podman in all run commands.
Global variable values are selected at runtime using values set in the following ways, shown in order of precedence, highest to lowest:
- Config Provider Framework -> GVHTTP,GVCONSUL,GVCYBERARK,GVAWS - priority among the listed GV providers is assigned in order from left to right.
  Example: In the above order, GVs defined in aws are given the highest priority.
- Global variables defined in the helm chart - envVars section
- Kubernetes secrets mentioned in the helm chart - envVarsFromSecrets section (if there is more than one secret, the secret listed last is given priority)
- Kubernetes configmaps mentioned in the helm chart - envVarsFromConfigMaps section (if there is more than one configmap, the configmap listed last is given priority)
- Kubernetes configmaps that are created using the helm chart - configs section (given the lowest priority)
To select this provider type, pass gvhttp to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider gvhttp \
-t fdhttp:latest
The following environment variables apply to this config provider type:
- GVP_HTTP_SERVER_URL - end-store URL
- GVP_HTTP_HEADERS - Header values to access the end-store API
Sample run:
docker run \
-e GVP_HTTP_SERVER_URL="<SERVER_URL>" \
-e GVP_HTTP_HEADERS="Authorization:token <ACCESS_TOKEN>,Content-Type:application/json" \
-p 8108:8108 --name=fdhttpgit fdhttp:latest
Sample run:
docker run \
-e GVP_HTTP_SERVER_URL="<SERVER_URL>" \
-e GVP_HTTP_HEADERS="x-ms-date: $(date -u)" \
-p 8108:8108 --name=fdhttpazure fdhttp:latest
- The Consul server that is to be used as key-value store for the application global variables must already be set up. For instructions on installation and setup, see the Consul documentation.
- (Optional) For a secured (HTTPS) Consul server, ensure that you have access to the CA and CLI certificates.
- Connect to the Consul server that you have already set up from your web browser. Set up your application global variables in the Consul server as key-value pairs.
  Syntax for keys in Consul is
  <AppName>/<ProfileName>/<GV-Key> = <GV-Value>
  Where,
  - AppName is a name for the TIBCO BusinessEvents application of your choosing, for example, FraudDetection.
  - ProfileName is the name for the profile in the application, for example, prod, default, and so on.
  - GV-Key is the name of the global variable as defined in your TIBCO BusinessEvents application. In the case of global variables within a global variable group, use the usual format of separating them with a forward slash, for example, RMS/port.
  - GV-Value is the value to set for the global variable.
- (Optional) For the secured Consul server, copy the CA and CLI certificates into the same folder as the application EAR and CDD files.
To select this provider type, pass gvconsul to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider gvconsul \
-t fdconsul:latest
The following environment variables apply to this config provider type:
- CONSUL_SERVER_URL - Consul URL
- BE_APP_NAME - App name created in the Consul
- APP_CONFIG_PROFILE - Profile created in the Consul
Sample run:
docker run \
-e "CONSUL_SERVER_URL=http://consul:8500" \
-e "BE_APP_NAME=FraudDetection" \
-e "APP_CONFIG_PROFILE=default" \
-p 8108:8108 --name=fdconsul fdconsul:latest
Sample run (Secured Consul Server):
The CONSUL_CACERT, CONSUL_CLIENT_CERT, and CONSUL_CLIENT_KEY environment variables are only required for the secured Consul server.
docker run \
-e "CONSUL_SERVER_URL=http://consul:8500" \
-e "BE_APP_NAME=FraudDetection" \
-e "APP_CONFIG_PROFILE=default" \
-e "CONSUL_CACERT=/opt/tibco/be/ext/consul-agent-ca.pem" \
-e "CONSUL_CLIENT_CERT=/opt/tibco/be/ext/dc1-cli-consul-0.pem" \
-e "CONSUL_CLIENT_KEY=/opt/tibco/be/ext/dc1-cli-consul-0-key.pem" \
-p 8108:8108 --name=fdconsul fdconsul:latest
- The Conjur server that is to be used as key-value store for the application global variables must already be set up. For instructions on installation and setup, refer to Conjur Quick Start.
- Get the Conjur server details, such as server URL, account name, login name, API key and certificates, from the Conjur admin.
- Use complete Conjur variable names in TIBCO BusinessEvents. That is, if your variables in Conjur are of the format <Conjur-account>:variable:<GV-Key>, then use <GV-Key> in your TIBCO BusinessEvents application.
  Example: If a Conjur variable is "myConjurAccount:variable:backend/ci/users-app/db-username" then use "backend/ci/users-app/db-username" as the GV key in your TIBCO BusinessEvents application.
To select this provider type, pass gvcyberark to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider "gvcyberark" \
-t fdconjur:latest
The following environment variables apply to this config provider type:
- CONJUR_SERVER_URL - Conjur server URL
- CONJUR_ACCOUNT - Account created in Conjur
- CONJUR_LOGINNAME - User or host name
- CONJUR_APIKEY - API key
- CONJUR_SECURE - Set the value to true to run the Conjur CLI in secure mode. Also copy the certificates into the same folder as the application EAR and CDD files.
Sample run:
docker run \
-e "CONJUR_SERVER_URL=<Conjur server url>" \
-e "CONJUR_ACCOUNT=<Conjur account>" \
-e "CONJUR_LOGINNAME=<Conjur user or host>" \
-e "CONJUR_APIKEY=<api_key>" \
-p 8108:8108 --name=fdconjur fdconjur:latest
Note: To initialize the Conjur client in secure mode, add the CONJUR_SECURE=true environment variable to the above command.
To add a custom GV provider, create a new folder under be-tools/cloud/docker/configproviders/custom/ and name it as you choose, for example CUSTOM_PROVIDER. Provide the implementation as described below:
- Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/setup.sh (setup.bat for Windows). The framework invokes it during the BE application docker build. Provide logic to download the required packages and set up the environment needed for the config provider.
- Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/run.sh (run.bat for Windows). The framework invokes it at run time. Provide logic to pull GV values from the end-store, parse them, and write them into the JSON file at /home/tibco/be/configproviders/output.json
Sample output.json for reference:
{
"KEY1": "VALUE1",
"KEY2": "VALUE2"
}
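One way to write the run.sh described above, as an added example rather than code from be-tools. It assumes a hypothetical end-store, a mounted secrets directory with one file per GV; GVP_SECRETS_DIR, GVP_OUTPUT_JSON and the function names are assumptions, and only the output path and the flat JSON shape come from this page.

```sh
#!/bin/sh
# Added example (not from be-tools): run.sh for a hypothetical custom provider
# that reads GVs from a mounted secrets directory, one file per GV.
# Assumed names: GVP_SECRETS_DIR, GVP_OUTPUT_JSON, json_escape, write_gv_json.

# Escape backslash and double quote, then join lines with a literal \n.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
    awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# write_gv_json SRC_DIR OUT_FILE: the file path relative to SRC_DIR becomes the
# GV key (SRC_DIR/RMS/port yields "RMS/port"); the file contents become the value.
# The body runs in a subshell so the umask change and exits stay local.
write_gv_json() (
  src=${1%/} out=$2 tmp="$2.tmp.$$"
  [ -d "$src" ] || { echo "secrets dir not found: $src" >&2; exit 1; }
  umask 077   # output.json holds secrets: create it owner-only
  find "$src" -type f | LC_ALL=C sort | {
    printf '{'; sep=''
    while IFS= read -r f; do
      key=${f#"$src"/}
      case $key in   # allowlist key characters so keys need no escaping
        *[!A-Za-z0-9_./-]*) echo "skipping unsafe key: $key" >&2; continue ;;
      esac
      val=$(cat "$f") || exit 1
      # Fail closed on control characters that json_escape does not encode.
      if [ -n "$(printf '%s' "$val" | LC_ALL=C tr -d '\n\040-\176\200-\377')" ]; then
        echo "control characters in value of $key" >&2; exit 1
      fi
      printf '%s\n  "%s": "%s"' "$sep" "$key" "$(json_escape "$val")"
      sep=','
    done
    printf '\n}\n'
  } > "$tmp" || { rm -f "$tmp"; exit 1; }
  mv "$tmp" "$out"   # replace in one step so a partial file is never read
)

# Runs only when the (assumed) source directory variable is set.
[ -z "${GVP_SECRETS_DIR:-}" ] || write_gv_json "$GVP_SECRETS_DIR" \
  "${GVP_OUTPUT_JSON:-/home/tibco/be/configproviders/output.json}"
```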
To select this provider type, pass CUSTOM_PROVIDER to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider CUSTOM_PROVIDER \
-t fdcustom:latest
There is a custom config provider aws added as a reference example. This GV provider can pull GVs from AWS Secrets Manager or AWS S3.
Refer to the following files at be-tools/cloud/docker/configproviders/custom/aws for the implementation logic:
setup.sh -> Installs aws cli & other tools
run.sh -> Configure aws cli, pull secrets from AWS Secrets Manager
Sample command to build a BE app image which uses the aws GV provider:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider aws \
-t fdcustom:latest
Sample run command to pull GVs from AWS Secrets Manager:
docker run \
-e AWS_ACCESS_KEY_ID=<AWS ACCESS ID> \
-e AWS_SECRET_ACCESS_KEY=<AWS SECRET> \
-e AWS_DEFAULT_REGION=<REGION> \
-e AWS_ROLE_ARN=<ASSUMED ROLE> \
-e AWS_SM_SECRET_ID=<AWS SECRETS MANAGER - SECRET ID> \
-p 8108:8108 --name=fdcustom fdcustom:latest
Note: This GV provider can be easily updated to pull GVs from S3. Uncomment the section "Read GV values from AWS S3 into JSON_FILE" and comment out "Read GV values from AWS Secrets Manager into JSON_FILE" in be-tools/cloud/docker/configproviders/custom/aws/run.sh. Also update the environment variable validations and echo statements accordingly.