From 0c035ca07da4705060de2960c1e72807da054443 Mon Sep 17 00:00:00 2001 From: eliranb Date: Thu, 15 May 2025 15:34:33 +0300 Subject: [PATCH 1/2] Added system configuration feature --- README.md | 25 ++++++--- chart/templates/backend-deployment.yaml | 11 ++++ chart/templates/system-config-cm.yaml | 6 ++ chart/values.yaml | 8 +++ docs/advanced/_index.md | 3 +- docs/advanced/system_config.md | 73 +++++++++++++++++++++++++ 6 files changed, 116 insertions(+), 10 deletions(-) create mode 100644 chart/templates/system-config-cm.yaml create mode 100644 docs/advanced/system_config.md diff --git a/README.md b/README.md index 26bc99a..09e0156 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,18 @@ To ensure a smooth and secure production deployment of Lightrun, follow these ke - Decide whether to use Helm-managed secrets or an external secrets manager. [More info on Secrets Management](docs/installation/secrets.md) -#### **4. Lightrun Certificate** + +#### **4. System Configuration** + +- Obtain the system configuration file and signature from Lightrun. + [More info on System Configuration](docs/advanced/system_config.md) + +#### **5. Lightrun Certificate** - Plan how Lightrun certificate will be issued and managed for secure communications. [More info on Certificate](docs/installation/certificate.md) -#### **5. Database** + +#### **6. Database** > [!TIP] > Use external managed database 
@@ -51,38 +58,38 @@ To ensure a smooth and secure production deployment of Lightrun, follow these ke - Choose between a local or external database. [More info on Database Setup](docs/components/database.md) -#### **6. Router** +#### **7. Router** - Decide how external traffic will reach the Lightrun router (Ingress, Service, OpenShift Route). [More info on Router](docs/components/router/index.md) -#### **7. Container Images Registry** +#### **8. Container Images Registry** - Choose where to store and manage container images (e.g., private registry, Docker Hub, Azure Container Registry, AWS ECR). [More info on Container Image Registry](docs/installation/container_image_registry.md) -#### **8. Redis** +#### **9. Redis** > [!TIP] > Use external managed redis - Determine if Redis will be local or external. [More info on Redis Setup](docs/components/redis.md) -#### **9. (Optional)RabbitMQ** +#### **10. (Optional)RabbitMQ** - Determine if RabbitMQ is needed for sending telemetry to Lightrun. [More info on RabbitMQ](docs/components/rabbitmq.md) -#### **10. (Optional)Network Policy** +#### **11. (Optional)Network Policy** - Establish network policies to restrict access between services and prevent unauthorized communication. [More info on Network Policy](docs/advanced/network_policy.md) -#### **11. (Optional)Internal TLS Communication** +#### **12. (Optional)Internal TLS Communication** - Decide whether internal TLS is necessary for secure component communication. [More info on Internal TLS](docs/advanced/internal_tls.md) -#### **12. Choose Your Deployment Option** +#### **13. Choose Your Deployment Option** Decide where to run your Kubernetes cluster based on your infrastructure needs. Consider whether you'll deploy all services locally (including RabbitMQ, Redis, and MySQL) or use managed cloud services. ##### **Supported Kubernetes Platforms:** diff --git a/chart/templates/backend-deployment.yaml b/chart/templates/backend-deployment.yaml index 3ffc2dc..db5fad8 100644 
--- a/chart/templates/backend-deployment.yaml +++ b/chart/templates/backend-deployment.yaml @@ -60,6 +60,9 @@ spec: {{- end }} serviceAccountName: {{ template "lightrun-be.serviceAccountName" . }} volumes: + - name: system-config + configMap: + name: {{ include "lightrun.fullname" . }}-system-config - name: encryption-keys secret: secretName: {{ include "secrets.backend.name" . }} @@ -130,6 +133,10 @@ spec: "/usr/src/lightrun/{{ .Values.deployments.backend.jar_name }}" ] volumeMounts: + - name: system-config + mountPath: {{ .Values.general.system_config.file_path }} + subPath: {{ base .Values.general.system_config.file_path }} + readOnly: true - name: encryption-keys mountPath: /encryption-keys readOnly: true @@ -193,6 +200,10 @@ spec: - secretRef: name: {{ include "secrets.backend.name" . }} env: + - name: LIGHTRUN_SYSTEM_CONFIG_JSON_FILE_PATH + value: {{ .Values.general.system_config.file_path }} + - name: LIGHTRUN_SYSTEM_CONFIG_JSON_SIGNATURE + value: {{ .Values.general.system_config.signature }} - name: SERVER_SECURITY_ENCRYPTION-KEYS-PATH value: file:/encryption-keys - name: LIGHTRUN_HOSTNAME diff --git a/chart/templates/system-config-cm.yaml b/chart/templates/system-config-cm.yaml new file mode 100644 index 0000000..87d81e0 --- /dev/null +++ b/chart/templates/system-config-cm.yaml @@ -0,0 +1,6 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "lightrun.fullname" . }}-system-config +data: + system_config.json: {{ .Values.general.system_config.content }} \ No newline at end of file diff --git a/chart/values.yaml b/chart/values.yaml index eb6d6e8..a337964 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
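Review bot: The `subPath` mount of `system-config` in the `volumeMounts:` hunk means a running pod never picks up a ConfigMap update; kubelet only refreshes whole-directory ConfigMap volumes, so new `content` with an unchanged pod template leaves the old file in place until the pod is recreated. A new `signature` does change the pod template through the env var added in the `env:` hunk, but a content-only change does not, which is why the docs have to ask for a manual restart. A checksum annotation on the pod template, e.g. `checksum/system-config: {{ include (print $.Template.BasePath "/backend-system-config-cm.yaml") . | sha256sum }}` (the name the second patch gives the template), makes any content change roll the Deployment on `helm upgrade`. The pod template metadata and the rest of the container spec are outside this hunk.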
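Review bot: `value: {{ .Values.general.system_config.signature }}` and the `file_path` line above it in the `env:` hunk render the values unquoted, and the same applies to `system_config.json: {{ .Values.general.system_config.content }}` in the new system-config-cm.yaml hunk. With the chart default `signature: ""` the line becomes `value:` with nothing after it, which YAML reads as null rather than the empty string that `EnvVar.value` and `ConfigMap.data` expect, and a base64 value that happens to be all digits would be typed as an integer. Use `value: {{ .Values.general.system_config.signature | quote }}` and `| quote` on the other two so every rendering is a string. The hunk does not show where the backend gets the key it verifies the signature with; the check only protects the file against tampering if that key is fixed in the backend image rather than also taken from chart values.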
@@ -11,6 +11,14 @@ general: lightrun_endpoint: "lightrun.example.com" ## DNS record that will be used to access the platform deployment_type: on-prem + + system_config: + # Path to the system config file + file_path: "/opt/lightrun/system_config.json" + # Content of the system config file, base64 encoded + content: "" + # Signature of the system config file, base64 encoded + signature: "" ## on-prem, saas, single-tenant deploy_secrets: enabled: true diff --git a/docs/advanced/_index.md b/docs/advanced/_index.md index ebee48c..0d5b726 100644 --- a/docs/advanced/_index.md +++ b/docs/advanced/_index.md @@ -1,4 +1,5 @@ This advanced guide covers in-depth configuration options for deploying Lightrun using the Helm chart - [Internal TLS](internal_tls.md) -- [Network Policy](network_policy.md) \ No newline at end of file +- [Network Policy](network_policy.md) +- [System Configuration](system_config.md) \ No newline at end of file diff --git a/docs/advanced/system_config.md b/docs/advanced/system_config.md new file mode 100644 index 0000000..d5a26e1 --- /dev/null +++ b/docs/advanced/system_config.md 
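Review bot: The new `system_config:` block is inserted between `deployment_type: on-prem` and the `## on-prem, saas, single-tenant` context line that lists its allowed values, so that comment now sits directly under `signature: ""` and reads as a note on the signature. Move the block below the comment line, or attach the comment to its key as `deployment_type: on-prem  ## on-prem, saas, single-tenant`. The comments on `content` and `signature` could also state that both default to empty and that the backend Deployment template in this patch mounts the ConfigMap unconditionally, e.g. `# Leave empty until Lightrun provides a signed configuration; the (empty) file is still mounted.`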
@@ -0,0 +1,73 @@ +# System Configuration File + +This document describes how to configure and use the System Configuration feature in the Lightrun platform. The system configuration file allows administrators to adjust settings that control the behavior of the Lightrun server. + +## Overview + +The System Configuration is a JSON file that contains various settings that modify the behavior of the Lightrun server. This configuration is provided via a ConfigMap and mounted into the backend container. The file is digitally signed to ensure authenticity and prevent unauthorized modifications. + +## Configuration Options + +To use the System Configuration feature, you need to provide: + +1. **Content**: The base64-encoded JSON configuration content (provided by Lightrun) +2. **Signature**: A base64-encoded signature of the JSON content (provided by Lightrun) +3. **File Path**: The location where the configuration file will be mounted in the container (default: `/opt/lightrun/system_config.json`) + +### Values.yaml Configuration + +Add the following configuration to your `values.yaml` file or override the values when installing/upgrading the Helm chart: + +```yaml +general: + system_config: + # Path to the system config file + file_path: "/opt/lightrun/system_config.json" + # Content of the system config file, base64 encoded + content: "ewogICJzb21lQ29uZmlndXJhdGlvbkZpZWxkIjogdHJ1ZSwKICAiYW5vdGhlckNvbmZpZ3VyYXRpb25GaWVsZCI6IDEyMwp9Cg==" + # Signature of the system config file, base64 encoded (provided by Lightrun) + signature: "c2lnbmF0dXJlLXZhbHVlLWZyb20tbGlnaHRydW4=" +``` + +> [!IMPORTANT] +> - The content must be base64-encoded valid JSON +> - The signature must be base64-encoded and match the content exactly to be considered valid +> - Contact Lightrun support to obtain a valid signature and content + +### How It Works + +When the Lightrun backend starts: + +1. The backend reads the system configuration file from the specified path +2. 
It validates the file's signature against the provided signature value +3. If valid, the configuration is applied to modify the backend's behavior +4. If invalid, the backend will log an error and may use default settings instead + +## Updating the Configuration + +To update the system configuration: + +1. Obtain a new configuration content and corresponding signature from Lightrun support +2. Update your `values.yaml` file or use `--set` parameters with the new values +3. Apply the changes using Helm: + +```bash +helm upgrade lightrun lightrun/lightrun -f values.yaml +``` + +> [!NOTE] +> Updating the system configuration requires a restart of the Lightrun backend deployment with strategy recreate to take effect. + +## Troubleshooting + +If you experience issues with the system configuration: + +1. Verify that the content is properly base64-encoded +2. Ensure the signature matches the provided content +3. Check the backend logs for any error messages related to system configuration: + +```bash +kubectl logs -l -n +``` + +For assistance with system configuration issues, contact Lightrun support. \ No newline at end of file From f8c30d7140fc1f6416795ad8355f76bb0950c82d Mon Sep 17 00:00:00 2001 From: eliranb Date: Thu, 15 May 2025 15:37:26 +0300 Subject: [PATCH 2/2] add new line and rename file --- .../{system-config-cm.yaml => backend-system-config-cm.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename chart/templates/{system-config-cm.yaml => backend-system-config-cm.yaml} (98%) diff --git a/chart/templates/system-config-cm.yaml b/chart/templates/backend-system-config-cm.yaml similarity index 98% rename from chart/templates/system-config-cm.yaml rename to chart/templates/backend-system-config-cm.yaml index 87d81e0..b02aa7a 100644 --- a/chart/templates/system-config-cm.yaml +++ b/chart/templates/backend-system-config-cm.yaml 
@@ -3,4 +3,4 @@ apiVersion: v1
 metadata:
 name: {{ include "lightrun.fullname" . }}-system-config
 data:
- system_config.json: {{ .Values.general.system_config.content }}
\ No newline at end of file
+ system_config.json: {{ .Values.general.system_config.content }}