OpenCRVS Country Configuration - v1.1.0-stable

@euanmillar euanmillar released this 23 Sep 13:44
· 1203 commits to develop since this release

An example OpenCRVS country configuration, to be used in conjunction with opencrvs-core release v1.1.0.

Read the release notes!
Read the v1.0.1 to v1.1.0 migration notes!

Breaking changes - country configuration

v1.1.0 includes the following configuration improvements which are breaking changes. You must rebase all changes from the Farajaland master branch into your country configuration fork to retrieve all these updates as explained in the migration notes.

  • The country configuration now loads the JWT public key from core via a new endpoint in the auth microservice, "/.well-known". This improves our security processes, as we can now rotate the public key without taking the stack down. An additional benefit is that development teams can start the country configuration server with just yarn dev, whereas v1.0.1 required running yarn dev <-- path to the core directory -->.

  • We fixed a bug in our provided GitHub Action deploy.yml.

  • Docker Compose yml files have all been updated to support bugfixes in core.

  • The core emergency-backup-metadata.sh and emergency-restore-metadata.sh scripts contained bugs which have been resolved and these scripts are now located in the country configuration server.

  • The Ansible playbooks in core now extend an additional playbook.yml in the country configuration. This allows the application secrets that LUKS-encrypt the manager node databases' /data folder to be configured as you wish. The prop encrypt_passphrase has been renamed to disk_encryption_key to reflect the use case of this value more accurately. The disk_encryption_key is saved into a file at the location root/disk-encryption-key.txt. The script decrypt.sh is run on system reboot, as we noticed that on reboot the data folder would not mount until it is decrypted. MongoDB and Elasticsearch passwords are saved into an example text file, opencrvs.secrets, inside the encrypted data/ folder. We do not advise using the opencrvs.secrets and disk-encryption-key.txt files in production. Instead, you should reconfigure the playbook, and the reading of these secrets in the decrypt, backup and restore scripts, so that they are provided via an API from a Hardware Security Module (HSM). Secret storage is outside the scope of OpenCRVS in this release. In the December OpenCRVS release v.1.2.0 we intend to show an example of how an HSM could be configured. In the meantime, MOSIP's documentation on the requirements of a Hardware Security Module is useful reading.

  • The following translation keys have been added:

    "config.application.updatingeMessage": "Updating..."

    "constants.requestReason": "Reason for request"

    "form.field.label.updatingUser": "Updating user"

    "form.field.label.creatingNewUser": "Creating new user"

    "form.section.user.preview.title": "Confirm details"

    "record.certificate.collectedInAdvance": "Printed in advance by"
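
The JWT public key item above says the key can now be rotated without taking the stack down. The sketch below is an added example, not code from OpenCRVS, showing how a verifier that fetches its key from an endpoint can keep working across a rotation: it caches the key and refetches when a signature fails. The `fetchPublicKey` callback, the PEM response format, RS256 and all names are assumptions, and the fetch is synchronous only so the example runs offline.

```javascript
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Constructed signer standing in for the auth service (RS256 is an assumption).
function signJwt(payload, privateKey) {
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url');
}

// Returns the claims if the token verifies under the PEM public key, else null.
function checkToken(token, pem) {
  const [h, p, s] = String(token).split('.');
  if (!h || !p || !s) return null;
  try {
    if (JSON.parse(fromB64url(h).toString()).alg !== 'RS256') return null; // pin the algorithm
    const ok = crypto.verify('sha256', Buffer.from(h + '.' + p), pem, fromB64url(s));
    return ok ? JSON.parse(fromB64url(p).toString()) : null;
  } catch { return null; }
}

// fetchPublicKey is a hypothetical stand-in for the GET to the auth service;
// returning a PEM string is an assumption, the page gives no response format.
// The key is cached and refetched at most once per cooldownMs on failure.
function createVerifier(fetchPublicKey, cooldownMs = 0, now = Date.now) {
  let pem = null;
  let fetchedAt = -Infinity;
  const refresh = () => { pem = fetchPublicKey(); fetchedAt = now(); };
  return (token) => {
    if (pem === null) refresh();
    let claims = checkToken(token, pem);
    if (!claims && now() - fetchedAt >= cooldownMs) {
      refresh(); // the signing key may have been rotated
      claims = checkToken(token, pem);
    }
    return claims;
  };
}

// Constructed scenario: the key is rotated while the verifier keeps running.
function rotationDemo() {
  const oldKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const newKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  let served = oldKey, fetches = 0;
  const verify = createVerifier(() => { fetches++; return served.publicKey.export({ type: 'spki', format: 'pem' }); });
  const before = verify(signJwt({ sub: 'demo' }, oldKey.privateKey));
  served = newKey; // rotation on the auth side, no restart here
  const after = verify(signJwt({ sub: 'demo' }, newKey.privateKey));
  const stale = verify(signJwt({ sub: 'demo' }, oldKey.privateKey));
  return { before, after, stale, fetches };
}
```

Set a non-zero `cooldownMs` in any real deployment so that a stream of invalid tokens cannot turn into a stream of key requests against the auth service.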