Comments (14)
also the whole branch-stuff becomes a bit dirty because if you have e.g. a branch for app1, version X and a branch for app2, version Y, the Y-branch should not contain any artefacts from app1, but master then contains all artefacts? also the branch-naming should then be explicit (i.e. with prefix) to differentiate.
from spring-cloud-config.
I second this. Our current configuration solution involves one git repository per application so that a) each application's configuration is isolated from all others and b) each git repo can have its own set of permissions (administered in GitHub). It would be great if Spring Cloud Config Server could support a similar setup.
@warmuuh As for the isolation, a possible workaround would be to create the initial config repo with only a basic commit (ex: a README). Then create a branch per-application and commit application-specific config files in the relevant branch.
As an upside, this would isolate application files from each other, preventing an accidental "search, replace all, commit, push" workflow from affecting multiple apps.
However, creating speculative configuration would require creating a branch-from-a-branch (which may get confusing or be error prone for some users). Also, this doesn't solve the git credential problem of all users being able to push changes to any app (even if the configs are isolated in various branches).
from spring-cloud-config.
I don't think it would be terribly difficult to implement a git-repository-per-application version of EnvironmentRepository
. If anyone wants to contribute some code, please feel free (see the guidelines on contributing in the readme).
from spring-cloud-config.
I will give it a shot since this is a deal breaker for our internal project.
from spring-cloud-config.
@dsyer it might be a little more complicated than that. Currently the encrypt.key
value is global to the Spring Cloud Config Server. Supposing @iceycake implements such an EnvironmentRepository
, the Config Server would still allow any client to decrypt any other project's encrypted values.
I know this behaviour is the current stated design of the Config Server. However, assuming we want the Config Server to aggregate multiple git repositories so that they can be independently managed and audited, it seems fitting to extend that capability to the encryption of the properties inside that git repository.
The solution here might be (as the documentation alludes) to embed the Config Server into a Spring Boot app with Spring Security enabled with custom/advanced authorization rules such that various clients can only access the configurations to which they are entitled.
Alternatively, instead of security the reading of the properties (given that they may already be in a relatively open git repo), the extra layer of authorization could apply to the /decrypt
endpoint, though that API would have to be changed to somehow be aware of the project for which it is decrypting the value.
from spring-cloud-config.
The decrypt endpoint is only used (if at all) for local properties in a client. The config server does decryption before shipping configuration, so it could in principle be modified to use a different key per repository (or per app). There would still be some challenges with key management.
Unless someone has a bright idea about the key management, wouldn't it be quite useful to stick with a global encryption service, since no client app devs actually need to or can do the encryption? All secrets are encrypted the same way, but if this change was implemented, they can live in different git repositories for the convenience of developers.
On a related note, I had thought that hashing with something like the application name is probably a useful enhancement (like Travis CI does with its secrets), so that the same secret value in different applications has a different cipher. (That's a completely different feature, so if you like that idea or think it's worth discussing please open another issue.)
from spring-cloud-config.
As for our use case, I believe we can live with a global key on the config server because all of the repositories are under the same organization. I understand there is a need of different keys in different use case but my implementation will try to stick with a single key.
from spring-cloud-config.
To be clear I don't yet actually have that use case either. I could live with a shared encryption key for now as well.
I just assumed that if @iceycake needed properties in separate repos then they should be encrypted with different keys for maximum isolation.
from spring-cloud-config.
I finally able to allocate the upcoming few days to work on this issue. Currently, the endpoints look like something like
/{name}/{profiles}/{label}
I am wondering if it is acceptable to do something like:
/{name}/{profiles}/{label}?repo=team1
where we have the repo name defines in the properties like:
spring: cloud: config: server: git: - name: team1 uri: http://gitserver/team1/config-repo - name: team2 uri: http://gitserver/team2/config-repo
By doing this, we can backward compatible with the current implementation.
from spring-cloud-config.
I think it's better to hide the repo IDs from the client. You would need to know (and configure) which apps belong to which repo, but isn't it better to do that in a static way? E.g.
spring:
cloud:
config:
server:
git:
repos:
team1:
uri: http://gitserver/team1/config-repo
apps: foo,bar*
team2:
uri: http://gitserver/team2/config-repo
apps: spam
default:
uri: http://gitserver/default/config-repo
apps: *
The wildcard in the fallback repo can probably be optionally omitted (and spring.cloud.config.server.git.uri
could be used as a default for the fallback, so existing apps would continue to work).
from spring-cloud-config.
In our use case, the config server deployment is developer self serving. As a result, we will not know what app associates to what team/repo. In addition, app name collision can happen with the number of development teams we have. That's why associating the app name and repo id is a bad idea.
from spring-cloud-config.
I suspect it might be better in that case to concatenate the repo name with the app name?
from spring-cloud-config.
This would work.
http://configserver/{app-name}/{profiles}/{label}
spring: cloud: config: server: git: repos: team1: uri: http://gitserver/team1/config-repo app-name: team1-* team2: uri: http://gitserver/team2/config-repo app-name: team2-* default: uri: http://gitserver/default/config-repo app-name: *
from spring-cloud-config.
Cool, so all we need is a PatternMatchUtils
to filter the repository list before we finish the find? That probably means we can implement this feature as a very thin wrapper around the existing JGitEnvironmentRepository
.
from spring-cloud-config.
Related Issues (20)
- After upgrading spring-cloud-config-client from 4.0.2 to 4.1.0 and Spring Boot from 3.1.5 to 3.2.0 properties from application.yml are missing
- AWS Parameter Store Environment Repository returns profiles in the wrong order
- spring.main.allow-circular-references=true does not work HOT 1
- Spring Profile Active is not setting
- Incorrect prioritizing of profile specific property sources HOT 20
- Process AOT - Error with "composite" profile in Spring Cloud Config Server generating Native Image HOT 3
- Moving spring cloud config server with s3 backend from bootstrap.yml to application.yml
- Using scheduler and refresh scope HOT 3
- Question: resolving maps by properties/yml endpoint HOT 5
- Enable force refresh by forceRefresh query parameter regardless of refreshRate HOT 1
- Spring Cloud Config client not able to connect to the Spring Cloud Config server HOT 5
- Upgrade the bcprov-jdk18on dependency to 1.78 HOT 1
- Pass JWT token to spring cloud config server HOT 1
- [Refactoring] Introduce RequestContext to easily pass new parameters to downstream methods
- Spring Boot Cloud Config Unable to Decrypt Password even symetric key is being provided via Yml Config
- Allow Users To Customize HttpClient HOT 1
- [Issue] Spring Cloud Starter Config(spring cloud config client) prevents loading of vault secrets HOT 3
- Config file same key overriding order/precedence HOT 3
- How can I safeguard my GitHub password in the workflow and deploy it using Docker? HOT 2
- Wrong ordering of property sources in config client when using spring.config.import HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spring-cloud-config.