typesafehub / sbt-conductr

Typesafe ConductR plugin for sbt

Bundles configurations in the generateInstallationScript task #187

Closed sallareznov closed 7 years ago

sallareznov commented 7 years ago

Hi,

as far as I know, the only way to inject environment variables in a service is to build a configuration bundle with Shazar and load it with the application bundle. Is there a way to do so automatically with this plugin (I don't see any but who knows)? Have you already considered this issue in a continuous deployment process?

Also, have you heard of Vault? Do you think it's a good solution for environment variables management in distributed systems? Thank you!

markusjura commented 7 years ago

Instead of using shazar you can also use the configuration:dist command inside sbt to generate the bundle configuration: https://github.com/typesafehub/sbt-conductr#bundle-configuration

Inside the src/bundle-configuration/default directory you can then add a runtime-config.sh script in which you can set environment variables for the specific bundle configuration, i.e. for a specific environment. Here is a sample service that is doing it: https://github.com/lagom/activator-lagom-java-chirper/tree/master/front-end/bundle-configuration/default

guizmaii commented 7 years ago

Hi,

Don't you think that it's a bad idea to commit secrets in Git? I think it is. So, IMHO, the problem is still open. 😕

Will you consider something like Vault? Or provide a better process to keep our secrets out of git? IMHO, distributed systems need a "secured env variables store". At service launch, the service itself will fetch its env variables thanks to some HTTPS calls? What do you think?

edwardcallahan commented 7 years ago

We agree. It is absolutely not good to store secrets in Git, private repo or not. Developer default configs can be used here, but not target envs.

Bintray has an encrypted repo feature coming that we're likely to use for proper config storage extending unencrypted bundle repos currently in use. Vault is also a candidate for such.

huntc commented 7 years ago

I'm going to close this issue.

A bundle is required to be loaded initially with config. Once loaded, if the bundle is updated then our Continuous Delivery process will apply the config of anything that it replaces.
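One way to keep target-environment secrets out of the committed bundle configuration discussed in this thread, as an added example (not code from sbt-conductr or from the participants): a `runtime-config.sh` that loads `NAME=value` pairs from a file provisioned on the host instead of hard-coding them. It assumes ConductR sources the script when the bundle starts; `load_secrets`, `SECRETS_FILE` and the file layout are hypothetical names chosen for the illustration.

```shell
#!/bin/sh
# runtime-config.sh (added example; assumed to be sourced at bundle start).
# Secrets live in a host-provisioned file that is never committed to Git.
# load_secrets and SECRETS_FILE are hypothetical names for this sketch.

load_secrets() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "runtime-config: secrets file missing or unreadable: $file" >&2
        return 1
    fi
    # Fail closed if group or others have any access (mode must be 0600/0400).
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "runtime-config: $file is accessible to group/others" >&2
        return 1
    fi
    # Parse line by line; the file is never sourced or eval'ed, so a value
    # such as $(command) stays a literal string.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            *=*) ;;                       # candidate NAME=value
            *) echo "runtime-config: malformed line in $file" >&2
               return 1 ;;
        esac
        name=${line%%=*}                  # text before the first '='
        value=${line#*=}                  # everything after it, '=' included
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "runtime-config: invalid variable name in $file" >&2
                return 1 ;;
        esac
        export "$name=$value"
    done < "$file"
}

# Runs only when the host sets SECRETS_FILE; abort the start on any failure
# rather than launching the service with missing credentials.
if [ -n "${SECRETS_FILE:-}" ]; then
    load_secrets "$SECRETS_FILE" || exit 1
fi
```

The committed `runtime-config.sh` then carries only the loader, and the developer defaults mentioned above can stay in the repository without exposing target-environment values.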