Config Provider Framework
Your TIBCO BusinessEvents application deployed on a cloud platform can use global variables (GVs) from the config provider framework (formerly known as the GV framework). This framework lets customers configure and pull GV values from various end-stores (also referred to as config providers in this document) when running the BE application in container mode.
- GVHTTP - Use this type when the end-store has an HTTP-based API to access it. Examples: AWS S3, Azure Blob, GitHub, etc.
- GVConsul - Use this type when the end-store is Consul.
- GVCyberark - Use this type when the end-store is CyberArk Conjur.
- Custom - Use this type to provide a custom implementation that pulls GV values from an end-store of the user's choice.
While building the BE application image, use the --config-provider flag to select the config provider type: gvhttp, gvconsul, gvcyberark, or a custom name. To add more than one GV provider, use a comma-separated format, for example "gvconsul,gvhttp". When multiple config providers are used and the same key/value pair is present in more than one of them, the key/value pair from the last-mentioned provider is used. More details are available in the respective sections below.
Note:
- Sample commands are given for docker. If you are using buildah, replace docker with buildah in the build commands.
- You can run with podman by simply replacing docker with podman in all run commands.
To select this provider type, pass http to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider gvhttp \
-t fdhttp:latest
The following environment variables apply to this config provider type:
- GVP_HTTP_SERVER_URL - end-store URL
- GVP_HTTP_HEADERS - Header values to access the end-store API
Sample run:
docker run \
-e GVP_HTTP_SERVER_URL="<SERVER_URL>" \
-e GVP_HTTP_HEADERS="Authorization:token 9222c5cf6e380ba1395e9d8acce8764265f85933,Content-Type:application/json" \
-p 8108:8108 --name=fdhttpgit fdhttp:latest
Sample run:
docker run \
-e GVP_HTTP_SERVER_URL="<SERVER_URL>" \
-e GVP_HTTP_HEADERS="x-ms-date: $(date -u)" \
-p 8108:8108 --name=fdhttpazure fdhttp:latest
- The Consul server that is to be used as the key-value store for the application global variables must already be set up. For instructions on installation and setup, see the Consul documentation.
- (Optional) For a secured (HTTPS) Consul server, ensure that you have access to the CA and CLI certificates.
- Connect from your web browser to the Consul server that you have already set up. Set up your application global variables in the Consul server as key-value pairs.
  Syntax for keys in Consul is
  <AppName>/<ProfileName>/<GV-Key> = <GV-Value>
  Where,
  - AppName is a name of your choosing for the TIBCO BusinessEvents application, for example, FraudDetection.
  - ProfileName is the name for the profile in the application, for example, prod, default, and so on.
  - GV-Key is the name of the global variable as defined in your TIBCO BusinessEvents application. In the case of global variables within a global variable group, use the usual format of separating them with a forward slash, for example, RMS/port.
  - GV-Value is the value to set for the global variable.
- (Optional) For the secured Consul server, copy the CA and CLI certificates into the same folder as the application EAR and CDD files.
To select this provider type, pass consul to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider consul \
-t fdconsul:latest
The following environment variables apply to this config provider type:
- CONSUL_SERVER_URL - Consul URL
- BE_APP_NAME - App name created in the Consul
- APP_CONFIG_PROFILE - Profile created in the Consul
Sample run:
docker run \
-e "CONSUL_SERVER_URL=http://consul:8500" \
-e "BE_APP_NAME=FraudDetection" \
-e "APP_CONFIG_PROFILE=default" \
-p 8108:8108 --name=fdconsul fdconsul:latest
Sample run (Secured Consul Server):
The CONSUL_CACERT, CONSUL_CLIENT_CERT, and CONSUL_CLIENT_KEY environment variables are only required for the secured Consul server.
docker run \
-e "CONSUL_SERVER_URL=http://consul:8500" \
-e "BE_APP_NAME=FraudDetection" \
-e "APP_CONFIG_PROFILE=default" \
-e "CONSUL_CACERT=/opt/tibco/be/ext/consul-agent-ca.pem" \
-e "CONSUL_CLIENT_CERT=/opt/tibco/be/ext/dc1-cli-consul-0.pem" \
-e "CONSUL_CLIENT_KEY=/opt/tibco/be/ext/dc1-cli-consul-0-key.pem" \
-p 8108:8108 --name=fdconsul fdconsul:latest
- The Conjur server that is to be used as the key-value store for the application global variables must already be set up. For instructions on installation and setup, refer to Conjur Quick Start.
- Get the Conjur server details, such as server URL, account name, login name, API key and certificates, from the Conjur admin.
- Use complete Conjur variable names in TIBCO BusinessEvents. That is, if your variables in Conjur are of the format <Conjur-account>:variable:<GV-Key>, then use <GV-Key> in your TIBCO BusinessEvents application. Example: If a Conjur variable is "myConjurAccount:variable:backend/ci/users-app/db-username" then use "backend/ci/users-app/db-username" as the GV key in your TIBCO BusinessEvents application.
To select this provider type, pass cyberark to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider "cyberark" \
-t fdconjur:latest
The following environment variables apply to this config provider type:
- CONJUR_SERVER_URL - Conjur Server URL
- CONJUR_ACCOUNT - Account created in Conjur
- CONJUR_LOGINNAME - User or host name
- CONJUR_APIKEY - API key
- CONJUR_SECURE - Set value to true to run the Conjur CLI in secure mode. Also copy the certificates into the same folder as the application EAR and CDD files.
Sample run:
docker run \
-e "CONJUR_SERVER_URL=<Conjur server url>" \
-e "CONJUR_ACCOUNT=<Conjur account>" \
-e "CONJUR_LOGINNAME=<Conjur user or host>" \
-e "CONJUR_APIKEY=<api_key>" \
-p 8108:8108 --name=fdconjur fdconjur:latest
Note: To initialize the Conjur client in secure mode, add the CONJUR_SECURE=true environment variable to the above command.
To add a custom GV provider, create a new folder under be-tools/cloud/docker/configproviders/custom/ and name it as you choose, say CUSTOM_PROVIDER. Provide the implementation as per the instructions below:
- Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/setup.sh (setup.bat for Windows). The framework invokes this during the BE application docker build. Provide logic to download the required packages and set up the environment needed for the config provider.
- Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/run.sh (run.bat for Windows). The framework invokes this at run time. Provide logic to pull GV values from the end-store, parse them, and write them into the JSON file at /home/tibco/be/configproviders/output.json
Sample output.json for reference:
{
"KEY1": "VALUE1",
"KEY2": "VALUE2"
}
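One way a custom provider's run.sh could produce output.json, shown as an added example that is not part of the be-tools repository. The KEY=VALUE input format, the function names json_escape and write_gv_json, the GV_OUTPUT_JSON override and the fetch_from_store command are assumptions made for illustration; only the output path and the flat JSON shape come from this page.

```shell
#!/bin/sh
# Added example: logic a custom provider's run.sh could use to write output.json.
# Assumed input: KEY=VALUE lines on stdin (stand-in for an end-store response).

# Path from this page; the override variable is an assumption, used for testing.
GV_OUTPUT_JSON="${GV_OUTPUT_JSON:-/home/tibco/be/configproviders/output.json}"

# Escape backslashes and double quotes so a value cannot break out of its
# JSON string. Assumes single-line values without control characters.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_gv_json FILE: read KEY=VALUE lines from stdin, write a flat JSON map.
write_gv_json() {
  out="$1"
  tmp="$out.tmp.$$"
  old_umask=$(umask)
  umask 077                      # GV values may be secrets: owner-only file
  first=1
  {
    printf '{\n'
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        ''|'#'*) continue ;;     # skip blank lines and comments
        =*) echo "skipping line with empty key" >&2; continue ;;
        *=*) ;;
        *) echo "skipping line without '='" >&2; continue ;;
      esac
      key=${line%%=*}            # split on the first '=' only, so values
      val=${line#*=}             # may themselves contain '='
      [ "$first" = 1 ] || printf ',\n'
      first=0
      printf '  "%s": "%s"' "$(json_escape "$key")" "$(json_escape "$val")"
    done
    printf '\n}\n'
  } > "$tmp"
  umask "$old_umask"
  mv "$tmp" "$out"               # rename so readers never see a partial file
}

# Usage inside run.sh (fetch_from_store is a hypothetical command):
#   fetch_from_store | write_gv_json "$GV_OUTPUT_JSON"
```

The skip messages deliberately omit the offending line so that secret values never reach the container log.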
To select this provider type, pass CUSTOM_PROVIDER to the --config-provider flag while building the BE application image.
Sample:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider CUSTOM_PROVIDER \
-t fdcustom:latest
There is a custom config provider, aws, added as a reference example. This GV provider can pull GVs from AWS Secrets Manager or AWS S3.
Refer to the following files at be-tools/cloud/docker/configproviders/custom/aws for the implementation logic:
setup.sh -> Installs aws cli & other tools
run.sh -> Configure aws cli, pull secrets from AWS Secrets Manager
Sample command to build a BE app image which uses the aws GV provider:
./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider aws \
-t fdcustom:latest
Sample run command to pull GVs from AWS Secrets Manager:
docker run \
-e AWS_ACCESS_KEY_ID=<AWS ACCESS ID> \
-e AWS_SECRET_ACCESS_KEY=<AWS SECRET> \
-e AWS_DEFAULT_REGION=<REGION> \
-e AWS_ROLE_ARN=<ASSUMED ROLE> \
-e AWS_SM_SECRET_ID=<AWS SECRETS MANAGER - SECRET ID> \
-p 8108:8108 --name=fdcustom fdcustom:latest
Note: This GV provider can be easily updated to pull GVs from S3. Uncomment the section "Read GV values from AWS S3 into JSON_FILE" and comment out "Read GV values from AWS Secrets Manager into JSON_FILE" in be-tools/cloud/docker/configproviders/custom/aws/run.sh. Also update the environment variable validations and echo statements accordingly.