Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

Spring Cloud Config Server
By Clint Checketts @checketts

Implementing Config Server and Extending It



Page 1: Implementing Config Server and Extending It


Spring Cloud Config Server
By Clint Checketts

@checketts

Page 2: Implementing Config Server and Extending It


Huge thanks to Steve West… and my team


Page 3: Implementing Config Server and Extending It


Place all of our configuration under source control.

Page 4: Implementing Config Server and Extending It


Dumped vs Driven


Page 5: Implementing Config Server and Extending It


Who made that change?!


Page 6: Implementing Config Server and Extending It


Spring Cloud Config Server


• Key/Value configuration

• Encrypt/Decrypt configuration

• @RefreshScope for allowing properties to refresh

• Backed by many storage options, including Git

• Extensible

Page 7: Implementing Config Server and Extending It


Push versus Pull


Page 8: Implementing Config Server and Extending It


Spring Environment


• Populated via
  • application.properties
  • application.yml
  • parameters
  • system properties
  • environment variables
  • and more

• Profiles

• Annotation support
  • @Value("${myprop}")
  • @ConfigurationProperties

Page 9: Implementing Config Server and Extending It


Property Source Example


Property sources, highest precedence first:

Command line arguments       key1=apple
System Properties            key2=dragon
System Environment           key1=banana
classpath: application.yml   key1=coconut, key2=elephant
classpath: bootstrap.yml     key3=shark

Resolved values: key1=apple, key2=dragon, key3=shark (for each key, the highest source that defines it wins)

Page 10: Implementing Config Server and Extending It


Property Source Example


Property sources, highest precedence first:

Config Server                key1=kiwi, key2=flamingo, key3=dolphin
Command line arguments       key1=apple
System Properties            key2=dragon
System Environment           key1=banana
classpath: application.yml   key1=coconut, key2=elephant
classpath: bootstrap.yml     key3=shark

Resolved values: key1=kiwi, key2=flamingo, key3=dolphin (by default the remote source from Config Server sits above every local source, including command line arguments)
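An added example (mine, not code from the talk or from the demo repository) of the resolution the two slides above describe: the Environment walks its property sources from highest precedence down, and for each key the first source that defines it wins. It is written in Go so that it runs with no Spring dependencies; the values are the slides', the source names follow Spring Boot's naming but are otherwise assumed.

```go
package main

import "fmt"

// PropertySource is one layer of the Spring Environment: a name and its keys.
// A slice of them is ordered highest precedence first, as on the slide.
type PropertySource struct {
	Name  string
	Props map[string]string
}

// Resolved records the winning value for a key and which source supplied it,
// which is the answer to "who set this?" when a value is not what you expect.
type Resolved struct {
	Value  string
	Source string
}

// Resolve merges the sources the way the Environment does: the first source
// that defines a key wins, lower sources only fill in keys nothing above set.
func Resolve(sources []PropertySource) map[string]Resolved {
	out := map[string]Resolved{}
	for _, src := range sources {
		for k, v := range src.Props {
			if _, seen := out[k]; !seen {
				out[k] = Resolved{Value: v, Source: src.Name}
			}
		}
	}
	return out
}

// LocalSources reproduces the slide's local property sources (constructed data).
func LocalSources() []PropertySource {
	return []PropertySource{
		{"commandLineArgs", map[string]string{"key1": "apple"}},
		{"systemProperties", map[string]string{"key2": "dragon"}},
		{"systemEnvironment", map[string]string{"key1": "banana"}},
		{"classpath:application.yml", map[string]string{"key1": "coconut", "key2": "elephant"}},
		{"classpath:bootstrap.yml", map[string]string{"key3": "shark"}},
	}
}

// WithConfigServer prepends the remote source, which by default sits above
// every local source: whoever controls the config repo controls every key.
func WithConfigServer(local []PropertySource) []PropertySource {
	remote := PropertySource{"configService", map[string]string{
		"key1": "kiwi", "key2": "flamingo", "key3": "dolphin"}}
	return append([]PropertySource{remote}, local...)
}

func main() {
	for _, r := range []map[string]Resolved{Resolve(LocalSources()), Resolve(WithConfigServer(LocalSources()))} {
		for _, k := range []string{"key1", "key2", "key3"} {
			fmt.Printf("%s=%s (from %s)\n", k, r[k].Value, r[k].Source)
		}
		fmt.Println()
	}
}
```

Resolving the same keys with and without the remote source makes the trust boundary visible: once Config Server is in the picture, a value committed to the config repo beats a command line argument set by the operator. Spring Cloud can demote the remote source (its allowOverride/overrideNone settings) when local values must win, but that is a deliberate choice, not the default.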

Page 11: Implementing Config Server and Extending It


Config Server Endpoints

• View/Fetch configuration
  • http://localhost:8080/config/{name}/{profile}/{label}

• Encrypt values:
  • curl localhost:8080/encrypt -d <encryptMe>

• Decrypt values:
  • curl localhost:8080/decrypt -d <encryptedtext>

• Refresh a client (this one is the client application's endpoint, not the config server's)
  • curl -X POST http://localhost:8080/refresh

The /encrypt and /decrypt endpoints hand plaintext to anyone who can reach them, so they must sit behind authentication (see Securing Config Server below); the same goes for the fetch endpoint, which returns the decrypted configuration.


Page 12: Implementing Config Server and Extending It


@RefreshScope


Page 13: Implementing Config Server and Extending It


@ConfigurationProperties

• Type safety

• Improved yml support

• Rebound automatically on refresh, no @RefreshScope needed on the bean

• Needs @EnableConfigurationProperties (or registering the class as a bean)


Page 14: Implementing Config Server and Extending It


DEMO


github.com/checketts/config-server-example

Page 15: Implementing Config Server and Extending It


Quiz: What kind of file is this?


Page 16: Implementing Config Server and Extending It


Quiz: What kind of file is this? (Hint)


Page 17: Implementing Config Server and Extending It


Simplified


Page 18: Implementing Config Server and Extending It


YML Files

• Simple to read

• Comments

• Long properties into multiline values

• Spring specific yaml


Page 19: Implementing Config Server and Extending It


YAML Multiline (the two forms shown on the slide are equivalent)


Page 20: Implementing Config Server and Extending It


YAML Validation

• Same technique as Spring (doesn't allow duplicate keys)

• Potential commit hook

• Reports all errors in all files
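An added example of the validator the slide describes (my sketch, not the speaker's Gradle task): it scans every file for a key that appears twice within the same block mapping, which Spring's YAML loader rejects and which many other parsers resolve silently by keeping one value, so the value a reviewer reads is not necessarily the one the service runs with. It is written in Go with the standard library only; it handles indentation-scoped block mappings, lists of mappings, comments and "---" document separators (a key may legitimately recur in each Spring profile document), but not flow style or literal block scalars. The sample files are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// scope is one block mapping: the column its keys start in and the keys seen.
type scope struct {
	indent int
	keys   map[string]bool
}

// mappingKey returns the key of a "key: value" or "key:" line, "" otherwise.
func mappingKey(content string) string {
	if strings.HasSuffix(content, ":") {
		return strings.TrimSpace(content[:len(content)-1])
	}
	if i := strings.Index(content, ": "); i >= 0 {
		return strings.TrimSpace(content[:i])
	}
	return ""
}

// validateFile reports keys repeated within one block mapping of a file. Flow
// style and literal block scalars are not parsed; a production hook should use
// a YAML library configured to reject duplicates, as Spring's loader does.
func validateFile(name, text string) []string {
	var errs []string
	var stack []*scope
	for n, raw := range strings.Split(text, "\n") {
		content := strings.TrimSpace(raw)
		if content == "" || strings.HasPrefix(content, "#") {
			continue
		}
		if content == "---" {
			stack = nil // new document: keys may repeat per profile document
			continue
		}
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		if strings.HasPrefix(content, "- ") {
			content, indent = strings.TrimSpace(content[2:]), indent+2
			for len(stack) > 0 && stack[len(stack)-1].indent >= indent {
				stack = stack[:len(stack)-1] // a new item closes the previous item's mapping
			}
		}
		key := mappingKey(content)
		if key == "" {
			continue
		}
		for len(stack) > 0 && stack[len(stack)-1].indent > indent {
			stack = stack[:len(stack)-1] // dedent ends the deeper mappings
		}
		if len(stack) == 0 || stack[len(stack)-1].indent < indent {
			stack = append(stack, &scope{indent: indent, keys: map[string]bool{}})
		}
		top := stack[len(stack)-1]
		if top.keys[key] {
			errs = append(errs, fmt.Sprintf("%s:%d: duplicate key %q", name, n+1, key))
		}
		top.keys[key] = true
	}
	return errs
}

// ValidateAll returns every error from every file together, so a commit hook
// can refuse the commit and show the whole list rather than the first hit.
func ValidateAll(files map[string]string) []string {
	var all []string
	for n, text := range files {
		all = append(all, validateFile(n, text)...)
	}
	return all
}

// SampleRepo is constructed content, not the speaker's repository.
var SampleRepo = map[string]string{
	"dev/myservice.yml": `datasource:
  url: jdbc:postgresql://db/dev
  username: app
  url: jdbc:postgresql://db/prod # one key, two values: the reviewer sees one, the app may use the other
`,
	"prod/myservice.yml": `spring:
  profiles: prod
endpoints:
  - name: health
  - name: info
---
spring:
  profiles: canary
`,
}

func main() {
	for _, e := range ValidateAll(SampleRepo) {
		fmt.Println(e)
	}
}
```

Run as a pre-commit hook, a non-empty result blocks the commit; because it collects every error in every file, one round trip is enough to fix the whole change set.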


Page 21: Implementing Config Server and Extending It


Source Control

• Traceability

• Pull Request/Code Reviews

• Comparison tools

• Flat files


Page 22: Implementing Config Server and Extending It


Config Server Communication with Repo


Client request -> Config Server -> Git Repo (remote)

Client request -> Config Server -> Git Repo (bare clone on the same machine)

Every request triggers a ‘git pull’ over the network.

I’ve begun placing the bare clone directly on the machine.

Page 23: Implementing Config Server and Extending It


Config Server Repository Layout

•Single repository for all teams (based on audit-ability)

•Sub-directory per ‘environment’ (profile)

• Search paths can force this directory structure
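An added configuration example for the layout above (mine, not the talk's or the demo repository's): a Git-backed server whose search path is the profile name, so a request for myservice with profile dev is served from dev/myservice.yml. The uri, basedir and directory names are assumptions; the file: scheme and the {profile} placeholder in search-paths are standard Spring Cloud Config Server settings.

```yaml
spring:
  cloud:
    config:
      server:
        git:
          # the bare clone kept on the config server host, so no network pull per request
          uri: file:///var/lib/config-repo.git
          # one sub-directory per environment: dev/, test/, prod/ ...
          search-paths: '{profile}'
          # where the server keeps its working checkout
          basedir: /var/lib/config-server/checkout
```

Because every client profile maps to a directory, a reviewer can see at a glance which environment a pull request touches, and the authorization rule described later (one role per environment) lines up with the repository layout.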


Page 24: Implementing Config Server and Extending It


Config Server Repository Branching

• Support service configuration by ‘label’

•Defaults to ‘master’, could be a branch or tag name

•We decided to keep it simple and always use master


Page 25: Implementing Config Server and Extending It


Key rotation

https://medium.com/built-to-adapt/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d#.8a3qb5ipi


Page 26: Implementing Config Server and Extending It


Extension: symmetric named keys

• {cipher}{key:env1_v1}773e94397d587…

• {cipher}{key:env1_v2}88ec77909876a…


Named keys are already supported, but only for keystore-backed (asymmetric, certificate) encryption. An extension is needed to support named symmetric keys, which is what makes rotation possible without re-encrypting every value in one atomic change.
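An added example (mine, not the speaker's extension) covering the Key rotation and symmetric named keys slides together: ciphertext carries the name of the key that produced it, {cipher}{key:env1_v1}…, so a key ring can hold env1_v1 and env1_v2 at once, decrypt old values with the old key, re-encrypt them under the new one, and retire the old key only when nothing references it any more. It is written in Go with standard-library AES-GCM rather than Spring Security's encryptor, and DemoKey, the key names and the sample value are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// KeyRing keeps symmetric keys by name so old and new keys coexist during a
// rotation; Current names the key used for new ciphertext.
type KeyRing struct {
	Keys    map[string][]byte
	Current string
}

// DemoKey derives a 32-byte AES key from a label. Demo only: real keys come
// from a secret store or a CSPRNG, never from a short label.
func DemoKey(label string) []byte {
	k := sha256.Sum256([]byte(label))
	return k[:]
}

// envelope matches the slide's {cipher}{key:<name>}<hex> form.
var envelope = regexp.MustCompile(`^\{cipher\}\{key:([^}]+)\}([0-9a-fA-F]+)$`)

func (r *KeyRing) aead(name string) (cipher.AEAD, error) {
	k, ok := r.Keys[name]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", name)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals under the current key (fresh nonce) and tags the value with that
// key's name; the name is also bound as associated data so it cannot be swapped.
func (r *KeyRing) Encrypt(plaintext string) (string, error) {
	g, err := r.aead(r.Current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.Seal(nonce, nonce, []byte(plaintext), []byte(r.Current))
	return fmt.Sprintf("{cipher}{key:%s}%s", r.Current, hex.EncodeToString(sealed)), nil
}

// Decrypt uses the key named in the envelope, so values written before a
// rotation still open until they have been re-encrypted.
func (r *KeyRing) Decrypt(value string) (string, error) {
	m := envelope.FindStringSubmatch(value)
	if m == nil {
		return "", fmt.Errorf("not a named-key cipher value")
	}
	g, err := r.aead(m[1])
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(m[2])
	if err != nil || len(raw) < g.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(m[1]))
	if err != nil {
		return "", fmt.Errorf("decryption failed")
	}
	return string(pt), nil
}

// Rotate re-encrypts every value under the current key; retire the old key
// only once KeyName reports no value still pointing at it.
func (r *KeyRing) Rotate(values map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(values))
	for k, v := range values {
		pt, err := r.Decrypt(v)
		if err != nil {
			return nil, fmt.Errorf("%s: %v", k, err)
		}
		if out[k], err = r.Encrypt(pt); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// KeyName returns the key an envelope names, or "" if it is not an envelope.
func KeyName(value string) string {
	if m := envelope.FindStringSubmatch(value); m != nil {
		return m[1]
	}
	return ""
}

func main() {
	ring := &KeyRing{Keys: map[string][]byte{"env1_v1": DemoKey("v1")}, Current: "env1_v1"}
	old, _ := ring.Encrypt("s3cret")
	ring.Keys["env1_v2"], ring.Current = DemoKey("v2"), "env1_v2" // add v2, keep v1 for reads
	rotated, err := ring.Rotate(map[string]string{"db.password": old})
	fmt.Println(KeyName(old), KeyName(rotated["db.password"]), err)
}
```

The rotation is a three-step change: add the new key and make it current, commit the re-encrypted values (the git history shows exactly which values changed and when), then remove the old key. A value without a key name, or naming a retired key, fails closed instead of being tried against every key.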

Page 27: Implementing Config Server and Extending It


JWT - Json Web Token

• Three base64url-encoded parts separated by dots: header, payload (the JSON claims) and signature

• eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjM2NjExMjYsImV4cCI6bnVsbCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsImFwcFNlcnZpY2UiOiJteXNlcnZpY2UiLCJhcHBFbnZpcm9ubWVudCI6ImRldiJ9.H60qYETNwOE6JLsMGJwxm8zPbLK5PI_V5wYcaI2Jd3M

• Decoded header: {"typ":"JWT","alg":"HS256"}

• Decoded payload: {"iss":"Online JWT Builder","iat":1463661126,"exp":null,"aud":"www.example.com","sub":"jrocket@example.com","appService":"myservice","appEnvironment":"dev"}

• Note the "exp":null: a token with no expiry is valid until the signing key changes, so issue short-lived tokens and verify the signature before trusting any claim


Page 28: Implementing Config Server and Extending It


Securing Config Server

• Leverage a token that encapsulates the application/environment

Then we can use Spring Security and leverage normal authorities:

ROLE_APP_SERVICE_MYSERVICE

ROLE_APP_ENVIRONMENT_DEV

Each request for /{name}/{profile}/{label} is then checked against both roles, so a token issued to myservice for dev cannot fetch another service's configuration or the prod profile of its own.
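An added example (mine, not the speaker's Spring Security configuration) of the flow the JWT and Securing Config Server slides describe: verify the HS256 signature and expiry before reading any claim, map appService/appEnvironment to the ROLE_APP_SERVICE_* and ROLE_APP_ENVIRONMENT_* authorities, and authorize a fetch of /{name}/{profile}/{label} only when both match. It is written in Go with the standard library; in a real deployment this is a Spring Security filter and the secret comes from a key store. The shared secret and the minted token are constructed for the example, and SignHS256 exists only so the example can mint its own token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims: the fields this demo uses; appService/appEnvironment are the custom claims from the talk.
type Claims struct {
	Exp            *int64 `json:"exp"`
	AppService     string `json:"appService"`
	AppEnvironment string `json:"appEnvironment"`
}

// SignHS256 mints a token for the demo; the real issuer lives outside the config server.
func SignHS256(c Claims, secret []byte) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	input := enc(map[string]string{"typ": "JWT", "alg": "HS256"}) + "." + enc(c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 pins the algorithm and checks the signature before any claim is
// read (rejecting "alg":"none" and key-confusion tokens), then enforces expiry.
// The slide's sample token has "exp": null; such a token is refused here.
func VerifyHS256(token string, secret []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), raw[2]) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Exp == nil || now.Unix() >= *c.Exp {
		return nil, errors.New("token expired or has no expiry")
	}
	return &c, nil
}

// Authorities maps the claims to Spring Security style role names.
func Authorities(c *Claims) []string {
	return []string{
		"ROLE_APP_SERVICE_" + strings.ToUpper(c.AppService),
		"ROLE_APP_ENVIRONMENT_" + strings.ToUpper(c.AppEnvironment),
	}
}

// Authorize gates GET /{name}/{profile}/{label}: the caller needs the role for
// that exact application and for every profile named (the server accepts a
// comma-separated profile list in the path). The label only selects the branch.
func Authorize(authorities []string, name, profile string) bool {
	have := map[string]bool{}
	for _, a := range authorities {
		have[a] = true
	}
	if !have["ROLE_APP_SERVICE_"+strings.ToUpper(name)] {
		return false
	}
	for _, p := range strings.Split(profile, ",") {
		if !have["ROLE_APP_ENVIRONMENT_"+strings.ToUpper(p)] {
			return false
		}
	}
	return true
}

func main() {
	secret := []byte("demo-shared-secret") // constructed for the demo
	exp := time.Now().Add(time.Hour).Unix()
	c, err := VerifyHS256(SignHS256(Claims{&exp, "myservice", "dev"}, secret), secret, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(Authorities(c), Authorize(Authorities(c), "myservice", "dev"), Authorize(Authorities(c), "other", "dev"))
}
```

The profile split matters because the fetch endpoint accepts "dev,prod" as a profile list: a check that compares the whole string would neither match nor fail safely by accident, so each profile is checked on its own.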

Page 29: Implementing Config Server and Extending It


Shared Config

• How to share configuration for multiple services?


Page 30: Implementing Config Server and Extending It


Extensions Summary

• Token based authentication/authorization (not really an extension, just Spring Security)

• Exposing what the latest commit SHA was

• Shared config support (devices)

• Refusing to expose encrypted values

• YML validation gradle task


Page 31: Implementing Config Server and Extending It


Temporary Extensions

• Pooled git repository for ‘performance’

• Locking encryption cipher/rotation


Page 32: Implementing Config Server and Extending It


Thanks! Questions?


@checketts github.com/checketts/config-server-example

(please rate this session)

Page 33: Implementing Config Server and Extending It


Image Credit - Creative Commons

• Gear with wrench - Gregor Črešnar - https://thenounproject.com/search/?q=config&i=159595

• Cloud with Gear - Nimal Raj - https://thenounproject.com/nimalraj/collection/cloud-computing/?oq=cloud%20computing&cidx=0

• Environment tree - Francesco Termini - https://thenounproject.com/search/?q=environment&i=14448

• Dump Truck - James Fenton - https://thenounproject.com/search/?q=dump&i=156859

• Letter W - Karyn Christner - https://flic.kr/p/z42aN

• Angry Face - https://thenounproject.com/search/?q=angry&i=440868
