[LRUG] Config

Wed Feb 27 06:01:20 PST 2019

I think using ENV variable even in big applications is fine, but I would
put my attention on how you set up and load them. The first distinction to
make is if it is sensitive data or not, if the data is sensitive you have
to store it in something like Vault (secrets management). For config coming
from users, I would put it in a service like AWS Secrets Manager or AWS
Config.

The way you set up and deliver your config depends on the infrastructure
you are using, although you could use some custom Ruby code or gem as
others have already mentioned.

Some secret management tools:
1. Vault, not easy to configure but can store many different types of data,
including temporary SSH key to access servers.
2. SOPS (https://github.com/mozilla/sops) can encrypt YAML files but it
encrypts only the value and not the key, so it shows the data structure of
the config file. It is integrated with several cloud providers (like AWS
KMS) and PGP. It is often used with Kubernetes.
3, Chef encrypted data bags.
4. Ansible vault.
5. Kubernetes secrets.
6. Google Cloud KMS.
7. AWS Secrets Manager.

It is a very good idea that the app should fail to start if a config value
is not present. Having a schema with the name of the expected keys and
their type is even better, so I would use an equivalent of
https://clojure.org/about/spec to validate the config.

On Wed, 27 Feb 2019 at 13:14, Mark Blackman <mark at blackmans.org> wrote:

>
>
> On 27 Feb 2019, at 10:52, Patrick Gleeson <patrick.c.gleeson at gmail.com>
> wrote:
>
> Hi LRUG,
>
> After the awesome discussion on 'Continuous *' back in January, I wondered
> if this might be a place to ask another broad question I've been mulling
> for a while now.
>
> According to the 12 factor app (https://12factor.net/config) we should
> store our config in environment variables, and in Ruby that means we access
> it via ENV. I get the benefit of orthogonal config, but ENV always ends up
> feeling pretty unsatisfactory to me for config-heavy apps, for the
> following reasons:
>
> (1) No easy way of seeing for any app what config needs to be set
> (cmd-shift-F 'ENV' anyone?)
> (2) Everything is stringly typed (How many times have I forgotten that
> 'false' is truthy? And what if a config var is going to be, say, either an
> array of integers or null? "&.split(',')&.map(:to_i)" is not my favourite
> thing.)
> (3) No single place to put sensible defaults if an environment variable
> not set
> (4) No namespacing or grouping except by prefixes
> (5) No protection from typos when reading env vars
> (6) Or when writing them
> (7) No fine-grained access control to env vars (occasionally useful if
> someone semi-technical wants direct control over something set in config
> but you don't want them touching the database credentials)
> (8) Depending on where you deploy to, your UI for reading and writing env
> vars may be better or worse
> (9) Depending on where you deploy to, your mechanism for cloning an
> environment's vars may be better or worse
> (10) No revision history ("Hey Patrick, can we go back to using that
> redirect we were using last week?")
>
> For 1 - 5 I normally end up writing a wrapper around ENV with a little DSL
> to define the keys the app uses, so that I end up with file with a list of
> things like:
>
> namespace :fulfilment_centre do
>   set :hours_of_operation, type: :integer, array: true, default: [9,17]
> end
>
> And then I can call Config.fulfilment_centre.hours_of_operation with some
> confidence
>
> But I don't really know how best to get round 6 - 10. I sort of feel like
> I want a Config-as-a-Service platform with web/RESTful interfaces for
> defining environments and their config, so that my apps can pull in config
> on deploy. Does something like that exist? Or (more likely, I would
> imagine) do I want the wrong thing? And if so why?
>
> Any thoughts welcome!
>
>
> I agree that env variables are inappropriate for large/nested
> configuration. If you need more than a handful of non-optional
> configuration items, then the environment variable should just refer to a
> location, usually a file, often yaml, where the full configuration is
> specified
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>

-- 
Riccardo Tacconi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20190227/6854bb3f/attachment-0001.html>