CloudOps for Kubernetes

2.10.x

Injecting Commerce Configuration at Runtime

Overview

Self Managed Commerce Docker images support injecting commerce configuration at runtime of the containers. This is useful when:

  • Deploying production environments where the configuration must be kept secret and is not to be committed into the Self Managed Commerce codebase
  • Overriding the configuration set in the Self Managed Commerce codebase

This method of injecting configuration is secured using Git repositories, Gnu Privacy Guard (GPG) keys and git-crypt.

Note: You must be familiar with Self Managed Commerce configuration in the deployment package. For more information about the configuration in the deployment package, see Self Managed Commerce Configuration. For more information about environment configuration, see Environment Specific Configuration.

Additional setup is required to use this functionality, including the following tasks:

  • Creating a new Git repository containing configuration that will be injected
  • Creating a new Secure Shell (SSH) key that is used for cloning the repository
  • Creating a new GPG key that is used for encrypting the repository
  • Encrypting the Git repository using git-crypt
  • Noting the public host key of the server hosting the new Git repository

Pre-requisites

  • Ensure that you install the following tools on your local workstation:

Creating the Git repository

  1. Create a new Git repository

    Note: If you can use the same Git repository hosting service that you use to host the CloudOps for Kubernetes repositories.

  2. Create a new SSH key-pair. Authorize the key-pair under a utility account to clone the newly created repository.

    Note: Password protected SSH keys are not supported.

Encrypting the repository

  1. Clone the Git repository that you created in the Creating the Git repository section.

  2. Run the following command to initialize the repository with git-crypt:

    git-crypt init

  3. Create a .gitattributes file in the repository with the following contents:

    * filter=git-crypt diff=git-crypt
.gitattributes !filter !diff

    Note: This Git attributes file will configure git-crypt to encrypt everything in the repository. To configure git-crypt differently, see the git-crypt documentation.

  4. Add and commit the .gitattributes file.

  5. Run the following command to create a new GPG key pair:

    gpg --gen-key

    Note: Password protected GPG keys are not supported. Additionally, we recommend using a long-term utility account email instead of a personal email.

  6. Run the following command to authorize the GPG key to unlock the repository:

    git-crypt add-gpg-user $ID

    Note: Replace $ID with the ID of the GPG key from step 5.

  7. Run the following command to export the private GPG key to a local unencrypted directory:

    gpg --export-secret-keys -a $ID > /path/to/unencrypted/directory/my-private-key.asc

    Note: Replace $ID with the ID of the GPG key from step 5

Adding Self Managed Commerce Configuration

  1. Add Self Managed Commerce configuration to the repository in the same format as Commerce configuration in the deployment package.

    Note: For the configuration to be copied during the deployment, ensure that your environment folder follows this directory format.

    ${env-name}
   files
      ...
   ...

    You can include multiple configuration sets in the repository. The following example is a production configuration containing certificates and other secret information:

    prod-author
   files
      conf
         secure
            author-certificate-1.p12
            author-certificate-2.p12
   secure-filtering.properties

prod-live
   files
      conf
         secure
            live-certificate-1.p12
            live-certificate-2.p12
   secure-filtering.properties

  2. Add and commit the configuration files.

  3. Run git-crypt status to validate the files are encrypted correctly.

    The output of the command will look similar to the following example:

    $ git-crypt status
not encrypted: .git-crypt/.gitattributes
not encrypted: .git-crypt/keys/default/0/6E34CFEF60D34EAD74735515634491886294C9C3.gpg
not encrypted: .gitattributes
    encrypted: prod-author/files/conf/ep.properties
    encrypted: prod-author/filtering.properties
    encrypted: prod-live/data-population.properties
    encrypted: prod-live/files/conf/cache/ehcache-2-seconds.xml
    encrypted: prod-live/files/conf/cortex/jwtTokenStrategy.config
    encrypted: prod-live/files/conf/ep.properties
    encrypted: prod-live/filtering.properties

Creating the GPG and SSH Key Secrets

  1. Copy the contents of the private GPG key created in the Encrypting the repository section.

    The contents will start and end with the following lines:

    ----BEGIN PGP PRIVATE KEY BLOCK-----

<redacted>

-----END PGP PRIVATE KEY BLOCK-----

  2. Create a Jenkins SSH key credential with the GPG key.

  3. Repeat steps 1 to 2 with the private SSH key created in the Creating the Git repository section.

Finding the public host key

  1. Identify the hostname of the Git repository hosting service that you are using.

    Some common hosting services include:

    • github.elasticpath.net
    • github.com
    • gitlab.com
    • bitbucket.org

  2. Run ssh-keyscan to fetch the public host key of the server.

    $ ssh-keyscan github.com 2> /dev/null
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

  3. Run the following command to generate the public fingerprint using the public key featched using ssh-keyscan

    $ ssh-keyscan github.com 2> /dev/null | ssh-keygen -lf -
2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)

  4. Compare the fingerprint with the Git hosting service documentation to validate that you have the correct public host key.

    The following documentation links are for common hosting services containing fingerprints:

Sample Jenkins parameters

When running the Jenkins job deploy-or-delete-commerce-stack and following the examples in this section, the values for the Jenkins parameters required for injecting configuration are:

  • epEnvironment is the name of the environment folder in your configuration repository.
  • EP_COMMERCE_CONFIG_REPO is the SSH URL to the newly created Git repository.
  • EP_COMMERCE_CONFIG_GPG_KEY is the GPG Jenkins SSH key credential that you created in the Creating the GPG and SSH Key Secrets section.
  • EP_COMMERCE_CONFIG_SSH_KEY is the SSH Jenkins SSH key credential that you created in the Creating the GPG and SSH Key Secrets section.
  • EP_COMMERCE_CONFIG_HOST_KEY is the host key that you validated in the Finding the public host key section.

Configuration Source Priority

Use the following steps to ensure that configuration for an environment is constructed correctly:

  1. Files are copied from the default configuration folder in the Self Managed Commerce code

  2. Files are copied from an environment specific configuration folder in the Elastic Path Commerce code if one exists. For example, for prod-live, ensure that any duplicate files are overwritten.

  3. Files are copied from an environment-specific configuration folder in an encrypted Git repository. For example, for prod-live, ensure that any duplicate files are overwritten.

The environment specific configuration folder is set in the Docker container by the environment variable epEnvironment.

Last updated on 7/31/2024
Update Self Managed CommerceNext