Secrets & Config Management

Rierino stores infrastructure configuration and secrets outside its database storage, which allows them to be administered more flexibly and securely.

Configuration Management

Rierino's default deployment model uses ConfigMaps for storing infrastructure configuration details (such as system addresses, database connections). It is also possible to use a central KV management solution (e.g. etcd) for the same purpose.

Infrastructure Updates

All infrastructure related configuration is kept in the "properties" entry of the "global-config" ConfigMap of each related namespace (e.g. "admin-backend", "admin-gateway"). In case of a systems change (e.g. a server address or port update), the related property entries can be updated on these maps.

Most system configurations (such as the database URI) support automatic reconnection and reconnect commands, which means that once the updated ConfigMap contents reach the service pods, they automatically start using the new configuration. Note that Kubernetes propagates ConfigMap changes to mounted volumes only after a short delay, and values consumed as environment variables change only when the pod is restarted.

It is also possible to restart the deployments to force the configuration change to take effect immediately.

Version Upgrade

It is possible to upgrade the Rierino version used by each microservice separately. This can be achieved in 3 ways, depending on the deployed artifact and the preferred upgrade action:

  1. For runner deployments, it is possible to update the rierinoVersion parameter from the "Admin UI - Devops" application and redeploy from its action menu

  2. For runner and gateway deployments, it is possible to update the RIERINO_VERSION environment variable in the "[DEPLOYMENT_NAME]-config-env" ConfigMap of the respective namespace and restart the deployment, which will download and use the artifacts of the given version

  3. For UI deployments, it is possible to edit the deployment configuration to use a new container image with the required Rierino version

Environment Variables

Admin UI uses a predefined list of environment variables, stored in its environment ConfigMap and Secret, which can be customized to change its behavior. Credentials such as OPENAI_API_KEY belong in the Secret, not the ConfigMap. Variables with the NEXT_PUBLIC_ prefix are read on the client side and are therefore visible to every browser user, so nothing sensitive may be placed there. SCRIPT_URLS loads third-party scripts into the Admin UI page, so pin them to exact versions and prefer a host you control.

| Variable | Description | Default |
| --- | --- | --- |
| PASS_THRU | Whether Admin UI should act as a proxy for all API calls | false |
| RIERINO_MODE | Whether developer Apps & UIs should be enabled | dev |
| API_URL | Server-side URL for API calls | http://controller-gateway-gateway-admin-lb.admin-gateway.svc.cluster.local:443/api/ |
| NEXT_PUBLIC_API_URL | Client-side URL for API calls (when PASS_THRU=false) | https://[DOMAIN]/api/ |
| OPENAI_API_KEY | OpenAI API key for AI assistance | n/a |
| GPT_ASSISTANT_[type] | IDs of AI assistants to use for different UIs | n/a |
| DISABLE_COMPRESS | Whether content compression should be disabled in responses to the client | false |
| REFRESH_MS | Milliseconds between refreshes of cached language, icon and other lookups | 5000 |
| SCHEMA_CACHE_TTL | Seconds between refreshes of the data schema | 60 |
| DISABLE_SCHEMA_CACHE | Whether data schema caching should be disabled | false |
| LOCALES | List of locales users are allowed to switch between | enUS,trTR |
| DEFAULT_LOCALE | Default locale for users | enUS |
| SCRIPT_URLS | External script URLs to include for remote web components | https://cdn.jsdelivr.net/npm/@microsoft/fast-components/dist/fast-components.min.js |
| LANDING_PATH | Path to redirect users to from the Admin UI root URL (if not defined, the landing page is displayed) | /app/demo |
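The following check, added here as an example and not part of Rierino, reads KEY=VALUE lines (the format kubectl accepts with --from-env-file) before they are loaded into the Admin UI's environment ConfigMap or Secret and reports values that sit in the wrong place. The name patterns used to recognise a credential are an assumption, as is the sample file.

```shell
#!/bin/sh
# Added check, not part of Rierino. Audits an env file before it is loaded
# into the Admin UI's environment ConfigMap or Secret. The name patterns that
# count as "credential" are an assumption; extend them for your deployment.
set -eu

# Classify one variable name:
#   exposed - credential-like name with the NEXT_PUBLIC_ prefix (never acceptable)
#   public  - read on the client side, so visible to every browser user
#   secret  - credential, belongs in the Secret, never in the ConfigMap
#   config  - plain configuration
classify_env_key() {
  case $1 in
    NEXT_PUBLIC_*KEY*|NEXT_PUBLIC_*SECRET*|NEXT_PUBLIC_*PASSWORD*|NEXT_PUBLIC_*TOKEN*) echo exposed ;;
    NEXT_PUBLIC_*) echo public ;;
    *KEY*|*SECRET*|*PASSWORD*|*TOKEN*) echo secret ;;
    *) echo config ;;
  esac
}

# Audit an env file destined for $2 ("configmap" or "secret"); prints one line
# per variable and returns 1 if any value is in the wrong place.
audit_env_file() {
  file=$1 target=$2 status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    name=${line%%=*}
    class=$(classify_env_key "$name")
    case "$class:$target" in
      exposed:*)        echo "ERROR $name: credential-like name is shipped to the browser"; status=1 ;;
      secret:configmap) echo "ERROR $name: credentials belong in the Secret, not the ConfigMap"; status=1 ;;
      public:*)         echo "INFO  $name: client-side value, visible to browser users" ;;
      *)                echo "OK    $name ($class)" ;;
    esac
  done < "$file"
  return $status
}

# Constructed sample (not a real deployment's configuration): a ConfigMap env
# file that wrongly carries the OpenAI key and a browser-exposed token.
demo_audit() {
  f=$(mktemp)
  printf '%s\n' 'PASS_THRU=false' 'NEXT_PUBLIC_API_URL=https://admin.example.com/api/' \
    'OPENAI_API_KEY=sk-constructed-example' 'NEXT_PUBLIC_GPT_TOKEN=constructed' > "$f"
  if audit_env_file "$f" configmap; then result=0; else result=1; fi
  rm -f "$f"
  return $result
}

demo_audit || echo "audit failed, as expected for the sample"
```

Run it against the env file for each target before creating the ConfigMap or Secret from it; a non-zero exit blocks the load in a pipeline.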

Secrets Management

Rierino's default deployment model uses Secrets for storing credential details (such as database credentials, API keys). It is also possible to use a central vault solution (e.g. HashiCorp Vault) for the same purpose.

External System Credential Updates

It is possible to update credentials used for accessing external systems directly on those systems (such as changing username / password used for accessing MongoDB) using your company policies and procedures for credentials rotation.

Once a credential is updated on the external system, it should also be updated in the "properties" entry of the "global-secrets" Secret of each related namespace (e.g. "admin-backend").

As with infrastructure updates, updated credentials are picked up automatically on reconnection; it is also possible to restart the pods to force immediate use of the new credentials. To avoid failed reconnections, create the new credential on the external system first, update the Secret, and only then revoke the old credential.

When creating credentials on external systems, apply the least privilege principle when granting access to the related microservices: for example, a microservice responsible for reading product data should use a read-only database user whose access is limited to the relevant database.
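The procedures under "Infrastructure Updates", "Version Upgrade" and "External System Credential Updates" above all come down to editing one entry of a ConfigMap or Secret and letting the pods reconnect or restart. The script below is an added example, not Rierino's own tooling, that does this with kubectl. It assumes (the page does not say so) that the "properties" entries are Java-style key=value lines, that a deployment is named like the "[DEPLOYMENT_NAME]" prefix of its "-config-env" ConfigMap, and that kubectl is already authenticated; the property keys mongo.uri and mongo.password are placeholders.

```shell
#!/bin/sh
# Added example (not Rierino's own tooling) for the three procedures above.
# Assumptions not stated on the page: the "properties" entries are key=value
# lines, the deployment is named like the "[DEPLOYMENT_NAME]" prefix of its
# "-config-env" ConfigMap, and kubectl is already authenticated to the cluster.
set -eu

# Rewrite one key in a properties file: every other line (comments included)
# stays in place, a missing key is appended, a duplicated key collapses to one
# line. key/value travel via the environment, not awk -v, so backslashes in a
# value (e.g. Windows paths) are not interpreted as escape sequences.
set_property() {
  file=$1
  tmp=$(mktemp)
  key="$2" value="$3" awk '
    BEGIN { k = ENVIRON["key"]; v = ENVIRON["value"]; done = 0 }
    index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Infrastructure update: change one key of the "properties" entry in the
# namespace's global-config ConfigMap. "create --dry-run=client | apply"
# re-encodes the multi-line value, so no hand-written JSON patch is needed.
update_infra_property() {
  ns=$1 key=$2 value=$3
  tmp=$(mktemp)
  kubectl get configmap global-config -n "$ns" -o jsonpath='{.data.properties}' > "$tmp"
  set_property "$tmp" "$key" "$value"
  kubectl create configmap global-config -n "$ns" --from-file=properties="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$tmp"
}

# Credential rotation: same flow for the global-secrets Secret. Secret data is
# base64-encoded, so decode on the way out; kubectl encodes on the way back in.
# mktemp creates the plaintext copy with mode 0600 and it is removed right after.
update_secret_property() {
  ns=$1 key=$2 value=$3
  tmp=$(mktemp)
  kubectl get secret global-secrets -n "$ns" -o jsonpath='{.data.properties}' \
    | base64 --decode > "$tmp"
  set_property "$tmp" "$key" "$value"
  kubectl create secret generic global-secrets -n "$ns" --from-file=properties="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$tmp"
}

# Version upgrade (way 2 above): RIERINO_VERSION is a single key, so a JSON
# merge patch is enough. The version string is validated first so that a
# quote or backslash cannot break out of the JSON document.
version_patch_json() {
  case $1 in
    ""|*[!A-Za-z0-9._-]*) echo "invalid version string: '$1'" >&2; return 1 ;;
  esac
  printf '{"data":{"RIERINO_VERSION":"%s"}}' "$1"
}

upgrade_version() {
  ns=$1 deployment=$2 version=$3
  patch=$(version_patch_json "$version")
  kubectl patch configmap "$deployment-config-env" -n "$ns" --type merge -p "$patch"
  # env values from a ConfigMap are read at pod start, so the restart is required
  kubectl rollout restart deployment "$deployment" -n "$ns"
  kubectl rollout status deployment "$deployment" -n "$ns"
}

# Offline demonstration on a constructed properties file (not real Rierino
# configuration). The cluster functions run only when APPLY_TO_CLUSTER=1.
demo_set_property() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample' 'mongo.uri=mongodb://old-host:27017/rierino' \
    'kafka.servers=kafka:9092' > "$f"
  set_property "$f" mongo.uri 'mongodb://new-host:27017/rierino'
  set_property "$f" cache.ttl 30
  cat "$f"
  rm -f "$f"
}

if [ "${APPLY_TO_CLUSTER:-0}" = 1 ]; then
  update_infra_property admin-backend mongo.uri "$NEW_MONGO_URI"            # key names assumed
  update_secret_property admin-backend mongo.password "$NEW_MONGO_PASSWORD"
  upgrade_version admin-gateway controller-gateway "$NEW_VERSION"
else
  demo_set_property
fi
```

Run it without APPLY_TO_CLUSTER to see the property rewrite on the sample file; with APPLY_TO_CLUSTER=1 and the three variables set it performs the real updates, after which the pods reconnect (ConfigMap and Secret changes) or are restarted (version change) as described above.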

Rierino Token Key Updates

Rierino API gateways use keys for the JWT tokens they issue; these keys can be updated simply by modifying the gateway token configuration in the "Admin UI - Devops" application. Changing the keys automatically invalidates all currently active access tokens, so schedule the change for a time when forcing every user to sign in again is acceptable.

Artifact Credentials Change

In case the credentials for accessing Rierino artifacts (e.g. GitHub tokens) change, they must be updated in the following secrets in each namespace:

  1. The ".dockerconfigjson" entry of the "global-secrets-docker" secret, which is used for pulling the docker images at deployment time.

  2. The MAVEN_USER and MAVEN_PASSWORD environment variable entries of the "global-secrets-env" secret, which are used for accessing Maven artifacts at deployment time.
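An added example, not Rierino tooling, that rotates both artifact credentials in every namespace in one pass. The registry host (ghcr.io), the use of the same GitHub token for images and Maven artifacts, and the namespace list are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example (not Rierino tooling) that rotates the two artifact credentials
# above in every namespace at once. The registry host and the namespace names
# are assumptions used as placeholders; replace them with your own.
set -eu

# Reject values that would break out of the JSON documents built below.
json_safe() {
  case $1 in *'"'*|*'\'*) echo "value contains a quote or backslash" >&2; return 1 ;; esac
}

# The .dockerconfigjson document kubectl generates for a docker-registry
# secret: {"auths":{"<host>":{"username","password","auth"}}}, where auth is
# base64("<user>:<password>"). Handy for checking what the existing secret holds.
docker_config_json() {
  host=$1 user=$2 pass=$3
  json_safe "$host" || return 1
  json_safe "$user" || return 1
  json_safe "$pass" || return 1
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$host" "$user" "$pass" "$auth"
}

# Merge patch for global-secrets-env; stringData lets the API server do the
# base64 encoding and overwrites only these two keys.
maven_patch_json() {
  json_safe "$1" || return 1
  json_safe "$2" || return 1
  printf '{"stringData":{"MAVEN_USER":"%s","MAVEN_PASSWORD":"%s"}}' "$1" "$2"
}

# Apply both updates to each namespace given after the five credential values.
rotate_artifact_credentials() {
  registry=$1 reg_user=$2 reg_pass=$3 mvn_user=$4 mvn_pass=$5
  shift 5
  mvn_patch=$(maven_patch_json "$mvn_user" "$mvn_pass")
  for ns in "$@"; do
    # 1. image pull credentials (".dockerconfigjson" in global-secrets-docker)
    kubectl create secret docker-registry global-secrets-docker -n "$ns" \
      --docker-server="$registry" --docker-username="$reg_user" \
      --docker-password="$reg_pass" --dry-run=client -o yaml | kubectl apply -f -
    # 2. Maven credentials (MAVEN_USER / MAVEN_PASSWORD in global-secrets-env)
    kubectl patch secret global-secrets-env -n "$ns" --type merge -p "$mvn_patch"
  done
}

# To inspect the current pull secret before rotating (decode locally; do not
# paste the output into a shared terminal):
#   kubectl get secret global-secrets-docker -n admin-backend \
#     -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode

if [ "${APPLY_TO_CLUSTER:-0}" = 1 ]; then
  # namespaces taken from the examples on this page; extend to all of yours
  rotate_artifact_credentials ghcr.io "$GH_USER" "$GH_TOKEN" "$GH_USER" "$GH_TOKEN" \
    admin-backend admin-gateway
fi
```

The new pull secret is used at the next image pull and the Maven credentials at the next deployment, so a running pod is not affected until it is redeployed; revoke the old token only after every namespace has been updated.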
