- Externalized config server & client with built-in encryption for microservices architecture: https://microservices.io/patterns/externalized-configuration.html
-
Architecture:
- Storage engine: redis, mongodb, dynamodb or filesystem
- remote-config-server: https://hub.docker.com/r/imageswjsc/remote-config-server
- remote-config-client for nodejs: https://www.npmjs.com/package/@wjsc/remote-config-client
- remote-config-client for Command line interface(CLI)
-
The remote-config server stores remote-configs with this structure:
- namespace
- key
- value
-
Every remote-config stored has client side encryption with asymetric keys.
-
value is encrypted with public key and it's only accesible by the remote-config owner
docker run --name remote-config-db-redis -p6379:6379 -d redis
- You can ignore this step if no authentication is required
wget https://github.com/square/certstrap/releases/download/v1.1.1/certstrap-v1.1.1-linux-amd64
mv certstrap-v1.1.1-linux-amd64 certstrap
chmod +x certstrap
certstrap init --organization "ca" --common-name "ca"
certstrap request-cert --common-name "server" --domain "localhost"
certstrap sign --CA ca "server"
certstrap request-cert --common-name "client"
certstrap sign --CA ca "client"
cp ./out/ca.crt ./server/certs
cp ./out/server* ./server/certs
cp ./out/ca.crt ./client/cli/certs
cp ./out/client* ./client/cli/certs
- If no authentication is required, remove CA_CERT_PATH, KEY_PATH & CERT_PATH from command
docker run -p3000:3000 \
-e STORAGE=redis \
-e DATABASE_HOST=host.docker.internal \
-e DATABASE_PORT=6379 \
-e HOST=0.0.0.0 \
-e PORT=3000 \
-v $PWD/certs:/home/node/certs/ \
-e CA_CERT_PATH=/home/node/certs/ca.crt \
-e KEY_PATH=/home/node/certs/server.key \
-e CERT_PATH=/home/node/certs/server.crt \
--name remote-config-server-redis \
-d imageswjsc/remote-config-server
cd ./client/cli
npm i
cd ./client/cli
node set_config.js -r certs/client.key -l certs/client.crt -a certs/ca.crt -n ns1 -k key1 -h localhost:3000
// The CLI will prompt for value
// output: { namespace: 'ns1', key: 'key1', value: 'value1' }
node get_config.js -r certs/client.key -l certs/client.crt -a certs/ca.crt -n ns1 -k key1 -h localhost:3000
// output: { namespace: 'ns1', key: 'key1', value: 'value1' }
cd ./client/cli
node set_config.js -r certs/client.key -l certs/client.crt -a certs/ca.crt -n ns2 -k key2 -h localhost:3000 -x
// The CLI will prompt for value
// output: { namespace: 'ns2', key: 'key2', value: 'value2' }
node get_config.js -r certs/client.key -l certs/client.crt -a certs/ca.crt -n ns2 -k key2 -h localhost:3000 -x
// output: { namespace: 'ns2', key: 'key2', value: 'value2' }
node get_config.js --help
Usage: get_config [options]
Options:
-x, --share Do not encrypt value
-r, --private <path> Client private key path
-l, --clientcert <path> Client Certificate path
-a, --cacert <path> CA Certificate path
-n, --namespace <namespace> Config namespace
-k, --key <key> Config key
-h, --host <value> Remote config server ip:port
--help display help for command
node set_config.js --help
Usage: set_config [options]
Options:
-x, --share Do not encrypt value
-r, --private <path> Client private key path
-l, --clientcert <path> Client Certificate path
-a, --cacert <path> CA Certificate path
-n, --namespace <namespace> Config namespace
-k, --key <key> Config key
-h, --host <value> Remote config server ip:port
--help display help for command
docker run -p3000:3000 \
-e STORAGE=filesystem \
-v $PWD/data:/home/node/.storage \
-e HOST=0.0.0.0 \
-e PORT=3000 \
--name remote-config-server-fs \
-v $PWD/certs:/home/node/certs/ \
-e CA_CERT_PATH=/home/node/certs/ca.crt \
-e KEY_PATH=/home/node/certs/server.key \
-e CERT_PATH=/home/node/certs/server.crt \
-d imageswjsc/remote-config-server
docker run --name remote-config-db-mongodb -p27017:27017 -d mongo
docker run -p3000:3000 \
-e STORAGE=mongodb \
-e DATABASE_HOST=host.docker.internal \
-e DATABASE_PORT=27017 \
-e DATABASE_NAME=remote-config-storage \
-e DATABASE_COLLECTION=remote-config-collection \
-e HOST=0.0.0.0 \
-e PORT=3000 \
-v $PWD/certs:/home/node/certs/ \
-e CA_CERT_PATH=/home/node/certs/ca.crt \
-e KEY_PATH=/home/node/certs/server.key \
-e CERT_PATH=/home/node/certs/server.crt \
--name remote-config-server-mongodb \
-d imageswjsc/remote-config-server
docker run --name remote-config-db-dynamodb -p8000:8000 -d amazon/dynamodb-local
docker run -p3000:3000 \
-e STORAGE=dynamodb \
-e AWS_REGION=us-east-1 \
-e DYNAMODB_ENDPOINT=http://localhost:8000 \
-e DATABASE_TABLENAME=remote-config-storage \
-e DYNAMODB_CAPACITY_READ=5 \
-e DYNAMODB_CAPACITY_WRITE=5 \
-e HOST=0.0.0.0 \
-e PORT=3000 \
-v $PWD/certs:/home/node/certs/ \
-e CA_CERT_PATH=/home/node/certs/ca.crt \
-e KEY_PATH=/home/node/certs/server.key \
-e CERT_PATH=/home/node/certs/server.crt \
--name remote-config-server-dynamodb \
-d imageswjsc/remote-config-server
STORAGE: Storage engine. Redis OR mongodb OR filesystem
DATABASE_HOST: Database connection endpoint
DATABASE_PORT: Database connection port
DATABASE_NAME: Database name
DATABASE_COLLECTION: Optional. Only when using mongodb as storage engine.
HOST: Server binding IP
PORT: Server binding port
CA_CERT_PATH: Optional. Certificate authority certificate path for SSL/TLS authentication. This file must be mounted.
KEY_PATH: Optional. Server private key path for SSL/TLS authentication. This file must be mounted.
CERT_PATH: Optional. Server certificate path for SSL/TLS authentication. This file must be mounted.
IGNORE_CLIENT_CERT: Ignore client certificate, only authenticate server.
AWS_REGION: Optional. Region for dynamodb.
AWS_ENDPOINT: Optional. Endpoint for dynamodb service
AWS_ACCESS_KEY_ID: Optional. Only for dynamodb.
AWS_SECRET_ACCESS_KEY: Optional. Only for dynamodb.
DATABASE_TABLENAME: Optional. Only for dynamodb.
DYNAMODB_CAPACITY_READ: Optional. Only for dynamodb.
DYNAMODB_CAPACITY_WRITE: Optional. Only for dynamodb.
/// If CA_CERT_PATH, KEY_PATH & CERT_PATH are not defined, the server can run in insecure mode