[cf-dev] Variable Substitution in manifest.yml #

[cf-dev] Variable Substitution in manifest.yml #

kvemula15
Hi CF Team,
I was exploring variable substitution in manifest.yml: https://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html#variable-substitution
I see there is a vars.yml that can be used to specify the values of app manifest.
Now if I have various environments, say Dev, stage and prod, then do I have to create three different vars.yml files for each environment, like var-dev.yml, var-stage.yml and var-prod.yml, and read values from there during cf push?
Appreciate your leads and advice on this.
Rgds,
Karthik.

Re: [cf-dev] Variable Substitution in manifest.yml #

Josh Long
If the CF CLI doesn't support environment variables, it would be really wonderful if the file would consider environment variables. It would be more in line with the 12 factor manifesto, it would discourage people from keeping secrets in `yml` files unencrypted on disk. It would also be easier to use than creating a config file. That way people can source the env variable from features in the CI services like Travis env to encrypt variables, or they could be resolved by looking up the value from something like HashiCorp Vault, all through simple environment variable use. No odd code required to write data to a `.yml` file.

On Mon, Jul 23, 2018 at 10:40 AM <[hidden email]> wrote:
Hi CF Team,
I was exploring variable substitution in manifest.yml: https://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html#variable-substitution
I see there is a vars.yml that can be used to specify the values of app manifest.
Now if I have various environments, say Dev, stage and prod, then do I have to create three different vars.yml files for each environment, like var-dev.yml, var-stage.yml and var-prod.yml, and read values from there during cf push?
Appreciate your leads and advice on this.
Rgds,
Karthik.

Re: [cf-dev] Variable Substitution in manifest.yml #

Dr Nic Williams
Yes that sounds right - or if you’re deploying in CI then your CI pipeline would create the vars.yml file for each diff target/stage.

Nic

 

From: 30111352660n behalf of
Sent: Tuesday, July 24, 2018 5:36 am
To: [hidden email]
Subject: Re: [cf-dev] Variable Substitution in manifest.yml #
 
If the CF CLI doesn't support environment variables, it would be really wonderful if the file would consider environment variables. It would be more in line with the 12 factor manifesto, it would discourage people from keeping secrets in `yml` files unencrypted on disk. It would also be easier to use than creating a config file. That way people can source the env variable from features in the CI services like Travis env to encrypt variables, or they could be resolved by looking up the value from something like HashiCorp Vault, all through simple environment variable use. No odd code required to write data to a `.yml` file.

On Mon, Jul 23, 2018 at 10:40 AM <[hidden email]> wrote:
Hi CF Team,
I was exploring variable substitution in manifest.yml: https://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html#variable-substitution
I see there is a vars.yml that can be used to specify the values of app manifest.
Now if I have various environments, say Dev, stage and prod, then do I have to create three different vars.yml files for each environment, like var-dev.yml, var-stage.yml and var-prod.yml, and read values from there during cf push?
Appreciate your leads and advice on this.
Rgds,
Karthik.
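
The approach discussed above, where the CI job creates the vars file for each target stage, as an added example that is not part of the thread or of any poster's pipeline. It assumes the CI secret store exports each value as `VARS_<STAGE>_<key>` and that `manifest.yml` refers to it as `((key))`; that naming scheme and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: render a short-lived vars file in CI.
# Assumption: the CI secret store exports values as VARS_<STAGE>_<key>
# (hypothetical naming), and manifest.yml refers to them as ((key)).

NL='
'

# write_vars_file STAGE OUTFILE KEY...   (fails closed on any bad input)
write_vars_file() {
    stage=$1 out=$2
    shift 2
    case $stage in ''|*[!A-Z0-9_]*) echo "bad stage: $stage" >&2; return 1 ;; esac
    : > "$out" || return 1
    for key in "$@"; do
        # Only identifier characters may reach eval below.
        case $key in ''|*[!A-Za-z0-9_]*) echo "bad key: $key" >&2; return 1 ;; esac
        eval "val=\${VARS_${stage}_${key}-}"
        [ -n "$val" ] || { echo "missing VARS_${stage}_${key}" >&2; return 1; }
        case $val in *"$NL"*) echo "multi-line value: $key" >&2; return 1 ;; esac
        # Escape backslash and double quote for a YAML double-quoted scalar.
        esc=$(printf '%s' "$val" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf '%s: "%s"\n' "$key" "$esc" >> "$out"
    done
}

# deploy STAGE KEY...   e.g. deploy PROD db_password api_host
deploy() {
    stage=$1
    shift
    vars=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    trap 'rm -f "$vars"; exit 1' INT TERM
    write_vars_file "$stage" "$vars" "$@" &&
        cf push -f manifest.yml --vars-file "$vars"
    rc=$?
    rm -f "$vars"                       # never leave the rendered secrets on disk
    trap - INT TERM
    return $rc
}
```

In a CI job the shell step would call, for example, `deploy PROD db_password api_host`, with the values bound from the job's credential store rather than from a file kept in the repository.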

Re: [cf-dev] Variable Substitution in manifest.yml #

kvemula15
Hi Nic,
Thank you for confirming. Can you point me to any examples/links on the web of how it could be done in CI, like in the Jenkins world, for the file creation that you were talking of?
Rgds,
Karthik.

Re: [cf-dev] Variable Substitution in manifest.yml #

Lingesh Mouleeshwaran
Hello Karthi, 

We also got rid of all secrets managed in *.yml files and moved all secrets to Vault, and we have a simple jar which is embedded into the Spring/Spring Boot war.

For example, the entry below is sufficient for any web application in manifest.yml, and we have made it a Vault orphan token with a lifetime of 10 years.

env:
    JAVA_OPTS:  -Dspring.application.name="<<Vault secret path>>" -Dspring.cloud.vault.token=000-000-00000000-00 


Spring dependency entry:

The entries below are required for any web application to embed your Vault client jar.

<dependency>
    <groupId>com.config.vault</groupId>
    <artifactId>vault-java</artifactId>
    <version>1.0.0</version>
</dependency>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <!-- this file will have details about your propertyplaceholder logic -->
    <param-value>
        classpath*:/spring-vault-conf.xml
    </param-value>
</context-param>

Your Vault client can be a subclass of PropertyPlaceholderConfigurer, and you can override the method below to read from Vault and populate the system ENVs.

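/**
 * {@inheritDoc}
 * @throws IOException
 */
@Override
protected void loadProperties(Properties properties) throws IOException {
    // Load the configured property files first, then overlay the values read from Vault.
    super.loadProperties(properties);
    properties.putAll(vaultResource.read());
}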

Hope this gives you some context on what you're looking for. Additionally, even if you go via Jenkins/Travis services, secrets are still exposed as environment variables; anyone is able to look at the secrets via cf env.

Regards
Lingesh M

On Tue, Jul 24, 2018 at 2:29 PM, <[hidden email]> wrote:
Hi Nic,
Thank you for confirming. Can you point me to any examples/links on the web of how it could be done in CI, like in the Jenkins world, for the file creation that you were talking of?
Rgds,
Karthik.

