1.0.6 • Published 6 years ago
hydra-env-secret v1.0.6
hydra-env-secret
Allow Hydra Microservice to read the secret (password, API key) in ENV variables. Nowadays, we often deploy the microservice in Docker container, or better Kubernetes cloud, the secrets usually pass to the container by ENV or mount to Kubernetes pods by secret ENV.
It will fallback to the hard-coded password in config.json if no ENV variable.
Usage
Installation
npm install -S hydra-env-secret
Configuration
config/k8s-config.json
{
"env_refs": ["hydra.redis.password"], // (1)
"environment": "development",
"hydra": {
"serviceName": "hydra-event-bus-service",
"serviceIP": "",
"servicePort": 0,
"serviceType": "hydra-event-bus",
"serviceDescription": "Provides the Event Bus for Hydra microservices",
"plugins": {
"logger": {
"logRequests": true,
"elasticsearch": {
"host": "elastic",
"port": 6379,
"index": "hydra"
}
}
},
"redis": {
"url": "redis",
"port": 6379,
"db": 15,
"password_ref": "REDIS_PASSWORD" // (2)
}
}
}
- 1 define the path to the field need to reference from ENV variable
- 2 ref field which exactly same as field name with
_ref
suffix
Changes in code
/*
* lib/config-helper.js
*/
const configWrapper = require('hydra-env-secret');
const initConfig = require('../config/config.json');
module.exports = configWrapper(initConfig);
/*
* main.js
*/
const configHelper = require('./lib/config-helper');
// config.init('./config/config.json') // Before
config.init(configHelper) // After
Dockerize your app
FROM node:8.7
# Create app directory
WORKDIR /usr/src/app
COPY package.json package-lock.json ./
COPY config/k8s-config.json config/config.json
RUN npm install --production
# Bundle app source
COPY . .
EXPOSE 3000
CMD [ "npm", "start" ]
Run it
docker run -e "REDIS_PASSWORD=someVeryLongPasswordToSecureYourRedis" khoinqq/hydra-event-bus-service:latest
After transform
{
"env_refs": ["hydra.redis.password"],
"environment": "development",
"hydra": {
"serviceName": "hydra-event-bus-service",
"serviceIP": "",
"servicePort": 0,
"serviceType": "hydra-event-bus",
"serviceDescription": "Provides the Event Bus for Hydra microservices",
"plugins": {
"logger": {
"logRequests": true,
"elasticsearch": {
"host": "elastic",
"port": 6379,
"index": "hydra"
}
}
},
"redis": {
"url": "redis",
"port": 6379,
"db": 15,
"password_ref": "REDIS_PASSWORD",
"password": "someVeryLongPasswordToSecureYourRedis"
}
}
}
Run on Kubernetes
# redis-secret.yaml
apiVersion: v1
data:
redis-password: c29tZVZlcnlMb25nUGFzc3dvcmRUb1NlY3VyZVlvdXJSZWRpcw== #1
kind: Secret
metadata:
name: redis
type: Opaque
# deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: hydra-event-bus-service
spec:
replicas: 1
template:
metadata:
labels:
app: hydra-event-bus-service
spec:
containers:
- name: hydra-event-bus-service
image: "khoinqq/hydra-event-bus-service:latest"
imagePullPolicy: Always
env:
- name: REDIS_PASSWORD #2
valueFrom:
secretKeyRef:
name: redis
key: redis-password #3
ports:
- containerPort: 3000
Deploy the pod
$ kubectl apply -f redis-secret.yaml
$ kubectl apply -f deployment.yaml
- 1 base64 encoded password
- 2 match the value of
password_ref
inconfig.json
- 3 match the key in
redis-secret.yaml
Done
Please note it will fallback to the hard-coded value, so you can define both password_ref
and password
contains the development. This way you can use the same file for your local development works.