From 404da7e72e9e68c7fceb24517cc051555d249457 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Fri, 9 Jun 2023 10:02:33 +0300 Subject: Update issue on configs --- issues/CI-CD/configurations.gmi | 39 +++++++++++++-------------------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/issues/CI-CD/configurations.gmi b/issues/CI-CD/configurations.gmi index 556b6f1..54cea47 100644 --- a/issues/CI-CD/configurations.gmi +++ b/issues/CI-CD/configurations.gmi 
@@ -19,35 +19,22 @@ There are configurations that change depending on the environment that one runs Some of these, e.g. `OAUTH2_CLIENT_SECRET` are sensitive data that should not be exposed to the public. -I propose, therefore that we provide, say, a -``` -... --share=/path/to/configs/directory/ -``` -from where the applications in the container can read their configurations from. The config file(s) in the directory can then contain relevant settings for the environment where the container is run. +------------------------------ -The applications (gn2, gn3, qc-app, etc) can then be pointed to the relevant config files in their g-exps: e.g. - -Instead of -=> https://github.com/genenetwork/genenetwork-machines/blob/67d3f5dc46422c6b1812547109680c147fdde341/genenetwork-development.scm#L317-L318 using the defaults that are overridden -we could have the code do something like: +We could have different values for the configurations depending on the host saved, say at the top of "genenetwork-machines/genenetwork-development.scm", in some hash table or association list indexed into using the host. +The values for the host can be retrieved with something like: ``` -... - -(define %configs-dir "/export/data/configs") - -... - - (with-directory-excursion "genenetwork2" - (invoke #$(file-append bash "/bin/sh") - "bin/genenetwork2" - #$(file-append %configs-dir "/gn2_config.conf") - "-gunicorn-prod")) +(define (hostnames-all-fqdns) + "Retrieve all the hostnames defined in /etc/hosts" + (sethostent) + (let hnames ((hostobj (gethostent)) (thehosts (list))) + (if (not (eq? hostobj #f)) + (hnames (gethostent) (append thehosts (list (hostent:name hostobj)))) + thehosts))) ``` -where file `/export/data/configs/gn2_config.conf` holds the configurations for the application in the environment where the guix system container is run. +and at least one of the values other than "localhost" is used to determine the configuration values to load from the storage for that host. 
-Something similar can be done for GN3, where `GN3_CONF` can be set to something like: +The secrets (e.g. SECRET_KEY, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, etc) can be encrypted and stored in some secrets management system (e.g. Pass [https://www.passwordstore.org/] etc.) setup in each relevant host: better yet, have all configurations (secret or otherwise) encrypted and stored in such a secrets management system and fetch them from there. This reduces the mental overhead of dealing with multiple places to fetch the configs. -``` -#$(file-append %configs-dir "/gn3_config.conf") -``` +From these, the CI/CD system can them build and intern the configurations into the store with guix functions like "plain-file", "local-file", etc. -- cgit v1.2.3
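Review bot: In the `(hostnames-all-fqdns)` block added by this hunk, the `sethostent`/`gethostent` loop never calls `endhostent`, so the hosts database is left open after the scan, and `(append thehosts (list (hostent:name hostobj)))` re-copies the accumulated list on every iteration. Accumulate with `cons` and reverse once at the end, roughly `(hnames (gethostent) (cons (hostent:name hostobj) thehosts))` and, in the base case, `(begin (endhostent) (reverse thehosts))`. On the same hunk, "at least one of the values other than 'localhost'" leaves the selection undefined when /etc/hosts carries several names for the machine; the issue should say which name wins (first non-localhost entry, or a name matched against an explicit allow-list), and should note that anyone who can edit /etc/hosts on a host can thereby choose which environment's configuration it loads, so the hostname must only select a key in that host's own secrets store and must never be able to reach another host's secrets. Finally, the closing paragraph proposes interning the fetched values with `plain-file`/`local-file`; anything built that way lands in /gnu/store, which is readable by every user on the machine, so the `SECRET_KEY`/`OAUTH_CLIENT_SECRET` values the previous paragraph puts behind `pass` would end up unencrypted and world-readable. Restrict the store-interned material to non-secret settings and have the services read secrets at start-up from the secrets manager or a root-only file. Typo in that paragraph: "can them build" should read "can then build".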