1. Introduction

1.1. ConfigSeeder

ConfigSeeder® is a configuration management tool that is capable of

  • managing configuration values at a central place

  • manage their validity based on environment, application version, dates or contexts

  • provide configuration data to different runtime environments and technologies (Kubernetes Connector, OS Connector, Ansible Plugin)

  • provide easy integration into different programming languages and frameworks (Client Libraries)

See the description of our Features for more details about what ConfigSeeder® can do.

1.2. Ecosystem

ConfigSeeder® consists of different components:

ConfigSeeder Ecosystem

See our article about the ConfigSeeder® Components for more details.

1.3. Document content

This document describes how to set up ConfigSeeder® with no previous knowledge.

If you are looking for information regarding how to work with ConfigSeeder® or details about configuring ConfigSeeder®, please have a look at our user and system documentation available at Documentation.

Be aware that the setup described in this document is not production ready, reasons:

  • The default configuration of the H2 Variant of ConfigSeeder® has the identity providers of github and and Oneo preconfigured. Everybody with a github account or knowledge about our preconfigured users will now be able to login and have tenant_admin and developer privileges!

  • In the examples, the setup-profile is used. This provile allows to log in to ConfigSeeder® and assume any permissions and is meant for testing and setting up ConfigSeeder® only. In a production environment, this profile must be deactivated!

If the setup profile is activated, replace the loginCredential with a random 12 character string. Otherwise, everybody reading this tutorial knows how to log in to your ConfigSeeder®!

2. Before you start

2.1. Variants of ConfigSeeder®

ConfigSeeder® comes in different variants, each variant support one specific database as persistency:

H2

ConfigSeeder® with H2 persistency:

  • ConfigSeeder® with H2 persistency is intended for prototyping and executing proof of concepts.

  • This variant comes with preconfigured security settings and is therefore easy to use.

PostgreSQL

ConfigSeeder® with PostgreSQL persistency:

  • ConfigSeeder® with PostgreSQL persistency is ready to be used in production.

  • In contrast to ConfigSeeder® with H2 persistency there is no preconfigured security.

  • You will need a valid license to use this variant.

SQL Server

ConfigSeeder® with SQL Server persistency:

  • ConfigSeeder® with SQL Server persistency is ready to be used in production.

  • In contrast to ConfigSeeder® with H2 persistency there is no preconfigured security

  • You will need a valid license to use this variant.

In this quickstart guide, all shown examples will show how to set up ConfigSeeder® with H2 persistency.

Don’t use ConfigSeeder® with H2 persistency in Production! Use one of the variants with PostgreSQL or SQL Server persistency for production.

2.2. Restriction of the default license

We ship a default license embedded in ConfigSeeder® with H2 persistency.

This license has the following restrictions:

  • License can only be used with H2 persistency

  • License doesn’t support the use of our extensions (OS Connector, Kubernetes Connector)

  • License is valid until the end of the year

Other details:

Limitation Value

Number of tenants

1

Number of Configuration Groups

2

Number of Environments

2

Number of API Keys

2

2.3. Request a license

You will need a license for ConfigSeeder® if you

  • like to try out one of our Extensions (See OS Connector and Kubernetes Connector)

  • like to try out ConfigSeeder® with PostgreSQL or MS SQL persistency

  • need a license with a longer term for the H2 variant

  • want to use ConfigSeeder® in a production environment with commercial use

Please don’t hesitate to contact us.

3. Install ConfigSeeder

3.1. Installation variants overview

There are several ways to install ConfigSeeder®. In this quickstart guide, the following variants are described:

3.2. Install ConfigSeeder® Helm Charts

3.2.1. Description & delimination

Installing ConfigSeeder® with the provided Helm Charts will be done in three steps:

  1. In the first step, the Helm Chart is installed as is. Goals:

    • ensure that ConfigSeeder® can be installed and will start up without issues.

  2. As a second step, the setup profile is activated. Goals:

    • The administrator can log in via a prepared URL to set up ConfigSeeder® (Add License and environments, …​)

    • (Optionally) Enable Swagger for the ConfigSeeder® Rest API

  3. Install ConfigSeeder® with an individual application.yaml configuration file. Goals:

    • Enable the reader to install ConfigSeeder® in such a way that he can use all available configuration options.

    • Lay the foundation to setup security integration in a next step

When working with Kubernetes, there are many options about how to route traffic from outside the cluster to an application:

  1. Plain Kubernetes: Ingress

  2. Openshift: Route

  3. Service Mesh: Istio or Traffik

  4. …​

Because of these many options the Helm Charts don’t contain any support for routing traffic. The Chart will create the Service-Object, but the routing itself has to be set up by the User.

3.2.2. Preconditions

The following preconditions must be met before ConfigSeeder® can be installed:

  • Helm 3 must be available

  • Access to the Kubernetes Cluster must be set up

  • Helm Chart for ConfigSeeder® Management H2 is downloaded and available at the location from where the following commands will be executed

3.2.3. Step I: Install Helm Chart as is

3.2.3.1. Install ConfigSeeder

ConfigSeeder® can be installed with the following commands.

The example uses the namespace configseeder-management. Adjust as needed.

If the target cluster requires pod security policies, go directly to Step II.

  1. Set Namespace

    export ns=configseeder-management

  2. Create Namespace

    kubectl create ns ${ns} --dry-run=client -o yaml | kubectl apply -f -

  3. Install Helm Chart

    helm -n ${ns} upgrade -i configseeder-h2 configseeder-management-h2-2.25.0-RC2+001.tar.gz

  4. (Optional) Set up routing of traffic for ConfigSeeder®

    The exact steps you need to take depend on how your cluster is set up.

3.2.3.2. Verify installation

  • Verify the status of the pod

    kubectl -n {ns} get pods -w

    The pod of ConfigSeeder® Management should be up and running after some time. There shouldn’t be any restarts.

    Example:

    kubectl -n ${ns} get pods -w
NAME                                       READY   STATUS    RESTARTS   AGE
configseeder-management-599bc46dd5-hx5tq   0/1     Running   0          16s
configseeder-management-599bc46dd5-hx5tq   1/1     Running   0          69s

  • Verify logs: There shouldn’t be any errors.

    kubectl -n ${ns} logs <pod>

    Example:

    kubectl -n ${ns} logs configseeder-management-599bc46dd5-hx5tq
...
2020-09-08 04:55:08.577 ... Tomcat started on port(s): 8080 (http) with context path ''
2020-09-08 04:55:08.684 ... Tomcat initialized with port(s): 8081 (http)
2020-09-08 04:55:08.685 ... Starting service [Tomcat]
2020-09-08 04:55:08.685 ... Starting Servlet engine: [Apache Tomcat/9.0.33]
2020-09-08 04:55:08.689 ... Initializing Spring embedded WebApplicationContext
2020-09-08 04:55:08.689 ... Root WebApplicationContext: initialization completed in 109 ms
2020-09-08 04:55:08.705 ... Exposing 8 endpoint(s) beneath base path '/actuator'
2020-09-08 04:55:13.851 ... Tomcat started on port(s): 8081 (http) with context path ''
2020-09-08 04:55:13.865 ... Started ConfigSeederManagementAppH2 in 55.532 seconds (JVM running for 56.391)

    As you can see, ConfigSeeder® uses two ports:

    • Port 8080 is used per default for traffic to the Web UI and Rest API ('normal' workload)

    • Port 8081 is used to expose the actuators (Lifeliness & Readiness Probes)

  • Access ConfigSeeders Web UI

    If you have set up an Ingress rule or similar, open your Browser and access the configured URL

    Otherwise:

    kubectl -n ${ns} port-forward svc/configseeder-management 8080

    Open your Browser and navigate to http://localhost:8080, ConfigSeeder® Management should be loaded:

    ConfigSeeder Login Screen

    Log in with your github account or one of the default logins configured on our identity provider. See default logins.

3.2.4. Step II: Activate Setup-Profile

3.2.4.1. Install ConfigSeeder

  1. Set Namespace

    export ns=configseeder-management

  2. Create Namespace

    kubectl create ns ${ns} --dry-run=client -o yaml | kubectl apply -f -

  3. Provide values-management-h2.yaml:

    configseeder:
  activeProfiles: "setup,swagger"
  loginCredential: "1234567890ab"

    If the Cluster runs with activated Pod Security Policies, add the following configuration snippet to the yaml:

    psp:
  create: true
  existingPspClusterRole: psp:restricted-ro

    Important:

    • The ClusterRole pointing to the Pod Security Policy must already exist

    • Change the name of the role as needed

  4. Install Helm Chart

    helm -n ${ns} upgrade -i configseeder-h2 configseeder-management-h2-{project-version}+001.tar.gz \
--values values-management-h2.yaml

  5. (Optional) Set up routing of traffic for ConfigSeeder®

    The exact steps you need to take depend on how your cluster is set up.

3.2.4.2. Verify installation

3.2.5. Step III: Install ConfigSeeder® with individual application configuration.

3.2.5.1. Install ConfigSeeder

  1. Follow steps 1-3 of the installation instructions in Step II

  2. Provide application-management-h2.yaml:

    spring:
  security:
    oauth2:
      client:
        provider:
          github:
            authorization-uri:   https://github.com/login/oauth/authorize
            token-uri:           https://github.com/login/oauth/access_token
            user-info-uri:       https://api.github.com/user

        registration:
          github:
            client-id:                0a71bb6b524870cb4ba1
            client-secret:            ff2a25830899fb40115cd720f01b575858959687
            authorization-grant-type: authorization_code
            redirect-uri:             '{baseUrl}/login/oauth2/code/{registrationId}'
            scope:                    read:user,user:email
            client-name:              GitHub

configseeder:
  server:
    security:
      auth:
        redirect-only-one: true
        oauth2:
          enabled: true
          mapping:
            github:
              first-name-last-name:    name
              username:                login
              static-roles:            TENANT_ADMIN,DEVELOPER,cs

    In this example, github is set up as OIDC Identity Provider (the IDP of Oneo GmbH is not configured / removed).

    Configuring your own IDP works the same, just enter your configuration.

    With set up security integration, the setup profile (and login credentials) can be removed.

  3. Install Helm Chart

    helm -n ${ns} upgrade -i configseeder-h2 configseeder-management-h2-{project-version}.tar.gz \
--values values-management-h2.yaml \
--set-file application_configuration=./application-management-h2.yaml

  4. Verify if pod was restarted

    kubectl -n {ns} get pods

    If the age of the pod shows that it wasn’t restarted, kill the pod

    kubectl -n ${ns} delete pods <pod>

3.2.5.2. Verify installation

  • See Step I - Verify installation

  • With the given configuration there is only one IDP configured and the option configseeder.server.security.auth.redirect-only-one is set to true

  • Therefore the page with the option to select the Identity Provider is not shown, but the user is either redirected to github or directly logged in (if the session with github is still active)

3.3. Run ConfigSeeder® jar file

3.3.1. Description & delimination

Installing ConfigSeeder® by directly running the jar file will be done in multiple steps:

  1. In the first step, the jar is started without providing additional configuration. Goals:

    • ensure that ConfigSeeder® will start up without issues.

  2. As a second step, the setup profile is activated. Goals:

    • The administrator can log in via a prepared URL to set up ConfigSeeder® (Add License and environments, …​)

    • (Optionally) Enable Swagger for the ConfigSeeder® Rest API

  3. Install ConfigSeeder® with an individual application.yaml configuration file. Goals:

    • Enable the reader to install ConfigSeeder® in such a way that he can provide an application configuration file.

    • Lay the foundation to setup security integration in a next step

Every configuration option can also be set with an environment variable. It is not required to provide an individual configuration file.

  1. In the final step, ConfigSeeder® is installed as a service.

The installation instructions stop there, this quickstart guide doesn’t provide information like how to route traffic to ConfigSeeder® or information about other networking topics.

3.3.2. Preconditions

The following preconditions must be met before ConfigSeeder® can be started:

  • Access to a linux machine (example created for Ubuntu)

  • Java 11 must be installed

  • For installing ConfigSeeder® as a service (or using a low port), root privileges are required

  • The jar file for ConfigSeeder® Management H2 is downloaded and available at the location from where the following commands will be executed.

3.3.3. Step I: Run jar-File without providing configuration

3.3.3.1. Start ConfigSeeder

Start ConfigSeeder with the following command:

java -jar configseeder-server-management-app-h2-2.25.0-RC2.jar

Per default, ConfigSeeder®:

  • will log to the console

  • use port 8080

  • store data to ~/configseeder.mv.db

3.3.3.2. Verify installation

  • There shouldn’t be any errors in the log

  • Access ConfigSeeders Web UI

    Open your Browser and navigate to http://localhost:8080, ConfigSeeder® Management should be loaded:

    ConfigSeeder Login Screen

    Log in with your github account or one of the default logins configured on our identity provider. See default logins.

3.3.4. Step II: Activate Setup-Profile

3.3.4.1. Start ConfigSeeder

Start ConfigSeeder with the following command:

SPRING_PROFILES_ACTIVE="setup,swagger" \
CONFIGSEEDER_SERVER_SETUP_LOGIN_CREDENTIAL=1234567890ab \
java -jar configseeder-server-management-app-h2-2.25.0-RC2.jar
3.3.4.2. Verify installation

3.3.5. Step III: Run ConfigSeeder® with individual application configuration.

3.3.5.1. Install ConfigSeeder

Install ConfigSeeder® with the following commands.

  1. Provide application-management-h2.yaml

    Content:

    spring:
  profiles:
    active: setup,swagger

  security:
    oauth2:
      client:
        provider:
          github:
            authorization-uri:   https://github.com/login/oauth/authorize
            token-uri:           https://github.com/login/oauth/access_token
            user-info-uri:       https://api.github.com/user

        registration:
          github:
            client-id:                0a71bb6b524870cb4ba1
            client-secret:            ff2a25830899fb40115cd720f01b575858959687
            authorization-grant-type: authorization_code
            redirect-uri:             '{baseUrl}/login/oauth2/code/{registrationId}'
            scope:                    read:user,user:email
            client-name:              GitHub

configseeder:
  server:
    setup.login.credential: 1234567890ab

    security:
      auth:
        redirect-only-one: true
        oauth2:
          enabled: true
          mapping:
            github:
              first-name-last-name:    name
              username:                login
              static-roles:            TENANT_ADMIN,DEVELOPER,cs

    In this example, github is set up as OIDC Identity Provider (the IDP of Oneo GmbH is not configured / removed).

    Configuring your own IDP works the same, just enter your configuration.

    With set up security integration, the setup profile (and login credentials) can be removed.

  2. Start ConfigSeeder with the following command:

    java -jar configseeder-server-management-app-h2-2.25.0-RC2.jar

ConfigSeeder® will pick up the configuration file (as long as it is named application.yaml and lies in the directory the jar ist started from)

3.3.5.2. Verify installation

  • See Step I - Verify installation

  • With the given configuration there is only one IDP configured and the option configseeder.server.security.auth.redirect-only-one is set to true

  • Therefore the page with the option to select the Identity Provider is not shown but the user is either redirected to github or directly logged in (if the session with github is still active)

3.3.6. Step IV: Install ConfigSeeder® as a service

3.3.6.1. Install ConfigSeeder

The following steps show how ConfigSeeder® can be run as a service.

It isn’t a complete guide about how to set up a production ready ConfigSeeder® installation.

  1. Log in as root / sudo to root

  2. Create installation directory

    mkdir /opt/configseeder

  3. Copy jar to installation directory

    cp configseeder-server-management-app-h2-2.25.0-RC2.jar /opt/configseeder/

  4. Navigate to installation directory

    cd /opt/configseeder

  5. Create a symlink to the jar

    ln -s configseeder-server-management-app-h2-2.25.0-RC2.jar configseeder-server-management-app-h2.jar

  6. Create application configuration

    File application.yaml:

    spring:
  profiles:
    active: swagger

  datasource:
    url: jdbc:h2:file:/opt/configseeder/data/configseeder;AUTO_RECONNECT=TRUE
    username: sa
    password:

  security:
    oauth2:
      client:
        provider:
          github:
            authorization-uri:   https://github.com/login/oauth/authorize
            token-uri:           https://github.com/login/oauth/access_token
            user-info-uri:       https://api.github.com/user

        registration:
          github:
            client-id:                0a71bb6b524870cb4ba1
            client-secret:            ff2a25830899fb40115cd720f01b575858959687
            authorization-grant-type: authorization_code
            redirect-uri:             '{baseUrl}/login/oauth2/code/{registrationId}'
            scope:                    read:user,user:email
            client-name:              GitHub

configseeder:
  server:
    security:
      auth:
        redirect-only-one: true
        api-key:
          private-key: 'MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDUMnDydy2+seU/e53IYctk0EmpAnSPAKJfc9yDrokrnGtW3FJzPjh31wTVJ2dWLhqAAKuFH65DKOHXcE/vSRc5JAi0dYfWvuTuQfG1INs5XP8k/OVV8T3qb31WDCaJhGMMO1+pagNj6FXVvWAoVnfYAnYjV8Am0yu0x6sHjBo9bP31ib4v6SAoXCx4hI0ShMxM2+5WVt/lIotLdQZGeKmcRtFmLxJqPiN7LAWNloIaUWxEyISsDD3O74LkZTwfAqyrfWWgW6zrs8g56fGZyVu23Z3Fyt2PBiX4A+Ba40bKvPzTrliR07ID1ywAvtvtao3jx67Q77UZbemNHc4KPYohO9jkWDCgxuOoU+CWmrYZViw2PAbaVDz1XT05amTN9aOiJdDLwz4YTHwFEUwnRItU3vRxJrmeIlQgFZnBYZvoM4nJDhrKmjoQIZa+o3VkHxNw2JEgzH0O1n5xI9a25X8FcZQhggyAzPFLFPwiEB450wi0i+vezIwJI1CWfwNBcasnYKJ33IqK1DOGiZQRJNDRKFmAT1yEYEoqmdECM43TrtfduH3jnd6RUTZYbYsezLimrGsMKEPsshNjkDxbcAu3woE9q5qzL6nBElL76HULwiynAw5zg/uegjxW+o5YAXDDROg3L5GPvjiaDR02hQzOJDLlPNUEElDHUcYKf5HqMwIDAQABAoICAEigpxXmAqs1OjC7P6rZBgOQYtXM+FYFso2XG0+aymo51Gdba4D0N+GUn5vRK8ZMa1eKYypiSIPGF15km4db7e3pzmztmTvABJ0jxvXmtAHzOYTQZjI/KqD13eE4sWv5+uix3bEfjt+AIvjQI3xK9CPj28mG/EaNmnT6rigcJNMHXfjPV2AQm6gUvEfXnm1LNJ3N3MqCW4mShDikaixumibZ+kvOKrBgakZ7L79hV1Bos/Tq6LX2TqVoRtWjbKt0f+MGPWVgW1QlKY/g6YdoatKxEZIkOCb+xLoZoY2aIp27h5FwJ/JpkZFM8UukB6RAByaCLuxmTwbQHtLk86N/oqnTHvPcW0VftNKdfoxmdMgwk2RGn+tQszVtWfaRr+SMyAZsoP5OontJ+y6KZGRCxvKq08jyYjEobYPMSsFyCSRbkZ0phQafMg7M/r4VXuecpuqbglPYwlmj7TaSm1J9x90XXvs1ZEFcU5hMW7JLrKVBK+1n6OOXO5y2O8odh1vt71VY6qyo6GJUHK5KABBibdC9Mjhxp4xS6i1rmZO+7/jK4Fokw3pixNNS1/qo8z+jyZHckIXW02sdn7jxSFxIfBE655vEanxkiVpOxPAetMKJjRMwPxdjeEn9549R/qQaxdcjkWdChRSdvoIC1okFQ+G5CpZqV6/pP/rXWSwuTMTRAoIBAQD/D39SM/FflLlhiW0MWXzyGKXmGJ4uU8ox0jMKORko1cPG5Kwlhpchf25Sj17gCGMU8PH3qLLFDNqJ3l6yQSrsxmKiLnRwM6jVGndPC/h+ILVaeetw+AiGBc4WcGV9ZylhTJDCpKTMWB9OyzsoE7nscRT8lZZ4JeBrO67Q/zntJtmVADGtW4xky7SS+C5u8B0BFx6QY4xb2GNbP1sBwsmjx9dnJ2WsOYiOGMTqJkLQSBJpWTVmC/+I7SdW1spL06Qwa5R0Kyfg06btF4wHpr/CLupsIydKQbSG2URHQNF1b/IfJ8cv0EUx17aBhYMToMAgz/AGB4cPcsqRx/11ULq5AoIBAQDU+obewoRvSJtmyH4OZk3sizSlLb9sFP4Dpsh6DLTZcWZkaDoNZKvnSsiCd6MAn97tJgAOFOKGGB92rjTsEE/pPGPXPEI2TCK4AqyyXKZUZYq+ZBedZFV7SyyUD2uEk1Am1JM4UZt3xWNsZTXvh0mobMATp0X3Qc9b2WrpYSzbXXOaZh9LWYyn0ZyuQmHX2e8ck9DrVYbU4bYDfxeMI8+WtSrWWL//je8HttsA8m2XAxPa9TvfNDfJ1OmqA7rs6KKnJ4mC9mwsc9nvjhndNlJRsDCYw8p3nCfWRxvzKGMjxVt/+ZVO6+2Dbe+67TIXyYl0Z1ulANfKBXaLGvzZ8eZLAoIBAB+PHlTggnQuJcXwyCJoDDK0ZAqVbzUSPwltFc2lBPztfjzk3HwELD0D1HW4saeMwh28NmRLZltFXOEEN7lcoOANJ/UjRFsBuVks3ihUtdl9WJMqVLx0pDFZFIfoPlaG5jLY02ySDKYQHUeVk+tAjZe44jzikWyqWxtJljbb7aHvVaq/DGaD1lo+bkhlFvG5Gg2he7Gn750JqDmJHEyaenKeboOf90+ZCtFyNSM3urqkwEpytE29HFAn798p0nwRYtZu6T56fIOwDI53hGcJ9d4kCfN5YgopGRo6Vd1vIruiL1Y1iMrcvUMOitF54J8UG9GziOJmGgsKTBA/q5fRdlkCggEAZ67jM9UcphSB2wLmI1p4uxx176ga1aJOmzZ5yLkg3e7P+zemc1i8O2hzvthBWY969paWVkSilsdtodhjWT0Dujc1H9ZtIYPlLxHWQyrJqrKYXeHagTwURWaueBIdtLgGwDCizzsjZaaJpX6MSGTjXgQ7ahX4AMxgB4YL/zvYm56eJd9rgsJAsH5iOY+FlJC7UH1Bqx/C+SY89uzLaOUSLXtbNGiWZ/IQGQBTE93xrh/IbcMPd7UzJ6Xob2VLfgQvExMzZbdTqDxqL65NNx037B7LOcOvcJVr62xI1hKmWQa+acn2fypqQZ6mo6jPxzbNHQcoXWbQpsAMGuJzkCKsiwKCAQA6xEZ2K2pCC/YnJz6aZZWK2LuoR7y+AIJIuJ++nmh0ohqqCeBHGzJb31UQ9mIbirO+P1zyKHV81KEZhpn7BTLGaClXKjar8NTkcZaL+VgbUEZIOdisfcCI68dng3AtZtd5MImq02M5kZLPevYaoVRiYIQJxTGA9XD0OTatlW8q+UgB5KeEVdgrqzO+I/hnpFaQpUptc8kAcFDkPeSbrFLhm/EbTJAi4tCaNXW+/aCr727tmCyuqLFPSttuGGKlI/PD55kBJd1n8mOxg8XIVVB0qSRsbMon3L55rlW6rLHPaOYr904kIQgIH1OfX7i+svv2Us4A0V/0HM9AL3fLEOCH'
          public-key: 'MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1DJw8nctvrHlP3udyGHLZNBJqQJ0jwCiX3Pcg66JK5xrVtxScz44d9cE1SdnVi4agACrhR+uQyjh13BP70kXOSQItHWH1r7k7kHxtSDbOVz/JPzlVfE96m99VgwmiYRjDDtfqWoDY+hV1b1gKFZ32AJ2I1fAJtMrtMerB4waPWz99Ym+L+kgKFwseISNEoTMTNvuVlbf5SKLS3UGRnipnEbRZi8Saj4jeywFjZaCGlFsRMiErAw9zu+C5GU8HwKsq31loFus67PIOenxmclbtt2dxcrdjwYl+APgWuNGyrz8065YkdOyA9csAL7b7WqN48eu0O+1GW3pjR3OCj2KITvY5FgwoMbjqFPglpq2GVYsNjwG2lQ89V09OWpkzfWjoiXQy8M+GEx8BRFMJ0SLVN70cSa5niJUIBWZwWGb6DOJyQ4aypo6ECGWvqN1ZB8TcNiRIMx9DtZ+cSPWtuV/BXGUIYIMgMzxSxT8IhAeOdMItIvr3syMCSNQln8DQXGrJ2Cid9yKitQzhomUESTQ0ShZgE9chGBKKpnRAjON067X3bh9453ekVE2WG2LHsy4pqxrDChD7LITY5A8W3ALt8KBPauasy+pwRJS++h1C8IspwMOc4P7noI8VvqOWAFww0ToNy+Rj744mg0dNoUMziQy5TzVBBJQx1HGCn+R6jMCAwEAAQ=='
        http-header:
          enabled: true
        oauth2:
          enabled: true
          mapping:
            github:
              first-name-last-name:     name
              username:                 login
              static-roles:             TENANT_ADMIN,DEVELOPER,cs

      configurationvalue:
        encryption:
          secret: 'ehHjoCweGUToF2dVWwKfGA=='

    notification:
      api-key-expiration:
        sender: configseeder@test.com
        base-url: 'http://localhost:8080'

    • When running ConfigSeeder® as a Service (using the -Dspring.config.location option, the complete configuration must be provided).

    See chapter configure ConfigSeeder® for information about how to set up your own security, …​ .

  7. Create user configseeder

    useradd configseeder

  8. Create directory for storing data

    mkdir /opt/configseeder/data && chown configseeder /opt/configseeder/data

  9. Create systemd configuration

    File /etc/systemd/system/configseeder.service:

    [Unit]
Description=ConfigSeeder Service
After network.target=configseeder.service

[Service]
User=configseeder
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
RestartSec=1
SuccessExitStatus=143
ExecStart=/bin/bash -c "java -Xmx512m -Dspring.config.location=file:/opt/configseeder/application.yaml -jar /opt/configseeder/configseeder-server-management-app-h2.jar"

[Install]
WantedBy=multi-user.target

  10. Enable and start ConfigSeeder®

    systemctl enable configseeder
systemctl start configseeder
3.3.6.2. Verify installation

3.4. Run ConfigSeeder® with Docker Compose

3.4.1. Description & delimination

Running ConfigSeeder® with docker compose is done with the following steps:

  1. In the first step, ConfigSeeder® is started without providing additional configuration. Goals:

    • ensure that ConfigSeeder® will start up without issues.

  2. As a second step, the setup profile is activated. Goals:

    • The administrator can log in via a prepared URL to set up ConfigSeeder® (Add License and environments, …​)

    • (Optionally) Enable Swagger for the ConfigSeeder® Rest API

  3. Install ConfigSeeder® with an individual application.yaml configuration file. Goals:

    • Enable the reader to install ConfigSeeder® in such a way that he can use all available configuration options.

    • Lay the foundation to setup security integration in a next step

Every configuration option can also be set with an environment variable. It is not required to provide an individual configuration file.

The installation instructions stop there, this quickstart guide doesn’t provide information like how to route traffic to ConfigSeeder® or information about other networking topics.

3.4.2. Preconditions

The following preconditions must be met before ConfigSeeder® can be started:

  • Docker and docker-compose are installed

  • For accessing docker, root privileges are required

3.4.3. Step I: Start ConfigSeeder® without providing configuration

3.4.3.1. Start ConfigSeeder

  1. Create data directory

    mkdir -p /opt/configseeder/data

  2. Create docker-compose.yml:

    version: "3"

services:
  configseeder:
    image: configseeder/management-h2:2.25.0-RC2-alpine
    container_name: configseeder
    ports:
    - "8080:8080"
    volumes:
    - /opt/configseeder/data/:/home/appuser/
    restart: always

  3. Start ConfigSeeder®

    docker-compose up -d

3.4.3.2. Verify installation

  • Docker container should be up and running

    docker ps | grep -i configseeder

  • There shouldn’t be any errors in the log

    docker logs <containerid> -f

  • Access ConfigSeeders Web UI

    Open your Browser and navigate to http://localhost:8080, ConfigSeeder® Management should be loaded:

    ConfigSeeder Login Screen

    Log in with your github account or one of the default logins configured on our identity provider. See default logins.

3.4.4. Step II: Activate Setup-Profile

3.4.4.1. Start ConfigSeeder

  1. Create data directory

    mkdir -p /opt/configseeder/data

  2. Create docker-compose.yml:

    version: "3"

services:
  configseeder:
    image: configseeder/management-h2:2.25.0-RC2-alpine
    container_name: configseeder
    ports:
    - "8080:8080"
    volumes:
    - /opt/configseeder/data/:/home/appuser/
    environment:
      SPRING_PROFILES_ACTIVE: swagger,setup
      CONFIGSEEDER_SERVER_SETUP_LOGIN_CREDENTIAL: 1234567890ab
    restart: always

  3. Start ConfigSeeder®

    docker-compose up -d

3.4.4.2. Verify installation

3.4.5. Step III: Run ConfigSeeder® with individual application configuration.

3.4.5.1. Start ConfigSeeder

  1. Create data and application configuration directory

    mkdir -p /opt/configseeder/data
mkdir -p /opt/configseeder/config

  2. Provide /opt/configseeder/config/application.yaml:

    spring:
  security:
    oauth2:
      client:
        provider:
          github:
            authorization-uri:   https://github.com/login/oauth/authorize
            token-uri:           https://github.com/login/oauth/access_token
            user-info-uri:       https://api.github.com/user

        registration:
          github:
            client-id:                0a71bb6b524870cb4ba1
            client-secret:            ff2a25830899fb40115cd720f01b575858959687
            authorization-grant-type: authorization_code
            redirect-uri:             '{baseUrl}/login/oauth2/code/{registrationId}'
            scope:                    read:user,user:email
            client-name:              GitHub

configseeder:
  server:
    security:
      auth:
        redirect-only-one: true
        oauth2:
          enabled: true
          mapping:
            github:
              first-name-last-name:    name
              username:                login
              static-roles:            TENANT_ADMIN,DEVELOPER,cs

    In this example, github is set up as OIDC Identity Provider (the IDP of Oneo GmbH is not configured / removed).

    Configuring your own IDP works the same, just enter your configuration.

    With set up security integration, the setup profile (and login credentials) can be removed.

  3. Create docker-compose.yml:

    version: "3"

services:
  configseeder:
    image: configseeder/management-h2:2.25.0-RC2-alpine
    container_name: configseeder
    ports:
    - "8080:8080"
    volumes:
    - /opt/configseeder/data/:/home/appuser/
    - /opt/configseeder/config/application.yaml:/application.yaml
    environment:
      SPRING_PROFILES_ACTIVE: swagger,setup
      CONFIGSEEDER_SERVER_SETUP_LOGIN_CREDENTIAL: 1234567890ab
    restart: always

  4. Start ConfigSeeder®

    docker-compose up -d

3.4.5.2. Verify installation

  • See Step I - Verify installation

  • With the given configuration there is only one IDP configured and the option configseeder.server.security.auth.redirect-only-one is set to true

  • Therefore the page with the option to select the Identity Provider is not shown, but the user is either redirected to github or directly logged in (if the session with github is still active)

4. Configure ConfigSeeder

4.1. Description

The next few section show how the ConfigSeeder® ca be customized and offers pointers to other documentation.

ConfigSeeder® can be configured using a configuration file, startup parameters or environment variables. In this documentation, only configuration file property names are mentioned.

These property names can easily be converted to environment variable names:

  • Replace . with _

  • Remove all -

  • Uppercase everything

Example: * Configruation file property server.port → Environment Variable SERVER_PORT

4.2. Change Port

The default port used by _ConfigSeeder® is 8080. This can be changed by setting the option server.port to another value, see System documentation

Per default, the actuators run on the same port as the rest of the application. This behavior can be changed with the option management.server.port.

In the Helm Chart, the actuators are configured to run on port 8081.

4.3. Enable ssl/https

Per default, ConfigSeeder® runs with http. But of course, all exposed services should be protected by TLS protocols.

Depending on the setup, there are several ways how ConfigSeeder® can be accessed with https. If ConfigSeeder® runs in Kubernetes, TLS termination could be done with Ingress or Istio.

Follow the instructions in the Systemdocumentation → ssl if ConfigSeeder® should offer its services over https instead of http

4.4. Configure Encryption

For using ConfigSeeder® in a production setup, two different encryption settings have to be configured:

  1. Data Encryption

    Provide a key that is used for symmetric encryption (AES) of your configuration data stored in ConfigSeeder®.

    Follow the instructions in Systemdocumentation → encryption keys

  2. JWT Encryption

    Independent of the security encryption mechanism used, access to the UI is done with JWT Tokens created and validated by ConfigSeeder®. Provide a public and private key for signing and validating these JWT Tokens.

    Follow the instructions in Systemdocumentation → encryption keys

5. Next Steps

Appendix A: Default Logins

On the Identity Provider run by Oneo GmbH the following logins are predefined and can be used for testing:

Username Password Permissions

tenantadmin

tenantadmin

Allows to manage the demo tenant, but not to modify any configuration group values.

applicationmanager

applicationmanager

Role to fully manage configuration groups. This role is currently configured to have full access on the tenant.

leaddeveloper

leaddeveloper

Allows to manage configurations of all environments, except production, where only read access is granted.

developer

developer

Can manage all configuration values except production.

reader

reader

Has only read access to unrestricted values.

The preconfigured security integration and these users are only meant for testing!

Don’t use this configuration on production!