{"id":22268146,"url":"https://github.com/curityio/idsvr-gitops-configuration-management","last_synced_at":"2025-03-25T14:45:21.648Z","repository":{"id":74437506,"uuid":"513589819","full_name":"curityio/idsvr-gitops-configuration-management","owner":"curityio","description":"Pipeline deployment for the Curity Identity Server with parameterized configuration","archived":false,"fork":false,"pushed_at":"2024-04-26T16:26:37.000Z","size":265,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-01-30T13:30:05.399Z","etag":null,"topics":["configuration","crypto","deployment","gitops"],"latest_commit_sha":null,"homepage":"https://curity.io/resources/learn/iam-configuration-best-practices/","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-13T16:14:10.000Z","updated_at":"2024-04-26T16:26:42.000Z","dependencies_parsed_at":"2024-04-26T17:37:35.534Z","dependency_job_id":"ec28726a-2634-465a-b7c3-1566b5f3732d","html_url":"https://github.com/curityio/idsvr-gitops-configuration-management","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fidsvr-gitops-configuration-management","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fidsvr-gitops-configuration-management/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/curityio%2Fidsvr-gitops-configuration-management/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fidsvr-gitops-configuration-management/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/idsvr-gitops-configuration-management/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245485919,"owners_count":20623238,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["configuration","crypto","deployment","gitops"],"created_at":"2024-12-03T11:11:41.789Z","updated_at":"2025-03-25T14:45:16.629Z","avatar_url":"https://github.com/curityio.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitOps Configuration Management\n\nDemonstrates some advanced techniques for managing configuration for the Curity Identity Server.\\\nThis provides a secure and maintainable setup that avoids duplication, with reliable change management.\\\nIt also eliminates most risk when adding new environments to your deployment pipeline.\n\n## Prerequisites\n\nTo run the end-to-end setup ensure that these tools are installed locally:\n\n- [Docker](https://www.docker.com/products/docker-desktop) to deploy the system\n- [xmlstarlet](http://xmlstar.sourceforge.net/) to run a migration script that parses XML\n- [openssl](https://www.openssl.org/source/) to run crypto operations later\n\nYou will also need a `license.json` file for the Curity Identity Server.\n\n## 
Documentation\n\nThe following resources explain the concepts and automation in further detail:\n\n- [IAM Configuration Best Practices](https://curity.io/resources/learn/iam-configuration-best-practices/)\n- [GitOps Configuration Tutorial](https://curity.io/resources/learn/gitops-configuration-management)\n\n## Overview\n\n### First Deployment\n\nRun the first deployment, which performs auto-configuration to provide a working system.\\\nThis also creates a configuration encryption key.\n\n```bash\ncd initial-config\n./first-deployment.sh\n```\n\nThen log in to the Admin UI at https://localhost:6749/admin with credentials `admin / Password1`.\\\nComplete the initial setup and upload a license file.\\\nUnder `Token Service / Clients`, create a web client and assign these values:\n\n- A client ID of `web-client`\n- A client secret\n- Redirect URI and allowed origins set to `https://web.example-dev.com`\n- Scopes of `openid profile`\n\nThen select `Changes / Download` to back up the configuration to an XML file.\\\nSave this to `initial-config/initial-config-backup.xml`.\n\n### Second Deployment\n\nThen redeploy the system without running auto-configuration.\\\nThis uses the license file from the configuration backup and the same configuration encryption key:\n\n```bash\n./second-deployment.sh\n```\n\n### Split and Parameterize the Configuration\n\nAn example split configuration is provided at `git-repo/config`, which consists of multiple XML files:\n\n- base.xml\n- environments.xml\n- facilities.xml\n- tokenservice.xml\n- authenticationservice.xml\n\nNext, extract environment-specific values from your `initial-config-backup.xml` file.\\\nFor demo purposes this can be done by running the following script:\n\n```bash\n./migrate-configuration.sh\n```\n\nThis creates the following plaintext environment data at `./github-repo/dev.env`:\n\n```text\nRUNTIME_BASE_URL='http://localhost:8443'\nDB_USERNAME='SA'\nWEB_BASE_URL='https://web.example-dev.com'\n```\n\nIt also creates the 
following protected environment variables at `./vault/dev/secure.env`:\n\n```text\nADMIN_PASSWORD='$5$uquoeYRe$GLtb4BhlI4HMAB7bScW7r6CETdFhM6DKyRoQdev3EqC'\nDB_CONNECTION='data:text/plain;aes,v:S.UWVaUGR1N1JwN2JC ...'\nDB_PASSWORD='data:text/plain;aes,v:S.Nzl1UGVRZklDVlNMMGRDSw==.2JiZkUjJKhlvYQoMH ...'\nWEB_CLIENT_SECRET='$5$.T/sE5LWsmRoD3xb$hL7dXaOV8WEKVRZeMuPlM6oFYFD7PH1UmUUHsirjaG1'\nSYMMETRIC_KEY='data:text/plain;aes,v:S.NzhhTTA3TWlHZ1BtSEJacg==.6xaTrU ...'\nSSL_KEY='data:application/p12;aes,v:S.THcyaW9XUzRxakpGZzMwcQ==.MPKK96RQ9z6 ...'\nSIGNING_KEY='data:application/p12;aes,v:S.bFRjcXpBY3hmSHREYXpBUg==.YdBLTdZTGlW ...'\nVERIFICATION_KEY='data:application/pem;aes,v:S.YUJnaGcxT0U5MjJjdTlQZQ==.RmC3nWa6x4 ...'\n```\n\n### Run Deployment with Parameters\n\nThe example parameterized deployment requires a stage of the deployment pipeline as an input parameter.\\\nA Docker image is built containing the parameterized configuration and other resources.\\\nA license key for the Curity Identity Server is also provided as a parameter.\\\nThe deployment uses the configuration encryption key created earlier:\n\n```bash\nexport STAGE=DEV\nexport LICENSE_FILE_PATH=~/Desktop/license.json\n./build.sh\n./deploy.sh\n```\n\nIn the Admin UI, edit the configuration and add the email scope to the web client.\\\nUpon saving, a post-commit script saves the configuration to your local `./configbackup` folder:\n\n- The `config_params.xml` file contains the parameterized configuration\n- The `config_values.xml` file contains stage-specific values\n- The `commit_message.txt` file contains the comment used in the Admin UI\n\n### Implement Advanced Configuration Backup\n\nCreate a GitHub repository with the contents of the `git-repo` folder.\\\nEdit the `Git Integration API` and configure the `src/main/resources/application.properties` file.\\\nPoint the utility API to your repository by entering your GitHub 
settings:\n\n```properties\ngithubBaseUrl=https://api.github.com\ngithubUserAccount=\ngithubAccessToken=\ngithubRepositoryName=idsvr-configuration-store\n```\n\nRedeploy the system with additional Git parameters:\n\n```bash\nexport GIT_CONFIG_BACKUP=true\nexport GITHUB_USER_ACCOUNT_NAME=john.doe\nexport STAGE=DEV\nexport LICENSE_FILE_PATH=~/Desktop/license.json\n./build.sh\n./deploy.sh\n```\n\nThe post-commit script then calls a utility API, which uses GitHub REST APIs to update the repository.\\\nThis pushes the changes to a branch and automatically creates a pull request.\\\nThis enables a process in which every configuration change undergoes human review before it is merged:\n\n![Pull Request](doc/pull-request.png)\n\n### Create a New Environment\n\nWhen configuring a new stage of the deployment pipeline, you only need to populate new environment data.\\\nThe following script creates some crypto keys for testing, and creates a new config encryption key:\n\n```bash\ncd vault\nexport STAGE=STAGING\n./create-development-keys.sh\n```\n\nNext, generate the secure environment-specific data.\\\nThe script shows how to convert keystores and secrets to the Curity Identity Server's secure format:\n\n```bash\nexport IDSVR_HOME=~/idsvr-7.3.1/idsvr\n./create-secure-environment-data.sh\n```\n\nOnce the environment setup is done, you can immediately deploy the new stage with a working configuration.\\\nYou will need to add the self-signed certificate generated at `/vault/staging/ssl.crt` to the system trust store.\\\nYou can then log in to the Admin UI for the new STAGING environment:\n\n```bash\n./deploy.sh\n```\n\n## Further Information\n\nPlease visit [curity.io](https://curity.io/) for more information about the Curity Identity 
Server.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fidsvr-gitops-configuration-management","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Fidsvr-gitops-configuration-management","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fidsvr-gitops-configuration-management/lists"}