read settings from environment variables

The integration tests require that some settings are read from environment variables, in order to simplify the setup.

• CORS_ALLOWED_ORIGINS,
• CORS_ALLOWED_METHODS, this should not be needed
• CORS_ALLOWED_HEADERS, this should not be needed
• TANK_CORS_ALLOW_CREDENTIALS,
• TANK_CORS_DEBUG

added To Do label

marked this issue as related to aura#328 (closed)

assigned to @eigenwijsje

changed the description

mentioned in issue aura#328 (closed)

changed milestone to %1.0-alpha5 — Capable Capybara

added P3 label

added Doing label and removed To Do label

changed the description

Looking at https://gitlab.servus.at/aura/dashboard/-/blob/main/.gitlab-ci.yml?ref_type=heads#L117:

• store.path -> $TANK_STORE_PATH,
• store.format and store.sample-rate already have to these values,
• store.db.type is already postgres,
• store.db.host -> $TANK_DB_HOST,
• store.db.tls is already disabled,
• store.db.username -> $TANK_DB_USERNAME,
• store.db.password -> $TANK_DB_PASSWORD,
• store.db.database -> $TANK_DB_NAME,
• importer.temp-path -> $TANK_IMPORTER_TEMP_PATH,
• importer.workers and importer.normalizer already have these values,
• auth.sessions.max-age, auth.sessions.static.engine and auth.sessions.engine already have these values,
• auth.sessions.static.engine.secret -> $AURA_ENGINE_SECRET
• auth.oidc.issuer-url is set to ${AURA_PROTO}://${AURA_HOST}/openid,
• auth.oidc.client-id -> $OIDC_CLIENT_ID,
• auth.oidc.client-secret -> $OIDC_CLIENT_SECRET,
• auth.oidc.callback-url is set to ${AURA_PROTO}://${AURA_HOST}/tank/auth/oidc/callback,
• auth.oidc.login-timeout already has this value,

That leaves us the web.cors part of the configuration,

• web.cors.allowed-origins: I’ll keep the name used in steering -> $CORS_ALLOWED_ORIGINS,
• web.cors.allowed-methods and web.cors.allowed-headers: I think these should be the default values,
• web.cors.allow-credentials: I’m not sure about this, but I’ll add $TANK_CORS_ALLOW_CREDENTIALS,
• web.cors.debug: I’ll add $TANK_CORS_DEBUG.

Is that OK for you @kmohrf ?

The auth.oidc.issuer-url default, that is based on other environment variables, is fine, but I think we should provide a separate environment variable for that too.

A simple example is the current test configuration. There, steering is started on a separate host without using NGINX to rewrite URLs. In that case the issuer-url would be something like http://10.8.16.2:8000/openid with tank and dashboard running on other hosts.

I can read ${OIDC_ISSUER_URL} into the config. This way it can be e.g. http://oidc-issuer:8000/openid and the amount of magic needed it will be zero.

I can also read ${OIDC_CALLBACK_URL} into the config.

How does this sound? @kmohrf

changed the description

added Cycle [4/24] label

added ready-for-testing label and removed Doing label

• auth.oidc.issuer-url is read from `$OIDC_ISSUER_URL,
• auth.oidc.callback-url is read from `$OIDC_CALLBACK_URL,
• web.cors.allowed-methods is set to GET,PUT,POST,PATCH,DELETE
• web.cors.allow_credentials is set true if $CORS_ALLOW_CREDENTIALS is present,
• web.cors.allowed-origins is set from $CORS_ALLOWED_ORIGINS (list of strings separated by ","),
• web.cors.debug is set true if $CORS_DEBUG is present.

cc: @kmohrf

Sounds good.

My only nitpick: I think boolean variables should be set based on the variable content, not based on variable existence, because doing something like CORS_ALLOW_CREDENTIALS=0 is pretty common and it can be quite surprising if this would be evaluated to CORS_ALLOW_CREDENTIALS = True internally.

I often do something like this:

CORS_ALLOW_CREDENTIALS = os.getenv("CORS_ALLOW_CREDENTIALS").lower() in {"1", "true", "on", "yes"}

Thanks, I did Go’s equivalent (in my view) to this for both CORS_ALLOW_CREDENTIALS and CORS_DEBUG.

added 9h 40m of time spent

closed

removed ready-for-testing label