Author: James, Clench Paign (clep@softwareag.com)
Supported Versions: 10.5 (on-premise deployment)
Overview of the tutorial
In this tutorial we will discuss about the details of externalized API Gateway configurations and how API Gateway can be started using those configurations. Let us go through the following points in detail.
- Externalized configurations and the YAML templates
- Master configuration YAML file and its usage
- Properties file support for externalized configurations
- Configuring multiple files and its effect
- Default scenario for externalized configurations
Required knowledge
This tutorial assumes that the reader has,
- a basic understanding of API Gateway as a product
- a basic understanding of API Gateway and its communication with Elasticsearch, Kibana and Filebeat
- a basic understanding of inter-component communications between Elasticsearch, Kibana and Filebeat
- a basic understanding of Terracotta cluster and API Gateway server's communication with Terracotta Big memory
- a basic understanding of Elasticsearch cluster
Why?
Currently the inter-component and cluster configurations of API Gateway are stored in different places within the product causing maintainability and operational overhead. Hence with this feature, the aforementioned configurations can be managed, provisioned from a central location supplied through one or more configuration files (YAML or Properties). This will help the API Gateway Administrator and operations teams to dynamically provision the API Gateway configurations enabling centralized configuration management, provisioning and scaling use cases.
Prerequisite steps
Complete the below prerequisite steps before starting API Gateway using externalized configurations.
- Install API Gateway advanced edition of version 10.5 and above
Details
The API Gateway Administrator can provide the configurations in one or more YAML or properties files. He would then create a master configuration file in which the configuration files sources would be defined in order and place the file in a system defined location. The API Gateway, on startup, will first read from that master configuration file and start loading configurations from the defined configuration files. Using the configuration loaded from the configuration files, the values in the respective API Gateway internal configuration files (like uiconfiguration.properties, server.cnf, etc) will be updated. After the values from the configuration files are updated in API Gateway configuration space, the rest of the API Gateway package loading will run with the updated configuration values. The below sections explain how the API Gateway configurations can be externalized in files and using which how the API Gateway server can be started without modifying the respective internal configuration files.
Externalized configurations and their YAML templates
Using this feature the inter-component and cluster configurations can be externalized. The below sample file contains the configuration sections that an Administrator can use to externalize. The Administrator can provide only the necessary sections and settings in the configuration file which he would like to externalize. The given configurations will overwrite the existing configurations in the internal files only for the given configuration values. The configurations which the user doesn't provide will not be either overwritten or removed or commented out in and from the internal configuration files, instead, whatever the values the internal files have will become effective.
apigw:
elasticsearch:
...
kibana:
...
filebeat:
...
cluster:
...
Elasticsearch configuration and details
The Elasticsearch configurations contain all the necessary properties needed for an Elasticsearch HTTP client using which API Gateway connects to either an externally running Elasticsearch server or to the Internal data store which is run by API Gateway. The key configurations are given below.
tenantId - The API Gateway tenant id, using which the Elasticsearch indices are created for that tenant
hosts - A comma separated list of external Elasticsearch instances (for e.g "host1:9200,host2:9240")
autostart - This is an optional property. If not given, the value would be "false" so that API Gateway would connect to the given external Elasticsearch hosts rather starting the Internal data store. Suppose if the user wants to connect to the internal data store, he should set autostart to be "true" so that the API Gateway would start the internal data store. Note that the hosts should point to internal data store host and port in such case. The default hosts is "localhost:9240"
http - The basic authentication credentials and few HTTP connection specific properties
https - If "enabled" is set to true, API Gateway would use the given SSL related properties to connect to configured hosts
sniff - These properties helps in adding newly added Elasticsearch node in Elasticsearch cluster with providing its detail here. It will automatically manage the node details by contacting the Elasticsearch server
outboundproxy - Outbound proxy settings between API Gateway and Elasticsearch
clientHttpResponseSize - Maximum Response payload size in MB
A sample Elasticsearch configuration is given below:
apigw:
elasticsearch:
tenantId: apigateway
hosts: localhost:9200
autostart: false
http:
username: elastic
password: changeme
keepAlive: true
keepAliveMaxConnections: 10
keepAliveMaxConnectionsPerRoute: 100
connectionTimeout: 1000
socketTimeout: 10000
maxRetryTimeout: 100000
https:
enabled: false
keystoreFilepath: C:/softwares/elasticsearch/config/keystore-new.jks
truststoreFilepath: C:/softwares/elasticsearch/config/truststore-new.ks
keystoreAlias: root-ca
keystorePassword: 6572b9b06156a0ff778c
truststorePassword: manage
enforceHostnameVerification: false
sniff:
enable: false
timeInterval: 1000
outboundProxy:
enabled: false
alias: somealias
clientHttpResponseSize: 1001231
Kibana configuration and details
The Kibana configuration supports setting the Kibana server URL which can point to either the one which is run by API Gateway or any externally running server. It also contains the SSL certificate related settings that would be used to connect to the SSL protected Elasticsearch server. The key configurations are given below.
dashboardInstance - The Kibana server URL in the format <scheme>://<hostname>:<port> for e.g http://vmabc:5601
autostart - This is an optional property. If not given the value would be "false" so that API Gateway would connect to the given external Kibana server rather starting the Internal Kibana. Suppose if the user wants to connect to the internal Kibana, he should set autostart to be "true" so that the API Gateway would start the internal Kibana. Note that the hosts should point to internal Kibana server host and port in such case. The default value is "http://localhost:9405"
sslCA - A list of paths to the PEM file for the certificate authority for the Elasticsearch instance
sslCert - The path to the PEM format certificate for SSL client authentication
sslKey - The client certificate key used for client authentication. These files are used to verify the identity of Kibana to Elasticsearch server when it is SSL protected
A sample Kibana configuration is given below.
apigw:
kibana:
dashboardInstance: http://localhost:9405
autostart: true
elasticsearch:
sslCA: C:/softwares/elasticsearch/config/SAG-B1HPWT2.pem
sslCert: C:/softwares/elasticsearch/config/SAG-B1HPWT2.crt
sslKey: C:/softwares/elasticsearch/config/SAG-B1HPWT2.key
Filebeat configuration and details
The Filebeat configuration supports configuring the SSL certificate related settings that are used to connect to the SSL protected Elasticsearch server. The key configurations are given below.
sslCA - A list of paths to the PEM file for the certificate authority for the Elasticsearch instance
sslCert - The path to the PEM format certificate for SSL client authentication
sslKey - The client certificate key used for client authentication. These files are used to verify the identity of Kibana to Elasticsearch server when it is SSL protected
A sample Filebeat configuration is given below.
apigw:
filebeat:
output:
elasticsearch:
sslCA: C:/softwares/elasticsearch-5.6.4/config/SAG-B1HPWT2.pem
sslCert: C:/softwares/elasticsearch-5.6.4/config/SAG-B1HPWT2.crt
sslKey: C:/softwares/elasticsearch-5.6.4/config/SAG-B1HPWT2.key
Cluster configuration and details
The cluster configuration contains the Terracotta clustering as well as Elasticsearch clustering settings. The key configurations are given below.
aware, name, tsaUrls, sessTimeout, actionOnStartupError - All are Terracotta cluster settings that are set in the server watt properties
terracottaLicenseFileName - The Terracotta server license file name. The file should be present under <SAG>/common/conf. API Gateway would use this file for joining the Terracotta cluster
discoverySeedHosts - The discovery.seed_hosts property in the elasrticsearch.yml file of Internal data store
initialMasterNodes - The cluster.initial_master_nodes property in the elasrticsearch.yml file of Internal data store
A sample Cluster configuration is given below.
apigw:
cluster:
aware: true
name: APIGatewayTSAcluster
tsaUrls: daeirnd33974:9510
terracottaLicenseFileName: terracotta-license.key
sessTimeout: 20
actionOnStartupError: standalone
esClusterName: SAG_EventDataStore
discoverySeedHosts: daeirnd33974:9340,daeirnd33562:9300,daeirnd33974:8300
initialMasterNodes : daeirnd33974_master
For terracottaLicenseFileName property a valid license file should be present in the <SAG>/common/conf location, otherwise the property wouldn't be effected.
Master configuration YAML file and its usage
The master configuration YAML file contains the definitions of all the configuration files (both YAML and Properties types) and should be present in the system defined location SAG\IntegrationServer\instances\<instance>\packages\WmAPIGateway\resources\configuration. The file name is config-sources.yml which is also system defined. Any other file with different name will not be understood by the product. This is the initial file that would be picked up by API Gateway on startup and from there the API Gateway will learn the defined configuration files and their available locations and reads the configuration values from them. If any of the entry has an invalid file name or path that will be just ignored but the error would be logged into the API Gateway logs.
A sample master configuration file is given below.
sources:
- type: YAML
allowEdit: true
properties:
location: elasticsearch.yml
- type: PROPERTIES
allowEdit: false
properties:
location: C:/config/resources/kibana.properties
The properties of a configuration file source entry are explained below.
Property
|
Detail
|
---|---|
type |
This is the type of the configuration source. Applicable types would be YAML, PROPERTIES and CC_YAML. YAML - a YAML configuration file PROPERTIES - a properties configuration file CC_YAML - a YAML configuration file which is reserved for Command Central updates |
allowEdit |
Enables whether this file can be updated in case of any edit from API Gateway. For now this helps to update hiding the passwords. Valid values are true or false |
properties |
A miscellaneous set of properties which API Gateway would use to connect to the defined configuration source. For 10.5 release only configuration files are supported and hence a property location needs to be specified which points to the file path. It can be either an absolute path or a relative path. In case of relative path, the file would be located relative to the system defined location SAG\IntegrationServer\instances\<instance>\packages\WmAPIGateway\resources\configuration. Note: For CC_YAML type the location is cc-config.yml which is a reserved one. This file would be the source of truth for all CRUD operations done from Command Central via REST APIs. It is strongly advised that this file should not be modified manually since it is supposed to be updated and read by and from CC by a CC Administrator. |
Hiding clear text passwords in configuration files
In order to restrict any unknown user to have access to the passwords and credentials in the configuration files for any potential threats, the Administrator can enable hiding of such secrets by setting "allowEdit" flag to true in the master configuration file. The secret texts in the configuration files would be stored in the Password manager and the clear texts in the files would be replaced with the Password manager keys after API Gateway is started and running. After this a user can see only the password keys in the files. On startup, API Gateway would retrieve the passwords for those settings from the Password manager using those keys and hence it is advised to not alter any of the password manager key values in the file. The passwords can be modified at any time and same will be replaced with the Password manager keys in the next API Gateway startup.
The below table contains the settings and their respective Password manager keys.
Setting |
Password manager key replacement
|
---|---|
|
@secure.elasticsearch.http.password |
|
@secure.elasticsearch.http.keystore.password |
|
@secure.elasticsearch.http.truststore.password |
Properties file support for externalized configurations
The settings can be configured in Properties files as well. The property names would be in par with the YAML file configuration naming convention. For e.g the "tenantId" property in the YAML structure under apigw→elasticsearch can be specified as apigw.elasticsearch.tenantId in the properties file. Actually the property names in the YAML file configurations are delimited by a "." in the property file for forming the property name.
A sample Properties file is given below.
apigw.elasticsearch.tenantId=default
apigw.elasticsearch.autostart=false
apigw.elasticsearch.hosts=vmabc\:9240
apigw.elasticsearch.http.password=admin123
apigw.elasticsearch.http.username=admin
apigw.kibana.dashboardInstance=http://localhost:9405
apigw.kibana.elasticsearch.sslCert=/path/to/your/client.crt
Configuring multiple files and its effect
The master configuration file can have many entries (0 to N) for defining multiple configuration files as configuration sources. When such file is used to start the API Gateway, the configuration values from all the files would be merged into a single effective configuration. In case of conflicts, i.e, if the same configuration value is present in two files then the value in the file which has higher preference would take priority. The order of preference is in the reverse order in which they are defined in the master configuration file, i.e, the configuration values that are defined in the last configuration file entry would have the highest preference. A sample use case is explained below.
For e.g. file1.yml has the below configurations.
apigw:
elasticsearch:
tenantId: default
file2.properties has the below property.
apigw.elasticsearch.tenantId=apigateway
file3.yml has the below configurations.
apigw:
elasticsearch:
http:
username: admin
password: admin123
kibana:
dashboardInstance: http://localhost:5601
Then the combined configuration that becomes effective would be as below.
apigw:
elasticsearch:
tenantId: apigateway
http:
username: admin
password: admin123
kibana:
dashboardInstance: http://localhost:5601
Default scenario
By default when API Gateway is starting it would read the master configuration file to learn the defined configuration source files. If the file doesn't exist in the name config-sources.yml under the system defined location or the file is invalid, the API Gateway would fallback back to its default behavior and the values defined in the internal configuration files would become effective. Similarly if any of the configuration files doesn't exist or invalid, then those files will be simply ignored and API Gateway would start with the valid configuration files. The API Gateway server startup wouldn't be halted in any of the above scenarios, instead the error logs would be logged into API Gateway application logs for debugging purpose. Enable debug level of the "Externalized Configuration" facility in the logging setting to see the logs.
The below are the sample logs for an API Gateway instance which is started using the externalized configurations.
[302]2019-08-16 11:19:02 IST [YAI.0013.8889I] [default][SAG-G43RXF2] Configuration loaded from configuration sources. APIGatewayConfig: APIGatewayConfig{elasticsearch=Elasticsearch{tenantId='apigw', hosts='localhost:9200', autostart='null', http=null, https=null, sniff=null, outboundProxy=null, clientHttpResponseSize=null, pendingRestart='null'}, kibana=null, filebeat=null, cluster=null}
[301]2019-08-16 11:19:02 IST [YAI.0013.8889I] [default][SAG-G43RXF2] APIGatewayConfig loaded from ConfigurationSource{type=PROPERTIES, allowEdit=true, properties={location=components.properties}}: APIGatewayConfig{elasticsearch=Elasticsearch{tenantId='apigw', hosts='null', autostart='null', http=null, https=null, sniff=null, outboundProxy=null, clientHttpResponseSize=null, pendingRestart='null'}, kibana=null, filebeat=null, cluster=null}
[300]2019-08-16 11:19:02 IST [YAI.0013.8887D] [default][SAG-G43RXF2] Debug: Retrieving configuration from Properties file source: ConfigurationSource{type=PROPERTIES, allowEdit=true, properties={location=components.properties}}
[299]2019-08-16 11:19:02 IST [YAI.0013.8889I] [default][SAG-G43RXF2] APIGatewayConfig loaded from ConfigurationSource{type=YAML, allowEdit=true, properties={location=components.yml}}: APIGatewayConfig{elasticsearch=Elasticsearch{tenantId='null', hosts='localhost:9200', autostart='null', http=null, https=null, sniff=null, outboundProxy=null, clientHttpResponseSize=null, pendingRestart='null'}, kibana=null, filebeat=null, cluster=null}
[298]2019-08-16 11:19:02 IST [YAI.0013.8887D] [default][SAG-G43RXF2] Debug: Retrieving configuration from YAML file source: ConfigurationSource{type=YAML, allowEdit=true, properties={location=components.yml}}
[297]2019-08-16 11:19:02 IST [YAI.0013.8887D] [default][SAG-G43RXF2] Debug: Loading configuration from sources: [ConfigurationSource{type=YAML, allowEdit=true, properties={location=components.yml}}, ConfigurationSource{type=PROPERTIES, allowEdit=true, properties={location=components.properties}}]
[293]2019-08-16 11:19:01 IST [YAI.0013.8889I] [default][SAG-G43RXF2] Configuration loaded from configuration sources. APIGatewayConfig: APIGatewayConfig{elasticsearch=Elasticsearch{tenantId='apigw', hosts='localhost:9200', autostart='null', http=null, https=null, sniff=null, outboundProxy=null, clientHttpResponseSize=null, pendingRestart='null'}, kibana=null, filebeat=null, cluster=null}
[292]2019-08-16 11:19:01 IST [YAI.0013.8889I] [default][SAG-G43RXF2] APIGatewayConfig loaded from ConfigurationSource{type=PROPERTIES, allowEdit=true, properties={location=components.properties}}: APIGatewayConfig{elasticsearch=Elasticsearch{tenantId='apigw', hosts='null', autostart='null', http=null, https=null, sniff=null, outboundProxy=null, clientHttpResponseSize=null, pendingRestart='null'}, kibana=null, filebeat=null, cluster=null}
[291]2019-08-16 11:19:01 IST [YAI.0013.8887D] [default][SAG-G43RXF2] Debug: Retrieving configuration from Properties file source: ConfigurationSource{type=PROPERTIES, allowEdit=true, properties={location=components.properties}}
[290]2019-08-16 11:19:01 IST [YAI.0013.8889I] [default][SAG-G43RXF2] APIGatewayConfig loaded from ConfigurationSource{type=YAML, allowEdit=true, properties={location=components.yml}}: APIGatewayConfig{elasticsearch=Elasticsearch{tenantId='null', hosts='localhost:9200', autostart='null', http=null, https=null, sniff=null, outboundProxy=null, clientHttpResponseSize=null, pendingRestart='null'}, kibana=null, filebeat=null, cluster=null}
[289]2019-08-16 11:19:01 IST [YAI.0013.8887D] [default][SAG-G43RXF2] Debug: Retrieving configuration from YAML file source: ConfigurationSource{type=YAML, allowEdit=true, properties={location=components.yml}}
[288]2019-08-16 11:19:01 IST [YAI.0013.8887D] [default][SAG-G43RXF2] Debug: Loading configuration from sources: [ConfigurationSource{type=YAML, allowEdit=true, properties={location=components.yml}}, ConfigurationSource{type=PROPERTIES, allowEdit=true, properties={location=components.properties}}]
system-settings.yml
The API Gateway ships with a default configuration file system-settings.yml which contains the default values of the inter-component and cluster configurations at the time of fresh installation. The API Administrator can anytime start the API Gateway with the original configuration values by referring this file in the master configuration file (config-sources.yml) with higher preference.
Limitations
- The externalized configurations are now limited to inter-component and cluster configurations and other product level configurations are not supported now
- When cluster settings are given in the configuration files, the API Gateway server on startup would update the internal settings with the values from the configuration files but the node won't join the cluster. A server restart in required for the cluster settings to become effective and to join the cluster
Troubleshooting
For any issues or misbehavior please check the below points.
- Check if the master config-sources.yml file exists and the file is a valid YAML file
- Check the configuration files locations are correctly configured in the master configuration file
- Check if the configuration files are valid YAML files
- Check the configuration files contain the right structure or naming for the settings outlined by the template
- Check whether the configured external instance (Elasticsearch or Kibana) is running before starting API Gateway
- Check the logs by enabling debug level of the "Externalized Configuration" facility in the logging setting
References
- Refer https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery-settings.html for Elasticsearch cluster settings
- Refer https://www.elastic.co/guide/en/kibana/7.2/settings.html for Kibana and Elasticsearch communication yaml settings
- Refer https://www.elastic.co/guide/en/beats/filebeat/7.2/elasticsearch-output.html for Filebeat and Elasticsearch communication yaml settings
Downloadable artifacts
- Elasticsearch 7.2 download - https://www.elastic.co/downloads/past-releases/elasticsearch-7-2-0
- Kibana 7.2 doenload - https://www.elastic.co/downloads/past-releases/kibana-7-2-0
- Sample YAML configuration file sample-config.yml in the attachments
- Sample Properties configuration file sample-config.properties in the attachments
Learn more
- For Elasticsearch best practices please refer Elasticsearch Best Practices
- For starting API Gateway using docker by passing the configuration values in the environment variables please refer Getting Started with API Gateway DockerHub Image
sample-config.properties (1.92 KB)
sample-config.yml (1.79 KB)