DEVOPS-2758-added-system-config (#69)

Add System Configuration feature

Introduce system configuration support for advanced Lightrun server settings.
The feature allows providing a signed JSON config file through ConfigMap.
Documentation available at docs/advanced/system_config.md

Author: imeliran

README.md

@@ -39,50 +39,57 @@ To ensure a smooth and secure production deployment of Lightrun, follow these ke
 
 - Decide whether to use Helm-managed secrets or an external secrets manager.
     [More info on Secrets Management](docs/installation/secrets.md)
-#### **4. Lightrun Certificate**
+
+#### **4. System Configuration**
+
+- Obtain the system configuration file and signature from Lightrun.
+    [More info on System Configuration](docs/advanced/system_config.md)
+
+#### **5. Lightrun Certificate**
 
 - Plan how Lightrun certificate will be issued and managed for secure communications.
     [More info on Certificate](docs/installation/certificate.md)
-#### **5. Database**
+
+#### **6. Database**
 
 > [!TIP]
 > Use external managed database
 
 - Choose between a local or external database.
     [More info on Database Setup](docs/components/database.md)
 
-#### **6. Router**
+#### **7. Router**
 
 - Decide how external traffic will reach the Lightrun router (Ingress, Service, OpenShift Route).
     [More info on Router](docs/components/router/index.md)
 
-#### **7. Container Images Registry**
+#### **8. Container Images Registry**
 
 - Choose where to store and manage container images (e.g., private registry, Docker Hub, Azure Container Registry, AWS ECR).
     [More info on Container Image Registry](docs/installation/container_image_registry.md)
 
-#### **8. Redis**
+#### **9. Redis**
 > [!TIP] 
 > Use external managed redis
 - Determine if Redis will be local or external.
     [More info on Redis Setup](docs/components/redis.md)
 
-#### **9. (Optional)RabbitMQ**
+#### **10. (Optional)RabbitMQ**
 
 - Determine if RabbitMQ is needed for sending telemetry to Lightrun.
     [More info on RabbitMQ](docs/components/rabbitmq.md)
 
-#### **10. (Optional)Network Policy**
+#### **11. (Optional)Network Policy**
 
 - Establish network policies to restrict access between services and prevent unauthorized communication.
     [More info on Network Policy](docs/advanced/network_policy.md)
 
-#### **11. (Optional)Internal TLS Communication**
+#### **12. (Optional)Internal TLS Communication**
 
 - Decide whether internal TLS is necessary for secure component communication.
     [More info on Internal TLS](docs/advanced/internal_tls.md)
 
-#### **12. Choose Your Deployment Option**
+#### **13. Choose Your Deployment Option**
 
 Decide where to run your Kubernetes cluster based on your infrastructure needs. Consider whether you'll deploy all services locally (including RabbitMQ, Redis, and MySQL) or use managed cloud services.
 ##### **Supported Kubernetes Platforms:**

chart/templates/backend-deployment.yaml

@@ -60,6 +60,9 @@ spec:
       {{- end }}
       serviceAccountName: {{ template "lightrun-be.serviceAccountName" . }}
       volumes:
+        - name: system-config
+          configMap:
+            name: {{ include "lightrun.fullname" . }}-system-config
         - name: encryption-keys
           secret: 
             secretName: {{ include "secrets.backend.name" . }}
@@ -130,6 +133,10 @@ spec:
             "/usr/src/lightrun/{{ .Values.deployments.backend.jar_name }}"
           ]
           volumeMounts:
+            - name: system-config
+              mountPath: {{ .Values.general.system_config.file_path }}
+              subPath: {{ base .Values.general.system_config.file_path }}
+              readOnly: true
             - name: encryption-keys
               mountPath: /encryption-keys
               readOnly: true
@@ -193,6 +200,10 @@ spec:
             - secretRef:
                 name: {{ include "secrets.backend.name" . }}
           env:
+            - name: LIGHTRUN_SYSTEM_CONFIG_JSON_FILE_PATH
+              value: {{ .Values.general.system_config.file_path }}
+            - name: LIGHTRUN_SYSTEM_CONFIG_JSON_SIGNATURE
+              value: {{ .Values.general.system_config.signature }}
             - name: SERVER_SECURITY_ENCRYPTION-KEYS-PATH
               value: file:/encryption-keys
             - name: LIGHTRUN_HOSTNAME

chart/templates/backend-system-config-cm.yaml

@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "lightrun.fullname" . }}-system-config
+data:
+  system_config.json: {{ .Values.general.system_config.content }}

chart/values.yaml

@@ -11,6 +11,14 @@ general:
   lightrun_endpoint: "lightrun.example.com"
   ## DNS record that will be used to access the platform
   deployment_type: on-prem
+
+  system_config:
+    # Path to the system config file
+    file_path: "/opt/lightrun/system_config.json"
+    # Content of the system config file, base64 encoded
+    content: ""
+    # Signature of the system config file, base64 encoded
+    signature: ""
   ## on-prem, saas, single-tenant
   deploy_secrets:
     enabled: true

docs/advanced/_index.md

@@ -1,4 +1,5 @@
 This advanced guide covers in-depth configuration options for deploying Lightrun using the Helm chart
 
 - [Internal TLS](internal_tls.md)
-- [Network Policy](network_policy.md)
+- [Network Policy](network_policy.md)
+- [System Configuration](system_config.md)

docs/advanced/system_config.md

@@ -0,0 +1,73 @@
+# System Configuration File
+
+This document describes how to configure and use the System Configuration feature in the Lightrun platform. The system configuration file allows administrators to adjust settings that control the behavior of the Lightrun server.
+
+## Overview
+
+The System Configuration is a JSON file that contains various settings that modify the behavior of the Lightrun server. This configuration is provided via a ConfigMap and mounted into the backend container. The file is digitally signed to ensure authenticity and prevent unauthorized modifications.
+
+## Configuration Options
+
+To use the System Configuration feature, you need to provide:
+
+1. **Content**: The base64-encoded JSON configuration content (provided by Lightrun)
+2. **Signature**: A base64-encoded signature of the JSON content (provided by Lightrun)
+3. **File Path**: The location where the configuration file will be mounted in the container (default: `/opt/lightrun/system_config.json`)
+
+### Values.yaml Configuration
+
+Add the following configuration to your `values.yaml` file or override the values when installing/upgrading the Helm chart:
+
+```yaml
+general:
+  system_config:
+    # Path to the system config file
+    file_path: "/opt/lightrun/system_config.json"
+    # Content of the system config file, base64 encoded
+    content: "ewogICJzb21lQ29uZmlndXJhdGlvbkZpZWxkIjogdHJ1ZSwKICAiYW5vdGhlckNvbmZpZ3VyYXRpb25GaWVsZCI6IDEyMwp9Cg=="
+    # Signature of the system config file, base64 encoded (provided by Lightrun)
+    signature: "c2lnbmF0dXJlLXZhbHVlLWZyb20tbGlnaHRydW4="
+```
+
+> [!IMPORTANT]
+> - The content must be base64-encoded valid JSON
+> - The signature must be base64-encoded and match the content exactly to be considered valid
+> - Contact Lightrun support to obtain a valid signature and content
+
+### How It Works
+
+When the Lightrun backend starts:
+
+1. The backend reads the system configuration file from the specified path
+2. It validates the file's signature against the provided signature value
+3. If valid, the configuration is applied to modify the backend's behavior
+4. If invalid, the backend will log an error and may use default settings instead
+
+## Updating the Configuration
+
+To update the system configuration:
+
+1. Obtain a new configuration content and corresponding signature from Lightrun support
+2. Update your `values.yaml` file or use `--set` parameters with the new values
+3. Apply the changes using Helm:
+
+```bash
+helm upgrade lightrun lightrun/lightrun -f values.yaml
+```
+
+> [!NOTE]
+> Updating the system configuration requires a restart of the Lightrun backend deployment with strategy recreate to take effect.
+
+## Troubleshooting
+
+If you experience issues with the system configuration:
+
+1. Verify that the content is properly base64-encoded
+2. Ensure the signature matches the provided content
+3. Check the backend logs for any error messages related to system configuration:
+
+```bash
+kubectl logs -l <lightrun-backend> -n <namespace>
+```
+
+For assistance with system configuration issues, contact Lightrun support.