CLyman can be configured from one or more sources:
The application gives priority to the values retrieved in the above order. This means that an environment variable setting will override any other setting.
Command Line arguments and Properties File keys are lower case, and separated by periods (i.e. ‘section.key=’). Environment Variables, Vault, and Consul keys are all upper case, and are separated by underscores (i.e. ‘SECTION_KEY=’).
All arguments are prefixed with the application name and profile name (i.e. ‘section.key’ becomes ‘clyman.prod.section.key’). The profile name can be changed by providing the command line argument ‘profile’:
./clyman profile=dev
You can store multiple profiles in your configuration sources, and then specify which one to use on startup of each instance.
The ‘cluster’ option on the command line or in a properties file, or the ‘AOSSL_CLUSTER_NAME’ environment variable, will set the name of the cluster. A cluster is a grouping of CLyman instances, which have been assigned particular scenes to manage. Each CLyman instance is designed to manage a set number of scenes, and this allows for highly optimized streaming of object updates.
The cluster name affects how CLyman registers with Consul, if provided, and the names of cluster-specific security properties.
Vault Address - Starts CLyman against a Vault instance. Specified by a collection of arguments:
vault=http://localhost:8200
to use when communicating with Vault. You may also leave this blank to enable SSL encryption without providing a client certificate.
vault.cert=
used by Vault, currently supported options are ‘APPROLE’ and ‘BASIC’
vault.authtype=BASIC
authenticating with Vault
vault.un=test
authenticating with Vault
vault.pw=test
In addition, the Vault UN and PW can be loaded from files on disk, ‘vault_un.txt’ and ‘vault_pw.txt’. This is the recommended method to set authentication info in CI/CD processes within an application container.
Secure Properties can be loaded from a properties file for development purposes, but in a Production scenario should always be loaded from a Vault instance. Once CLyman is connected to a Vault instance, the following properties can be loaded:
Secure properties can be loaded from any configuration source, but when loaded from Vault they should be present at the default path (‘secret/’) in the v2 KV Store.
Consul Address - Starts CLyman against a Consul instance. Specified by either the consul command line argument or the AOSSL_CONSUL_ADDRESS environment variable.
./clyman consul=http://127.0.0.1:8500
We may also include the arguments:
SSL Certificate to use when communicating with Consul. You may also leave this blank to enable SSL encryption without providing a client certificate.
consul.cert=
This will enable property retrieval from Consul KV Store & registering with Consul on start up.
The Consul ACL Token can alternatively be generated from the Consul Secret Store in Vault.
consul.token.role=consul-role
Properties File - Starts CLyman against a Properties File. Specified by either the props command line argument or the AOSSL_PROPS_FILE environment variable. For example:
./clyman props=app.properties
If no properties file is specified, CLyman will look for one named app.properties in both the current working folder, and in /etc/clyman/.
The consul address can also be specified within the properties file, with the key consul.
SSL Context Configuration is performed on startup, if enabled. If the following properties are set, then SSL Certs for CLyman can be generated dynamically from Vault:
transaction.security.ssl.ca.vault.active=true
transaction.security.ssl.ca.vault.role_name=test-role
transaction.security.ssl.ca.vault.common_name=local
Otherwise, SSL Certificate Generation can be configured from a file in the current working directory called ‘ssl.properties’.
HTTPS must be enabled with the following parameter:
transaction.security.ssl.enabled=true
mongo=mongodb://localhost:27017
In Production Scenarios it is recommended to use Mongo Discovery. If it is set to true, then CLyman will use Consul to find a Mongo instance, and will dynamically find new instances when it encounters many consecutive failures. To enable this, just do not provide a pre-existing connection string.
mongo.db=CLyman
mongo.obj.collection=obj3
mongo.prop.collection=prop
mongo.ssl.active=true
There are a number of other options that CLyman can be provided on startup. Below is an overview of the remaining properties:
log.file=clyman.log
log.level=Debug
http.host=127.0.0.1
http.port=8766
udp.port=8764
event.security.aes.enabled=false
transaction.id.stamp=True
transaction.format=json
event.stream.method=udp
event.format=json
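The production recommendations above (Vault credentials read from files rather than set inline, HTTPS enabled, Mongo Discovery instead of a fixed connection string) can be checked before deployment. The script below is an added example, not part of CLyman: the function names, finding codes and both sample files are constructed, and it assumes a properties file may carry either bare keys or keys prefixed with ‘clyman.<profile>.’.

```python
# Added example, not CLyman code: function names and finding codes are hypothetical.
WEAK = """\
clyman.prod.vault=http://localhost:8200
clyman.prod.vault.authtype=BASIC
clyman.prod.vault.un=test
clyman.prod.vault.pw=test
mongo=mongodb://localhost:27017
mongo.ssl.active=true
event.security.aes.enabled=false
"""  # constructed sample built from the example values on this page

HARDENED = """\
vault=https://vault.example.internal:8200
vault.cert=
vault.authtype=APPROLE
transaction.security.ssl.enabled=true
mongo.ssl.active=true
event.security.aes.enabled=true
"""  # constructed sample; the Vault host name is a placeholder

def parse_properties(text, app="clyman", profile="prod"):
    """Parse key=value lines, stripping an optional '<app>.<profile>.' prefix."""
    prefix, props = f"{app}.{profile}.", {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        props[key[len(prefix):] if key.startswith(prefix) else key] = value.strip()
    return props

def audit(props):
    """Return sorted finding codes; rules marked 'assumption' are this example's policy."""
    on = lambda key: props.get(key, "").lower() == "true"
    checks = {
        "VAULT_CREDS_INLINE": "vault.un" in props or "vault.pw" in props,  # page: use files
        "VAULT_PLAINTEXT_HTTP": props.get("vault", "").lower().startswith("http://"),  # assumption
        "HTTPS_DISABLED": not on("transaction.security.ssl.enabled"),  # page: must be enabled
        "MONGO_SSL_OFF": not on("mongo.ssl.active"),  # assumption
        "EVENT_AES_OFF": not on("event.security.aes.enabled"),  # assumption
        "MONGO_STATIC_ADDRESS": "mongo" in props,  # page recommends Mongo Discovery
    }
    return sorted(code for code, hit in checks.items() if hit)

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_properties(text)))
```

Keys belonging to another profile keep their prefix after parsing, so they are ignored when auditing the selected profile.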