Kyle Rockman
Lead Infrastructure Engineer OpsLevel.com
Kyle Rockman - @Rocktavious
Today, I'm going to show you...
How we made sharing configuration and secrets easier for everyone at our organization.
Kyle Rockman
Infrastructure Team @ Under Armour Connected Fitness
Develop & Support Internal PaaS systems for our Developers
Github, Twitter - @Rocktavious
Under Armour Connected Fitness
Principles & Problems
High-level concepts of shareable, tiered key-values
Overview of our solution - Escrow
Usage/Examples
Empower UA engineers to frictionlessly deliver excellent software experiences directly to our consumers.
The Problem ...
Empower any engineering team to manage their configuration data and share it with others easily!
Solutions?
Old-French: Escroe
a bond, deed, or other document kept in the custody of a third party, taking effect only when a specified condition has been fulfilled.
Escrow
Chain - An ordered collection of links
Link - An individual piece of 'key=value' data that can be shared
Escrow Chains
It's just variables! (with a hierarchy)
* Conflict resolution is left -> right: the rightmost link wins
Resulting Chain Data
Break data down into little pieces to maximise reuse and shareability
Editing data of link A affects both Chain A & B
Link:
- Group: restricts editability
- Private: restricts reusability for others not in the group
Chain:
- Group: restricts editability: adding links and ordering them in the chain
Chain diagram: A (Infrastructure), B (UARun)
User B can:
- edit link C
- see the data in link A
User A can:
- organize this chain
- edit 2 links
Sharing a link could have unintended effects on other chains!!!
Solution: Key Values as an Artifact
Rendering a chain generates an immutable artifact of the rendered chain at that point in time
Future changes to the links of that chain will not affect it
But single place to change data makes updating easy
Escrow Chains become a tool to compose key value data
Escrow Artifacts are an immutable chunk of data that can be reused anywhere
Privacy Concerns
A user can only render a chain if they pass all privacy checks for every link in that chain
Rendering: chain diagram with A (Infrastructure) and B (UARun)
Only User A is allowed to create artifacts from this chain
If user A renders the chain and gives the artifact ID to user B; user B still cannot use the artifact
Once an Escrow Artifact is created from a rendered chain, the privacy checks still hold
An Artifact is identified by an ID
2cf24dba5fb0a30e26e8
This ID is generated from the final contents of the key value data, the name of the chain, and a commit message when rendering
/artifact/{ID}/rendered?style=default
    {
      "FOO": {
        "source": "test",
        "group": "devs",
        "value": "1",
        "private": false
      },
      "BAR": {
        "source": "test2",
        "group": "admins",
        "value": "2",
        "private": true
      }
    }
/artifact/{ID}/rendered?style=string
FOO=1\nBAR=2
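The chain, privacy and artifact ideas above, as an added Python model (not Escrow's own code). It assumes a private link is readable only by members of its group, and that the artifact ID is a truncated SHA-256 over the rendered data, chain name and commit message; the sample links are constructed to reproduce the rendered JSON shown above.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One shareable 'key=value' piece. group limits who edits it; private limits reuse."""
    name: str
    group: str
    data: dict
    private: bool = False


def resolve_chain(links):
    """Merge links left -> right so the rightmost link defining a key wins."""
    merged = {}
    for link in links:
        for key, value in link.data.items():
            merged[key] = {"source": link.name, "group": link.group,
                           "value": value, "private": link.private}
    return merged


def can_render(user_groups, links):
    """Privacy check: every private link must belong to one of the user's groups (assumed rule)."""
    return all((not link.private) or (link.group in user_groups) for link in links)


def render_artifact(chain_name, links, user_groups, commit_message):
    """Render a chain into an immutable artifact and return (artifact_id, rendered_data)."""
    if not can_render(user_groups, links):
        raise PermissionError("privacy check failed for chain %r" % chain_name)
    rendered = resolve_chain(links)
    # ID comes from the final contents, the chain name and the commit message
    # (SHA-256 truncated to 20 hex chars is an assumption about the real tool)
    digest = hashlib.sha256()
    digest.update(json.dumps(rendered, sort_keys=True).encode())
    digest.update(chain_name.encode())
    digest.update(commit_message.encode())
    return digest.hexdigest()[:20], rendered


def to_string_style(rendered):
    """The ?style=string view: one KEY=value per line."""
    return "\n".join("%s=%s" % (key, entry["value"]) for key, entry in rendered.items())


# Constructed sample chain: 'base' sets FOO, 'test' overrides it, 'test2' adds a private BAR
CHAIN = [Link("base", "devs", {"FOO": "0"}),
         Link("test", "devs", {"FOO": "1"}),
         Link("test2", "admins", {"BAR": "2"}, private=True)]
```

Rendering the same chain twice with the same commit message yields the same ID; changing a link or the message yields a new artifact, while existing artifacts are untouched.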
Jenkinsfile Syntax
    import groovy.json.JsonSlurper

    // Fetch the rendered artifact and turn it into a list of "KEY=value" strings.
    // @NonCPS: runs outside the pipeline's CPS transform, since the URLConnection
    // and JsonSlurper objects are not serializable.
    @NonCPS
    def get_escrow(escrow_id) {
        // Credentials are read from the agent's environment
        String username = System.getenv("ADMIN_USERNAME")
        String password = System.getenv("ADMIN_PASSWORD")
        String auth = (username + ":" + password).bytes.encodeBase64().toString()
        String location = "https://example.com/api/escrow/artifact/" + escrow_id + "/rendered/"
        def conn = location.toURL().openConnection()
        conn.setRequestProperty("Accept", "application/json")
        conn.setRequestProperty("Authorization", "Basic ${auth}")
        def output = []
        // Each entry is {"source", "group", "value", "private"}; keep only the value
        new JsonSlurper().parseText(conn.inputStream.text).each {
            output << it.key + "=" + it.value.value
        }
        return output
    }

    // Shared-library step entry point (assumed to live in vars/withUACFEnv.groovy):
    // exposes the artifact's key/values as environment variables for the body
    def call(escrow_id, body) {
        withEnv(get_escrow(escrow_id)) {
            body()
        }
    }

    // Usage from a Jenkinsfile
    node('docker') {
        withUACFEnv('b04196426111d0f182a8') {
            sh 'env'
        }
    }
@Rocktavious
We are hoping to opensource the tool in the coming months
https://github.com/underarmour/
https://slides.com/rocktavious/estate/
By Kyle Rockman