A Service has its configuration which includes the information about its upstream as well as the application-layer specific configurations (e.g. HTTP-based configurations such as manipulating headers and injecting the upstream credentials) for various widely used L-7 protocols and supported by Octelium (read more about Service modes here). Here is an example:
1kind: Service2metadata:3name: svc14spec:5mode: HTTP6config:7upstream:8url: https://api.example.com9http:10auth:11bearer:12fromSecret: apikey1
The above configuration is the default configuration which is used globally for all the Service requests by default. However, in many cases, you might want to make this configuration dynamic depending on the request's context. For instance, you might want to route to a certain upstream depending on the identity of the User or the L-7 specific context (e.g. HTTP paths, headers, request body, etc...). For such cases, Octelium provides you a very flexible way to apply dynamic configuration where you can define multiple configurations and choose one of them on a per-request basis via rules that are defined exactly the same way as Policy rules (read more about Policies and access control here).
Here is an example where we can provide smart routing based on the User identity to route to additional upstreams. We now have 2 additional configs (i.e. config-1 and config-2) to the default configuration, each having a different credential representing maybe a different account and/or privileges for the upstream. If no rules match or if there are no rules, then the default config is used as a fallback config.
1kind: Service2metadata:3name: svc14spec:5mode: HTTP6# This is our typical static configuration used by default if no rules match7config:8upstream:9url: https://api.example.com10http:11auth:12bearer:13fromSecret: apikey014dynamicConfig:15# we define a list of named configs that could override the global config16configs:17- name: config-118upstream:19url: https://api-01.example.com20http:21auth:22bearer:23fromSecret: apikey124- name: config-225upstream:26url: https://api-02.example.com27http:28auth:29bearer:30fromSecret: apikey231rules:32# Use the Config `config-1` for Users belonging to the Group `group-1`33- condition:34match: '"group-1" in ctx.user.spec.groups'35configName: config-136# Use the Config `config-2` for Users belonging to the Group `group-2`37- condition:38match: '"group-2" in ctx.user.spec.groups'39configName: config-2
As shown in the example above, the dynamicConfig has 2 lists: one for the named dynamic configs represented by the configs list and another, rules, for the rules that are checked upon each request to choose one of these configs when matched. Each rule has a condition that can be defined in the exact same way as Policy rule conditions (read more here). A rule matches if its condition is met and in such case its corresponding named config, represented by the configName field, is chosen to be the configuration for that particular request overriding the default Service configuration.
Dynamic configuration is not restricted to a certain Service mode. The above example can be generalized to any other mode where you can override the default configuration based on whatever dynamic rules you wish to define. For example, you can use it for the POSTGRES and MYSQL modes to route to specific upstreams and/or use specific usernames and passwords as well as databases depending on the identity and/or context of the request. For the case of SSH, you can route to different usernames and passwords/private keys depending on the identity or the request's User. You can explore more mode-specific examples here:
Also, you are not really required to define a default configuration when you have one or more named configurations unless with working with certain situations (e.g. buffering request body in HTTP-based Services (read more here)). Here is an example of a Service that acts as an API gateway:
1kind: Service2metadata:3name: my-api4spec:5mode: HTTP6dynamicConfig:7configs:8- name: v19upstream:10url: https://apiv1.example.com11http:12auth:13bearer:14fromSecret: apikey115path:16removePrefix: /v117- name: v218upstream:19url: https://apiv2.example.com20http:21auth:22bearer:23fromSecret: apikey224path:25removePrefix: /v226rules:27# Use the Config `config-1` for Users belonging to the Group `group-1`28- condition:29match: ctx.request.http.path.startsWith("/v1")30configName: v131# Use the Config `config-2` for Users belonging to the Group `group-2`32- condition:33match: ctx.request.http.path.startsWith("/v2")34configName: v235# Fallback to v1 when nothing matches36- condition:37matchAny: true38configName: v1
However, in such case, you need to be careful that your rules cover all the possible conditions.
Inheritance
In some cases, you might have multiple configurations that share one or more fields and sub-fields making the process of writing dynamic configurations mundane and even error-prone for more complex configurations. For example, here is an example for a POSTGRES Service (read more here) where you force the User to use a certain database based on the identity while keeping everything else in the config the same (i.e. same URL, same user and password). Therefore, without Inheritance, your Service looks as follows:
1kind: Service2metadata:3name: postgres4spec:5mode: POSTGRES6dynamicConfig:7configs:8- name: db19upstream:10url: postgres://address-to-pg11postgres:12user: postgres13database: db114auth:15password:16fromSecret: pg-password17- name: db218upstream:19url: postgres://address-to-pg20postgres:21user: postgres22database: db223auth:24password:25fromSecret: pg-password26rules:27- condition:28match: '"prod" in ctx.user.spec.groups'29configName: db230- condition:31matchAny: true32configName: db1
Now with Service config inheritance, your Service can become much shorter and easier to maintain and read as follows:
1kind: Service2metadata:3name: postgres4spec:5mode: POSTGRES6dynamicConfig:7configs:8- name: db19upstream:10url: postgres://address-to-pg11postgres:12user: postgres13database: my-db114auth:15password:16fromSecret: pg-password17- name: db218parent: db119postgres:20# We're overriding the `my-db1` database with `my-db2`21# while inheriting everything else from `db1` config22database: db223rules:24- condition:25match: '"prod" in ctx.user.spec.groups'26configName: db127- condition:28matchAny: true29configName: db2
You can use the default configuration whose name is reserved as default as a parent for your dynamic configs. Here is an example:
1kind: Service2metadata:3name: postgres4spec:5mode: POSTGRES6config:7name: db18upstream:9url: postgres://address-to-pg10postgres:11user: postgres12database: my-db113auth:14password:15fromSecret: pg-password16dynamicConfig:17configs:18- name: db119parent: default20postgres:21database: db122- name: db223parent: default24postgres:25database: db2
As shown above, you actually use the default as well as any other dynamic config as templates to be used as parents for other child configs. Service configuration inheritance can help you to actually create very complex dynamic configuration setups without causing degradation of maintainability and readability at scale. Note that Octelium currently only supports one-level inheritance. In other words, you cannot currently have configs whose parent also inherits from another config. Also note that the default config cannot have parents.