Configuration

The ECR loads configuration data from a file (typically backed by a Kubernetes config map). If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.

Service configuration structure

The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.

General service configuration

ECR uses a standard Spring Boot server.port property to configure the port to expose the REST API at.

server:
  port: <unsigned short integer>   # Server port used to expose the REST API at

Endpoint register interface

Use the below parameters to configure the REST-based endpoint register interface ECR uses to validate that EP ID exists and to listen to EP unregistered events.

kaa:
  ecr:
    ep-register:
      base-url: <URL>                  # Base URL of the endpoint register REST API
      service-instance:
        name: <service instance name>  # Instance name of the endpoint register

Configuration data transport interface

Use the following options to configure the configuration data transport interface.

kaa:
  ecr:
    configuration-consumer:
      service-instance:
        name: <service instance name>  # Name of the configuration data consumer service instance ECR will subscribe to.

Data persistence interface

ECR uses Spring Data MongoDB configuration. Refer to the corresponding documentation for the list of supported configuration options.

Note that for security reasons username and password must be sourced from the environment variables.

NATS

The below parameters configure ECR’s connection to NATS. Note that for security reasons NATS username and password are sourced from the environment variables.

nats:
  urls: <comma separated list of URL>   # NATS connection URLs

Authentication and authorization

ECR’s REST API security is implemented according to OAuth2 protocol with a UMA profile.

There’re two security configuration points:

1) Configure ECR’s HTTP client to include security header in requests to other secured services:

security:
  oauth2:
    client:
      enabled: <boolean>             # Specified if authentication is enabled for ECR REST calls. False by default.
      base-url: <URL>                # Base host url to OAuth provider
      realm: <realm name>            # Realm in OAuth provider
      clientId: <client ID>          # Client ID on whose behalf the requests will be made
      clientSecret: <client secret>  # Client secret on whose behalf the requests will be made

2) Secure REST API provided by ECR by enabling authorization and authentication:

security:
  ignored: <value>            # Controls authentication and authorization on REST API endpoints. 
                              # Possible values: '/**' to disable security or 'none' to enable.
  oauth2:
    client:
      clientId: <clientId>    # Client id on whose behalf the requests will be made
      clientSecret: <secret>  # Client secret on whose behalf the requests will be made
      accessTokenUri: <URI>   # An OAuth2-compliant Token Endpoint for obtaining tokens via the 'Implicit Flow', 'Direct Grants', or 'Client Grants'. E.g. "https://your-url-to-auth-server/auth/realms/realm-a/protocol/openid-connect/token"
      resourceUri: <URI>      # An UMA-compliant Resource Registration Endpoint which resource servers can use to manage their protected resources and scopes. E.g. "https://your-url-to-auth-server/auth/realms/realm-a/authz/protection/resource_set"
    resource:
      userInfoUri: <URI>      # This is the URL endpoint for the User Info service described in the OIDC specification. E.g. "https://your-url-to-auth-server/auth/realms/realm-a/protocol/openid-connect/userinfo"

Management

ECR monitoring and management implementation is based on the Spring Boot Actuator. Refer to the corresponding documentation for the list of supported configuration options.

Logging

By default, ECR uses Spring Boot logging configuration with logback for logging. Refer to the corresponding documentation for the list of supported configuration options.

Built-in configuration profiles

For your convenience, ECR comes with a default built-in configuration profile.

Built-in profile is optimized for a Kubernetes-based production deployment. It does not define any Kaa applications—you have to configure those for any specific Kaa-based solution.

Default

server:
  port: 80

kaa:
  ecr:
    ep-register:
      base-url: http://epr
      service-instance:
        name: epr
    configuration-consumer:
      service-instance:
        name: cmx
  security:
    oauth.client:
      enabled: false          

nats:
  urls: nats://nats:4222

management:
  server:
    port: 8080
  endpoint:
    health:
      enabled: true
      show-details: always
      status:
        http-mapping:
          UNKNOWN: SERVICE_UNAVAILABLE
    shutdown:
      enabled: true
    metrics:
      enabled: true
  endpoints:
    web:
      base-path: /
      exposure:
        include: info,health,metrics
        
spring:
  data:
    mongodb:
      database: ecr
      uri: mongodb://mongodb:27017/ecr
      username: ${mongodb.username:}
      password: ${mongodb.password:password}
      threads-allowed-to-block-for-connection-multiplier: 5
      connections-per-host: 100
      max-wait-time: 120000
      connection-timeout: 5000
      socket-timeout: 0

security:
  ignored: /**