Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📝 [open-zaak/open-zaak#1649] Document envvars #206

Merged
merged 3 commits into from
Aug 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,31 @@ jobs:
- name: Publish coverage report
uses: codecov/codecov-action@v3

check-envvar-docs:
runs-on: ubuntu-latest
name: Documentation build

steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
cache-dependency-path: 'requirements/*.txt'
- name: Install dependencies
run: pip install -r requirements/ci.txt pytest
- name: Generate environment variable documentation using OAf and check if it was updated
run: |
bin/generate_envvar_docs.sh
changes=$(git diff docs/installation/config.rst)
if [ ! -z "$changes" ]; then
echo $changes
echo "Please update the environment documentation by running \`bin/generate_envvar_docs.sh\`"
exit 1
fi
env:
DJANGO_SETTINGS_MODULE: openklant.conf.ci

docker:
needs: tests
name: Build Docker image
Expand Down
4 changes: 4 additions & 0 deletions bin/generate_envvar_docs.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#!/bin/bash

# Generates the documentation for environment variables
src/manage.py generate_envvar_docs --file docs/installation/config.rst --exclude-group Celery
4 changes: 3 additions & 1 deletion docs/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Open Klant Documentation

**Open Klant** is a modern, open-source data- and services-layer to store and
expose client metadata and communications between clients and the municipality.
It implements the `VNG API standard for Klantinteracties`_ in line with the
It implements the `VNG API standard for Klantinteracties`_ in line with the
`Common Ground`_ model.

.. _`Common Ground`: https://commonground.nl/
Expand All @@ -26,3 +26,5 @@ Open Klant `is`_ and only uses open source.
.. toctree::
:maxdepth: 3
:hidden:

installation/index
118 changes: 118 additions & 0 deletions docs/installation/config.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
.. _installation_env_config:

===================================
Environment configuration reference
===================================


Open Klant can be ran both as a Docker container or directly on a VPS or
dedicated server. It relies on other services, such as database and cache
backends, which can be configured through environment variables.


Available environment variables
===============================


Required
--------

* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool <https://www.miniwebtool.com/django-secret-key-generator>`_.
* ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.


Database
--------

* ``DB_NAME``: name of the PostgreSQL database. Defaults to: ``openklant``.
* ``DB_USER``: username of the database user. Defaults to: ``openklant``.
* ``DB_PASSWORD``: password of the database user. Defaults to: ``openklant``.
* ``DB_HOST``: hostname of the PostgreSQL database. Defaults to ``db`` for the docker environment, otherwise defaults to ``localhost``.
* ``DB_PORT``: port number of the database. Defaults to: ``5432``.


Cross-Origin-Resource-Sharing
-----------------------------

* ``CORS_ALLOW_ALL_ORIGINS``: allow cross-domain access from any client. Defaults to: ``False``.
* ``CORS_ALLOWED_ORIGINS``: explicitly list the allowed origins for cross-domain requests. Example: http://localhost:3000,https://some-app.gemeente.nl. Defaults to: ``[]``.
* ``CORS_ALLOWED_ORIGIN_REGEXES``: same as ``CORS_ALLOWED_ORIGINS``, but supports regular expressions. Defaults to: ``[]``.
* ``CORS_EXTRA_ALLOW_HEADERS``: headers that are allowed to be sent as part of the cross-domain request. By default, Authorization, Accept-Crs and Content-Crs are already included. The value of this variable is added to these already included headers. Defaults to: ``[]``.


Elastic APM
-----------

* ``ELASTIC_APM_SERVER_URL``: URL where Elastic APM is hosted. Defaults to: ``None``.
* ``ELASTIC_APM_SERVICE_NAME``: Name of the service for this application in Elastic APM. Defaults to ``openklant - <environment>``.
* ``ELASTIC_APM_SECRET_TOKEN``: Token used to communicate with Elastic APM. Defaults to: ``default``.
* ``ELASTIC_APM_TRANSACTION_SAMPLE_RATE``: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: ``0.1``.


Optional
--------

* ``SITE_ID``: The database ID of the site object. You usually won't have to touch this. Defaults to: ``1``.
* ``DEBUG``: Only set this to ``True`` on a local development environment. Various other security settings are derived from this setting!. Defaults to: ``False``.
* ``USE_X_FORWARDED_HOST``: whether to grab the domain/host from the X-Forwarded-Host header or not. This header is typically set by reverse proxies (such as nginx, traefik, Apache...). Note: this is a header that can be spoofed and you need to ensure you control it before enabling this. Defaults to: ``False``.
* ``IS_HTTPS``: Used to construct absolute URLs and controls a variety of security settings. Defaults to the inverse of ``DEBUG``.
* ``CACHE_DEFAULT``: redis cache address for the default cache. Defaults to: ``localhost:6379/0``.
* ``CACHE_AXES``: redis cache address for the brute force login protection cache. Defaults to: ``localhost:6379/0``.
* ``EMAIL_HOST``: hostname for the outgoing e-mail server. Defaults to: ``localhost``.
* ``EMAIL_PORT``: port number of the outgoing e-mail server. Note that if you're on Google Cloud, sending e-mail via port 25 is completely blocked and you should use 487 for TLS. Defaults to: ``25``.
* ``EMAIL_HOST_USER``: username to connect to the mail server. Defaults to: ``(empty string)``.
* ``EMAIL_HOST_PASSWORD``: password to connect to the mail server. Defaults to: ``(empty string)``.
* ``EMAIL_USE_TLS``: whether to use TLS or not to connect to the mail server. Should be True if you're changing the ``EMAIL_PORT`` to 487. Defaults to: ``False``.
* ``DEFAULT_FROM_EMAIL``: The default email address from which emails are sent. Defaults to: ``[email protected]``.
* ``LOG_STDOUT``: whether to log to stdout or not. Defaults to: ``False``.
* ``LOG_LEVEL``: control the verbosity of logging output. Available values are ``CRITICAL``, ``ERROR``, ``WARNING``, ``INFO`` and ``DEBUG``. Defaults to: ``WARNING``.
* ``LOG_QUERIES``: enable (query) logging at the database backend level. Note that you must also set ``DEBUG=1``, which should be done very sparingly!. Defaults to: ``False``.
* ``LOG_REQUESTS``: enable logging of the outgoing requests. Defaults to: ``False``.
* ``SESSION_COOKIE_SAMESITE``: The value of the SameSite flag on the session cookie. This flag prevents the cookie from being sent in cross-site requests thus preventing CSRF attacks and making some methods of stealing session cookie impossible. Defaults to: ``Strict``.
* ``CSRF_COOKIE_SAMESITE``: The value of the SameSite flag on the CSRF cookie. This flag prevents the cookie from being sent in cross-site requests. Defaults to: ``Strict``.
* ``ENVIRONMENT``: An identifier for the environment, displayed in the admin depending on the settings module used and included in the error monitoring (see ``SENTRY_DSN``). The default is set according to ``DJANGO_SETTINGS_MODULE``.
* ``SUBPATH``: If hosted on a subpath, provide the value here. If you provide ``/gateway``, the component assumes its running at the base URL: ``https://somedomain/gateway/``. Defaults to an empty string. Defaults to: ``None``.
* ``RELEASE``: The version number or commit hash of the application (this is also sent to Sentry).
* ``NUM_PROXIES``: the number of reverse proxies in front of the application, as an integer. This is used to determine the actual client IP adres. On Kubernetes with an ingress you typically want to set this to 2. Defaults to: ``1``.
* ``CSRF_TRUSTED_ORIGINS``: A list of trusted origins for unsafe requests (e.g. POST). Defaults to: ``[]``.
* ``NOTIFICATIONS_DISABLED``: indicates whether or not notifications should be sent to the Notificaties API for operations on the API endpoints. Defaults to ``True`` for the ``dev`` environment, otherwise defaults to ``False``.
* ``DISABLE_2FA``: Whether or not two factor authentication should be disabled. Defaults to: ``False``.
* ``LOG_OUTGOING_REQUESTS_EMIT_BODY``: Whether or not outgoing request bodies should be logged. Defaults to: ``True``.
* ``LOG_OUTGOING_REQUESTS_DB_SAVE``: Whether or not outgoing request logs should be saved to the database. Defaults to: ``False``.
* ``LOG_OUTGOING_REQUESTS_DB_SAVE_BODY``: Whether or not outgoing request bodies should be saved to the database. Defaults to: ``True``.
* ``LOG_OUTGOING_REQUESTS_MAX_AGE``: The amount of time after which request logs should be deleted from the database. Defaults to: ``7``.
* ``SENTRY_DSN``: URL of the sentry project to send error reports to. Default empty, i.e. -> no monitoring set up. Highly recommended to configure this.





Specifying the environment variables
=====================================

There are two strategies to specify the environment variables:

* provide them in a ``.env`` file
* start the component processes (with uwsgi/gunicorn/celery) in a process
manager that defines the environment variables

Providing a .env file
---------------------

This is the most simple setup and easiest to debug. The ``.env`` file must be
at the root of the project - i.e. on the same level as the ``src`` directory (
NOT *in* the ``src`` directory).

The syntax is key-value:

.. code::

SOME_VAR=some_value
OTHER_VAR="quoted_value"


Provide the envvars via the process manager
-------------------------------------------

If you use a process manager (such as supervisor/systemd), use their techniques
to define the envvars. The component will pick them up out of the box.
17 changes: 17 additions & 0 deletions docs/installation/index.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
.. _installation_index:

Installation
============

In addition to making its source code available publicly, the reference
implementation for Open Klant are also maintained and
work out-of-the-box for most use cases.

For the sake of simplicity, we have chosen to use Docker and Docker Compose for
this.

.. toctree::
:maxdepth: 1
:caption: Further reading

config
4 changes: 1 addition & 3 deletions requirements/base.txt
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,6 @@ asgiref==3.8.1
# django-cors-headers
asn1crypto==1.5.1
# via webauthn
async-timeout==4.0.3
# via redis
attrs==23.2.0
# via
# glom
Expand Down Expand Up @@ -230,7 +228,7 @@ mozilla-django-oidc-db==0.19.0
# via open-api-framework
notifications-api-common==0.2.2
# via commonground-api-common
open-api-framework==0.6.1
open-api-framework==0.7.1
# via -r requirements/base.in
orderedmultidict==1.0.1
# via furl
Expand Down
7 changes: 1 addition & 6 deletions requirements/ci.txt
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,6 @@ asn1crypto==1.5.1
# webauthn
astroid==3.2.4
# via pylint
async-timeout==4.0.3
# via
# -c requirements/base.txt
# -r requirements/base.txt
# redis
attrs==23.2.0
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -492,7 +487,7 @@ notifications-api-common==0.2.2
# -c requirements/base.txt
# -r requirements/base.txt
# commonground-api-common
open-api-framework==0.6.1
open-api-framework==0.7.1
# via
# -c requirements/base.txt
# -r requirements/base.txt
Expand Down
7 changes: 1 addition & 6 deletions requirements/dev.txt
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,6 @@ astroid==3.2.4
# -c requirements/ci.txt
# -r requirements/ci.txt
# pylint
async-timeout==4.0.3
# via
# -c requirements/ci.txt
# -r requirements/ci.txt
# redis
attrs==23.2.0
# via
# -c requirements/ci.txt
Expand Down Expand Up @@ -561,7 +556,7 @@ notifications-api-common==0.2.2
# -c requirements/ci.txt
# -r requirements/ci.txt
# commonground-api-common
open-api-framework==0.6.1
open-api-framework==0.7.1
# via
# -c requirements/ci.txt
# -r requirements/ci.txt
Expand Down
7 changes: 7 additions & 0 deletions src/openklant/templates/open_api_framework/env_config.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{% extends "open_api_framework/env_config.rst" %}

{% block intro %}
Open Klant can be ran both as a Docker container or directly on a VPS or
dedicated server. It relies on other services, such as database and cache
backends, which can be configured through environment variables.
{% endblock %}
Loading