storing IDP configs in GIT

Domingues, Michael D michael-domingues at uiowa.edu
Wed Mar 23 11:37:48 EDT 2016


Hello Andrew,

We also utilize a Git repository structure to track our Shibboleth IdP stack configuration. This includes Shibboleth IdP and Apache Tomcat configuration, as well as deployment configuration (which versions of Java, Shibboleth, and Tomcat to install, along with other system settings, environment variables, JVM options, etcetera). As others have already mentioned, this allows us to version the entire state of a release, point our deployment system (Microsoft Release Management) at a bare VM, and go.

At a high level, our repository is broken out into four directories: a common directory, including generalized and parameterized configuration common across all deployment tiers, and one additional folder per deployment tier. The net effect is as follows:

- Common
- Lab
- Test
- Production

We're a Microsoft shop, so we leverage Microsoft Release Management to interpolate connection strings and other tier-specific configuration at deployment time. For ease of management, we try to standardize as much as possible, so while, in aggregate, we track and version subsets of the following directories ...

- conf
- credentials
- edit-webapp
- messages
- metadata
- views

... at a tier-specific level, we're only managing the following:

conf:
	access-control.xml
	attribute-filter.xml
	metadata-providers.xml
	relying-party.xml
credentials:
	sundry credentials
metadata:
	sundry static metadata files from one-off vendor integrations

I get the impression that "IdP on Windows" shops are in the minority around these parts, so if there are any other folks running the Shibboleth stack on Windows, we'd be happy to chat about our approach further.

Best,
Michael Domingues
University of Iowa
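The Common-plus-tier overlay and deploy-time interpolation described above, written out as an added example (this is not the poster's Release Management tooling nor anything shipped with Shibboleth). The script assembles a staging tree from Common/ and the chosen tier directory (tier files win), replaces @@TOKEN@@ placeholders from a key=value file that lives outside the repository, and refuses to deploy if any placeholder is left unresolved or if anything under a credentials/ directory is tracked by git. It also answers the original question about triggering rather than auto-refreshing: it only runs when an operator invokes it, and optionally checks out a named release tag first. The @@TOKEN@@ syntax, the .env file, the argument order and all paths are assumptions.

```shell
#!/bin/sh
# Added example: stage a tier-specific Shibboleth IdP config tree from a git checkout
# laid out as Common/ + <Tier>/ and copy it into IDP_HOME. Token syntax, env file and
# paths are assumptions, not the poster's tooling.
# Usage: sh deploy-tier.sh REPO TIER ENVFILE IDP_HOME [GIT_REF]
#   e.g. sh deploy-tier.sh /srv/idp-config Production /etc/idp/production.env /opt/shibboleth-idp v2016.03.1
set -eu

# build_tree REPO TIER STAGE: copy Common/ first, then overlay <Tier>/ so tier files win.
build_tree() {
  repo=$1; tier=$2; stage=$3
  rm -rf "$stage"; mkdir -p "$stage"
  cp -R "$repo/Common/." "$stage/"
  if [ -d "$repo/$tier" ]; then
    cp -R "$repo/$tier/." "$stage/"
  fi
}

# interpolate STAGE ENVFILE: replace every @@KEY@@ in *.xml and *.properties with the
# value from a KEY=value file. The env file is deliberately NOT part of the repository,
# so connection strings and passwords never land in git history.
interpolate() {
  stage=$1; envfile=$2
  while IFS='=' read -r key val; do
    [ -z "$key" ] && continue
    case $key in \#*) continue ;; esac
    # escape characters that are special in a sed replacement (delimiter, &, backslash)
    esc=$(printf '%s' "$val" | sed 's/[|&\\]/\\&/g')
    find "$stage" -type f \( -name '*.xml' -o -name '*.properties' \) | while IFS= read -r f; do
      # write to a temp file and rename: portable across GNU and BSD sed (no -i)
      sed "s|@@$key@@|$esc|g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
  done < "$envfile"
}

# unresolved STAGE: number of staged files that still contain an @@TOKEN@@ placeholder.
# A leftover token means a tier is missing a value; deploying it would break the IdP.
unresolved() {
  find "$1" -type f -exec grep -l '@@[A-Za-z0-9_][A-Za-z0-9_]*@@' {} + | wc -l | tr -d ' '
}

# tracked_secrets REPO: list git-tracked paths under any credentials/ directory.
# Key material should be delivered out of band, not versioned in the config repo.
tracked_secrets() {
  git -C "$1" ls-files | grep -E '(^|/)credentials/' || true
}

# deploy REPO TIER ENVFILE IDP_HOME [GIT_REF]: the operator-triggered update.
deploy() {
  repo=$1; tier=$2; envfile=$3; idp_home=$4; ref=${5-}
  if [ -n "$ref" ]; then
    # pin the deployment to a release tag so the live config is auditable by git ref
    git -C "$repo" fetch -q && git -C "$repo" checkout -q "$ref"
  fi
  if [ -n "$(tracked_secrets "$repo")" ]; then
    echo "refusing to deploy: files under credentials/ are tracked in git" >&2
    return 1
  fi
  stage=$(mktemp -d)
  build_tree "$repo" "$tier" "$stage"
  interpolate "$stage" "$envfile"
  if [ "$(unresolved "$stage")" != 0 ]; then
    echo "refusing to deploy: unresolved @@TOKEN@@ placeholders in staged config" >&2
    rm -rf "$stage"
    return 1
  fi
  cp -R "$stage/." "$idp_home/"
  rm -rf "$stage"
  echo "deployed tier $tier from $(git -C "$repo" rev-parse --short HEAD) into $idp_home"
}

# only act when invoked with arguments; sourcing the file just defines the functions
if [ $# -ge 4 ]; then
  deploy "$@"
fi
```

Because the script copies a fully rendered tree, the same invocation run on each node (or pushed by whatever orchestration is in use) keeps multiple IdP nodes identical, and the git ref printed at the end tells you which configuration version each node is actually running. The env file holds only the handful of values that differ per tier; everything else comes straight from the repository.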

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Chris Reeves
Sent: Wednesday, March 23, 2016 6:45 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: storing IDP configs in GIT

On Tue 22 Mar 2016 at 23:52:42 +0000, Andrew Morgan wrote:
> Is anyone storing their IDP configuration in GIT?  I'm looking into 
> ways to keep multiple IDP nodes in sync by storing the configuration 
> in GIT. Does anyone have some tips for doing this?
> 
> I don't want the IDP to automatically refresh its configuration from 
> GIT, but I'd like to be able to trigger an update from GIT.  How can I 
> overlay my local mods and config files from a GIT repo?
> 
> I'm sure someone has done this already, so I'm trying to learn from others'
> mistakes!  :)

Hi Andrew,

We store our IdP configuration in a git repo - this isn't a dedicated repo for Shib config, but is actually the repo for our configuration management system ([puppet]). Our configuration management system will build a server from scratch, applying our configuration changes to whichever version of the IdP that we tell it to download. All changes that we make to our IdP are deployed via puppet, and therefore version-controlled.

We also use [vagrant] in combination with puppet to create and destroy dev environments at will. With a single trivial command we can build a new, local, IdP in order to test any significant changes or upgrades before going anywhere near even our test instance. This has massively increased our agility when responding to development requests.

I'm more than happy to go into further detail if you need it.

Regards,
    Chris

[puppet] https://puppetlabs.com/
[vagrant] https://www.vagrantup.com/
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net