{"title": "feat(config-service): add centralized configuration management service", "head": "Centralized-Configuration-Management-Service-Setup", "base": "main", "body": "PR: Centralized Configuration Management Service (microservices/config-service)\n\nSummary\n-------\nAdds a new standalone NestJS microservice, `config-service`, providing centralized configuration, environment management, encrypted secrets, webhook-based real-time updates, caching, versioning, and audit logging for the monorepo.\n\nWhy\n---\nCentralize management of environment variables, feature flags, and secrets to simplify configuration drift, enable runtime updates, centralize audit trails, and standardize secret rotation across services.\n\nScope / Files Changed\n---------------------\nNew service added at: `microservices/config-service`\nKey files and folders (high-level):\n- `microservices/config-service/package.json`\n- `microservices/config-service/Dockerfile`\n- `microservices/config-service/docker-compose.yml`\n- `microservices/config-service/.env.example`\n- `microservices/config-service/src/app.module.ts`\n- `microservices/config-service/src/main.ts`\n- `microservices/config-service/src/entities/*` (Config, Environment, Secret, AuditLog, WebhookSubscription)\n- `microservices/config-service/src/modules/*` (configuration, secret, environment, audit, webhook modules)\n- `microservices/config-service/src/common/*` (encryption, validation, DTOs)\n- `microservices/config-service/README.md` and related docs\n- Tests: `microservices/config-service/test/*`\n\nImplementation Details\n----------------------\n- Database: PostgreSQL via TypeORM (entities + orm-config)\n- Secrets: AES-256-CBC encryption with IV; encrypted values stored in DB, rotation support\n- Configs: key/value store, typed (string|number|boolean|json), environment-scoped, versioned\n- Caching: in-memory cache (CacheManager) with configurable TTL and invalidation on updates\n- Webhooks: subscription model, HMAC-SHA256 
signing, retry logic with backoff\n- Audit log: stores CREATE/UPDATE/DELETE/ROTATE events with metadata\n- API docs: Swagger available at `/api`\n- Docker: Dockerfile and docker-compose (includes PostgreSQL) for local/dev runs\n\nDatabase Migrations\n-------------------\n- Entities are set to `synchronize` when `NODE_ENV !== 'production'`.\n- For production, run migrations generated from entities.\n\nCommands\n--------\nInstall and run locally:\n```bash\ncd microservices/config-service\nnpm install\ncp .env.example .env\n# Edit .env => set ENCRYPTION_KEY and DB credentials\nnpm run migration:run # if using migrations\nnpm run start:dev\n```\n\nDocker (recommended for quick local setup):\n```bash\ncd microservices/config-service\ndocker-compose up -d\n# Access: http://localhost:3020\n```\n\nTesting\n-------\n- Unit tests: `npm test`\n- E2E tests: `npm run test:e2e`\n- Basic unit and e2e tests are included; CI should run these on PR.\n\nRollout & Migration Plan\n------------------------\n1. Deploy `config-service` to staging with production-like env vars (ensure `ENCRYPTION_KEY` is set and secure).\n2. Run DB migrations against staging database.\n3. Create initial environments (`development`, `staging`, `production`) via API or seed script.\n4. Add initial configurations and secrets required by services.\n5. For each dependent service:\n - Add `CONFIG_SERVICE_URL` and `WEBHOOK_URL` env vars.\n - Add startup logic to fetch required configs on boot (examples provided in `CONFIG_SERVICE_INTEGRATION.md`).\n - Optionally subscribe service webhook endpoints to `config-service` for real-time updates.\n6. Deploy one consumer service to staging and verify config fetch and webhook behavior.\n7. 
Monitor audit logs and webhook deliveries.\n\nRollback Plan\n-------------\n- If `config-service` causes issues, remove or disable webhook subscriptions from consumer services and revert consumer service config to local environment-based values.\n- Restore DB from backup prior to deploy if schema or data corruption occurs.\n- Redeploy previous version of `config-service` image.\n\nSecrets & Rotation\n------------------\n- Secrets stored encrypted (DB: `encryptedValue`, `iv`).\n- Rotation API available: `POST /secrets/:id/rotate`.\n- Rotation detection task exists (check endpoints `GET /secrets/rotation/check`).\n- Ensure `ENCRYPTION_KEY` is stored securely in production (vault, KMS).\n\nSecurity Considerations\n-----------------------\n- Do not commit `.env` or secret values.\n- Use a secure `ENCRYPTION_KEY` (32+ chars) in production and rotate as needed.\n- Webhook requests signed with HMAC-SHA256; consumers must verify signatures.\n- Audit logs store changes; restrict access to audit endpoints.\n\nTesting & Verification Checklist (for reviewer)\n-----------------------------------------------\n- [ ] Service builds successfully: `npm run build`\n- [ ] Unit tests pass: `npm test`\n- [ ] E2E tests pass: `npm run test:e2e`\n- [ ] Docker compose starts services and PostgreSQL\n- [ ] Can create environment, config, and secret via API\n- [ ] Secrets are stored encrypted (DB) and `GET /secrets/:id/value` returns decrypted value\n- [ ] Webhook delivery works and signature verification can be validated by consumer\n- [ ] Audit logs contain CREATE/UPDATE/DELETE events\n- [ ] Config caching is invalidated on update\n- [ ] Version increment endpoint works (`POST /configurations/:id/increment-version`)\n\nNotes / Known Limitations\n-------------------------\n- `synchronize` is enabled in non-production by default; production should use migrations.\n- Secret encryption uses a symmetric key from env; for stronger security consider integration with KMS (AWS KMS, HashiCorp 
Vault).\n- Scaling: current cache is in-memory; for multi-instance deployments use Redis-backed caching for shared cache invalidation.\n\nSuggested Reviewers\n-------------------\n- Backend/Platform: @backend-team\n- Security: @security-team\n- DevOps: @devops-team\n\nLabels\n------\n- feature\n- service\n- infra\n\nRelease Notes\n-------------\nAdds a new centralized configuration management service for the platform providing environment-scoped configs, encrypted secrets with rotation, webhooks for real-time updates, in-memory caching, audit logs, and Docker deployment.\n\nNext Steps\n----------\n- Consider adding a DB migration and seed script for initial environments.\n- Optionally integrate with a KMS for encryption key management.\n\nFile: `PR_CONFIG_SERVICE.md` created at repo root. Review and let me know if you want this copied to a GitHub PULL_REQUEST_TEMPLATE or a different format/branch ready for a PR.\n"}