Configuration¶
Built-in Flask Environments¶
The flask-ligand
library has several pre-configured environments that can be used for production, staging, local
development and testing. This document covers each environment and the settings available in each that can be
overridden by environment variables.
Selecting which environment to use requires setting the environment variable FLASK_ENV
to one of the environments
listed below. Each environment has certain settings pre-configured with some of those settings allowed to be
overridden via environment variables. The sections below will detail the default settings applied to the underlying
libraries used to setup microservices as well as whether they can be overridden.
If a setting does need to be changed to fit the needs of your project consuming this library then it can be done via
code by passing the overrides to the create_app
as kwargs. The only restriction is that the API_TITLE
,
API_VERSION
and OPENAPI_CLIENT_NAME
client settings cannot be overridden via the kwargs.
(Note: this project does support the use of ‘.env’ files for loading environment variables)
prod¶
The ‘prod’ environment is meant to run the microservice in a production environment.
Setting |
Default |
ENV Override? |
Description |
---|---|---|---|
|
Not set (must be provided) |
Yes |
The public URL for this service. (Also used for generating OpenAPI clients) |
|
Not set (must be provided) |
Yes |
The private URL for this service. (Also used for generating OpenAPI clients) |
|
Not set (must be provided) |
Yes |
A comma separated list of user roles that are allowed for endpoint protection. (e.g. ‘user,admin’) |
|
Not set (must be provided) |
Yes |
|
|
|
No |
Verify the SSL/TLS certificate of the |
|
|
No |
Which algorithm to sign the JWT with. See PyJWT for the available algorithms. (See flask-jwt-extended for more information) |
|
|
Yes |
The string or list of audiences (aud) expected in a JWT when decoding it. Setting this will add an extra layer of security for guaranteeing that the OIDC IAM issuing the token supports the correct claims or is issuing tokens for the correct URL for a multi-microservice web app. (See flask-jwt-extended for more information) |
|
|
No |
Where to look for a JWT when processing a request. The available options are “headers”, “cookies”, “query_string” , and “json”. (See flask-jwt-extended for more information) |
|
|
No |
What header should contain the JWT in a request. (See flask-jwt-extended for more information) |
|
|
No |
What type of header the JWT is in. If this is an empty string, the header should contain nothing besides the JWT. (See flask-jwt-extended for more information) |
|
|
No |
The key for error messages in a JSON response returned by this extension. (See flask-jwt-extended for more information) |
|
Empty string |
No |
The secret key used to decode JWTs when using an asymmetric signing algorithm (such as RS* or ES*). This setting
should remain empty to allow |
|
Not set (must be provided) |
Yes |
The URI for a PostgreSQL database to use for persistent storage. (See database_configuration.rst for more information) |
|
|
No |
If set to |
|
|
No |
If set to |
|
|
No |
The directory containing the migration scripts for performing database upgrades and downgrades. (See Flask-Migrate for more information) |
|
|
No |
Sort the keys of JSON objects alphabetically. This is useful for caching because it ensures the data is serialized the same way no matter what Python’s hash seed is. While not recommended, you can disable this for a possible performance improvement at the cost of caching. (See flask for more information) |
|
Not set (must be provided) |
Yes |
The OpenAPI online generator server URL to use for creating clients. (See smorest/OpenAPI for more information) |
|
|
Yes |
Version of the OpenAPI standard used to describe the API. It should be provided as a string. (See smorest/OpenAPI documentation for more details.) |
|
|
No |
Defines the base path for both the JSON file and the UI. If None, the documentation is not served and the following parameters are ignored. (See smorest/OpenAPI documentation for more details.) |
|
|
No |
Path to the JSON file, relative to the base path. (See smorest/OpenAPI for more information) |
|
|
Yes |
Path to the Swagger UI page, relative to the base path. (See smorest/OpenAPI for more information) |
|
|
No |
URL to the Swagger UI script. Versions prior to 3.x are not supported. (See smorest/apispec for more information) |
|
|
No |
Additional root document attributes. (See smorest/apispec for more information) |
stage¶
The ‘stage’ environment is meant to run the microservice in a staging/development environment. The table below contains
only the settings that are different from the prod
environment settings.
Setting |
Default |
ENV Override? |
Description |
---|---|---|---|
|
|
No |
Verify the SSL/TLS certificate of the |
local¶
The ‘local’ environment is meant to start the microservice in a local development/testing/experiment environment. The
table below contains only the settings that are different from the prod
environment settings.
Setting |
Default |
ENV Override? |
Description |
---|---|---|---|
|
|
Yes |
The public URL for this service. (Also used for generating OpenAPI clients) |
|
|
Yes |
The private URL for this service. (Also used for generating OpenAPI clients) |
|
|
Yes |
A comma separated list of user roles that are allowed for endpoint protection. (e.g. ‘user,admin’) |
|
|
No |
Verify the SSL/TLS certificate of the |
|
|
Yes |
The URI for a PostgreSQL database to use for persistent storage. (See database_configuration.rst for more information) |
|
|
Yes |
The OpenAPI online generator server URL to use for creating clients. (See smorest/OpenAPI for more information) |
|
|
No |
Additional root document attributes. (See smorest/apispec for more information) |
testing¶
The ‘testing’ environment is meant to be used for unit testing only. The table below contains only the settings that
are different from the prod
environment settings.
Setting |
Default |
ENV Override? |
Description |
---|---|---|---|
|
|
Yes |
The public URL for this service. (Also used for generating OpenAPI clients) |
|
|
Yes |
The private URL for this service. (Also used for generating OpenAPI clients) |
|
Not set (must be provided) |
Yes |
|
|
|
No |
Verify the SSL/TLS certificate of the |
|
|
No |
How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer). (See flask-jwt-extended for more information) |
|
|
No |
The secret key used to encode and decode JWTs when using a symmetric signing algorithm (such as HS*). It should be a long random string of bytes, although unicode is accepted too. For example, copy the output of this to your config. (See flask-jwt-extended for more information) |
|
|
Yes |
The URI for a PostgreSQL database to use for persistent storage. (See database_configuration.rst for more information) |
|
|
Yes |
The OpenAPI online generator server URL to use for creating clients. (See smorest/OpenAPI for more information) |
|
|
No |
Additional root document attributes. (See smorest/apispec for more information) |
Database Configuration¶
The flask-ligand
library uses the excellent Flask-SQLAlchemy project under the hood
for database management and access. The Flask-SQLAlchemy project in turn utilizes the
equally excellent SQLAlchemy for direct communication to the underlying database.
This document covers how to configure flask-ligand
to utilize the many different databases supported by
SQLAlchemy and Flask-SQLAlchemy.
Configure Database URI¶
The flask-ligand
library utilizes the SQLALCHEMY_DATABASE_URI
environment variable for configuring the connection to a
SQLAlchemy supported databases. The SQLALCHEMY_DATABASE_URI
environment variable requires that the URI begins with a
dialect+driver
identifier that specifies the database type and the associated
driver to use for communication.
Example URI
As an example, let’s consider the following database infrastructure we want to use for persistent storage:
Database Type (a.k.a dialect) |
PostgreSQL |
Database Driver |
|
Database Hostname |
|
Database Port |
|
Database User |
|
Database Password |
|
Database Name |
|
The SQLALCHEMY_DATABASE_URI
should be set to:
postgresql+pg8000://admin:password@localhost:5432/testdb
Database Drivers¶
SQLAlchemy supports many different Python drivers for each supported database type. It can be quite overwhelming when first using SQLAlchemy to know which driver to use for your desired database infrastructure (dialect). A rule of thumb for which driver to use is to consider the following constraints:
Do you need async support?
Does your build environment have GCC and all necessary headers available for compiling Python packages?
Are you using the standard CPtyhon interpreter?
Do you need Unicode support?
Which version of your desired database are you using?
OpenID Connect Configuration¶
flask-ligand
uses flask-jwt-extended for authorization and authentication
with and IAM that supports the OpenID Connect (OIDC) protocol. The OIDC_DISCOVERY_URL
environment variable is used to specify the
OIDC discovery URL. Below are links to
popular IAM solutions documentation on how to obtain the
OIDC discovery URL:
Keycloak (Realm Settings -> Endpoints -> OpenID Endpoint Configuration)