CloudFoundry user-provided services vs environment variables

Question

All,

I'm looking for a way to specify environment-specific configuration values. I'm struggling to understand when to use a user-provided service vs environment variables. It seems like I can accomplish what I need either way.

Some points of comparison...

User-provided services:

• Scoped to the space
• Shared by apps in the same space
• App must explicitly bind to it
• Logically group related attributes (URL, username, password, for example)

Environment variables:

• Specific to an app

My specific use case involves connecting to MQ. Outside of CloudFoundry I would have env-specific config files with host name, queue name, etc. I think CF environment variables are a close analog, but I think the same is true for databases, yet I see a lot of examples of using user-provided services for databases.

Thanks

Answer 1

At the core, user provided services and environment variables are exactly the same thing. User provided services are just a different abstraction to use with Cloud Foundry and provide some structure to your data. Ultimately, everything is presented to your app as an environment variable though.

For me, the big question is how can I consume that information in my app. If I'm using an app framework that easily pulls configuration from environment variables then I would use environment variables. I do this for my Python/Flask apps, I hear it works well for Ruby on Rails too (although I'm not a Rails user).

I would typically go with user provided services for Java/Spring apps because they are slightly easier to consume with Spring Cloud Connector. It's kind of a toss up though, because Spring Boot makes it pretty easy to consume values from environment variables too.

I find environment variables slightly easier to work with too. In CF, there is no cli command to view a user provided services. You have to bind the service to something and then look at cf env which is awkward.

Anyway, don't stress it too much. Pick whatever is easier for your apps.

---

FYI, @poy's solution is good too. That's more work though, so you'd have to decided if you really need that for your project.

Answer 2

If you are looking to store credentials, I would recommend a service such as Cloud Foundry's Credhub or Hashicorp's Vault.

I believe the more streamlined way to do it would be Credhub as it was designed with CF in mind. It has a service broker that enables an application to fetch credentials.

Answer 3

The use case you articulated is perfect for Spring Cloud Config.

The environment specific settings would be externalized in the config repo.

Here is a good article to explain how to leverage external properties for given environment / profile - https://www.baeldung.com/spring-cloud-configuration

Your next question then will be, that you don't want to put credentials in a git repo. That is correct.

To avoid compromising creds like that, Spring Cloud Config allows integration with Vault. Vault is an encrypted credentials store from HashiCorp. You will have to install and set it up.

Check out this article from DZone on how to integrate Vault with your SC Config - https://dzone.com/articles/integrating-vault-with-spring-cloud-config-server

As to your question on User-Provided-Services, you can use a CUPS, but the better approach is a using a Service Broker. AWS, GCP, and Azure provide their own Service Broker tiles, that the Ops team can install on PCF. With that you can access any resource provided AWS / GCP / Azure in a secure fashion.

You can always write your own service broker - https://pivotal.io/open-service-broker.