Config Orchestration

A project in one Convier instance can be configured by another Convier instance. A typical use case is to have the User Acceptance Testing environment manage the Production environment, so that testing happens in a realistic scenario. Below is the list of steps needed to set up Config Orchestration when running with Azure/Entra ID, followed by some information security considerations.

  • On instance One (orchestrating instance), create project A (orchestrating project)
  • On instance Two (orchestrated instance), create project B (orchestrated project)
  • In the app registration used by Two, add an app role named Task.Orchestrate and set its allowed member types to Applications only, so the role can be granted to applications but not to users or groups.
  • In the app registration used by One, go to API permissions, add the Task.Orchestrate role exposed by Two's app registration as an application permission, and grant admin consent.
  • In project A, go to Config, Manage project and add access Orchestrate to the role Task.Orchestrate
  • On instance One, make sure environment variable ORCHESTRATION_ENABLED is set to true (otherwise you will not see the button mentioned in the next step)
  • From the instance home page (project list) on One go to Orchestration
  • Click add, fill in source project A, the URL of Two (with /convier at the end), app scope (application id of app registration used by Two), click “Get instance projects”, select B and click add.
  • Done, you should now be able to deploy main config of A to B
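The security-relevant part of the setup above is that Two must only accept orchestration from a token that was issued to One's application, not to a signed-in user, and that carries the Task.Orchestrate role. The following is an added illustration of that check, not Convier's own code: Entra ID puts granted application permissions into the `roles` claim of a client-credentials token, such tokens carry no `scp` (delegated scope) claim, and the optional `idtyp` claim is `app` for app-only tokens. The audience value, the sample claims and the unsigned sample token are constructed for the example; a real implementation verifies the signature against the tenant's JWKS before trusting any claim.

```python
import base64
import json
import time

# Hypothetical value: in a real deployment this is the application (client) ID of the
# app registration used by instance Two, which the token's audience must match.
EXPECTED_AUDIENCE = "11111111-2222-3333-4444-555555555555"
ORCHESTRATE_ROLE = "Task.Orchestrate"


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def jwt_claims(token):
    """Return the payload claims of a compact JWT.

    Deliberately does NOT verify the signature: in production the signature must be
    checked (RS256 against the tenant's JWKS) before any claim is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_orchestrate_token(claims, expected_aud, now=None):
    """Decide whether signature-verified claims authorise orchestration on Two.

    Rules: audience is Two's app registration, token is not expired, token is
    app-only (no 'scp' claim, 'idtyp' is 'app' when present) and 'roles'
    contains Task.Orchestrate. Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # Entra issues either the client ID or the api://<client-id> URI as audience.
    if expected_aud not in auds and "api://" + expected_aud not in auds:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if "scp" in claims:
        return False, "delegated (user) token, application token required"
    if claims.get("idtyp", "app") != "app":
        return False, "idtyp claim is not 'app'"
    if ORCHESTRATE_ROLE not in claims.get("roles", []):
        return False, ORCHESTRATE_ROLE + " role not granted"
    return True, "ok"


def constructed_token(claims):
    """Build a constructed, unsigned (alg 'none') sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


# Constructed sample claims approximating an Entra v2.0 client-credentials token for Two.
SAMPLE_GOOD = {
    "aud": EXPECTED_AUDIENCE,
    "iss": "https://login.microsoftonline.com/tenant-id/v2.0",
    "exp": 4102444800,  # far in the future so the sample stays valid
    "roles": [ORCHESTRATE_ROLE],
    "idtyp": "app",
}
# Same role, but a delegated token obtained on behalf of a signed-in user: must be rejected.
SAMPLE_USER = dict(SAMPLE_GOOD, scp="Task.Read", upn="user@example.com")


if __name__ == "__main__":
    print(check_orchestrate_token(jwt_claims(constructed_token(SAMPLE_GOOD)), EXPECTED_AUDIENCE))
    print(check_orchestrate_token(jwt_claims(constructed_token(SAMPLE_USER)), EXPECTED_AUDIENCE))
```

The rejection of any token that carries `scp` is what enforces "only applications can be given access" on the receiving side even if the app role's member type were later loosened in the portal; the audience check is what stops a Task.Orchestrate token minted for some other API being replayed against Two.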

Security considerations

  • The project role Orchestrate can see and change the configuration of the project, but is not allowed to access any data. It is technically allowed to perform normal requests like search and load, but it is prohibited from connecting to any data sources, so any search or load request returns an empty result or an error message. Such requests are logged as normal in the audit logs.
  • The mechanism that sends configuration to an orchestrated instance never includes credentials. On the first deploy with a new data source, additional configuration is therefore required on B (disable auto merge, go to the created branch, add auth, merge). The deploy mechanism also tries to avoid overwriting instance specific config, like base URLs to APIs, but since this is best effort, check the instance specific values on B after a deploy.