Vendor Bridge

The Vendor Bridge Docker container includes health check endpoints and some configuration options. We also have recommended starting points for computing resources and examples of deployment files that may be helpful in creating your own deployments.

Installation

The overview includes instructions for obtaining the Docker container image, obtaining the required configuration, and getting it running in a Kubernetes environment or locally in Docker.

Configuration

  • RUST_LOG. Default: INFO. Level of logging from the Vendor Bridge. Possible values in decreasing severity: ERROR, WARN, INFO, DEBUG, and TRACE.
  • VAB_REQUEST_TIMEOUT. Default: 30,000 ms. Maximum time (in milliseconds) to wait for a single request. If the time is exceeded, the request will be canceled.

Health and Liveness Checks

The Docker container also exposes endpoints for checking liveness and health of the container. The checks are implemented based on the Kubernetes lifecycle concepts. Both the /health and /live endpoints return a 200 status code if the Vendor Bridge is online and ready to receive requests.

Horizontal Scaling

This container is stateless and can be scaled horizontally.

Failure Modes

Configuration Broker Down

The Vendor Bridge exchanges KMS configurations for tenants with the Configuration Broker (CB). If the CB is inaccessible or down, the following will be true:
  • New Vendor Bridge instances will not be able to start up until they can reach the CB to get service account metadata.
  • Any running Vendor Bridge will be unable to communicate with the CB.

Example Kubernetes Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
    name: vendor-bridge
spec:
    selector:
        matchLabels:
            app: vendor-bridge
    template:
        metadata:
            labels:
                app: vendor-bridge
        spec:
            securityContext:
                runAsUser: 2 # Any non-root user will do.
                runAsGroup: 2
                fsGroup: 2
                runAsNonRoot: true
            containers:
                - name: vendor-bridge
                  image: gcr.io/ironcore-images/vendor-bridge:{CHOSEN_TAG}
                  resources:
                      # See https://ironcorelabs.com/docs/saas-shield/vendor-api/overview/#startup
                      requests:
                          cpu: 2
                          memory: 512Mi
                      limits:
                          cpu: 2
                          memory: 512Mi
                  envFrom:
                      - secretRef:
                            # See https://ironcorelabs.com/docs/saas-shield/vendor-api/overview/#startup
                            name: vendor-bridge-secrets
                  env:
                      - name: RUST_LOG
                        value: info # Values are trace, debug, info, warn, error
                  ports:
                      - containerPort: 3000
                        name: http
                  livenessProbe:
                      httpGet:
                          path: /live
                          port: http
                  readinessProbe:
                      httpGet:
                          path: /ready
                          port: http
                  securityContext:
                      allowPrivilegeEscalation: false
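
The following Python check is an added example, not part of the Vendor Bridge documentation or IronCore's code. It audits a Deployment (as JSON, for instance from kubectl get deployment -o json) against the security and configuration choices in the manifest above. The sample input is constructed, and treating VAB_REQUEST_TIMEOUT as a bare integer and RUST_LOG as limited to the five listed levels are assumptions based on the Configuration section.

```python
import json

LOG_LEVELS = {"error", "warn", "info", "debug", "trace"}  # levels the page lists

# Constructed sample, shaped like `kubectl get deployment -o json` output,
# with several deliberate deviations from the example manifest.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsUser": 0},
  "containers": [{
    "name": "vendor-bridge",
    "env": [{"name": "RUST_LOG", "value": "verbose"},
            {"name": "VAB_REQUEST_TIMEOUT", "value": "30s"}],
    "livenessProbe": {"httpGet": {"path": "/live", "port": "http"}},
    "securityContext": {"allowPrivilegeEscalation": false}}]}}}}
""")

def audit(deployment, container_name="vendor-bridge"):
    """Return a list of findings; an empty list means every check passed."""
    pod = deployment["spec"]["template"]["spec"]
    ctr = next((c for c in pod.get("containers", [])
                if c.get("name") == container_name), None)
    if ctr is None:
        return [f"no container named {container_name}"]
    pod_sc, sc = pod.get("securityContext", {}), ctr.get("securityContext", {})
    findings = []
    # Container-level securityContext values override pod-level ones.
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        findings.append("runAsNonRoot is not true")
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        findings.append("runAsUser is 0 (root)")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation is not false")
    limits = ctr.get("resources", {}).get("limits", {})
    if not {"cpu", "memory"}.issubset(limits):
        findings.append("cpu/memory limits missing")
    for probe in ("livenessProbe", "readinessProbe"):
        if "httpGet" not in ctr.get(probe, {}):
            findings.append(f"{probe} has no httpGet check")
    env = {e["name"]: e["value"] for e in ctr.get("env", []) if "value" in e}
    if env.get("RUST_LOG", "info").lower() not in LOG_LEVELS:
        findings.append("RUST_LOG is not one of the listed levels")
    # Assumption: the timeout is given as a bare integer of milliseconds.
    if not env.get("VAB_REQUEST_TIMEOUT", "30000").isdigit():
        findings.append("VAB_REQUEST_TIMEOUT is not an integer (ms)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the example manifest above, the audit returns no findings; the constructed sample returns six.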