#FastAPI Pydantic Settings多环境配置完全指南
📂 所属阶段:第五阶段 — 工程化与部署(实战篇)
🔗 相关章节:FastAPI依赖注入系统 · FastAPI安全认证
#目录
- 环境配置管理概述
- Pydantic Settings基础
- 多环境配置策略
- 配置验证与类型安全
- 敏感信息安全管理
- Docker与云原生配置
- 配置热重载与监控
- 生产部署最佳实践
- 配置性能优化
- 与其他配置框架对比
- 总结
#环境配置管理概述
#为什么需要环境配置管理?
在现代Web应用开发中,不同环境(开发、测试、生产)需要不同的配置参数。硬编码配置不仅难以维护,还容易导致安全漏洞和部署错误。
#常见配置管理问题
# ❌ 错误示例:硬编码配置
class BadConfig:
DATABASE_URL = "postgresql://localhost:5432/mydb_dev" # 开发数据库
SECRET_KEY = "dev-secret-key" # 开发密钥
DEBUG = True # 开发模式
REDIS_URL = "redis://localhost:6379/0" # 本地Redis
# 上线时手动修改?容易遗漏或错误!
# 安全风险:敏感信息暴露在代码中
# 维护困难:多个环境配置混杂#正确的配置管理策略
# ✅ 正确示例:环境驱动的配置管理
"""
开发环境 (.env.development) 测试环境 (.env.test) 生产环境 (.env.production)
──────────────────────────── ──────────────────────── ────────────────────────────
DATABASE_URL=sqlite://... DATABASE_URL=sqlite://... DATABASE_URL=postgresql://...
SECRET_KEY=dev-key SECRET_KEY=test-key SECRET_KEY=production-key
DEBUG=true DEBUG=false DEBUG=false
LOG_LEVEL=debug LOG_LEVEL=info LOG_LEVEL=warning
REDIS_URL=redis://... REDIS_URL=redis://... REDIS_URL=redis://cluster...
"""#配置管理核心原则
- 环境隔离:不同环境使用不同配置文件
- 敏感信息保护:密钥、密码等不在代码中存储
- 类型安全:配置参数有明确的类型定义
- 验证机制:配置参数有验证规则
- 单一职责:配置只在一处定义
- 可扩展性:易于添加新配置项
#12-Factor App配置原则
12-Factor App是现代应用配置管理的标准:
- 基准代码:一份基准代码,多份部署
- 依赖:显式声明和隔离依赖
- 配置:在环境中存储配置
- 后端服务:把后端服务当作附加资源
- 构建、发布、运行:严格分离构建和运行
- 进程:应用进程是无状态的
- 绑定端口:通过端口绑定提供服务
- 并发:通过进程模型进行扩展
- 易处理:快速启动和优雅终止
- 开发与线上等价:尽可能的保持开发、预发布、线上环境相同
- 日志:把日志当作事件流
- 管理进程:后台管理任务当作一次性进程运行
#Pydantic Settings基础
#Pydantic Settings安装与配置
# 安装Pydantic Settings
pip install pydantic-settings
# 或者如果使用Pydantic v2,它已经内置了Settings功能
pip install pydantic[email]#基础配置类定义
# config/base.py
from pydantic_settings import BaseSettings, SettingsConfigDict
from pydantic import Field, validator, field_validator
from typing import List, Optional
from pathlib import Path
import os
class BaseConfig(BaseSettings):
"""基础配置类 - 所有环境配置的基类"""
model_config = SettingsConfigDict(
env_file=".env", # 默认读取 .env 文件
env_file_encoding="utf-8", # 文件编码
case_sensitive=False, # 环境变量大小写不敏感
extra="forbid", # 禁止额外字段
protected_namespaces=("settings_",) # 保护命名空间
)
# 应用基本信息
app_name: str = Field(
default="FastAPI Application",
description="应用名称",
min_length=1,
max_length=100
)
app_version: str = Field(
default="1.0.0",
description="应用版本号"
)
environment: str = Field(
default="development",
description="运行环境",
pattern=r"^(development|testing|staging|production)$"
)
# 调试与开发
debug: bool = Field(
default=False,
description="是否启用调试模式"
)
reload: bool = Field(
default=False,
description="是否启用热重载(开发环境)"
)
# 服务器配置
host: str = Field(
default="127.0.0.1",
description="服务器主机地址"
)
port: int = Field(
default=8000,
ge=1, # 大于等于1
le=65535, # 小于等于65535
description="服务器端口号"
)
# CORS配置
cors_allow_origins: List[str] = Field(
default_factory=list,
description="允许的CORS来源"
)
cors_allow_credentials: bool = Field(
default=True,
description="是否允许CORS凭据"
)
cors_allow_methods: List[str] = Field(
default_factory=lambda: ["*"],
description="允许的CORS方法"
)
cors_allow_headers: List[str] = Field(
default_factory=lambda: ["*"],
description="允许的CORS头部"
)
# 日志配置
log_level: str = Field(
default="INFO",
description="日志级别",
pattern=r"^(DEBUG|INFO|WARNING|ERROR|CRITICAL)$"
)
log_format: str = Field(
default="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
description="日志格式"
)
# 会话配置
session_secret_key: str = Field(
default="change-me-in-production",
description="会话密钥",
min_length=32
)
@field_validator('cors_allow_origins', mode='before')
@classmethod
def parse_cors_origins(cls, v):
"""解析CORS来源列表"""
if isinstance(v, str):
return [origin.strip() for origin in v.split(',')]
return v
@field_validator('log_level')
@classmethod
def validate_log_level(cls, v):
"""验证日志级别"""
import logging
valid_levels = ['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL']
if v.upper() not in valid_levels:
raise ValueError(f"Invalid log level: {v}. Must be one of {valid_levels}")
return v.upper()
@property
def is_development(self) -> bool:
"""是否为开发环境"""
return self.environment.lower() == "development"
@property
def is_testing(self) -> bool:
"""是否为测试环境"""
return self.environment.lower() == "testing"
@property
def is_production(self) -> bool:
"""是否为生产环境"""
return self.environment.lower() == "production"
@property
def is_staging(self) -> bool:
"""是否为预发布环境"""
return self.environment.lower() == "staging"
# 使用示例
if __name__ == "__main__":
config = BaseConfig()
print(f"App: {config.app_name} v{config.app_version}")
print(f"Environment: {config.environment}")
print(f"Debug: {config.debug}")
print(f"Host: {config.host}:{config.port}")#环境特定配置类
# config/environments.py
from .base import BaseConfig
from pydantic import Field, PostgresDsn, RedisDsn
from typing import Optional
import os
class DevelopmentConfig(BaseConfig):
"""开发环境配置"""
environment: str = "development"
debug: bool = True
reload: bool = True
log_level: str = "DEBUG"
# 数据库配置
database_url: str = Field(
default="sqlite+aiosqlite:///./dev_database.db",
description="开发环境数据库URL"
)
# Redis配置
redis_url: str = Field(
default="redis://localhost:6379/0",
description="开发环境Redis URL"
)
# CORS配置 - 开发环境允许所有来源
cors_allow_origins: list = Field(
default_factory=lambda: ["http://localhost:3000", "http://127.0.0.1:3000", "*"]
)
# 会话配置
session_secret_key: str = Field(
default="dev-session-secret-key-change-in-production",
min_length=32
)
# 邮件配置
smtp_server: str = Field(default="localhost")
smtp_port: int = Field(default=1025) # 开发邮件服务器端口
smtp_username: str = Field(default="")
smtp_password: str = Field(default="")
class TestingConfig(BaseConfig):
"""测试环境配置"""
environment: str = "testing"
debug: bool = True
testing: bool = True
log_level: str = "WARNING"
# 测试数据库
database_url: str = Field(
default="sqlite+aiosqlite:///./test_database.db",
description="测试环境数据库URL"
)
# 测试Redis
redis_url: str = Field(
default="redis://localhost:6379/1",
description="测试环境Redis URL"
)
# 测试时的CORS配置
cors_allow_origins: list = Field(
default_factory=lambda: ["http://localhost:3000"]
)
# 禁用邮件发送
smtp_enabled: bool = Field(default=False)
# 测试特定配置
test_database_cleanup: bool = Field(default=True)
test_data_seeding: bool = Field(default=True)
class StagingConfig(BaseConfig):
"""预发布环境配置"""
environment: str = "staging"
debug: bool = False
log_level: str = "INFO"
# 预发布数据库
database_url: str = Field(
default="postgresql+asyncpg://user:pass@staging-db:5432/staging_app",
description="预发布环境数据库URL"
)
# 预发布Redis
redis_url: str = Field(
default="redis://staging-redis:6379/0",
description="预发布环境Redis URL"
)
# 预发布CORS配置
cors_allow_origins: list = Field(
default_factory=lambda: ["https://staging.yourapp.com"]
)
# 安全配置
session_secret_key: str = Field(min_length=32)
csrf_enabled: bool = Field(default=True)
class ProductionConfig(BaseConfig):
"""生产环境配置"""
environment: str = "production"
debug: bool = False
reload: bool = False
log_level: str = "WARNING"
# 生产数据库 - 必须通过环境变量提供
database_url: str = Field(
description="生产环境数据库URL",
min_length=10
)
# 生产Redis
redis_url: str = Field(
description="生产环境Redis URL",
min_length=10
)
# 生产CORS配置 - 严格的域名限制
cors_allow_origins: list = Field(
default_factory=lambda: ["https://yourapp.com", "https://www.yourapp.com"]
)
# 生产安全配置
session_secret_key: str = Field(min_length=64)
csrf_enabled: bool = Field(default=True)
rate_limit_enabled: bool = Field(default=True)
rate_limit_requests: int = Field(default=100)
rate_limit_window: int = Field(default=60) # 60秒窗口
# 监控和告警
sentry_dsn: Optional[str] = Field(default=None)
monitoring_enabled: bool = Field(default=True)
# SSL/TLS配置
ssl_enabled: bool = Field(default=True)
force_https_redirects: bool = Field(default=True)
@field_validator('database_url')
@classmethod
def validate_production_database_url(cls, v):
"""验证生产环境数据库URL"""
if not v or v == "sqlite+aiosqlite:///./prod_database.db":
raise ValueError("Production environment must use a proper database URL, not SQLite")
return v
# 配置工厂函数
def get_config() -> BaseConfig:
"""根据环境变量获取相应的配置"""
env = os.getenv("ENVIRONMENT", os.getenv("FLASK_ENV", "development")).lower()
config_map = {
"development": DevelopmentConfig,
"testing": TestingConfig,
"staging": StagingConfig,
"production": ProductionConfig,
}
config_class = config_map.get(env, DevelopmentConfig)
return config_class()
# 使用示例
config = get_config()
print(f"Running in {config.environment} mode")
print(f"Database URL: {config.database_url}")#配置管理器类
# config/manager.py
from .environments import get_config, BaseConfig
from functools import lru_cache
import logging
from typing import Dict, Any
import json
class ConfigManager:
"""配置管理器 - 提供配置的统一访问接口"""
def __init__(self):
self._config = None
self._logger = logging.getLogger(__name__)
@property
def config(self) -> BaseConfig:
"""获取配置实例(单例模式)"""
if self._config is None:
self._config = get_config()
self._logger.info(f"Loaded {self._config.environment} configuration")
return self._config
def get(self, key: str, default: Any = None) -> Any:
"""获取配置值"""
try:
return getattr(self.config, key, default)
except AttributeError:
return default
def set(self, key: str, value: Any) -> None:
"""设置配置值(仅在开发环境允许)"""
if self.config.is_development:
setattr(self.config, key, value)
else:
raise RuntimeError("Cannot modify configuration in non-development environments")
def reload(self) -> None:
"""重新加载配置"""
self._config = get_config()
self._logger.info("Configuration reloaded")
def dump(self) -> Dict[str, Any]:
"""导出配置(过滤敏感信息)"""
config_dict = self.config.model_dump()
# 过滤敏感字段
sensitive_fields = [
'session_secret_key', 'smtp_password', 'database_url',
'redis_url', 'sentry_dsn'
]
for field in sensitive_fields:
if field in config_dict:
config_dict[field] = "***REDACTED***"
return config_dict
def validate(self) -> bool:
"""验证配置完整性"""
try:
# 尝试重新创建配置实例以验证
temp_config = get_config()
return True
except Exception as e:
self._logger.error(f"Configuration validation failed: {e}")
return False
# 全局配置管理器实例
config_manager = ConfigManager()
# 使用装饰器缓存配置
@lru_cache(maxsize=1)
def get_cached_config() -> BaseConfig:
"""获取缓存的配置实例"""
return get_config()
# 在FastAPI应用中使用
"""
from fastapi import FastAPI
from config.manager import config_manager
app = FastAPI(
title=config_manager.config.app_name,
version=config_manager.config.app_version,
debug=config_manager.config.debug
)
@app.get("/health/config")
async def get_config_info():
return {
"environment": config_manager.config.environment,
"debug": config_manager.config.debug,
"database_url_set": bool(config_manager.config.database_url),
"redis_url_set": bool(config_manager.config.redis_url)
}
"""#多环境配置策略
#环境变量优先级策略
Pydantic Settings遵循以下优先级顺序(从高到低):
- 传递给设置类的参数
- 环境变量
- Python-dotenv (.env) 文件
- 字段的默认值
# config/priority_example.py
import os
from pydantic_settings import BaseSettings, SettingsConfigDict
class PriorityConfig(BaseSettings):
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8"
)
app_name: str = "Default App Name" # 最低优先级:默认值
debug: bool = False # 最低优先级:默认值
custom_setting: str = "default_value" # 最低优先级:默认值
# 设置环境变量(第二高优先级)
os.environ['APP_NAME'] = 'Env Variable App'
# 创建配置实例时传入参数(最高优先级)
config = PriorityConfig(
app_name="Parameter App", # 最高优先级:直接传递参数
debug=True # 最高优先级:直接传递参数
)
print(f"App Name: {config.app_name}") # 输出: Parameter App
print(f"Debug: {config.debug}") # 输出: True
print(f"Custom Setting: {config.custom_setting}") # 输出: default_value (来自.env或默认值)#环境特定配置文件管理
# config/file_loader.py
import os
from pathlib import Path
from typing import Optional
from pydantic_settings import BaseSettings, SettingsConfigDict
class EnvironmentSpecificConfig(BaseSettings):
"""环境特定配置加载器"""
@classmethod
def settings_customise_sources(
cls,
settings_cls: type["EnvironmentSpecificConfig"],
init_settings,
env_settings,
dotenv_settings,
file_secret_settings,
):
"""自定义配置源加载顺序"""
environment = os.getenv("ENVIRONMENT", "development")
# 定义配置文件路径
config_files = [
f".env.{environment}", # 环境特定的 .env 文件
".env", # 默认 .env 文件
f"config/{environment}.json", # 环境特定JSON配置
"config/default.json", # 默认JSON配置
]
# 过滤存在的文件
existing_files = [
file_path for file_path in config_files
if Path(file_path).exists()
]
# 自定义加载顺序:环境特定 > 默认 > 环境变量 > 初始化设置
return (
init_settings, # 直接传递的参数(最高优先级)
env_settings, # 环境变量
*(dotenv_settings for _ in existing_files if _.endswith('.env')), # .env 文件
*(lambda: load_json_file(f) for f in existing_files if f.endswith('.json')), # JSON 文件
file_secret_settings, # 密钥文件
)
def load_json_file(file_path: str) -> dict:
"""加载JSON配置文件"""
import json
try:
with open(file_path, 'r', encoding='utf-8') as f:
return json.load(f)
except FileNotFoundError:
return {}
# 使用示例
"""
# 项目结构
project/
├── .env.development
├── .env.production
├── config/
│ ├── development.json
│ ├── production.json
│ └── default.json
└── app.py
"""#Docker多环境配置
# Dockerfile
FROM python:3.11-slim
WORKDIR /app
# 安装依赖
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# 复制应用代码
COPY . .
# 创建非root用户
RUN useradd --create-home --shell /bin/bash app
USER app
# 默认启动命令
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]# docker-compose.yml
version: '3.8'
services:
app-dev:
build: .
environment:
- ENVIRONMENT=development
- DEBUG=true
- DATABASE_URL=postgresql+asyncpg://user:pass@db:5432/app_dev
env_file:
- .env.development
ports:
- "8000:8000"
volumes:
- .:/app
command: uvicorn main:app --reload --host 0.0.0.0 --port 8000
app-test:
build: .
environment:
- ENVIRONMENT=testing
- DEBUG=false
- DATABASE_URL=postgresql+asyncpg://user:pass@db:5432/app_test
env_file:
- .env.testing
depends_on:
- db
command: pytest tests/
app-prod:
build: .
environment:
- ENVIRONMENT=production
- DEBUG=false
- DATABASE_URL=${PROD_DATABASE_URL}
env_file:
- .env.production
ports:
- "80:8000"
depends_on:
- db
restart: unless-stopped
db:
image: postgres:15
environment:
- POSTGRES_DB=app
- POSTGRES_USER=user
- POSTGRES_PASSWORD=pass
volumes:
- postgres_data:/var/lib/postgresql/data
ports:
- "5432:5432"
volumes:
postgres_data:#Kubernetes配置管理
# k8s/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: fastapi-config
data:
ENVIRONMENT: "production"
APP_NAME: "My FastAPI App"
LOG_LEVEL: "INFO"
CORS_ALLOW_ORIGINS: "https://myapp.com,https://www.myapp.com"
---
apiVersion: v1
kind: Secret
metadata:
name: fastapi-secrets
type: Opaque
data:
# 注意:这些值应该是base64编码的
DATABASE_URL: <base64-encoded-database-url>
REDIS_URL: <base64-encoded-redis-url>
SESSION_SECRET_KEY: <base64-encoded-secret-key># k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: fastapi-app
spec:
replicas: 3
selector:
matchLabels:
app: fastapi
template:
metadata:
labels:
app: fastapi
spec:
containers:
- name: fastapi
image: my-fastapi-app:latest
ports:
- containerPort: 8000
envFrom:
- configMapRef:
name: fastapi-config
- secretRef:
name: fastapi-secrets
env:
- name: PORT
value: "8000"
- name: HOST
value: "0.0.0.0"
livenessProbe:
httpGet:
path: /health
port: 8000
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8000
initialDelaySeconds: 5
periodSeconds: 5#配置验证与类型安全
#高级验证规则
# config/validation.py
from pydantic_settings import BaseSettings, SettingsConfigDict
from pydantic import Field, validator, field_validator, model_validator
from typing import List, Optional, Union
from urllib.parse import urlparse
import re
class ValidatedConfig(BaseSettings):
"""带高级验证的配置类"""
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8"
)
# 应用配置
app_name: str = Field(
default="FastAPI App",
min_length=3,
max_length=50,
pattern=r'^[a-zA-Z0-9_-]+$',
description="应用名称,只能包含字母、数字、下划线和连字符"
)
# 版本验证
app_version: str = Field(
default="1.0.0",
pattern=r'^\d+\.\d+\.\d+(-[a-zA-Z0-9]+)?$',
description="语义化版本号,格式: major.minor.patch[-suffix]"
)
# 环境验证
environment: str = Field(
default="development",
pattern=r'^(development|testing|staging|production)$',
description="运行环境"
)
# 数据库URL验证
database_url: str = Field(
description="数据库连接URL",
min_length=10
)
# Redis URL验证
redis_url: str = Field(
default="redis://localhost:6379/0",
description="Redis连接URL"
)
# 端口验证
port: int = Field(
default=8000,
ge=1,
le=65535,
description="服务器端口"
)
# CORS来源验证
cors_allow_origins: List[str] = Field(
default_factory=list,
description="允许的CORS来源"
)
# 超时验证
request_timeout: int = Field(
default=30,
ge=1,
le=300,
description="请求超时时间(秒)"
)
# 缓存大小验证
cache_max_items: int = Field(
default=1000,
ge=1,
le=100000,
description="缓存最大项目数"
)
# 密钥长度验证
session_secret_key: str = Field(
description="会话密钥",
min_length=32
)
# 自定义字段验证器
@field_validator('database_url')
@classmethod
def validate_database_url(cls, v):
"""验证数据库URL格式"""
if not v:
raise ValueError('Database URL cannot be empty')
parsed = urlparse(v)
valid_schemes = [
'sqlite', 'postgresql', 'mysql', 'oracle',
'mssql', 'postgresql+asyncpg', 'mysql+pymysql'
]
if parsed.scheme not in valid_schemes:
raise ValueError(f'Invalid database scheme: {parsed.scheme}')
return v
@field_validator('redis_url')
@classmethod
def validate_redis_url(cls, v):
"""验证Redis URL格式"""
if not v:
raise ValueError('Redis URL cannot be empty')
parsed = urlparse(v)
if parsed.scheme != 'redis':
raise ValueError(f'Invalid Redis scheme: {parsed.scheme}')
return v
@field_validator('cors_allow_origins', mode='before')
@classmethod
def validate_cors_origins(cls, v):
"""验证CORS来源列表"""
if isinstance(v, str):
origins = [origin.strip() for origin in v.split(',') if origin.strip()]
elif isinstance(v, list):
origins = v
else:
origins = []
# 验证每个来源URL
for origin in origins:
if origin != "*" and not cls._is_valid_url(origin):
raise ValueError(f'Invalid CORS origin: {origin}')
return origins
@field_validator('session_secret_key')
@classmethod
def validate_secret_key_strength(cls, v):
"""验证密钥强度"""
if len(v) < 32:
raise ValueError('Session secret key must be at least 32 characters long')
# 检查密钥复杂度(生产环境)
if len(v) < 64:
import warnings
warnings.warn(
"Session secret key should be at least 64 characters long for production",
UserWarning
)
return v
@model_validator(mode='after')
def validate_production_constraints(self):
"""验证生产环境约束"""
if self.environment == 'production':
# 生产环境不能使用SQLite
if 'sqlite' in self.database_url.lower():
raise ValueError('Production environment cannot use SQLite database')
# 生产环境必须启用HTTPS
https_origins = [origin for origin in self.cors_allow_origins if origin.startswith('https://')]
if len(https_origins) != len(self.cors_allow_origins) and '*' not in self.cors_allow_origins:
raise ValueError('Production environment should only allow HTTPS origins')
return self
@staticmethod
def _is_valid_url(url: str) -> bool:
"""验证URL格式"""
pattern = re.compile(
r'^https?://' # http:// or https://
r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' # domain...
r'localhost|' # localhost...
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
r'(?::\d+)?' # optional port
r'(?:/?|[/?]\S+)$', re.IGNORECASE)
return pattern.match(url) is not None
# 使用示例和测试
def test_validation():
"""测试配置验证"""
try:
# 有效配置
valid_config = ValidatedConfig(
app_name="MyApp",
app_version="1.0.0",
environment="development",
database_url="sqlite:///./test.db",
session_secret_key="a_very_long_secret_key_that_meets_the_minimum_length_requirement"
)
print("✓ Valid configuration created successfully")
# 验证配置
print(f"App: {valid_config.app_name}")
print(f"Environment: {valid_config.environment}")
print(f"Database: {valid_config.database_url}")
except Exception as e:
print(f"✗ Configuration validation failed: {e}")
if __name__ == "__main__":
test_validation()#配置类型安全
# config/typesafe.py
from pydantic_settings import BaseSettings, SettingsConfigDict
from pydantic import Field, TypeAdapter
from typing import Literal, Union, Optional
from enum import Enum
import ipaddress
from datetime import timedelta
# 定义枚举类型
class EnvironmentEnum(str, Enum):
DEVELOPMENT = "development"
TESTING = "testing"
STAGING = "staging"
PRODUCTION = "production"
class LogLevelEnum(str, Enum):
DEBUG = "DEBUG"
INFO = "INFO"
WARNING = "WARNING"
ERROR = "ERROR"
CRITICAL = "CRITICAL"
class DatabaseDriverEnum(str, Enum):
SQLITE = "sqlite"
POSTGRESQL = "postgresql"
MYSQL = "mysql"
ORACLE = "oracle"
class RateLimitStrategyEnum(str, Enum):
FIXED_WINDOW = "fixed_window"
SLIDING_WINDOW = "sliding_window"
TOKEN_BUCKET = "token_bucket"
class TypeSafeConfig(BaseSettings):
"""类型安全的配置类"""
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8"
)
# 使用枚举类型的环境配置
environment: EnvironmentEnum = Field(
default=EnvironmentEnum.DEVELOPMENT,
description="运行环境"
)
# 使用枚举类型的日志级别
log_level: LogLevelEnum = Field(
default=LogLevelEnum.INFO,
description="日志级别"
)
# 使用字面量类型的数据库驱动
database_driver: DatabaseDriverEnum = Field(
default=DatabaseDriverEnum.SQLITE,
description="数据库驱动类型"
)
# 使用联合类型的数据库URL
database_url: Union[
str, # 传统字符串URL
] = Field(
description="数据库连接URL"
)
# 使用字面量类型的限流策略
rate_limit_strategy: RateLimitStrategyEnum = Field(
default=RateLimitStrategyEnum.FIXED_WINDOW,
description="限流策略"
)
# 使用timedelta类型的超时配置
request_timeout: timedelta = Field(
default=timedelta(seconds=30),
description="请求超时时间"
)
# 使用IP地址类型的允许列表
allowed_ips: Optional[str] = Field(
default=None,
description="允许的IP地址列表(逗号分隔)"
)
# 使用字面量类型的缓存策略
cache_strategy: Literal["memory", "redis", "memcached"] = Field(
default="memory",
description="缓存策略"
)
# 使用泛型类型的自定义配置
custom_settings: Optional[dict] = Field(
default=None,
description="自定义配置字典"
)
@property
def is_debug_mode(self) -> bool:
"""是否为调试模式"""
return self.log_level in [LogLevelEnum.DEBUG, LogLevelEnum.INFO]
@property
def database_host(self) -> Optional[str]:
"""从数据库URL中提取主机"""
import re
match = re.search(r'@([^:/]+)', self.database_url)
return match.group(1) if match else None
@property
def database_port(self) -> Optional[int]:
"""从数据库URL中提取端口"""
import re
match = re.search(r':(\d+)', self.database_url)
return int(match.group(1)) if match else None
# 配置适配器 - 用于运行时类型转换
DatabaseUrlAdapter = TypeAdapter(Union[str])
def get_typed_config() -> TypeSafeConfig:
"""获取类型安全的配置实例"""
return TypeSafeConfig()
# 使用示例
def demonstrate_type_safety():
"""演示类型安全"""
config = TypeSafeConfig(
environment=EnvironmentEnum.PRODUCTION,
log_level=LogLevelEnum.WARNING,
database_driver=DatabaseDriverEnum.POSTGRESQL,
database_url="postgresql://user:pass@localhost:5432/mydb",
rate_limit_strategy=RateLimitStrategyEnum.SLIDING_WINDOW,
request_timeout=timedelta(minutes=1),
cache_strategy="redis"
)
print(f"Environment: {config.environment.value}")
print(f"Log Level: {config.log_level.value}")
print(f"Database Driver: {config.database_driver.value}")
print(f"Rate Limit Strategy: {config.rate_limit_strategy.value}")
print(f"Request Timeout: {config.request_timeout}")
print(f"Is Debug Mode: {config.is_debug_mode}")
print(f"Database Host: {config.database_host}")
print(f"Database Port: {config.database_port}")
if __name__ == "__main__":
demonstrate_type_safety()#敏感信息安全管理
#密钥管理最佳实践
# config/secrets.py
import os
import secrets
import hashlib
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from typing import Optional
import json
from pathlib import Path
class SecretManager:
"""敏感信息安全管理器"""
def __init__(self, master_password: Optional[str] = None):
self.master_password = master_password or os.getenv('MASTER_PASSWORD')
self._fernet = None
self.secrets_dir = Path("secrets")
self.secrets_dir.mkdir(exist_ok=True)
@property
def fernet(self) -> Fernet:
"""获取加密器实例"""
if self._fernet is None:
if not self.master_password:
raise ValueError("Master password not provided")
self._fernet = self._create_fernet_instance()
return self._fernet
def _create_fernet_instance(self) -> Fernet:
"""创建Fernet加密实例"""
password = self.master_password.encode()
salt = b'secret_salt_for_fernet' # 在实际应用中应该从安全的地方获取
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
)
key = base64.urlsafe_b64encode(kdf.derive(password))
return Fernet(key)
def encrypt_secret(self, secret: str) -> str:
"""加密敏感信息"""
encrypted_bytes = self.fernet.encrypt(secret.encode())
return base64.b64encode(encrypted_bytes).decode()
def decrypt_secret(self, encrypted_secret: str) -> str:
"""解密敏感信息"""
encrypted_bytes = base64.b64decode(encrypted_secret.encode())
decrypted_bytes = self.fernet.decrypt(encrypted_bytes)
return decrypted_bytes.decode()
def store_secret(self, key: str, secret: str, encrypt: bool = True) -> Path:
"""存储敏感信息"""
file_path = self.secrets_dir / f"{key}.secret"
if encrypt:
secret = self.encrypt_secret(secret)
with open(file_path, 'w') as f:
f.write(secret)
# 设置安全的文件权限
os.chmod(file_path, 0o600) # 只有所有者可读写
return file_path
def load_secret(self, key: str, decrypt: bool = True) -> Optional[str]:
"""加载敏感信息"""
file_path = self.secrets_dir / f"{key}.secret"
if not file_path.exists():
return None
with open(file_path, 'r') as f:
secret = f.read().strip()
if decrypt:
secret = self.decrypt_secret(secret)
return secret
def generate_secure_token(self, length: int = 32) -> str:
"""生成安全的随机令牌"""
return secrets.token_urlsafe(length)
def generate_strong_password(self, length: int = 64) -> str:
"""生成强密码"""
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
return ''.join(secrets.choice(alphabet) for _ in range(length))
# 全局密钥管理器实例
secret_manager = SecretManager()
# 使用示例
"""
# 存储数据库密码
db_password = "my_secure_db_password"
secret_manager.store_secret("database_password", db_password)
# 加载数据库密码
stored_password = secret_manager.load_secret("database_password")
print(f"Stored password: {stored_password}")
"""#环境变量安全处理
# config/env_security.py
import os
import re
from typing import Dict, List, Optional
import logging
class EnvironmentSecurityManager:
"""环境变量安全管理器"""
def __init__(self):
self.logger = logging.getLogger(__name__)
self.sensitive_keys = {
'PASSWORD', 'SECRET', 'TOKEN', 'KEY', 'AUTH', 'CREDENTIAL',
'PRIVATE', 'CLIENT_ID', 'CLIENT_SECRET', 'API_KEY', 'JWT_SECRET'
}
self.required_keys = set()
self.optional_keys = set()
def register_required_vars(self, *keys: str) -> None:
"""注册必需的环境变量"""
self.required_keys.update(keys)
def register_optional_vars(self, *keys: str) -> None:
"""注册可选的环境变量"""
self.optional_keys.update(keys)
def validate_environment_vars(self) -> List[str]:
"""验证环境变量"""
errors = []
# 检查必需变量
for key in self.required_keys:
if not os.getenv(key):
errors.append(f"Required environment variable '{key}' is not set")
# 检查敏感变量的强度
for key in os.environ:
if self._is_sensitive_key(key):
value = os.getenv(key, "")
if value and not self._is_value_secure(value):
errors.append(f"Environment variable '{key}' does not meet security requirements")
return errors
def mask_sensitive_values(self, data: Dict) -> Dict:
"""屏蔽敏感信息"""
masked_data = {}
for key, value in data.items():
if self._is_sensitive_key(key):
masked_data[key] = "***REDACTED***"
else:
masked_data[key] = value
return masked_data
def get_secure_env_var(self, key: str, default: str = "", min_length: int = 0) -> str:
"""安全获取环境变量"""
value = os.getenv(key, default)
if min_length > 0 and len(value) < min_length:
raise ValueError(f"Environment variable '{key}' must be at least {min_length} characters long")
if self._is_sensitive_key(key) and not self._is_value_secure(value):
self.logger.warning(f"Sensitive environment variable '{key}' may not meet security requirements")
return value
def _is_sensitive_key(self, key: str) -> bool:
"""检查是否为敏感键"""
key_upper = key.upper()
return any(sensitive in key_upper for sensitive in self.sensitive_keys)
def _is_value_secure(self, value: str) -> bool:
"""检查值是否安全"""
if not value:
return True # 空值被认为是安全的
# 检查最小长度
if len(value) < 8:
return False
# 检查是否为常见弱密码
weak_patterns = [
r'^(password|admin|123456|qwerty)$',
r'^(secret|key|token)$',
r'^(change|default|test)$'
]
for pattern in weak_patterns:
if re.match(pattern, value.lower()):
return False
# 检查复杂度(如果有要求)
has_lower = any(c.islower() for c in value)
has_upper = any(c.isupper() for c in value)
has_digit = any(c.isdigit() for c in value)
has_special = any(c in "!@#$%^&*()_+-=[]{}|;:,.<>?" for c in value)
complexity_score = sum([has_lower, has_upper, has_digit, has_special])
return complexity_score >= 3 # 至少3种不同类型字符
# 全局环境安全管理器
env_security_manager = EnvironmentSecurityManager()
# 在配置类中使用
"""
class SecureConfig(BaseSettings):
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8"
)
database_url: str
jwt_secret: str = Field(min_length=32)
def __init__(self, **kwargs):
# 验证环境变量
errors = env_security_manager.validate_environment_vars()
if errors:
raise ValueError(f"Environment validation failed: {errors}")
super().__init__(**kwargs)
@field_validator('jwt_secret')
@classmethod
def validate_jwt_secret(cls, v):
if not env_security_manager._is_value_secure(v):
raise ValueError("JWT secret does not meet security requirements")
return v
"""#Docker Secrets集成
# config/docker_secrets.py
import os
from pathlib import Path
from typing import Optional
import json
class DockerSecretsManager:
"""Docker Secrets管理器"""
def __init__(self, secrets_dir: str = "/run/secrets"):
self.secrets_dir = Path(secrets_dir)
self._cache = {}
def get_secret(self, name: str, default: Optional[str] = None) -> Optional[str]:
"""从Docker Secrets获取值"""
if name in self._cache:
return self._cache[name]
secret_path = self.secrets_dir / name
if secret_path.exists():
try:
with open(secret_path, 'r') as f:
value = f.read().strip()
self._cache[name] = value
return value
except IOError:
pass
# 如果在Kubernetes中,可能需要从环境变量获取
env_var_name = f"{name.upper()}_FILE"
file_path = os.getenv(env_var_name)
if file_path:
try:
with open(file_path, 'r') as f:
value = f.read().strip()
self._cache[name] = value
return value
except IOError:
pass
return default
def get_secret_as_json(self, name: str, default: Optional[dict] = None) -> Optional[dict]:
"""将Docker Secret作为JSON获取"""
secret_content = self.get_secret(name)
if secret_content:
try:
return json.loads(secret_content)
except json.JSONDecodeError:
raise ValueError(f"Docker secret '{name}' is not valid JSON")
return default
def get_secret_as_int(self, name: str, default: Optional[int] = None) -> Optional[int]:
"""将Docker Secret作为整数获取"""
secret_content = self.get_secret(name)
if secret_content:
try:
return int(secret_content)
except ValueError:
raise ValueError(f"Docker secret '{name}' is not a valid integer")
return default
def get_secret_as_bool(self, name: str, default: Optional[bool] = None) -> Optional[bool]:
"""将Docker Secret作为布尔值获取"""
secret_content = self.get_secret(name)
if secret_content:
return secret_content.lower() in ('true', '1', 'yes', 'on')
return default
# 全局Docker Secrets管理器
docker_secrets_manager = DockerSecretsManager()
# 在配置中使用Docker Secrets
"""
class DockerConfig(BaseSettings):
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8"
)
# 从Docker Secrets获取数据库密码
database_password: Optional[str] = None
jwt_secret: Optional[str] = None
def __init__(self, **kwargs):
# 如果没有通过环境变量设置,则尝试从Docker Secrets获取
if 'database_password' not in kwargs:
kwargs['database_password'] = docker_secrets_manager.get_secret('db_password')
if 'jwt_secret' not in kwargs:
kwargs['jwt_secret'] = docker_secrets_manager.get_secret('jwt_secret')
super().__init__(**kwargs)
"""#Docker与云原生配置
#Docker最佳实践配置
# Dockerfile.optimized
# 使用官方Python基础镜像
FROM python:3.11-slim AS base
# 设置工作目录
WORKDIR /app
# 安装系统依赖
RUN apt-get update && apt-get install -y --no-install-recommends \
gcc \
&& rm -rf /var/lib/apt/lists/*
# 为生产环境创建非root用户
RUN useradd --create-home --shell /bin/bash app
USER app
# 复制依赖文件
COPY --chown=app:app requirements.txt .
# 安装Python依赖
RUN pip install --user --no-cache-dir -r requirements.txt
# 复制应用代码
COPY --chown=app:app . .
# 健康检查
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8000/health || exit 1
# 启动命令
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]# Dockerfile.multi-stage
# 构建阶段
FROM python:3.11-slim AS builder
WORKDIR /app
# 安装构建依赖
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
&& rm -rf /var/lib/apt/lists/*
# 复制并安装依赖
COPY requirements.txt .
RUN pip wheel --no-cache-dir --no-deps --wheel-dir /app/wheels -r requirements.txt
# 生产阶段
FROM python:3.11-slim AS production
WORKDIR /app
# 安装运行时依赖
RUN apt-get update && apt-get install -y --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
&& useradd --create-home --shell /bin/bash app \
&& chown -R app:app /app
USER app
# 复制wheel文件并安装
COPY --from=builder /app/wheels /wheels
COPY --from=builder /app/requirements.txt .
RUN pip install --no-cache /wheels/* && rm -rf /wheels
# 复制应用代码
COPY --chown=app:app . .
EXPOSE 8000
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8000/health || exit 1
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]#Docker Compose多环境配置
# docker-compose.base.yml
version: '3.8'
services:
app-base:
build: .
environment:
- PYTHONPATH=/app
volumes:
- ./logs:/app/logs
networks:
- app-network
restart: unless-stopped
db:
image: postgres:15
environment:
- POSTGRES_DB=app
- POSTGRES_USER=user
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
volumes:
- postgres_data:/var/lib/postgresql/data
- ./init-scripts:/docker-entrypoint-initdb.d
networks:
- app-network
secrets:
- db_password
restart: unless-stopped
redis:
image: redis:7-alpine
command: redis-server --appendonly yes
volumes:
- redis_data:/data
networks:
- app-network
restart: unless-stopped
networks:
app-network:
driver: bridge
volumes:
postgres_data:
redis_data:
secrets:
db_password:
file: ./secrets/db_password.txt# docker-compose.dev.yml
version: '3.8'
services:
app:
extends:
file: docker-compose.base.yml
service: app-base
environment:
- ENVIRONMENT=development
- DEBUG=true
- DATABASE_URL=postgresql+asyncpg://user:password@db:5432/app_dev
- REDIS_URL=redis://redis:6379/0
ports:
- "8000:8000"
volumes:
- .:/app # 开发时挂载代码卷
depends_on:
- db
- redis
command: uvicorn main:app --reload --host 0.0.0.0 --port 8000
db:
environment:
- POSTGRES_DB=app_dev
ports:
- "5432:5432" # 开发时暴露端口# docker-compose.prod.yml
version: '3.8'
services:
app:
extends:
file: docker-compose.base.yml
service: app-base
environment:
- ENVIRONMENT=production
- DEBUG=false
- DATABASE_URL=postgresql+asyncpg://user:password@db:5432/app_prod
- REDIS_URL=redis://redis:6379/0
ports:
- "80:8000"
depends_on:
- db
- redis
deploy:
replicas: 3
resources:
limits:
cpus: '0.5'
memory: 512M
reservations:
cpus: '0.25'
memory: 256M
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
update_config:
parallelism: 1
delay: 10s
failure_action: rollback
monitor: 60s
max_failure_ratio: 0.3
order: start-first
rollback_config:
parallelism: 1
delay: 10s
failure_action: pause
monitor: 60s
max_failure_ratio: 0.3
order: stop-first
nginx:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./ssl:/etc/nginx/ssl
depends_on:
- app
restart: unless-stopped#Kubernetes配置管理
# k8s/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: fastapi-app
labels:
name: fastapi-app
---
# k8s/resource-quotas.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
name: fastapi-quota
namespace: fastapi-app
spec:
hard:
requests.cpu: "1"
requests.memory: 1Gi
limits.cpu: "2"
limits.memory: 2Gi
persistentvolumeclaims: "4"
services.nodeports: "0"
services.loadbalancers: "1"# k8s/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: fastapi-secrets
namespace: fastapi-app
type: Opaque
data:
# 这些值应该是base64编码的实际密钥
db-password: <base64-encoded-password>
jwt-secret: <base64-encoded-jwt-secret>
session-secret: <base64-encoded-session-secret>
---
apiVersion: v1
kind: Secret
metadata:
name: ssl-certs
namespace: fastapi-app
type: kubernetes.io/tls
data:
tls.crt: <base64-encoded-cert>
tls.key: <base64-encoded-key># k8s/configmaps.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: fastapi-config
namespace: fastapi-app
data:
ENVIRONMENT: "production"
APP_NAME: "My FastAPI Application"
DEBUG: "false"
LOG_LEVEL: "INFO"
CORS_ALLOW_ORIGINS: "https://myapp.com,https://www.myapp.com"
REQUEST_TIMEOUT: "30"
CACHE_MAX_ITEMS: "1000"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: fastapi-app
data:
nginx.conf: |
events {
worker_connections 1024;
}
http {
upstream fastapi {
server fastapi-service:8000;
}
server {
listen 80;
server_name myapp.com www.myapp.com;
location / {
proxy_pass http://fastapi;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /static/ {
alias /app/static/;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
}# k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: fastapi-deployment
namespace: fastapi-app
labels:
app: fastapi
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: 1
selector:
matchLabels:
app: fastapi
template:
metadata:
labels:
app: fastapi
spec:
containers:
- name: fastapi
image: my-fastapi-app:latest
ports:
- containerPort: 8000
envFrom:
- configMapRef:
name: fastapi-config
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: fastapi-secrets
key: db-password
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: fastapi-secrets
key: jwt-secret
- name: SESSION_SECRET_KEY
valueFrom:
secretKeyRef:
name: fastapi-secrets
key: session-secret
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"
livenessProbe:
httpGet:
path: /health
port: 8000
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: 8000
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
volumeMounts:
- name: logs-volume
mountPath: /app/logs
volumes:
- name: logs-volume
emptyDir: {}
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
---
apiVersion: v1
kind: Service
metadata:
name: fastapi-service
namespace: fastapi-app
spec:
selector:
app: fastapi
ports:
- protocol: TCP
port: 8000
targetPort: 8000
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: fastapi-ingress
namespace: fastapi-app
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- myapp.com
- www.myapp.com
secretName: tls-secret
rules:
- host: myapp.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: fastapi-service
port:
number: 8000
- host: www.myapp.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: fastapi-service
port:
number: 8000#配置热重载与监控
#配置热重载实现
# config/hot_reload.py
import asyncio
import threading
from pathlib import Path
from typing import Callable, Dict, Any, Optional
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
import json
import time
from functools import wraps
class ConfigReloadHandler(FileSystemEventHandler):
"""配置文件变更处理器"""
def __init__(self, callback: Callable):
self.callback = callback
super().__init__()
def on_modified(self, event):
if event.is_directory:
return
file_path = Path(event.src_path)
if file_path.suffix in ['.env', '.json', '.yaml', '.yml']:
print(f"Configuration file {file_path} changed, reloading...")
self.callback(file_path)
class HotReloadConfigManager:
"""支持热重载的配置管理器"""
def __init__(self, config_callback: Callable, watch_dirs: Optional[list] = None):
self.config_callback = config_callback
self.watch_dirs = watch_dirs or ['./', './config/']
self.observer = Observer()
self.event_handlers = []
self.running = False
self.last_reload_time = 0
self.reload_cooldown = 1.0 # 1秒冷却时间,防止频繁重载
# 设置文件监视器
self._setup_watchers()
def _setup_watchers(self):
"""设置文件监视器"""
for watch_dir in self.watch_dirs:
dir_path = Path(watch_dir)
if dir_path.exists():
handler = ConfigReloadHandler(self._handle_reload)
self.observer.schedule(handler, str(dir_path), recursive=True)
self.event_handlers.append(handler)
def _handle_reload(self, file_path: Path):
"""处理配置重载"""
current_time = time.time()
if current_time - self.last_reload_time < self.reload_cooldown:
return # 冷却时间内忽略
self.last_reload_time = current_time
try:
# 异步执行重载(避免阻塞文件监视器)
asyncio.create_task(self._async_reload_config())
except Exception as e:
print(f"Error scheduling config reload: {e}")
async def _async_reload_config(self):
"""异步重载配置"""
try:
print("Reloading configuration...")
await self.config_callback()
print("Configuration reloaded successfully")
except Exception as e:
print(f"Error reloading configuration: {e}")
def start_watching(self):
"""开始监视配置文件"""
if not self.running:
self.observer.start()
self.running = True
print("Started watching configuration files for changes...")
def stop_watching(self):
"""停止监视配置文件"""
if self.running:
self.observer.stop()
self.observer.join()
self.running = False
print("Stopped watching configuration files")
# 使用装饰器实现配置热重载
def with_hot_reload(watch_dirs: Optional[list] = None):
"""配置热重载装饰器"""
def decorator(func: Callable):
manager = HotReloadConfigManager(
config_callback=lambda: func(),
watch_dirs=watch_dirs
)
@wraps(func)
def wrapper(*args, **kwargs):
# 启动配置监视
manager.start_watching()
try:
result = func(*args, **kwargs)
return result
finally:
# 确保在退出时停止监视
import atexit
atexit.register(manager.stop_watching)
wrapper.hot_reload_manager = manager
return wrapper
return decorator
# 配置变更通知系统
class ConfigChangeNotifier:
"""配置变更通知系统"""
def __init__(self):
self.subscribers = []
self.config_snapshot = {}
def subscribe(self, callback: Callable[[Dict[str, Any]], None]):
"""订阅配置变更"""
self.subscribers.append(callback)
def notify_changes(self, old_config: Dict[str, Any], new_config: Dict[str, Any]):
"""通知配置变更"""
changes = self._detect_changes(old_config, new_config)
if changes:
for subscriber in self.subscribers:
try:
subscriber(changes)
except Exception as e:
print(f"Error notifying subscriber: {e}")
def _detect_changes(self, old_config: Dict[str, Any], new_config: Dict[str, Any]) -> Dict[str, Any]:
"""检测配置变更"""
changes = {}
all_keys = set(old_config.keys()) | set(new_config.keys())
for key in all_keys:
old_value = old_config.get(key)
new_value = new_config.get(key)
if old_value != new_value:
changes[key] = {
'old': old_value,
'new': new_value
}
return changes
# 全局配置变更通知器
config_notifier = ConfigChangeNotifier()
# 使用示例
"""
def on_config_change(changes):
print(f"Configuration changed: {changes}")
# 可以在这里执行重新初始化服务等操作
config_notifier.subscribe(on_config_change)
"""#配置监控与健康检查
# config/monitoring.py
from typing import Dict, List, Optional
import time
from dataclasses import dataclass
from enum import Enum
class ConfigHealthStatus(Enum):
HEALTHY = "healthy"
WARNING = "warning"
ERROR = "error"
@dataclass
class ConfigHealthCheck:
"""配置健康检查结果"""
name: str
status: ConfigHealthStatus
message: str
timestamp: float = time.time()
class ConfigMonitor:
"""配置监控器"""
def __init__(self):
self.health_checks: List[ConfigHealthCheck] = []
self.last_check_time = 0
self.check_interval = 300 # 5分钟检查一次
def run_health_checks(self) -> List[ConfigHealthCheck]:
"""运行配置健康检查"""
checks = []
# 检查数据库连接
db_check = self._check_database_connection()
checks.append(db_check)
# 检查Redis连接
redis_check = self._check_redis_connection()
checks.append(redis_check)
# 检查敏感配置
secret_check = self._check_sensitive_configs()
checks.append(secret_check)
# 检查配置一致性
consistency_check = self._check_config_consistency()
checks.append(consistency_check)
self.health_checks = checks
self.last_check_time = time.time()
return checks
def _check_database_connection(self) -> ConfigHealthCheck:
"""检查数据库连接"""
try:
# 这里应该实际连接数据库进行检查
# from config.manager import config_manager
# db_url = config_manager.config.database_url
# 实际实现中应该尝试连接数据库
return ConfigHealthCheck(
name="database_connection",
status=ConfigHealthStatus.HEALTHY,
message="Database connection is healthy"
)
except Exception as e:
return ConfigHealthCheck(
name="database_connection",
status=ConfigHealthStatus.ERROR,
message=f"Database connection failed: {str(e)}"
)
def _check_redis_connection(self) -> ConfigHealthCheck:
"""检查Redis连接"""
try:
# 实际实现中应该尝试连接Redis
return ConfigHealthCheck(
name="redis_connection",
status=ConfigHealthStatus.HEALTHY,
message="Redis connection is healthy"
)
except Exception as e:
return ConfigHealthCheck(
name="redis_connection",
status=ConfigHealthStatus.WARNING,
message=f"Redis connection issue: {str(e)}"
)
def _check_sensitive_configs(self) -> ConfigHealthCheck:
"""检查敏感配置"""
try:
# from config.manager import config_manager
# config = config_manager.config
issues = []
# 检查JWT密钥长度
# if len(config.jwt_secret) < 32:
# issues.append("JWT secret is too short")
# 检查会话密钥
# if config.session_secret_key == "change-me-in-production":
# issues.append("Default session secret key detected")
if issues:
return ConfigHealthCheck(
name="sensitive_configs",
status=ConfigHealthStatus.WARNING,
message=f"Sensitivity issues found: {', '.join(issues)}"
)
return ConfigHealthCheck(
name="sensitive_configs",
status=ConfigHealthStatus.HEALTHY,
message="All sensitive configurations are secure"
)
except Exception as e:
return ConfigHealthCheck(
name="sensitive_configs",
status=ConfigHealthStatus.ERROR,
message=f"Failed to check sensitive configs: {str(e)}"
)
def _check_config_consistency(self) -> ConfigHealthCheck:
"""检查配置一致性"""
try:
# 检查配置之间的逻辑一致性
issues = []
# 例如:生产环境不应该开启调试模式
# if config.is_production and config.debug:
# issues.append("Debug mode enabled in production")
if issues:
return ConfigHealthCheck(
name="config_consistency",
status=ConfigHealthStatus.WARNING,
message=f"Inconsistencies found: {', '.join(issues)}"
)
return ConfigHealthCheck(
name="config_consistency",
status=ConfigHealthStatus.HEALTHY,
message="All configurations are consistent"
)
except Exception as e:
return ConfigHealthCheck(
name="config_consistency",
status=ConfigHealthStatus.ERROR,
message=f"Failed to check config consistency: {str(e)}"
)
def get_overall_health(self) -> ConfigHealthStatus:
"""获取整体健康状况"""
if not self.health_checks:
return ConfigHealthStatus.WARNING
statuses = [check.status for check in self.health_checks]
if ConfigHealthStatus.ERROR in statuses:
return ConfigHealthStatus.ERROR
elif ConfigHealthStatus.WARNING in statuses:
return ConfigHealthStatus.WARNING
else:
return ConfigHealthStatus.HEALTHY
def get_health_report(self) -> Dict[str, Any]:
"""获取健康报告"""
return {
"overall_status": self.get_overall_health().value,
"checks": [
{
"name": check.name,
"status": check.status.value,
"message": check.message,
"timestamp": check.timestamp
}
for check in self.health_checks
],
"last_check": self.last_check_time
}
# 全局配置监控器
config_monitor = ConfigMonitor()
# 在FastAPI中使用
"""
from fastapi import FastAPI
from config.monitoring import config_monitor
@app.get("/health/config")
async def config_health():
checks = config_monitor.run_health_checks()
return config_monitor.get_health_report()
"""#生产部署最佳实践
#安全配置检查清单
"""
生产环境配置安全检查清单:
✅ 基础安全
- [ ] 禁用调试模式 (debug=False)
- [ ] 使用强密钥 (至少64字符)
- [ ] 配置适当的日志级别
- [ ] 设置CORS策略限制域名
- [ ] 启用CSRF保护
- [ ] 配置安全头 (HSTS, CSP等)
✅ 数据库安全
- [ ] 使用PostgreSQL/MySQL而非SQLite
- [ ] 配置连接池
- [ ] 启用SSL连接
- [ ] 设置连接超时
✅ 认证安全
- [ ] JWT令牌有效期合理
- [ ] 密钥轮换策略
- [ ] 密码哈希算法强度
- [ ] 会话管理安全
✅ 网络安全
- [ ] 限制API速率
- [ ] IP白名单配置
- [ ] HTTPS强制重定向
- [ ] SSL证书配置
✅ 监控安全
- [ ] 错误不暴露敏感信息
- [ ] 访问日志记录
- [ ] 安全事件监控
- [ ] 健康检查端点保护
"""
# 生产配置验证器
class ProductionConfigValidator:
"""生产环境配置验证器"""
def __init__(self):
self.errors = []
self.warnings = []
def validate(self, config) -> tuple[list, list]:
"""验证生产配置"""
self.errors = []
self.warnings = []
self._validate_basic_security(config)
self._validate_database_security(config)
self._validate_auth_security(config)
self._validate_network_security(config)
return self.errors, self.warnings
def _validate_basic_security(self, config):
"""验证基础安全配置"""
if config.debug:
self.errors.append("Debug mode should be disabled in production")
if config.log_level.upper() not in ['WARNING', 'ERROR', 'CRITICAL']:
self.warnings.append("Log level should be WARNING or higher in production")
if len(config.session_secret_key) < 64:
self.errors.append("Session secret key should be at least 64 characters long")
if config.session_secret_key == "change-me-in-production":
self.errors.append("Default session secret key detected")
def _validate_database_security(self, config):
"""验证数据库安全配置"""
if 'sqlite' in config.database_url.lower():
self.errors.append("SQLite should not be used in production")
if 'localhost' in config.database_url or '127.0.0.1' in config.database_url:
self.warnings.append("Database should not be on localhost in production")
if 'sslmode=require' not in config.database_url.lower():
self.warnings.append("SSL should be enabled for database connections")
def _validate_auth_security(self, config):
"""验证认证安全配置"""
if len(config.jwt_secret) < 32:
self.errors.append("JWT secret should be at least 32 characters long")
if config.jwt_expire_minutes > 1440: # 24 hours
self.warnings.append("JWT expiration time is too long")
def _validate_network_security(self, config):
"""验证网络安全配置"""
if '*' in config.cors_allow_origins:
self.errors.append("Wildcard CORS origins should not be used in production")
if not any(origin.startswith('https://') for origin in config.cors_allow_origins if origin != '*'):
self.warnings.append("Production should only allow HTTPS origins")
# 使用示例
"""
validator = ProductionConfigValidator()
errors, warnings = validator.validate(config_manager.config)
if errors:
print(f"Production configuration errors: {errors}")
raise ValueError("Production configuration validation failed")
if warnings:
print(f"Production configuration warnings: {warnings}")
"""#部署脚本示例
#!/bin/bash
# deploy.sh - 生产环境部署脚本
set -e # 遇到错误立即退出
echo "🚀 Starting production deployment..."
# 验证必需的环境变量
REQUIRED_VARS=(
"PROD_DATABASE_URL"
"PROD_JWT_SECRET"
"PROD_SESSION_SECRET"
"SENTRY_DSN"
)
for var in "${REQUIRED_VARS[@]}"; do
if [ -z "${!var}" ]; then
echo "❌ Error: Required environment variable $var is not set"
exit 1
fi
done
echo "✅ Environment variables validated"
# 构建Docker镜像
echo "🔨 Building Docker image..."
docker build -t my-fastapi-app:latest .
# 运行配置验证
echo "🔍 Running configuration validation..."
docker run --rm \
-e ENVIRONMENT=production \
-e DATABASE_URL="$PROD_DATABASE_URL" \
-e JWT_SECRET="$PROD_JWT_SECRET" \
-e SESSION_SECRET_KEY="$PROD_SESSION_SECRET" \
my-fastapi-app:latest \
python -c "from config.environments import get_config; config=get_config(); print(f'Config loaded: {config.environment}')"
echo "✅ Configuration validation passed"
# 启动应用
echo "🐳 Starting application with Docker Compose..."
docker-compose -f docker-compose.prod.yml up -d
echo "✅ Application started successfully"
echo "📈 Monitoring application health..."
# 等待应用启动
sleep 10
# 检查健康状态
for i in {1..30}; do
if curl -f http://localhost/health >/dev/null 2>&1; then
echo "✅ Application is healthy"
exit 0
fi
echo "⏳ Waiting for application to become healthy... ($i/30)"
sleep 10
done
echo "❌ Application failed to become healthy"
exit 1#Kubernetes部署最佳实践
# k8s/hpa.yaml - 水平Pod自动伸缩
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: fastapi-hpa
namespace: fastapi-app
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: fastapi-deployment
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
---
# k8s/network-policy.yaml - 网络策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: fastapi-network-policy
namespace: fastapi-app
spec:
podSelector:
matchLabels:
app: fastapi
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx # 允许来自Ingress控制器的流量
ports:
- protocol: TCP
port: 8000
egress:
- to: # 允许访问数据库和Redis
- podSelector:
matchLabels:
app: postgres
- podSelector:
matchLabels:
app: redis
ports:
- protocol: TCP
port: 5432 # PostgreSQL
- protocol: TCP
port: 6379 # Redis
---
# k8s/pod-disruption-budget.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: fastapi-pdb
namespace: fastapi-app
spec:
minAvailable: 1
selector:
matchLabels:
app: fastapi#配置性能优化
#配置缓存策略
# config/caching.py
import time
from functools import wraps
from typing import Any, Callable
import threading
class ConfigCache:
"""配置缓存管理器"""
def __init__(self, ttl: int = 300): # 5分钟TTL
self.cache = {}
self.timestamps = {}
self.ttl = ttl
self.lock = threading.RLock() # 线程安全锁
def get(self, key: str) -> Any:
"""获取缓存的配置值"""
with self.lock:
if key in self.cache:
timestamp = self.timestamps[key]
if time.time() - timestamp < self.ttl:
return self.cache[key]
else:
# TTL过期,删除缓存
del self.cache[key]
del self.timestamps[key]
return None
def set(self, key: str, value: Any):
"""设置缓存的配置值"""
with self.lock:
self.cache[key] = value
self.timestamps[key] = time.time()
def invalidate(self, key: str = None):
"""使缓存失效"""
with self.lock:
if key:
if key in self.cache:
del self.cache[key]
del self.timestamps[key]
else:
self.cache.clear()
self.timestamps.clear()
def clear_expired(self):
"""清理过期缓存"""
with self.lock:
current_time = time.time()
expired_keys = [
key for key, timestamp in self.timestamps.items()
if current_time - timestamp >= self.ttl
]
for key in expired_keys:
del self.cache[key]
del self.timestamps[key]
# 全局配置缓存
config_cache = ConfigCache()
def cached_config_property(func: Callable) -> property:
"""配置属性缓存装饰器"""
attr_name = f'_cached_{func.__name__}'
ttl_attr = f'_cached_{func.__name__}_time'
@property
def wrapper(self):
current_time = time.time()
cached_time = getattr(self, ttl_attr, 0)
if current_time - cached_time > config_cache.ttl:
value = func(self)
setattr(self, attr_name, value)
setattr(self, ttl_attr, current_time)
else:
value = getattr(self, attr_name, None)
return value
return wrapper
# 使用示例
"""
class OptimizedConfig(BaseConfig):
@cached_config_property
def parsed_database_url(self):
# 解析数据库URL的昂贵操作
from urllib.parse import urlparse
return urlparse(self.database_url)
@cached_config_property
def cors_origin_list(self):
# 解析CORS来源列表的昂贵操作
return [origin.strip() for origin in self.cors_allow_origins if origin.strip()]
"""#配置懒加载
# config/lazy_loading.py
from typing import Any
import weakref
class LazyConfigLoader:
"""配置懒加载器"""
def __init__(self, config_class):
self.config_class = config_class
self._instance = None
self._lock = threading.Lock()
def get_config(self):
"""获取配置实例(单例+懒加载)"""
if self._instance is None:
with self._lock:
if self._instance is None:
self._instance = self.config_class()
return self._instance
# 使用__slots__优化内存使用
class MemoryOptimizedConfig(BaseConfig):
"""内存优化的配置类"""
__slots__ = (
'_app_name', '_app_version', '_environment', '_debug', '_reload',
'_host', '_port', '_cors_allow_origins', '_cors_allow_credentials',
'_cors_allow_methods', '_cors_allow_headers', '_log_level',
'_session_secret_key', '_database_url', '_redis_url'
)
def __init__(self, **kwargs):
# 初始化slots中的属性
for key, value in kwargs.items():
setattr(self, f'_{key}', value)
# 设置默认值
defaults = {
'app_name': 'FastAPI Application',
'app_version': '1.0.0',
'environment': 'development',
'debug': False,
'reload': False,
'host': '127.0.0.1',
'port': 8000,
'cors_allow_origins': [],
'cors_allow_credentials': True,
'cors_allow_methods': ['*'],
'cors_allow_headers': ['*'],
'log_level': 'INFO',
'session_secret_key': 'change-me-in-production',
}
for key, default_value in defaults.items():
if not hasattr(self, f'_{key}'):
setattr(self, f'_{key}', default_value)
# 配置预热器
class ConfigWarmer:
"""配置预热器 - 预加载常用配置"""
def __init__(self, config_getter):
self.config_getter = config_getter
self.warmed_up = False
def warmup(self):
"""预加载配置"""
if not self.warmed_up:
config = self.config_getter()
# 预计算常用的派生配置
_ = config.is_production
_ = config.is_development
_ = config.database_host
_ = config.database_port
self.warmed_up = True
print("✅ Configuration warmed up")
# 全局配置预热器
config_warmer = ConfigWarmer(lambda: get_config())
# 在应用启动时调用
"""
if __name__ == "__main__":
config_warmer.warmup()
"""#与其他配置框架对比
| 特性 | Pydantic Settings | Python-Decouple | Dynaconf | Decouple | Environ |
|---|---|---|---|---|---|
| 类型安全 | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐⭐ |
| 验证机制 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ |
| 环境隔离 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| 性能 | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| 易用性 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| 扩展性 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ |
| 社区支持 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ |
#框架选择建议
"""
选择配置框架的决策树:
1. 如果使用FastAPI/Pydantic生态 → Pydantic Settings (推荐)
2. 如果需要简单快速的配置 → Python-Decouple
3. 如果需要复杂配置管理 → Dynaconf
4. 如果已有decouple使用习惯 → Python-Decouple
5. 如果需要环境变量管理 → Environ
Pydantic Settings优势:
- 与FastAPI完美集成
- 强大的类型验证
- 自动文档生成
- IDE友好的类型提示
- 灵活的配置源
- 企业级功能支持
"""#总结
FastAPI中的Pydantic Settings提供了完整的配置管理解决方案:
- 环境隔离:支持开发、测试、生产环境
- 类型安全:完整的类型验证和提示
- 验证机制:多层次配置验证
- 安全保护:敏感信息管理
- 云原生:Docker/Kubernetes友好
- 性能优化:缓存和懒加载
- 监控集成:健康检查和监控
正确实施配置管理能够:
- 提高应用安全性
- 简化部署流程
- 增强系统可靠性
- 支持多环境部署
💡 关键要点:配置管理是应用的基础,投资在配置管理上的时间会带来长期收益。使用Pydantic Settings可以确保配置的安全性、可靠性和可维护性。
🔗 扩展阅读