Synadia Platform

Configuration

The following configuration file formats are supported:

  • Files ending in .cue - parsed as CUE
  • Files ending in .json - parsed as JSON
  • Files ending in .yaml or .yml - parsed as YAML

If no config file is specified, the server will attempt to load one in the current working directory named syn-cp.[cue|json|yaml|yml]

Multiple config files can be supplied with the -c or --config flag. They are merged using the merge-patch strategy in-order with the right-most file taking precedence.

Base Configuration

Key | Type | Required | Description
server | Server | No | Control Plane HTTP(S) server options.
kms | KMS | No | KMS options for encrypting secrets.
data_sources | Data Sources | No | External database connections.
authentication | Authentication | No | Controls how users authenticate to Control Plane.
authorization | Authorization | No | Controls authorization defaults, roles, and policies.
logging | Logging | No | Controls log levels and logging destinations.
data_dir | string | No | Location of data directory, defaults to ./data in current working directory.

Server

Key | Type | Required | Description
url | string | No | URL where Control Plane server will be accessed, defaults to http://localhost:8080 or https://localhost:8443 if TLS is enabled.
http_addr | string | No | HTTP interface:port to listen on, defaults to :8080 which listens on all interfaces port 8080. When tls is set, this will 301 redirect to server.url.
https_addr | string | No | HTTPS interface:port to listen on, defaults to :8443 which listens on all interfaces port 8443. tls must be set for this to take effect.
tls | TLS Server | No | Server TLS configuration.
extra_headers | map | No | Extra headers to add to each response, map key is the header name and value is the header value. Available since 1.4.1.

Example (YAML):

server:
  url: 'https://cp.demo.nats.io'
  tls:
    cert_file: '/etc/syn-cp/cert.pem'
    key_file: '/etc/syn-cp/key.pem'
  extra_headers:
    Strict-Transport-Security: 'max-age=31536000; includeSubDomains; preload'
    X-Frame-Options: 'DENY'

KMS

KMS config

Key | Type | Required | Description
key_url | string | No | Supports KMS key URLs documented here, as well as: file:///path/to/file (read the secrets keeper URL from a file) and env://ENV_VAR_NAME (read the secrets keeper URL from an environment variable). Default is to generate a local encryption key at <data_dir>/encryption/enc.key.
rotated_key_urls | []string | No | List of keys that should be rotated to key_url. Same URL format as key_url.

Data Sources

External data sources

Key | Type | Required | Description
postgres | Postgres | No | Connect to an external PostgreSQL database.
prometheus | Prometheus | No | Connect to an external Prometheus.

Postgres

Key | Type | Required | Description
dsn | string | Yes | Data Source Name, example - postgres://localhost:5432/mydb - all supported options.

Prometheus

Key | Type | Required | Description
url | string | Yes | Prometheus URL, example - https://user:pass@localhost.
tls | TLS Client | No | TLS Client options.
basic_auth | map | No | Basic auth credentials, map format is: username: string, password: string
bearer_token | string | No | Bearer token.

TLS Common

Key | Type | Required | Description
min_version | enum | No | TLS1.0, TLS1.1, TLS1.2 (default), or TLS1.3.

TLS Server

Supports all options from TLS Common, plus:

Key | Type | Required | Description
cert_file | string | Yes | Path to PEM-encoded x509 server certificate.
key_file | string | Yes | Path to PEM-encoded x509 server private key.
ca_file | string | No | Path to PEM-encoded x509 CA certificate. When supplied, client certificates will be validated against this CA.
client_auth_type | enum | No | Client certificate authentication type, valid options are:
  • NoClientCert - do not require client certs (default when ca_file is not set)
  • RequireAndVerifyClientCert - require and validate client certs (default when ca_file is set)

TLS Client

Supports all options from TLS Common, plus:

Key | Type | Required | Description
cert_file | string | No | Path to PEM-encoded x509 client certificate.
key_file | string | No | Path to PEM-encoded x509 client private key.
ca_file | string | No | Path to PEM-encoded x509 CA certificate. When supplied, the server certificate will be validated against this CA certificate.
insecure_skip_verify | boolean | No | Skip verifying server certificate, defaults to false.
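
Added example (not part of the Synadia documentation or product code): because files passed with -c are merged with the right-most taking precedence, a hardening review has to look at the merged result rather than at each file alone. This Python sketch assumes "merge-patch" means RFC 7396 JSON Merge Patch, uses constructed sample files, and checks only keys documented on this page; the function names are hypothetical.

```python
import json
from functools import reduce

# Constructed sample files, in the order they would follow -c (right-most wins).
BASE = json.loads("""{
  "server": {"url": "https://cp.example.test",
             "tls": {"cert_file": "/etc/syn-cp/cert.pem",
                     "key_file": "/etc/syn-cp/key.pem", "min_version": "TLS1.3"}},
  "data_sources": {"prometheus": {"url": "https://prom.example.test",
                                  "tls": {"ca_file": "/etc/syn-cp/ca.pem"}}}
}""")
OVERRIDE = json.loads("""{
  "server": {"tls": {"min_version": "TLS1.0"}},
  "data_sources": {"prometheus": {"tls": {"insecure_skip_verify": true}}}
}""")

def merge_patch(target, patch):
    """RFC 7396 semantics (assumed): objects merge, null deletes, anything else replaces."""
    if not isinstance(patch, dict):
        return patch
    merged = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            merged.pop(key, None)
        else:
            merged[key] = merge_patch(merged.get(key), value)
    return merged

def effective_config(files):
    """Fold the files left to right so later files override earlier ones."""
    return reduce(merge_patch, files, {})

def audit(cfg):
    """Return findings for weakened TLS settings in the merged config."""
    findings = []
    server_tls = cfg.get("server", {}).get("tls")
    prom_tls = cfg.get("data_sources", {}).get("prometheus", {}).get("tls")
    if not server_tls:
        findings.append("server.tls: not set, HTTPS listener disabled")
    for path, tls in (("server.tls", server_tls), ("data_sources.prometheus.tls", prom_tls)):
        if tls and tls.get("min_version") in ("TLS1.0", "TLS1.1"):
            findings.append(f"{path}.min_version: {tls['min_version']} is below TLS1.2")
        if tls and tls.get("insecure_skip_verify"):
            findings.append(f"{path}.insecure_skip_verify: server certificate not verified")
    return findings

if __name__ == "__main__":
    for finding in audit(effective_config([BASE, OVERRIDE])):
        print(finding)
```

The base file passes the audit on its own; the two findings appear only once the override is merged, and under the assumed semantics an override of "tls": null would remove the server TLS block entirely.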