Configuration

The following configuration file formats are supported:

Files ending in .cue - parsed as CUE
Files ending in .json - parsed as JSON
Files ending in .yaml or .yml - parsed as YAML

If no config file is specified, the server will attempt to load one in the current working directory named syn-cp.[cue|json|yaml|yml]

Multiple config files can be supplied with the -c or --config flag. They are merged using the merge-patch strategy in-order with the right-most file taking precedence.

Base Configuration

Key	Type	Required	Description
`server`	Server	No	Control Plane HTTP(S) server options.
`kms`	KMS	No	KMS options for encrypting secrets.
`data_sources`	Data Sources	No	External database connections.
`authentication`	Authentication	No	Controls how users authenticate to Control Plane.
`authorization`	Authorization	No	Controls authorization defaults, roles, and policies.
`logging`	Logging	No	Controls log levels and logging destinations.
`data_dir`	string	No	Location of data directory, defaults to `./data` in current working directory.

Server

Key	Type	Required	Description
`url`	string	No	URL where Control Plane server will be accessed, defaults to `http://localhost:8080` or `https://localhost:8443` if TLS is enabled.
`http_addr`	string	No	HTTP interface:port to listen on, defaults to `:8080` which listens on all interfaces port 8080. When `tls` is set, this will 301 redirect to `server.url`.
`https_addr`	string	No	HTTPS interface:port to listen on, defaults to `:8443` which listens on all interfaces port 8443. `tls` must be set for this to take effect.
`tls`	TLS Server	No	Server TLS configuration

Example (YAML):

server:
  url: 'https://cp.demo.nats.io'
  tls:
    cert_file: '/etc/syn-cp/cert.pem'
    key_file: '/etc/syn-cp/key.pem'

KMS

KMS config

Key	Type	Required	Description
`key_url`	string	No	Supports KMS key URLs documented here, as well as: `file:///path/to/file` - read the secrets keeper URL from a file `env://ENV_VAR_NAME` - read the secrets keeper URL from an Environment Variable Default is to generate a local encryption key at `<data_dir>/encryption/enc.key`.
`rotated_key_urls`	[]string	No	List of keys that should be rotated to `key_url`. Same URL format as `key_url`.

Data Sources

External data sources

Key	Type	Required	Description
`postgres`	Postgres	No	Connect to an external PostgreSQL database.
`prometheus`	Prometheus	No	Connect to an external Prometheus.

Postgres

Key	Type	Required	Description
`dsn`	string	Yes	Data Source Name, example - `postgres://localhost:5432/mydb` - all supported options.

Prometheus

Key	Type	Required	Description
`url`	string	Yes	Prometheus URL, example - `https://user:pass@localhost`.
`tls`	TLS Client	No	TLS Client options.
`basic_auth`	map	No	Basic auth credentials, map format is: `username: string password: string`
`bearer_token`	string	No	Bearer token.

TLS Common

Key	Type	Required	Description
`min_version`	enum	No	`TLS1.0`, `TLS1.1`, `TLS1.2` (default), or `TLS1.3`.

TLS Server

Supports all options from TLS Common, plus:

Key	Type	Required	Description
`cert_file`	string	Yes	Path to PEM-encoded x509 server certificate.
`key_file`	string	Yes	Path to PEM-encoded x509 server private key.
`ca_file`	string	No	Path to PEM-encoded x509 CA certificate. When supplied, client certificates will be validated against this CA.
`client_auth_type`	enum	No	Client certificate authentication type, valid options are: `NoClientCert` - do not require client certs (default when `ca_file` is not set) `RequireAndVerifyClientCert` - require and validate client certs (default when `ca_file` is set)

TLS Client

Supports all options from TLS Common, plus:

Key	Type	Required	Description
`cert_file`	string	No	Path to PEM-encoded x509 client certificate.
`key_file`	string	No	Path to PEM-encoded x509 client private key.
`ca_file`	string	No	Path to PEM-encoded x509 CA certificate. When supplied, the server certificate will be validated against this CA certificate.
`insecure_skip_verify`	boolean	No	Skip verifying server certificate, defaults to `false`.