Synadia Platform
Configuration
The following configuration file formats are supported:
- Files ending in .cue - parsed as CUE
- Files ending in .json - parsed as JSON
- Files ending in .yaml or .yml - parsed as YAML
If no config file is specified, the server will attempt to load one in the current working directory named syn-cp.[cue|json|yaml|yml]
Multiple config files can be supplied with the -c or --config flag. They are merged using the merge-patch strategy in order, with the right-most file taking precedence.
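The in-order merge described above, as an added example in Python (not syn-cp's own loader). It assumes "merge-patch" means RFC 7386 JSON Merge Patch semantics: objects merge recursively, a null value deletes a key, and any other value (a list included) replaces what was there. The three sample files and their contents are constructed for the example.

```python
"""Merge several syn-cp config documents left to right so the last one wins.
Added example; RFC 7386 merge-patch semantics are an assumption."""
import copy
import json
from typing import Any, Dict, List


def merge_patch(target: Any, patch: Any) -> Any:
    """Apply one RFC 7386 merge patch to target and return a new value."""
    if not isinstance(patch, dict):
        # Scalars and lists replace the target wholesale; lists are not merged.
        return copy.deepcopy(patch)
    if not isinstance(target, dict):
        target = {}
    result = copy.deepcopy(target)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null removes the key from the merged result
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def effective_config(documents: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Fold documents in the order given; the right-most document takes precedence."""
    merged: Dict[str, Any] = {}
    for doc in documents:
        merged = merge_patch(merged, doc)
    return merged


# Constructed sample files, as they might be passed with
# `syn-cp -c base.json -c tls.json -c local.json` (left-to-right order assumed).
BASE_JSON = """
{"server": {"http_addr": ":8080",
            "extra_headers": {"X-Frame-Options": "DENY"}},
 "data_dir": "./data"}
"""
TLS_JSON = """
{"server": {"url": "https://cp.example.internal",
            "tls": {"cert_file": "/etc/syn-cp/cert.pem",
                    "key_file": "/etc/syn-cp/key.pem"},
            "extra_headers": {"Strict-Transport-Security": "max-age=31536000"}}}
"""
LOCAL_JSON = """
{"server": {"tls": {"min_version": "TLS1.3"},
            "extra_headers": {"X-Frame-Options": null}},
 "data_dir": "/var/lib/syn-cp"}
"""


def load_effective_config(*texts: str) -> Dict[str, Any]:
    """Parse each JSON text and merge them in argument order."""
    return effective_config([json.loads(t) for t in texts])


if __name__ == "__main__":
    print(json.dumps(load_effective_config(BASE_JSON, TLS_JSON, LOCAL_JSON), indent=2))
```

Note that precedence is positional: passing the same files in the opposite order yields a different effective configuration, and a null in an earlier file cannot delete a key that a later file sets.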
Base Configuration
Key | Type | Required | Description |
---|---|---|---|
server | Server | No | Control Plane HTTP(S) server options. |
kms | KMS | No | KMS options for encrypting secrets. |
data_sources | Data Sources | No | External database connections. |
authentication | Authentication | No | Controls how users authenticate to Control Plane. |
authorization | Authorization | No | Controls authorization defaults, roles, and policies. |
logging | Logging | No | Controls log levels and logging destinations. |
data_dir | string | No | Location of data directory, defaults to ./data in current working directory. |
Server
Key | Type | Required | Description |
---|---|---|---|
url | string | No | URL where Control Plane server will be accessed, defaults to http://localhost:8080 or https://localhost:8443 if TLS is enabled. |
http_addr | string | No | HTTP interface:port to listen on, defaults to :8080 which listens on all interfaces port 8080. When tls is set, this will 301 redirect to server.url. |
https_addr | string | No | HTTPS interface:port to listen on, defaults to :8443 which listens on all interfaces port 8443. tls must be set for this to take effect. |
tls | TLS Server | No | Server TLS configuration |
extra_headers | map | No | Extra headers to add to each response, map key is the header name and value is the header value. Available since 1.4.1 |
Example (YAML):
```yaml
server:
  url: 'https://cp.demo.nats.io'
  tls:
    cert_file: '/etc/syn-cp/cert.pem'
    key_file: '/etc/syn-cp/key.pem'
  extra_headers:
    Strict-Transport-Security: 'max-age=31536000; includeSubDomains; preload'
    X-Frame-Options: 'DENY'
```
KMS
KMS config
Key | Type | Required | Description |
---|---|---|---|
key_url | string | No | Supports KMS key URLs documented here, as well as: file:///path/to/file - read the secrets keeper URL from a file; env://ENV_VAR_NAME - read the secrets keeper URL from an environment variable. Default is to generate a local encryption key at <data_dir>/encryption/enc.key. |
rotated_key_urls | []string | No | List of keys that should be rotated to key_url. Same URL format as key_url. |
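The file:// and env:// indirections in the table above, resolved in Python as an added example (not syn-cp's own code). How syn-cp itself treats surrounding whitespace in the file is not documented here, so stripping it is an assumption; the keeper URLs, file name and environment variable name in the demo are constructed placeholders.

```python
"""Resolve kms.key_url and kms.rotated_key_urls entries to the keeper URL they
point at. Added example, not part of syn-cp; whitespace stripping is assumed."""
import os
import tempfile
from pathlib import Path
from typing import Any, Dict, Mapping
from urllib.parse import urlparse


def resolve_key_url(value: str, env: Mapping[str, str] = os.environ) -> str:
    """Return the secrets keeper URL that one key_url-style entry refers to."""
    parsed = urlparse(value)
    if parsed.scheme == "file":
        # file:///etc/syn-cp/kms.url -> parsed.path == "/etc/syn-cp/kms.url" (POSIX paths)
        return Path(parsed.path).read_text(encoding="utf-8").strip()
    if parsed.scheme == "env":
        # env://SYN_CP_KMS_URL -> parsed.netloc == "SYN_CP_KMS_URL"
        name = parsed.netloc or parsed.path.lstrip("/")
        if name not in env:
            raise KeyError(f"key_url references unset environment variable {name!r}")
        return env[name]
    # Any other scheme is already a keeper URL and is used as-is.
    return value


def resolve_kms(kms: Dict[str, Any], env: Mapping[str, str] = os.environ) -> Dict[str, Any]:
    """Resolve key_url and every rotated_key_urls entry; other keys pass through."""
    out: Dict[str, Any] = dict(kms)
    if "key_url" in kms:
        out["key_url"] = resolve_key_url(kms["key_url"], env)
    out["rotated_key_urls"] = [resolve_key_url(u, env) for u in kms.get("rotated_key_urls", [])]
    return out


def demo() -> Dict[str, Any]:
    """Constructed scenario: the active keeper URL lives in a file, the key being
    rotated out is named by an environment variable."""
    with tempfile.TemporaryDirectory() as tmp:
        url_file = Path(tmp) / "kms.url"
        # Editors usually leave a trailing newline; it must not become part of the URL.
        url_file.write_text("awskms://alias/example-cp-key\n", encoding="utf-8")
        fake_env = {"SYN_CP_OLD_KMS_URL": "awskms://alias/example-cp-key-previous"}
        kms_section = {
            "key_url": url_file.as_uri(),
            "rotated_key_urls": ["env://SYN_CP_OLD_KMS_URL"],
        }
        return resolve_kms(kms_section, fake_env)


if __name__ == "__main__":
    print(demo())
```

Keeping the keeper URL in a file or environment variable, rather than inline in the config, keeps credentials-bearing URLs out of config files that are checked into version control or shared between environments.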
Data Sources
External data sources
Key | Type | Required | Description |
---|---|---|---|
postgres | Postgres | No | Connect to an external PostgreSQL database. |
prometheus | Prometheus | No | Connect to an external Prometheus. |
Postgres
Key | Type | Required | Description |
---|---|---|---|
dsn | string | Yes | Data Source Name, example - postgres://localhost:5432/mydb - all supported options. |
Prometheus
Key | Type | Required | Description |
---|---|---|---|
url | string | Yes | Prometheus URL, example - https://user:pass@localhost. |
tls | TLS Client | No | TLS Client options. |
basic_auth | map | No | Basic auth credentials, map format is: |
bearer_token | string | No | Bearer token. |
TLS Common
Key | Type | Required | Description |
---|---|---|---|
min_version | enum | No | TLS1.0, TLS1.1, TLS1.2 (default), or TLS1.3. |
TLS Server
Supports all options from TLS Common, plus:
Key | Type | Required | Description |
---|---|---|---|
cert_file | string | Yes | Path to PEM-encoded x509 server certificate. |
key_file | string | Yes | Path to PEM-encoded x509 server private key. |
ca_file | string | No | Path to PEM-encoded x509 CA certificate. When supplied, client certificates will be validated against this CA. |
client_auth_type | enum | No | Client certificate authentication type, valid options are: |
TLS Client
Supports all options from TLS Common, plus:
Key | Type | Required | Description |
---|---|---|---|
cert_file | string | No | Path to PEM-encoded x509 client certificate. |
key_file | string | No | Path to PEM-encoded x509 client private key. |
ca_file | string | No | Path to PEM-encoded x509 CA certificate. When supplied, the server certificate will be validated against this CA certificate. |
insecure_skip_verify | boolean | No | Skip verifying server certificate, defaults to false. |
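As an added example (not part of syn-cp), the following Python linter walks an effective configuration, loaded into a dict from any of the file formats above, and flags the weaker choices the Server, TLS Common and TLS Client tables permit: a missing server.tls, a min_version below TLS1.2, insecure_skip_verify on the Prometheus client, a missing Strict-Transport-Security header, and credentials embedded in the Prometheus URL. The three sample configurations are constructed; the cert paths and host names are placeholders.

```python
"""Audit an effective syn-cp config dict for weak TLS settings.
Added example, not syn-cp code; only keys documented on this page are checked."""
from typing import Any, Dict, List
from urllib.parse import urlparse

WEAK_MIN_VERSIONS = {"TLS1.0", "TLS1.1"}


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return one human-readable finding per weak setting; empty list if none."""
    findings: List[str] = []
    server = cfg.get("server") or {}
    tls = server.get("tls")
    if not tls:
        # Without server.tls only http_addr is served (default :8080), in plaintext.
        findings.append(f"server.tls: unset, so Control Plane serves plaintext HTTP on "
                        f"{server.get('http_addr', ':8080')}")
    else:
        if tls.get("min_version") in WEAK_MIN_VERSIONS:
            findings.append(f"server.tls.min_version: {tls['min_version']} permits deprecated protocol versions")
        headers = server.get("extra_headers") or {}
        if "Strict-Transport-Security" not in headers:
            findings.append("server.extra_headers: no Strict-Transport-Security header, so the "
                            "301 redirect from http_addr is the only thing keeping browsers on TLS")
    prom = (cfg.get("data_sources") or {}).get("prometheus")
    if prom:
        ptls = prom.get("tls") or {}
        if ptls.get("insecure_skip_verify"):
            findings.append("data_sources.prometheus.tls.insecure_skip_verify: true disables "
                            "server certificate validation; set ca_file instead for a private CA")
        if ptls.get("min_version") in WEAK_MIN_VERSIONS:
            findings.append(f"data_sources.prometheus.tls.min_version: {ptls['min_version']} "
                            "permits deprecated protocol versions")
        if "@" in urlparse(prom.get("url", "")).netloc:
            findings.append("data_sources.prometheus.url: credentials embedded in the URL; the "
                            "basic_auth or bearer_token options keep them out of URL strings")
    return findings


# Constructed sample configurations (values are placeholders).
WEAK_CONFIG: Dict[str, Any] = {
    "server": {
        "url": "https://cp.example.internal",
        "tls": {"cert_file": "/etc/syn-cp/cert.pem", "key_file": "/etc/syn-cp/key.pem",
                "min_version": "TLS1.0"},
    },
    "data_sources": {
        "prometheus": {"url": "https://metrics:s3cret@prom.example.internal",
                       "tls": {"insecure_skip_verify": True}},
    },
}
HARDENED_CONFIG: Dict[str, Any] = {
    "server": {
        "url": "https://cp.example.internal",
        "tls": {"cert_file": "/etc/syn-cp/cert.pem", "key_file": "/etc/syn-cp/key.pem",
                "min_version": "TLS1.2"},
        "extra_headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "X-Frame-Options": "DENY",
        },
    },
    "data_sources": {
        "prometheus": {"url": "https://prom.example.internal",
                       "tls": {"ca_file": "/etc/syn-cp/prom-ca.pem", "min_version": "TLS1.2"}},
    },
}
PLAINTEXT_CONFIG: Dict[str, Any] = {"server": {"http_addr": ":8080"}}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("plaintext", PLAINTEXT_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against the merged result of all -c files rather than any single file, since a later file can override min_version or insecure_skip_verify set in an earlier one.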