-
-
Notifications
You must be signed in to change notification settings - Fork 2
/
config.sample.yaml
161 lines (136 loc) · 6.29 KB
/
config.sample.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
## azureClientId (string)
## Description:
## Client ID of the Azure AD application
## Required
azureClientId:
## azureTenantId (string)
## Description:
## Tenant ID of the Azure AD application.
## Required
azureTenantId:
## webhookUrl (string)
## Description:
## Endpoint of the webhook, where notifications are sent to.
## Required
webhookUrl:
## webhookFormat (string)
## Description:
## The format for the webhook.
## Currently, these values are supported:
##
## - `plain`: sends a webhook with content type `text/plain`, where the request's body is the entire message
## - `slack`: for usage with Slack or Slack-compatible endpoints
## - `discord`: for usage with Discord (sends Slack-compatible messages)
## Default: "plain"
#webhookFormat:
## webhookKey (string)
## Description:
## Value for the Authorization header send with the webhook request. Set this if your webhook requires it.
#webhookKey:
## baseUrl (string)
## Description:
## The URL your application can be reached at. This is used in the links that are sent in webhook notifications.
## This is optional, but recommended.
## Default: `https://localhost:<port>` if TLS is enabled, or `http://localhost:<port>` otherwise
#baseUrl:
## port (number)
## Description:
## Port to bind to.
## Default: 8080
#port:
## bind (string)
## Description:
## Address/interface to bind to.
## Default: "0.0.0.0"
#bind:
## tlsPath (string)
## Description:
## Path where to load TLS certificates from. Within the folder, the files must be named `tls-cert.pem` and `tls-key.pem`. Revaulter watches for changes in this folder and automatically reloads the TLS certificates when they're updated.
## If empty, certificates are loaded from the same folder where the loaded `config.yaml` is located.
## Default: the same folder as the `config.yaml` file
#tlsPath:
## tlsCertPEM (string)
## Description:
## Full, PEM-encoded TLS certificate. Using `tlsCertPEM` and `tlsKeyPEM` is an alternative method of passing TLS certificates than using `tlsPath`.
#tlsCertPEM:
## tlsKeyPEM (string)
## Description:
## Full, PEM-encoded TLS key. Using `tlsCertPEM` and `tlsKeyPEM` is an alternative method of passing TLS certificates than using `tlsPath`.
#tlsKeyPEM:
## allowedIps (list of strings)
## Description:
## If set, allows connections to the APIs only from the IPs or ranges set here. You can set individual IP addresses (IPv4 or IPv6) or ranges in the CIDR notation, and you can add multiple values separated by commas. For example, to allow connections from localhost and IPs in the `10.x.x.x` range only, set this to: `127.0.0.1,10.0.0.0/8`.
## Note that this value is used to restrict connections to the `/request` endpoints only. It does not restrict the endpoints used by administrators to confirm (or deny) requests.
#allowedIps:
## requestKey (string)
## Description:
## If set, clients need to provide this shared key in calls made to the `/request` endpoints, in the `Authorization` header.
## Note that this option only applies to calls to the `/request` endpoints. It does not apply to the endpoints used by administrators to confirm (or deny) requests.
#requestKey:
## origins (list of strings)
## Description:
## Lists of origins that are allowed for CORS. This should be a list of all URLs admins can access Revaulter at. Alternatively, set this to `*` to allow any origin (not recommended).
## Default: equal to the value of `baseUrl`
#origins:
## sessionTimeout (duration)
## Description:
## Timeout for sessions before having to authenticate again, as a Go duration. This cannot be more than 1 hour.
## Default: 5m
#sessionTimeout:
## requestTimeout (duration)
## Description:
## Default timeout for wrap and unwrap requests, as a Go duration. This is the default value, and can be overridden in each request.
## Default: 5m
#requestTimeout:
## enableMetrics (boolean)
## Description:
## Enable the metrics server which exposes a Prometheus-compatible endpoint `/metrics`.
## Default: false
#enableMetrics:
## metricsPort (number)
## Description:
## Port for the metrics server to bind to.
## Default: 2112
#metricsPort:
## metricsBind (string)
## Description:
## Address/interface for the metrics server to bind to.
## Default: "0.0.0.0"
#metricsBind:
## omitHealthCheckLogs (boolean)
## Description:
## If true, calls to the healthcheck endpoint (`/healthz`) are not included in the logs.
## Default: false
#omitHealthCheckLogs:
## tokenSigningKey (string)
## Description:
## String used as key to sign state tokens. If left empty, it will be randomly generated every time the app starts (recommended, unless you need user sessions to persist after the application is restarted).
## Default: randomly-generated when the application starts
#tokenSigningKey:
## cookieEncryptionKey (string)
## Description:
## String used as key to encrypt cookies. If left empty, it will be randomly generated every time the app starts (recommended, unless you need user sessions to persist after the application is restarted).
## Default: randomly-generated when the application starts
#cookieEncryptionKey:
## trustedRequestIdHeader (string)
## Description:
## String with the name of a header to trust as ID of each request. The ID is included in logs and in responses as `X-Request-ID` header.
## Common values can include:
##
## - `X-Request-ID`: a [de-facto standard](https://http.dev/x-request-id ) that's vendor agnostic
## - `CF-Ray`: when the application is served by a [Cloudflare CDN](https://developers.cloudflare.com/fundamentals/get-started/reference/cloudflare-ray-id/)
##
## If this option is empty, or if it contains the name of a header that is not found in an incoming request, a random UUID is generated as request ID.
#trustedRequestIdHeader:
## forceSecureCookies (boolean)
## Description:
## If true, forces all cookies to be set with the "secure" option, so they are only sent by clients on HTTPS requests.
## When false (the default), cookies are set as "secure" only if the current request being served is using HTTPS.
## When Revaulter is running behind a proxy that performs TLS termination, this option should normally be set to true.
## Default: false
#forceSecureCookies:
## logLevel (string)
## Description:
## Controls log level and verbosity. Supported values: `debug`, `info` (default), `warn`, `error`.
## Default: "info"
#logLevel: