- Service configuration structure
The CCM loads configuration data from a file (typically backed by a Kubernetes config map). The location of the configuration file is sourced from an environment variable. If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.
Service configuration structure
The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.
CCM uses its service instance name and replica ID for communication with other services and load balancing across replicas (for example, see 3/ISM). You can control the values with the following configuration options:
service: instance: name: <string> # Service instance name, should be unique cluster-wide. "ccm" by default. replica.id: <string> # Service instance replica ID, should be unique cluster-wide. Random string by default. graceful-shutdown: <uint> # Allowed service graceful shutdown period in seconds. 30 seconds by default.
The REST API server is controlled with the following options.
server: port: <integer> # Server port used to expose the REST API at, 80 by default.
The NATS-based Client Authentication Protocol (22/CAP) has the following configuration options:
kaa: cap: provider: basic: # Basic client authentication interface configuration. concurrency: <uint> # Request processing concurrency, 8 by default. queue-length: <uint> # Maximum allowed request queue length; 16*concurrency by default.
Data persistence interface
CCM uses PostgreSQL for persisting client credentials metadata.
The following values configure the CCM persistence:
kaa: postgresql: host: <string> # PostgreSQL host. "ccm-postgresql" by default. Also can be set with the KAA_POSTGRESQL_HOST environment variable. port: <int> # PostgreSQL port. 5432 by default. Also can be set with the KAA_POSTGRESQL_PORT environment variable. username: <string> # PostgreSQL username. "ccm" by default. Also can be set with the KAA_POSTGRESQL_USERNAME environment variable. password: <string> # PostgreSQL password. "ccm" by default. Also can be set with the KAA_POSTGRESQL_PASSWORD environment variable. database: <string> # PostgreSQL database. "ccm" by default. Also can be set with the KAA_POSTGRESQL_DATABASE environment variable. sslMode: <string> # PostgreSQL SSL mode ("disable", "require", "verify-ca", "verify-full"). "disable" by default. Also can be set with the KAA_POSTGRESQL_SSL_MODE environment variable. max-open-connections: <int> # Maximum number of open connections to PostgreSQL. 100 by default. Also can be set with the KAA_POSTGRESQL_MAX_OPEN_CONNECTIONS environment variable.
The below parameters configure CCM’s connection to NATS. Note that for security reasons NATS username and password are sourced from the environment variables.
nats: urls: <comma separated list of URL> # NATS connection URLs.
Authentication, authorization, and multi-tenancy
CCM supports two integrations for security:
- OAuth2 protocol with a UMA profile. Enabled when
- iamcore. Enabled when both
OAuth2 with UMA profile
Authentication and authorization is handled within the scope of a given Kaa tenant. Each tenant has a separate OAuth 2.0 issuer, managed by the Kaa Tenant Manager. When multi-tenancy is disabled, all authentication and authorization is conducted in the default system tenant (“kaa”).
CCM OAuth2 with UMA profile security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).
kaa: security: enabled: <boolean> # Enables authentication and authorization. False by default. issuer: public-url: <string> # OAuth 2.0 issuer public URL for the system tenant ("kaa"). private-url: <string> # OAuth 2.0 issuer private URL for the system tenant ("kaa"). client-id: <string> # Client ID for making requests in the system tenant scope. client-secret: <string> # Client secret for making requests in the system tenant scope. multitenancy: enabled: <boolean> # Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when kaa.security.enabled is set to true. False by default. tenant-manager: url: <string> # URL of the Kaa Tenant Manager that provides security configurations for tenants. "http://tenant-manager" by default.
Authentication and authorization is handled by iamcore.
CCM iamcore security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).
kaa: security: enabled: <boolean> # Enables authentication and authorization. False by default. iamcore: enabled: <boolean> # Enables iamcore integration. False by default. api-key: <string> # iamcore API KEY url: <string> # iamcore server URL. "https://cloud.iamcore.io" by default. application: <string> # iamcore application. "kaa" by default
To control the CCM management interface, use the following configuration options.
service.monitoring: disabled: <boolean> # Disables the monitoring interface entirely. False by default (enabled). port: <uint> # TCP port to expose the monitoring server on. 8080 by default.
CCM writes logs to
By default, the service only produces logs at startup, shutdown, or in case of errors.
To enable debug level logging, use the following option:
service: debug: <boolean> # Enables debug level logging, false by default (disabled).
Keep in mind that enabling debug level logging will produce significantly more log output and degrade the service performance.