- Service configuration structure
- Default configuration
The Tekton loads configuration data from a file (typically backed by a Kubernetes config map). The location of the configuration file is sourced from an environment variable. If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.
Service configuration structure
The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.
Tekton uses its service instance name and replica ID for communication with other services and load balancing across replicas (for example, see 3/ISM). You can control the values with the following configuration options:
service: instance: name: <string> # Service instance name, should be unique cluster-wide. "tekton" by default. replica.id: <string> # Service instance replica ID, should be unique cluster-wide. Random string by default. graceful-shutdown: <uint> # Allowed service graceful shutdown period in seconds. 30 seconds by default.
Tekton manages configuration of service instances defined by the below option.
kaa: service-instances: <map of service instances> # Map of service instance names that receive configuration from Tekton. Required. <service-instance-name>: # Service instance name. serviceName: <string> # Service name. serviceGroup: <string> # Service group name ("Communication", "Identity management", etc.). description: <string> # Service instance description. urlPrefix: <string> # Service instance REST API URL prefix (where applicable). appConfigurationSchema: <json> # Service application-specific configuration JSON schema. appVersionConfigurationSchema: <json> # Service application version-specific configuration JSON schema.
Tekton can automatically generate application names on creation.
kaa: tekton: app-names: auto-generation: enabled: <boolean> # Enables application name auto-generation on creation via the REST API. False by default.
The REST API server is controlled with the following options.
server: port: <integer> # Server port used to expose the REST API at, 80 by default.
Data persistence interface
Tekton uses MongoDB for persisting configuration data.
kaa: mongodb: name: <string> # MongoDB database name. "tekton" by default. url: <string> # MongoDB URL. "mongodb://mongodb:27017" by default. user: <string> # MongoDB user (see note below) password: <string> # MongoDB password (see note below)
NOTE For security reasons, username and password must be sourced from the environment variables.
The below parameters configure Tekton’s connection to NATS. Note that for security reasons NATS username and password are sourced from the environment variables.
nats: urls: <comma separated list of URL> # NATS connection URLs. "nats://nats:4222" by default.
Authentication, authorization, and multi-tenancy
Tekton supports two integrations for security:
- OAuth2 protocol with a UMA profile. Enabled when
- iamcore. Enabled when both
OAuth2 with UMA profile
Authentication and authorization is handled within the scope of a given Kaa tenant. Each tenant has a separate OAuth 2.0 issuer, managed by the Kaa Tenant Manager. When multi-tenancy is disabled, all authentication and authorization is conducted in the default system tenant (“kaa”).
Tekton OAuth2 with UMA profile security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).
kaa: security: enabled: <boolean> # Enables authentication and authorization. False by default. issuer: public-url: <string> # OAuth 2.0 issuer public URL for the system tenant ("kaa"). private-url: <string> # OAuth 2.0 issuer private URL for the system tenant ("kaa"). client-id: <string> # Client ID for making requests in the system tenant scope. client-secret: <string> # Client secret for making requests in the system tenant scope. multitenancy: enabled: <boolean> # Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when kaa.security.enabled is set to true. False by default. tenant-manager: url: <string> # URL of the Kaa Tenant Manager that provides security configurations for tenants. "http://tenant-manager" by default.
Authentication and authorization is handled by iamcore.
Tekton iamcore security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).
kaa: security: enabled: <boolean> # Enables authentication and authorization. False by default. iamcore: enabled: <boolean> # Enables iamcore integration. False by default. api-key: <string> # iamcore API KEY url: <string> # iamcore server URL. "https://cloud.iamcore.io" by default. application: <string> # iamcore application. "kaa" by default accountId: <string> # iamcore account ID.
To control the Tekton management interface, use the following configuration options.
service.monitoring: disabled: <boolean> # Disables the monitoring interface entirely. False by default (enabled). port: <uint> # TCP port to expose the monitoring server on. 8080 by default.
Tekton writes logs to
By default, the service only produces logs at startup, shutdown, or in case of errors.
To enable debug level logging, use the following option:
service: debug: <boolean> # Enables debug level logging, false by default (disabled).
Keep in mind that enabling debug level logging will produce significantly more log output and degrade the service performance.
Summarizing the above, the default Tekton configuration is as follows. Note that no Kaa service instances are defined by default—you have to configure those for any specific Kaa-based solution.
service: instance: name: "tekton" replica.id: "<random string generated on boot>" graceful-shutdown: 30 monitoring: disabled: false port: 8080 debug: false server.port: 80 kaa: mongodb: name: "tekton" url: "mongodb://mongodb:27017" security.enabled: false nats.urls: "nats://nats:4222"