Deployment and Operations

Cloudentity Platform Configuration Reference

Regardless of the deployment type you run, the Cloudentity platform shares a common configuration reference that can be used to adjust the platform settings to your business needs. The values shown below are the reference defaults: several of them (keys, secrets, salts, database URLs) are development placeholders and must be replaced before the platform is exposed to real traffic.

# logging
logging:
    level: info # logging level (panic, fatal, error, warn, info, debug, trace); debug/trace are verbose — review what they emit for credentials or tokens before enabling outside development
# http server
server:
    system_tenant: system # name of the system tenant
    url: https://localhost:8443 # server url template
    mtls_url: "" # mtls server url template
    vanity_url_template: "" # vanity url template (https://{{vanityID}}.vanity.cloudentity.io)
    assets_url: "" # url template to cdn with static files
    grpc_url: localhost:9443 # grpc url
    port: 8443 # http server port
    grpc_port: 9443 # grpc server port
    do_not_print_audit_logs_for_static_files: true # do not print audit logs for static files
    timeout: 10s # http server timeout
    etag_backoff: 200ms # etag backoff duration
    etag_retries: 25 # max number of etag retries
    audit_logs: true # enable audit logs — keep enabled in production; they are the record of admin and authentication activity
    http_logs: false # enable http request and response logging — NOTE(review): full request/response logs will likely capture Authorization headers, cookies and token bodies; keep off outside development or confirm redaction first
    max_size_bytes: 1048576 # max size of http request body (1 MiB); bounds memory used per request — raise only for endpoints that genuinely need larger bodies
    dangerous_disable_tls: false # disable tls — plaintext HTTP, development only. If TLS is terminated at a proxy instead, the proxy-to-server hop must be on a trusted network
    disable_cache: false # disable cache
    disable_gzip: true # disable http gzip encoding
    disable_csrf: false # disable csrf protection — leave enabled; see also features.insecure_disable_csrf for the per-tenant flag
    disable_security: false # disable security middleware — presumably the `security` section below (security headers, HSTS, SSL redirect, allowed hosts); leave enabled in production
    client_auth_type: RequestClientCert # mtls http server client auth type — a Go tls.ClientAuthType name; RequestClientCert asks for a client certificate but does not require or verify it at the TLS layer, so certificate checks must happen in the application (confirm before relying on it)
    # http server tls
    certificate:
        password: "" # key passphrase — a secret; inject it from a secret store or the environment rather than committing it here
        cert_path: ./certs/srv/cert.pem # path to the certificate PEM file
        key_path: ./certs/srv/cert-key.pem # path to the key PEM file (restrict file permissions to the service user)
        cert: "" # base64 encoded cert PEM (alternative to cert_path)
        key: "" # base64 encoded key PEM (alternative to key_path) — private key material; treat the whole config as a secret if this is set
        generated_key_type: rsa # type for generated key if cert and key are not provided (rsa or ecda — "ecda" is probably a typo for ecdsa; confirm the accepted spelling). A generated certificate is a development convenience, not for production
    disable_monitoring: false # disable /metrics endpoint — if enabled, restrict who can reach /metrics
    http_metrics_per_tenant: false # enable http metrics per tenant
    disable_async_processing: false # disable async processing (streams,queue)
    # http security configuration (github.com/unrolled/secure)
    # NOTE(review): the hostsproxyheaders/sslproxyheaders entries below are trusted as-is. They are only safe when a fronting proxy
    # always overwrites them; otherwise a client can forge X-Forwarded-* to bypass the ssl redirect and the host check.
    security:
        browserxssfilter: true # sets the legacy X-XSS-Protection header (modern browsers ignore it; harmless)
        contenttypenosniff: true # X-Content-Type-Options: nosniff
        forcestsheader: false # per the library docs, when false the STS header is only sent on TLS connections (see sslproxyheaders)
        framedeny: true # X-Frame-Options: DENY — but see customframeoptionsvalue below
        isdevelopment: false # development mode relaxes the checks; never true in production
        sslredirect: true # redirect plain http to https
        sslforcehost: false
        ssltemporaryredirect: false # permanent (301) redirect when false
        stsincludesubdomains: true
        stspreload: true # HSTS preload directive — only meaningful once the domain is submitted to the preload list; it commits every subdomain to HTTPS
        # content security policy; $NONCE is presumably replaced per response. 'unsafe-eval' in script-src and 'unsafe-inline' in style-src
        # weaken the policy — tighten them if the deployed frontend no longer needs them, using contentsecuritypolicyreportonly to test changes first
        contentsecuritypolicy: |
            default-src 'self';
            script-src 'self' $NONCE 'unsafe-eval';
            worker-src 'self' 'strict-dynamic' $NONCE;
            style-src 'self' 'unsafe-inline' https:;
            font-src 'self' https:;
            img-src 'self' data: https:;
            connect-src 'self' wss:;
            frame-src 'self' https://www.google.com;
        contentsecuritypolicyreportonly: "" # a policy set here is sent as Content-Security-Policy-Report-Only (violations are reported, not blocked)
        custombrowserxssvalue: ""
        customframeoptionsvalue: SAMEORIGIN # explicit X-Frame-Options value; per the library a custom value takes precedence over framedeny — confirm which header is actually emitted
        publickey: "" # HPKP (Public-Key-Pins) — deprecated and removed from browsers; leave empty
        referrerpolicy: same-origin
        featurepolicy: ""
        permissionspolicy: ""
        crossoriginopenerpolicy: ""
        sslhost: ""
        allowedhosts: [] # Host header allowlist; empty allows any Host (library behaviour) — set the public hostnames in production to block Host-header injection
        allowedhostsareregex: false
        # request headers trusted to carry the original host when behind a proxy
        hostsproxyheaders:
            - X-Forwarded-Host
        sslhostfunc: null
        # request headers (and values) trusted to indicate the original scheme when behind a proxy
        sslproxyheaders:
            X-Forwarded-Proto: https
        stsseconds: 31536000 # HSTS max-age (one year)
        expectctheader: "" # Expect-CT is deprecated; leave empty
        securecontextkey: ""
    # cors configuration
    cors:
        # NOTE(review): '*' lets any web origin call the API from a browser; restrict this to the origins of your own frontends in production
        allowedorigins:
            - '*'
        allowedheaders:
            - Content-Type
            - Authorization
        allowedmethods:
            - GET
            - POST
            - PUT
            - DELETE
    # gateway authorizer packages
    # NOTE(review): when url is used, the basic auth password is a credential (inject it, do not commit it) and the url should be https.
    # The reference shows no checksum or signature field, so confirm how a downloaded package's integrity is verified before it is served.
    packages:
        apigeeedge:
            file: /enforcement/apigee-edge-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        apigeex:
            file: /enforcement/apigee-x-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        aws:
            file: /enforcement/cloudentity-mp-aws-gw-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        istio:
            file: /enforcement/istio-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        kong:
            file: /enforcement/kong-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        kusk:
            file: /enforcement/standalone-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        pyron:
            file: /enforcement/pyron-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        standalone:
            file: /enforcement/standalone-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
    # openbanking packages (same credential and integrity caveats as the gateway packages above)
    openbanking_packages:
        br:
            file: /packages/openbanking/openbanking-quickstart-br.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        cdr:
            file: /packages/openbanking/openbanking-quickstart-cdr.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        fdx:
            file: /packages/openbanking/openbanking-quickstart-fdx.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        uk:
            file: /packages/openbanking/openbanking-quickstart-uk.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
    templates_dir: ./web/templates # path to dir with templates
    static_dir: ./web/static # path to the dir with static files for templates
    app_static_dir: ./web/app/build/static # path to the dir with static files for react frontend app
    app_dir: ./web/app/build # path to the dir with react frontend app for acp
    swagger_dir: ./web/swagger # path to the dir with swagger ui
    swagger_path_template: ./api/handler/{{module}}.yaml # path to the swagger-{{module}}.yaml
    redirect_to_default_tenant: false # enable redirection to default tenant
    client_certificate_header: "" # default client http TLS certificate header name — set only when a trusted TLS-terminating proxy always sets or strips this header; otherwise a client can forge a certificate by sending the header itself
    client_certificate_format_header: X-SSL-CERT-FORMAT # format of tls certificate injected as a header
    region: default # The name of the region in which this node is running
    # public path prefix for openbanking brazil endpoints
    obbr_base_paths: []
    # external integrations configuration e.g. hubspot
    integrations:
        # hubspot configuration
        hubspot:
            enabled: false # enabled
            script_src: "" # script source — a third-party script loaded into the UI; it must be allowed by script-src in the CSP above and presumably runs with the page's privileges, so pin it to a trusted origin
        # Google Analytics configuration
        google_analytics:
            enabled: false # enabled
            measurement_id: "" # measurement id
# sql encryption secret
# NOTE(review): the key below is a placeholder from the reference; generate a fresh random key per deployment and supply it from a
# secret store. Losing it presumably makes encrypted rows unreadable, so keep a backup. The list form with ids presumably exists for
# rotation (add a new id, keep the old one until re-encryption is complete) — confirm the rotation procedure in the platform docs.
secrets:
    - id: "1" # secret id
      key: FmIQrzqf7dT57SjVH3g52SEVx45WH9pE # secret key (placeholder — replace)
# pbkdf2 secret hashing configuration
# NOTE(review): 4096 iterations is well below current guidance for PBKDF2 (OWASP recommends hundreds of thousands for HMAC-SHA-512);
# raise it as far as login latency allows. The salt is a single configured value — if it is the only salt applied, equal secrets hash
# equally and a database leak exposes them to precomputation; generate a random value per deployment and treat it as a secret.
# Changing any of these parameters presumably invalidates existing hashes — confirm before changing them on a live system.
hashing:
    number_of_iterations: 4096 # number of iterations
    key_length: 128 # key length (unit not stated — bits or bytes; confirm)
    salt: WuD0izLakS24Uyft65JP # salt (at least 8 characters) — placeholder, replace
    function: SHA-512 # SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512 (keep SHA-256 or stronger)
# system tenant
system:
    secret: n8HF35qzZkmsukHJzzz9LnN8m9Mf97uq # system client secret — placeholder; the system tenant is presumably the most privileged principal, so generate a long random value per deployment, supply it from a secret store and rotate it
# limits
limits:
    max_number_of_client_rotated_secrets: 1 # max number of client rotated secrets (presumably the number of previous secrets kept valid during rotation)
    # send otp per address global limit — throttles OTP delivery (delivery cost and enumeration abuse); keep enabled
    send_otp_limit:
        enabled: true # enable rate limiter
        period: 1m0s # period
        rate: 2 # rate (allowed sends per period)
        burst: 1 # max burst
    # limits for admin websocket notifications
    notifications:
        audit_event: 3s
        scope_grants: 3s
    batch_size: 1000
# brute force limits
# NOTE(review): each entry blocks after max_attempts failures for block_duration. The reference does not show what the counter is
# keyed on (user, client, address) — confirm, since it decides both how effective the limit is against distributed guessing and
# whether an attacker can lock out legitimate users. 1m is a short block; consider longer durations or progressive backoff for
# identity_authentication, mfa and client_authentication.
brute_force_limits:
    enabled: true # master switch — never disable in production
    mfa:
        max_attempts: 5
        block_duration: 1m0s
    client_authentication:
        max_attempts: 5
        block_duration: 1m0s
    device_handling:
        max_attempts: 5
        block_duration: 1m0s
    identity_code_inspect:
        max_attempts: 5
        block_duration: 1m0s
    identity_code_verify:
        max_attempts: 5
        block_duration: 1m0s
    identity_change_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_confirm_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_verify_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_registration:
        max_attempts: 5
        block_duration: 1m0s
    identity_set_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_self_register:
        max_attempts: 5
        block_duration: 1m0s
    identity_activate_self_registered:
        max_attempts: 5
        block_duration: 1m0s
    identity_activate_with_extended_code:
        max_attempts: 5
        block_duration: 1m0s
    identity_self_activation:
        max_attempts: 5
        block_duration: 1m0s
    identity_self_change_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_authentication:
        max_attempts: 5
        block_duration: 1m0s
# feature flags
# NOTE(review): per the existing comments, flags marked (system) apply platform-wide and (tenant) per tenant. Flags prefixed
# insecure_, plus dev_mode, demo_app and swagger_ui, are development conveniences and should be false in production.
features:
    planet_scale_authorization: false # enable planet scale authorization
    planet_scale_identity: false # enable planet scale identity
    block_non_vanity_domain_access: false # block access to tenant for traffic not originated from the vanity domain (consider enabling when vanity domains are in use, so each tenant is reachable only via its own hostname)
    initialize_demo_workspace: false # when enabled and the display_workspace_wizard feature flag is set to true, a demo workspace with a set of preconfigured IDPs is created and no welcome screen is displayed (tenant)
    integration_endpoints: false # enable global import and export configuration endpoints (system) — an exported configuration presumably contains secrets; restrict who can call these endpoints
    admin_workspace_access: true # enable admin workspace access (tenant)
    system_workspace_access: true # enable system workspace access (tenant) — the upstream comment read "admin", presumably a copy-paste
    dev_mode: false # reload templates and add local redirect urls to frontend apps (system) — development only
    demo_app: false # enable demo app endpoints (system) — see the demo section; keep false in production
    swagger_ui: false # enable swagger ui (system) — exposes the API description; keep false or restrict access in production
    script_transformer: false # enable the javascript transformer (tenant) — runs tenant-authored code, presumably via the faas provider; review the isolation boundary before enabling
    pyron_on_prem: false # enable when ACP is running on-prem and Pyron is used as a gateway (tenant)
    client_secrets_stored_as_one_way_hash: false # store client secrets as a one way hash (tenant) — when false, secrets are presumably stored reversibly so they can be shown again; the hashed form is the safer choice for new deployments, and switching is presumably one-way
    login_with_select_account: true # enable login with select_account param (tenant)
    ciba: false # enable ciba (system)
    quick_access: false # enable quick access functionality on UI (system)
    token_exchange: false # enable Token Exchange (system)
    token_exchange_delegation: false # enable Token Exchange Delegation (tenant)
    scope_transient_otp: false # enable scope transient_otp (tenant)
    extended_audit_events_retention: false # extended audit events retention (uses storage.audit_events.retention.extended_max_age instead of max_age)
    insecure_disable_csrf: false # INSECURE disable csrf (tenant) — leave false
    insecure_token_exchange_public_clients: false # enable insecure token exchange public clients (tenant) — lets unauthenticated (public) clients exchange tokens; leave false unless the threat model explicitly accepts it
    cloudentity_idp: false # enable Cloudentity IDP (tenant)
    openbanking_brasil_consents_v2: false # enable consents v2 apis for open banking brasil
    themes: false # enable Custom Branding Themes (tenant)
    saml: false # enable SAML (tenant)
    permissions: false # enable permissions
    cdr_disable_unique_software_id: false # disable unique software id for CDR — presumably relaxes a registration uniqueness check; leave false unless required
# http client (outbound requests — presumably to IDPs, package urls and integrations)
client:
    timeout: 5s # http client timeout
    retry_wait_min: 10ms # minimum time to wait between retries
    retry_wait_max: 100ms # maximum time to wait between retries
    retry_max: 2 # maximum number of retries
    root_ca: "" # root ca that this client should trust (defaults to system root ca); use this for private CAs instead of insecure_skip_verify
    insecure_skip_verify: false # disable cert verification — never true in production; every outbound TLS connection becomes interceptable
    disable_follow_redirects: false # disable follow redirects — when followed, a redirect from an external endpoint can steer the request to another host (including internal ones); consider disabling for calls to URLs you do not control
    disable_retry: false # disable retry
# sql client
sql:
    url: postgres://root@crdb:26257/defaultdb?sslmode=disable # sql connection url — development default: root user, no password, no TLS. In production use a dedicated least-privilege role, a password from a secret store and sslmode=verify-full
    type: "" # sql db type cockroachdb or postgresql
    # urls to replicas in primary/replica mode
    replicas: []
    max_open_conns: 8 # max number of open connection
    max_idle_conns: 0 # max number of idle connection
    # migrations configuration
    migrations:
        disable: false # disable migrations
        path: ./migrations # path to the migrations
        timeout: 1m0s # timeout for running migrations
        down: false # DANGEROUS run all migrations down (removes all data from the database) — never set in a persistent config; use it only as a deliberate one-off operation
    with_cockroachdb_enterprise: false # turn on cockroachdb enterprise features
    # garbage collection ttl per table (default 24h); 1h6m40s = 4000s. A short ttl shrinks the window in which deleted rows can still be recovered — presumably CockroachDB gc.ttlseconds; confirm
    gc:
        audit_events: 1h6m40s
        refresh_tokens: 1h6m40s
# timescale client
timescale:
    enabled: false # enable timescaledb
    url: postgres://postgres:password@timescale/acp?sslmode=disable # sql connection url — development default with an inline password and no TLS; in production inject the credential from a secret store and use sslmode=verify-full
    # urls to replicas in primary/replica mode
    replicas: []
    max_open_conns: 8 # max number of open connection
    max_idle_conns: 0 # max number of idle connection
    # migrations configuration
    migrations:
        disable: false # disable migrations
        path: ./migrations/timescale # path to the migrations
        timeout: 1m0s # timeout for running migrations
        down: false # DANGEROUS run all migrations down (removes all data from the database) — never set in a persistent config
# spicedb client
spicedb:
    enabled: false # enable spicedb
    url: spicedb:50051 # spicedb endpoint url
    token: secret # bearer token — placeholder preshared key; replace with a random value supplied from a secret store and match it on the spicedb side
    ca: "" # path to the root ca (set this for a private CA rather than skipping verification)
    insecure_skip_verify: false # skip tls verification — keep false; the token would otherwise be exposed to anyone who can intercept the connection
# redis client
# NOTE(review): this connection presumably carries tokens, sessions and consents. The defaults (no password, no tls) are only
# acceptable on a fully isolated network; otherwise set password (from a secret store) and enable tls with a ca.
redis:
    id: redis # redis database id
    region: local # region id
    redis_search: true # enable redis search
    redis_time_series: false # redis time series
    scan_count: 100 # Number of entries fetched using SCAN
    push_limit: 1024 # at-least-once delivery queue push limit
    number_of_workers: 8 # number of workers for stream handlers
    # Either a single address or a seed list of host:port addresses
    addrs:
        - 127.0.0.1:6379
    db: 0 # Database to be selected after connecting to the server.
    master_name: "" # The sentinel master name.
    username: "" # username (prefer a dedicated ACL user over the default user where the server supports it)
    password: "" # password — empty means unauthenticated
    sentinel_password: "" # sentinel password
    max_retries: 3 # max retries
    min_retry_backoff: 0s # min retry backoff
    max_retry_backoff: 0s # max retry backoff
    dial_timeout: 0s # dial timeout
    read_timeout: 0s # read timeout
    write_timeout: 0s # write timeout
    pool_size: 0 # pool size
    min_idle_conns: 0 # min idle connections
    max_conn_age: 0s # max connection age
    pool_timeout: 0s # pool timeout
    idle_timeout: 0s # idle timeout
    idle_check_frequency: 0s # idle check frequency
    max_redirects: 0 # max redirects
    read_only: false # read only
    route_by_latency: false # route by latency
    route_randomly: false # route randomly
    redis_search_index_name: default-index # redis search index name
    # redis search tags for index
    redis_search_tags:
        - tenant_id
        - server_id
        - token_type
        - client_id
        - subject
        - consent_id
        - consent_type
        - collection
        - customer_id
    # redis streams configuration
    streams:
        max_length: 100000 # max length for streams (older entries are presumably trimmed once exceeded)
        count: 50 # number of events to read from a stream
        block: 10ms # duration until timeout
        handler_timeout: 30s # stream handler timeout
        stats_interval: 10s # streams stats interval
        # streams auto claim configuration (re-claims entries left pending by a dead consumer)
        auto_claim:
            interval: 1s # streams auto claim interval
            min_idle: 30s # streams auto claim min idle
            count: 300 # streams auto claim count
        sleep: 100ms # sleep between reads
        max_retries: 10 # max number of retries
        prefix: "" # redis stream name prefix
        auto_ack: false # automatically ack all messages when there is no error
        # etags configuration
        etag:
            duration: 1m0s # max duration to wait for confirmation
            size: 10000 # max size of confirmations queue
    # redis tls configuration
    tls:
        enabled: false # enable tls — enable on any network you do not fully trust
        cert: "" # path to the public key cert PEM file
        key: "" # path to the private key PEM file
        ca: "" # path to the root ca PEM file
        insecure_skip_verify: false # skip host name verification — NOTE(review): with Go's InsecureSkipVerify the whole certificate chain check is skipped, not only the host name; likely the same here, so keep false and supply ca instead
    max_backoff_retries: 5 # constant backoff max number of retries
    backoff_duration: 10ms # constant backoff duration
    # consumer group configuration - option to override global settings for a given consumer group
    consumer_groups:
        audit_logs_timescale:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 200 # count of messages in a single batch, 0 for default size
        gateway:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 100 # count of messages in a single batch, 0 for default size
# optional local redis client (uses redis client configuration if addrs is empty)
# same authentication and tls caveats as the main redis client apply when addrs is set
local_redis:
    id: local-redis # redis database id
    region: local # region id
    redis_search: true # enable redis search
    redis_time_series: false # redis time series
    scan_count: 100 # Number of entries fetched using SCAN
    push_limit: 1024 # at-least-once delivery queue push limit
    number_of_workers: 8 # number of workers for stream handlers
    # Either a single address or a seed list of host:port addresses; empty falls back to the redis section
    addrs: []
    db: 0 # Database to be selected after connecting to the server.
    master_name: "" # The sentinel master name.
    username: "" # username
    password: "" # password — empty means unauthenticated
    sentinel_password: "" # sentinel password
    max_retries: 3 # max retries
    min_retry_backoff: 0s # min retry backoff
    max_retry_backoff: 0s # max retry backoff
    dial_timeout: 0s # dial timeout
    read_timeout: 0s # read timeout
    write_timeout: 0s # write timeout
    pool_size: 0 # pool size
    min_idle_conns: 0 # min idle connections
    max_conn_age: 0s # max connection age
    pool_timeout: 0s # pool timeout
    idle_timeout: 0s # idle timeout
    idle_check_frequency: 0s # idle check frequency
    max_redirects: 0 # max redirects
    read_only: false # read only
    route_by_latency: false # route by latency
    route_randomly: false # route randomly
    redis_search_index_name: default-index # redis search index name
    # redis search tags for index
    redis_search_tags:
        - tenant_id
        - server_id
        - token_type
        - client_id
        - subject
        - consent_id
        - consent_type
        - collection
        - customer_id
    # redis streams configuration
    streams:
        max_length: 100000 # max length for streams
        count: 50 # number of events to read from a stream
        block: 10ms # duration until timeout
        handler_timeout: 30s # stream handler timeout
        stats_interval: 10s # streams stats interval
        # streams auto claim configuration
        auto_claim:
            interval: 1s # streams auto claim interval
            min_idle: 30s # streams auto claim min idle
            count: 300 # streams auto claim count
        sleep: 100ms # sleep between reads
        max_retries: 10 # max number of retries
        prefix: "" # redis stream name prefix
        auto_ack: false # automatically ack all messages when there is no error
        # etags configuration
        etag:
            duration: 1m0s # max duration to wait for confirmation
            size: 10000 # max size of confirmations queue
    # redis tls configuration
    tls:
        enabled: false # enable tls
        cert: "" # path to the public key cert PEM file
        key: "" # path to the private key PEM file
        ca: "" # path to the root ca PEM file
        insecure_skip_verify: false # skip host name verification — likely skips the whole certificate check (Go InsecureSkipVerify semantics); keep false and supply ca instead
    max_backoff_retries: 5 # constant backoff max number of retries
    backoff_duration: 10ms # constant backoff duration
    # consumer group configuration - option to override global settings for a given consumer group
    consumer_groups:
        audit_logs_timescale:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 200 # count of messages in a single batch, 0 for default size
        gateway:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 100 # count of messages in a single batch, 0 for default size
# sql queue (background job worker pool backed by the sql database)
queue:
    disabled: false # disable queue worker pool (the recurring jobs below presumably stop running on this node)
    tenant_id: "" # Limit sql queue handler to a single tenant (empty presumably means all tenants)
    count: 1 # number of pool workers
    limit: 10 # poll limit
    heartbeat_interval: 30s # heartbeat interval
    expiration_interval: 1m0s # expiration interval
    polling_interval: 10s # polling interval
    max_backoff: 10s # max backoff
    error_limit: 0.1 # error rate limit (fraction; 0.1 = 10%)
# storage config
storage:
    # refresh tokens storage configuration
    refresh_tokens:
        enabled: true # enable storing refresh tokens in sql, stored in kv if false
        batch_limit: 1000 # refresh token batch delete limit
    # expired consents storage configuration
    consents:
        batch_limit: 1000 # expired consents batch delete limit
    # audit events storage configuration
    audit_events:
        enabled: true # enable storing audit events in sql
        # audit events retention config
        # NOTE(review): retention deletes audit events permanently. 168h (7 days) is short for incident investigation; either enable the
        # extended_audit_events_retention feature flag (2160h = 90 days) or ship audit events to an external log/SIEM store before they age out.
        retention:
            enabled: true # enable audit events retention
            global: true # when true, audit events retention is executed globally, not per tenant
            batch_limit: 1000 # audit events retention batch delete limit
            max_age: 168h0m0s # remove audit events older than max age (7 days)
            extended_max_age: 2160h0m0s # remove audit events older than max age - used when feature flag extended retention is true (90 days)
# recurring jobs (run by the sql queue workers in the system tenant; cron fields are minute hour day month weekday)
jobs:
    auditEventsRetention:
        tenant_id: system # tenant id
        id: auditEventsRetention # job id
        queue: execute_retention # queue name
        cron: 15 * * * * # cron expression (minute 15 of every hour) — applies storage.audit_events.retention
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused (pausing this job stops retention, so audit events accumulate)
        payload: null # payload
    cdrExpiredArrangements:
        tenant_id: system # tenant id
        id: cdrExpiredArrangements # job id
        queue: openbanking_set_expired_cdr_arrangements # queue name
        cron: 0 * * * * # cron expression (top of every hour)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    cdrSyncRegisters:
        tenant_id: system # tenant id
        id: cdrSyncRegisters # job id
        queue: openbanking_cdr_sync_registers # queue name
        cron: '*/4 * * * *' # cron expression (every 4 minutes)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    cibaSimulatorExpiredAuthentications:
        tenant_id: system # tenant id
        id: cibaSimulatorExpiredAuthentications # job id
        queue: ciba_simulator_remove_expired_authentications # queue name
        cron: '*/1 * * * *' # cron expression (every minute)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    expiredTokens:
        tenant_id: system # tenant id
        id: expiredTokens # job id
        queue: remove_expired_refresh_tokens # queue name
        cron: 0 * * * * # cron expression (top of every hour) — pausing it leaves expired refresh tokens in storage
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    fdxExpiredConsents:
        tenant_id: system # tenant id
        id: fdxExpiredConsents # job id
        queue: openbanking_set_expired_fdx_consents # queue name
        cron: 0 * * * * # cron expression (top of every hour)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    openbankingExpiredConsents:
        tenant_id: system # tenant id
        id: openbankingExpiredConsents # job id
        queue: openbanking_remove_expired_consents # queue name
        cron: 0 * * * * # cron expression (top of every hour)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    openbankingOrphanedConsents:
        tenant_id: system # tenant id
        id: openbankingOrphanedConsents # job id
        queue: openbanking_remove_orphaned_consents # queue name
        cron: 0 * * * * # cron expression (top of every hour)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    openbankingRejectExpiredConsents:
        tenant_id: system # tenant id
        id: openbankingRejectExpiredConsents # job id
        queue: openbanking_reject_expired_consents # queue name
        cron: '*/10 * * * *' # cron expression (every 10 minutes)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    openbankingRejectOrphanedConsents:
        tenant_id: system # tenant id
        id: openbankingRejectOrphanedConsents # job id
        queue: openbanking_reject_orphaned_consents # queue name
        cron: 0 * * * * # cron expression (top of every hour)
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
# lru cache
# NOTE(review): a cached object may presumably be served for up to redis_ttl/local_ttl after it changes or is revoked;
# keep the TTLs short for security-relevant objects unless invalidation is explicit.
cache:
    redis_ttl: 10m0s # ttl of entries in the shared redis cache
    local_ttl: 1m0s # ttl of entries in the in-process cache
    local_max_size: 1000 # max entries in the in-process cache
    disabled: false # disable caching
# stats cache (same layout as the lru cache above, for statistics)
stats:
    redis_ttl: 1m0s # ttl of entries in the shared redis cache
    local_ttl: 10s # ttl of entries in the in-process cache
    local_max_size: 1000 # max entries in the in-process cache
    disabled: false # disable the stats cache
# demo apps
# NOTE(review): development/conformance-test fixtures — the client_secret below is a published placeholder and the redirect_uris
# point at a local fapi-test host. Keep features.demo_app false and do not carry these values into production.
demo:
    client:
        root_ca: /certs/ca.pem
        cert: /certs/cid2/cert.pem # demo client certificate
        key: /certs/cid2/cert-key.pem # demo client private key
        client_id: cid2
        client_secret: xYA0YnXldHNNjgWBjXGr5xBzIjf8PW-jXWkdZZ_l0WB # placeholder demo secret
        scopes:
            - introspect_openbanking_tokens
    directory:
        # redirect uris registered for the FAPI conformance test host; each is listed with and without query parameters
        redirect_uris:
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValueMtlsAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValueMtlsAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedMtlsAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedMtlsAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
# faas provider
faas:
    provider: "" # function as a service provider — presumably "fission" or "docker", matching the sections below (confirm the accepted values); empty presumably disables it
# fission function as a service provider
# NOTE(review): functions created here presumably run tenant-authored JS/Rego (see features.script_transformer) inside the cluster,
# so the namespace, environments and pod limits below are the isolation boundary. Keep acp-faas a dedicated namespace with its own
# network policy and RBAC, and keep kube.kubeconfig out of this file (prefer in-cluster credentials or a mounted secret).
fission:
    namespace: acp-faas # Kubernetes namespace where functions should be created
    # Runtime configuration for runtime v1
    envs:
        js: nodejs # Name of the fission environment for JS
        rego: rego # Name of the fission environment for Rego
    # Runtime configuration for runtime v2
    envs_v2:
        js: nodejs-v2 # Name of the fission environment for JS
        rego: rego-v2 # Name of the fission environment for Rego
    url: http://router.fission # URL to the fission router (plain http; in-cluster only — confirm it is not reachable from outside)
    max_backoff_retries: 3 # Max backoff retries in case of 404 error
    package_template: |- # k8s package template — a Go text/template rendered into YAML; {{ .ID }} etc. are inserted unquoted, so the values must be safe YAML scalars (presumably generated identifiers, not user input — confirm)
        apiVersion: fission.io/v1
        kind: Package
        metadata:
          name: {{ .ID }}
          namespace: {{ .Namespace }}
        spec:
          deployment:
            literal: {{ .Base64EncodedBody }}
            type: literal
          environment:
            name: {{ .Env }}
            namespace: {{ .Namespace }}
        status:
          buildstatus: succeeded
    function_template: |- # k8s function template — same templating caveat as package_template; the limits below come from function_settings
        apiVersion: fission.io/v1
        kind: Function
        metadata:
          name: {{ .ID  }}
          namespace: {{ .Namespace }}
        spec:
          InvokeStrategy:
            ExecutionStrategy:
              ExecutorType: poolmgr
              SpecializationTimeout: 30
            StrategyType: execution
          concurrency:  {{ .MaxPodsCount }}
          requestsPerPod: {{ .MaxRequestsPerPod }}
          environment:
            name: {{ .Env }}
            namespace: {{ .Namespace }}
          functionTimeout:  {{ .ExecutionTimeout }}
          idletimeout: {{ .IdleTimeout }}
          package:
            packageref:
              name: {{ .ID }}
              namespace: {{ .Namespace }}
              resourceversion: "{{ .ResourceVersion }}"
    # kube config
    kube:
        timeout: 0s # kubernetes client timeout (0 presumably means no limit)
        kubeconfig: "" # path to a kubeconfig; empty presumably uses in-cluster credentials — scope the bound service account to the acp-faas namespace
    max_pod_age: 0s # max pod age - set 0 to unlimited
    # function settings (also the blast-radius limits for a misbehaving function)
    function_settings:
        execution_timeout: 30s # max function execution time
        idle_timeout: 1m0s # max function idle duration
        max_pods_count: 2 # maximum pod count number
        max_requests_per_pod: 5000 # maximum number of requests per pod
    # fission resource watcher configuration
    resource_watcher:
        interval: 1m0s # how often check for aged resources
        timeout: 10s # check timeout
# docker function as a service provider
# Used when `faas.provider` selects docker. The per-language runtime containers
# are addressed over plain HTTP, so these hosts should only be reachable on the
# platform's private network.
docker:
    node_url: http://node-env:8888 # node env url (JS runtime)
    rego_url: http://rego-env:8888 # rego env url
# opentelemetry configuration
# Trace export settings. `exporter` picks one of the two exporter sections
# below; the other is presumably ignored — confirm.
otel:
    service_name: acp # service name
    exporter: jaeger # opentelemetry exporter (jaeger or otlp)
    # enabled propagators (b3, baggage, tracecontext, ottrace, jaeger)
    propagators:
        - jaeger
    # jaeger opentelemetry exporter
    jaeger:
        agent_host: localhost # agent host
        agent_port: "6831" # agent port (a quoted string in this file; keep the quotes so it is not retyped as an integer)
        header: uber-trace-id # header name
    # opentelemetry protocol exporter
    otlp:
        endpoint: localhost:4318 # otlp endpoint (host:port without scheme; 4318 is the conventional OTLP/HTTP port)
        path: /v1/traces # otlp path
        root_ca: "" # otlp root ca used to verify the collector's certificate (format — path or inline PEM — not shown here; confirm)
        insecure_skip_verify: false # disable cert verification (leave false; for a private CA set root_ca instead)
# consul client https://github.com/hashicorp/consul/blob/master/api/api.go
# Keys mirror the fields of api.Config in the linked file, lower-cased. The
# defaults target a local agent over plain http; a remote agent should use
# scheme: https together with tlsconfig.
consul:
    address: 127.0.0.1:8500 # agent address (host:port)
    scheme: http # http or https
    datacenter: "" # datacenter to query; empty presumably means the agent's own — confirm
    transport: null # runtime http transport object from api.Config; appears not to be meant for YAML, leave null
    httpclient: null # runtime http client object from api.Config; appears not to be meant for YAML, leave null
    httpauth: null # HTTP basic-auth credentials (HttpBasicAuth in the linked file)
    waittime: 0s # blocking-query wait time; 0s presumably leaves the agent default — confirm
    token: "" # ACL token sent with every request; it is a secret, prefer tokenfile or injection from the environment over committing it here
    tokenfile: "" # path to a file containing the ACL token (alternative to token)
    namespace: "" # Consul Enterprise namespace
    partition: "" # Consul Enterprise admin partition
    # TLS settings used with scheme: https
    tlsconfig:
        address: "" # server name expected in the agent certificate when it differs from address
        cafile: "" # CA certificate file
        capath: "" # directory of CA certificates
        capem: [] # inline CA certificate PEM
        certfile: "" # client certificate file
        certpem: [] # inline client certificate PEM
        keyfile: "" # client key file
        keypem: [] # inline client key PEM
        insecureskipverify: false # leave false; true disables verification of the agent certificate
# vault client
# HashiCorp Vault client settings. Two credential paths are shown: a static
# `token` and AppRole (`auth.approle`); `agent_address` additionally allows
# delegating authentication to a local Vault agent so that no long-lived secret
# has to live in this file. Precedence between them is not shown here — confirm.
vault:
    address: "" # Address is the address of the Vault server.
    agent_address: "" # AgentAddress is the address of the local Vault agent.
    max_retries: 0 # MaxRetries controls the maximum number of times to retry when a 5xx error occurs.
    timeout: 0s # Timeout is for setting custom timeout parameter in the HttpClient
    token: "" # Access token (secret; prefer the agent or AppRole, or inject it from the environment)
    # TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.
    tls:
        cacert: "" # CA certificate file used to verify the Vault server
        capath: "" # directory of CA certificates
        clientcert: "" # client certificate for mTLS to Vault
        clientkey: "" # private key matching clientcert
        tlsservername: "" # server name expected in the Vault certificate (SNI)
        insecure: false # leave false; true disables verification of the Vault server certificate
    # Authentication
    auth:
        # AppRole login; the platform presumably exchanges roleid/secretid for a token at startup — confirm
        approle:
            roleid: "" # AppRole RoleID
            secretid: "" # AppRole SecretID (secret; inject and rotate rather than committing it)
# embedded smtp gateway configuration
# Outbound SMTP settings, presumably used to deliver the email templates in the
# messaging section below. When username/password are set the `auth` mechanism
# is used; PLAIN only base64-encodes the credentials, so they are protected on
# the wire only when the session is upgraded with start_tls (with server_name
# for hostname verification). The defaults below (port 25, start_tls: false)
# therefore send credentials in clear — override them for any real relay.
email:
    from: Cloudentity  # From address
    username: "" # Username
    password: "" # Password (secret; prefer injecting it from the environment or a secret store over committing it here)
    auth: PLAIN # SMTP AUTH mechanism used when credentials are set
    host: smtp.gmail.com # SMTP server host
    port: 25 # SMTP server port
    timeout: 10s # Timeout
    start_tls: false # Send an email over TLS using STARTTLS
    server_name: "" # The server name used to verify the hostname on the TLS certificate
    insecure_skip_verify: false # Skip TLS cert verification (leave false; true removes protection against interception of the SMTP session)
# embedded twilio gateway configuration
# Twilio credentials, presumably used to deliver the SMS templates in the
# messaging section below.
sms:
    from: Cloudentity # From number (the default suggests an alphanumeric sender id is also accepted — confirm)
    sid: "" # The Twilio Account SID
    auth_token: "" # The Twilio Auth Token (secret, the account's primary credential; inject it from a secret store rather than committing it)
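# messaging config
# Default email and SMS templates for the identity flows. Each email entry has
# a subject, a file template (`file_template`), a plain-text fallback
# (`text_template`) used when the file template is not set, a default
# `message_template` body and a list of attachments. Placeholders use the
# `[[name]]` form: [[otp]], [[code]], [[link]].
# NOTE(review): the message_template bodies below are reproduced as they
# appear on this page; markup and link placeholders they may have contained
# (e.g. where "Click the following link" is not followed by a link) appear to
# have been stripped during extraction — verify against the shipped defaults.
messaging:
    # email templates
    emails:
        # verify otp
        otp:
            subject: OTP # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: Dear Customer, [[otp]] is your single-use verification code. # Text template used if file template is not set
            message_template: | # Default message template
                Your verification code
                Your verification code is:
                [[otp]]
                If you didn’t request this email — don’t worry, you can safely ignore it.
            # Email's attachments
            attachments:
                - ./web/emails/logo.png
        # activate account with code
        activate_account_with_code:
            subject: Account activation # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if file template is not set
            message_template: | # Default message template
                Account activation
                Your activation code is:
                [[code]]
                If you didn’t request this email — don’t worry, you can safely ignore it.
            # Email's attachments
            attachments:
                - ./web/emails/logo.png
        # activate account with link
        activate_account_with_link:
            subject: Account activation # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if file template is not set
            message_template: | # Default message template
                Account activation
                Your account is almost ready.
                Click the following link to activate your account:
                If you didn’t request this email — don’t worry, you can safely ignore it.
            # Email's attachments
            attachments:
                - ./web/emails/logo.png
        # reset password with code
        reset_password_with_code:
            subject: Password reset # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if file template is not set
            message_template: | # Default message template
                Password reset
                We've received a request to reset your passsword.
                Your password reset code is:
                [[code]]
                If you didn’t request this email — don’t worry, you can safely ignore it.
            # Email's attachments
            attachments:
                - ./web/emails/logo.png
        # reset password with link
        reset_password_with_link:
            subject: Password reset # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if file template is not set
            message_template: | # Default message template
                Password reset
                We've received a request to reset your password.
                Click the following link to reset your password:
                If you didn’t request this email — don’t worry, you can safely ignore it.
            # Email's attachments
            attachments:
                - ./web/emails/logo.png
        # identifier used
        identifier_used:
            subject: Account already exists # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if file template is not set
            message_template: | # Default message template
                Account already exists
                The email you provided is already registered with an account.
                If you didn’t request this email — don’t worry, you can safely ignore it.
            # Email's attachments
            attachments:
                - ./web/emails/logo.png
    # sms templates
    smses:
        # verify otp
        otp:
            message_template: Dear Customer, [[otp]] is your single-use verification code. # Message template
        # activate account with code
        activate_account_with_code:
            message_template: Dear Customer, use [[code]] to activate your account. # Message template
        # activate account with link
        activate_account_with_link:
            message_template: 'Dear Customer, use the link to activate your account: [[link]]' # Message template
        # reset password with code
        reset_password_with_code:
            message_template: Dear Customer, use [[code]] to reset your password. # Message template
        # reset password with link
        reset_password_with_link:
            message_template: 'Dear Customer, use the link to reset your password: [[link]]' # Message template
        # identifier used
        identifier_used:
            message_template: Dear Customer, this number is associated with an existing account. # Message template
# embedded IDPs
# OAuth client credentials for the built-in social identity providers; the
# client_secret values are secrets and should be injected rather than committed.
embedded_idps:
    cookie_domain: "" # cookie domain
    # github idp
    github:
        client_id: "" # client id
        client_secret: "" # client secret
    # google idp
    google:
        client_id: "" # client id
        client_secret: "" # client secret
# global rate limits
rate_limits:
    oauth2:
        enabled: false # enable rate limiter (disabled by default, so OAuth2 endpoints are unthrottled unless this is turned on)
        period: 1m0s # period
        rate: 60 # rate (presumably requests allowed per period — confirm)
        burst: 10 # max burst
# rate limits cache
rate_limits_cache:
    redis_ttl: 1h0m0s # TTL of rate-limit entries in redis
    local_ttl: 10m0s # TTL of rate-limit entries in the local cache
    local_max_size: 1000 # max number of entries in the local cache
    disabled: false # disable the cache
# token exchange verifier
token_exchange_verifier:
    idp_client_timeout: 5s # http client timeout when calling IDP endpoints
# subject config
subject:
    default_format: legacy # subject default format for new workspaces
# identity pools captcha configuration
# NOTE(review): the site_key/secret_key defaults below are non-empty values
# shipped in the reference configuration; treat them as public and override
# both per deployment before enabling captcha.
captcha:
    enabled: false # enable captcha on identity pool flows
    site_key: 6LdPYcYeAAAAAF5f6K9Pv5jkPEDFsOtfkwxP2a5k # captcha site key (public, embedded in pages)
    secret_key: 6LdPYcYeAAAAACiRY1ZG2iSPsHXOhYSaqTO_Ycqz # captcha secret key (secret; inject from a secret store)
    whitelist: [] # entries exempt from captcha (format not shown here — confirm)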