82 lines
2.8 KiB
HCL
82 lines
2.8 KiB
HCL
|
/*
|
||
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
||
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||
|
|
*/
|
||
|
|
|
||
|
|
/*
|
||
|
|
* This is derived from Caiyeon goldfish/config/sample.hcl just for testing
|
||
|
|
* OpenGrok's HCL handling and modified arbitrarily to test other HCL syntax.
|
||
|
|
*/
|
||
|
|
|
||
|
|
# [Required] listener defines how goldfish will listen to incoming connections
|
||
|
|
listener "tcp" {
|
||
|
|
# [Required] [Format: "address", "address:port", or ":port"]
|
||
|
|
# goldfish's listening address and/or port. Simply ":443" would suffice.
|
||
|
|
address = ":8000"
|
||
|
|
|
||
|
|
# [Optional] [Default: 0] [Allowed values: 0, 1]
|
||
|
|
# set to 1 to disable tls & https
|
||
|
|
tls_disable = 1
|
||
|
|
|
||
|
|
# [Optional] [Default: 0] [Allowed values: 0, 1]
|
||
|
|
# set to 1 to redirect port 80 to 443 (hard-coded port numbers)
|
||
|
|
tls_autoredirect = 0
|
||
|
|
|
||
|
|
# Option 1: local certificate
|
||
|
|
certificate "local" {
|
||
|
|
cert_file = "/path/to/certificate.cert"
|
||
|
|
key_file = "/path/to/keyfile.pem"
|
||
|
|
}
|
||
|
|
|
||
|
|
# Option 2: using Vault's PKI backend [Requires vault_token at launch time]
|
||
|
|
# goldfish will request new certificates at half-life and hot-reload,
|
||
|
|
pki_certificate "pki" {
|
||
|
|
# [Required]
|
||
|
|
pki_path = "pki/issue/<role_name>"
|
||
|
|
common_name = "goldfish.vault.service"
|
||
|
|
|
||
|
|
# [Optional] see Vault PKI docs for what these mean
|
||
|
|
alt_names = ["goldfish.vault.srv", "ui.vault.srv"]
|
||
|
|
ip_sans = ["10.0.0.10", "127.0.0.1", "172.0.0.1"]
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
# [Required] vault defines how goldfish should bootstrap to vault
|
||
|
|
vault {
|
||
|
|
# [Required] [Format: "protocol://address:port"]
|
||
|
|
# This is vault's address. Vault must be up before goldfish is deployed!
|
||
|
|
address = "http://127.0.0.1:8200"
|
||
|
|
|
||
|
|
# [Optional] [Default: 0] [Allowed values: 0, 1]
|
||
|
|
# Set this to 1 to skip verifying the certificate of vault (e.g. self-signed certs)
|
||
|
|
tls_skip_verify = 0
|
||
|
|
|
||
|
|
# [Required] [Default: "secret/goldfish"]
|
||
|
|
# This should be a generic secret endpoint where runtime settings are stored
|
||
|
|
# See wiki for what key values are required in this
|
||
|
|
runtime_config = "secret/goldfish"
|
||
|
|
|
||
|
|
# [Optional] [Default: "auth/approle/login"]
|
||
|
|
# You can omit this, unless you mounted approle somewhere weird
|
||
|
|
approle_login = "auth/approle/login"
|
||
|
|
|
||
|
|
# [Optional] [Default: "goldfish"]
|
||
|
|
# You can omit this if you already customized the approle ID to be 'goldfish'
|
||
|
|
approle_id = "goldfish"
|
||
|
|
|
||
|
|
# [Optional] [Default: ""]
|
||
|
|
# If provided, goldfish will use this CA cert to verify Vault's certificate
|
||
|
|
# This should be a path to a PEM-encoded CA cert file
|
||
|
|
ca_cert = ""
|
||
|
|
|
||
|
|
# [Optional] [Default: ""]
|
||
|
|
# See above. This should be a path to a directory instead of a single cert
|
||
|
|
ca_path = ""
|
||
|
|
}
|
||
|
|
|
||
|
|
# [Optional] [Default: 0] [Allowed values: 0, 1]
|
||
|
|
# Set to 1 to disable mlock. Implementation is similar to vault - see vault docs for details
|
||
|
|
# This option will be ignored on unsupported platforms (e.g Windows)
|
||
|
|
disable_mlock = 0
|