Configuration model

Unkey services read configuration from a TOML file passed at startup. Environment variables can be referenced with ${VAR} and are expanded before parsing. Defaults and validation run after parsing. The config schema maps to svc/frontline/config.go.

Minimal config example:

http_port = 7070
https_port = 7443
region = "${UNKEY_REGION}.aws"
instance_id = "${POD_NAME}"
apex_domain = "${UNKEY_APEX_DOMAIN}"
max_hops = 10
ctrl_addr = "${UNKEY_CTRL_ADDR}"
prometheus_port = 9090

[database]
primary = "${UNKEY_DATABASE_PRIMARY}"
readonly_replica = "${UNKEY_DATABASE_REPLICA}"

[vault]
url = "${UNKEY_VAULT_URL}"
token = "${UNKEY_VAULT_TOKEN}"

instance_id (string): Instance identifier for logs and tracing.
http_port (int, default: 7070): Plain-HTTP listener port. Serves ACME HTTP-01 challenges and 308-redirects everything else to https://.
https_port (int, default: 7443): HTTPS listener port. Terminates TLS and forwards customer traffic to the sentinel.
region (string, required): Region label for routing.
apex_domain (string, default: "unkey.cloud"): Apex domain for regional routing.
max_hops (int, default: 10): Maximum number of routing hops.
ctrl_addr (string, default: "localhost:8080"): Control API address.
prometheus_port (int): Prometheus metrics port. Set to 0 to disable.
tls (object): TLS settings for HTTPS.
database (object): MySQL configuration.
vault (object): Vault connection.
observability (object): Tracing and logging configuration.

Environment variables

The Helm chart provides these variables for the default config template:
UNKEY_REGION (env, required): Region label.
UNKEY_APEX_DOMAIN (env): Apex domain for routing.
UNKEY_CTRL_ADDR (env): Control API address.
UNKEY_VAULT_URL (env): Vault URL.
UNKEY_VAULT_TOKEN (env): Vault token.
UNKEY_DATABASE_PRIMARY (env, required): MySQL primary DSN.
UNKEY_DATABASE_REPLICA (env): MySQL read replica DSN.

Example configuration

http_port = 7070
https_port = 7443
region = "${UNKEY_REGION}.aws"
instance_id = "${POD_NAME}"
apex_domain = "${UNKEY_APEX_DOMAIN}"
max_hops = 10
ctrl_addr = "${UNKEY_CTRL_ADDR}"
prometheus_port = 9090

[database]
primary = "${UNKEY_DATABASE_PRIMARY}"
readonly_replica = "${UNKEY_DATABASE_REPLICA}"

[vault]
url = "${UNKEY_VAULT_URL}"
token = "${UNKEY_VAULT_TOKEN}"

[observability.tracing]
sample_rate = 0.1

[observability.logging]
sample_rate = 0.01
slow_threshold = "2s"