
Configuration model

Unkey services read configuration from a TOML file passed at startup. Environment variables can be referenced with ${VAR} and are expanded before parsing. Defaults and validation run after parsing. The config schema maps to svc/krane/config.go.

Krane enables the secrets RPC only when vault.url is set. Other features run without Vault.

Minimal config example:

region = "${UNKEY_REGION}.aws"
instance_id = "${POD_NAME}"
rpc_port = 8080

[control]
url = "${UNKEY_CTRL_URL}"
token = "${UNKEY_CTRL_TOKEN}"

[vault]
url = "${UNKEY_VAULT_URL}"
token = "${UNKEY_VAULT_TOKEN}"

[registry]
url = "${UNKEY_REGISTRY_URL}"
username = "${UNKEY_REGISTRY_USERNAME}"
password = "${UNKEY_REGISTRY_PASSWORD}"

instance_id (string): Instance identifier for logs and tracing.
region (string, required): Region label for routing and control plane.
rpc_port (int, default: "8070"): RPC server port.
registry (object): Registry credentials. The krane runtime does not read this config today.
vault (object): Vault connection for the secrets service.
control (object): Control plane connection.
observability (object): Tracing, logging, and metrics configuration.

Example configuration

region = "${UNKEY_REGION}.aws"
instance_id = "${POD_NAME}"
rpc_port = 8080

[control]
url = "${UNKEY_CTRL_URL}"
token = "${UNKEY_CTRL_TOKEN}"

[vault]
url = "${UNKEY_VAULT_URL}"
token = "${UNKEY_VAULT_TOKEN}"

[registry]
url = "${UNKEY_REGISTRY_URL}"
username = "${UNKEY_REGISTRY_USERNAME}"
password = "${UNKEY_REGISTRY_PASSWORD}"

[observability.tracing]
sample_rate = 0.1

[observability.logging]
sample_rate = 0.01
slow_threshold = "2s"

[observability.metrics]
prometheus_port = 9090
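
A preflight check for the expansion step described under Configuration model, as an added example that is not Unkey's own code. It assumes `${VAR}` expansion is plain text substitution and that an unset variable expands to an empty string (the page states neither); `Preflight`, `Finding` and the sample environment are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refPattern matches ${VAR} references as used in the config file.
var refPattern = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// Finding describes one problem found before the config is handed to the service.
type Finding struct {
	Line   int
	Var    string
	Reason string
}

// Preflight scans raw config text for ${VAR} references and reports variables
// that are unset or empty, or whose value would change the TOML text once
// substituted. Assumption: expansion is plain text substitution before parsing.
// lookup has the shape of os.LookupEnv so the real environment can be passed in.
func Preflight(config string, lookup func(string) (string, bool)) []Finding {
	var out []Finding
	for i, line := range strings.Split(config, "\n") {
		for _, m := range refPattern.FindAllStringSubmatch(line, -1) {
			val, ok := lookup(m[1])
			switch {
			case !ok || val == "":
				out = append(out, Finding{i + 1, m[1], "unset or empty"})
			case strings.ContainsAny(val, "\"\\\n\r"):
				out = append(out, Finding{i + 1, m[1], "value contains quote, backslash or newline"})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: a fragment of the page's example config.
	cfg := "region = \"${UNKEY_REGION}.aws\"\n[vault]\nurl = \"${UNKEY_VAULT_URL}\"\ntoken = \"${UNKEY_VAULT_TOKEN}\"\n"
	// Constructed environment: vault URL missing, token holding a stray quote.
	env := map[string]string{"UNKEY_REGION": "us-east-1", "UNKEY_VAULT_TOKEN": "abc\"def"}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	for _, f := range Preflight(cfg, lookup) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Var, f.Reason)
	}
}
```

Pass `os.LookupEnv` as `lookup` to check the real environment. Under the stated assumption, an empty `UNKEY_VAULT_URL` leaves `vault.url` unset, and Krane enables the secrets RPC only when `vault.url` is set.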