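server:
  # listenAddress is the address the HTTP(S) listener binds to. An empty host
  # part (":8080") binds every interface of the machine; give an explicit host
  # when the process must not be reachable from all of its networks.
  # Quoted defensively so the leading ':' is never read as a YAML indicator.
  listenAddress: ":8080"
  tlsCertFile: /some/file.crt # optional
  tlsKeyFile: /some/file.key # optional for https; keep the key readable only by the service user
  # hardenedIDPHints controls whether identity provider names are exposed in error messages.
  # When false (default): Error messages list available IDPs to help users troubleshoot.
  # When true: Error messages are generic to prevent IDP reconnaissance attacks.
  # Prefer true for deployments reachable by untrusted users; the troubleshooting
  # hints are only worth the disclosure on internal or development setups.
  # hardenedIDPHints: true
  # allowedOrigins lists the origins (scheme + host, plus port if non-default)
  # permitted to call this server from a browser context — presumably the CORS
  # allow-list; verify against the handler. List only frontends you operate,
  # as exact values, not patterns.
  allowedOrigins:
    - https://breakglass.example.com
    - https://admin.example.net
  # trustedProxies configures which IPs/CIDRs are trusted for X-Forwarded-* headers.
  # Required when running behind an ingress controller or load balancer.
  # When configured, the server will:
  #   - Use X-Forwarded-For for client IP in rate limiting and logging
  #   - Use X-Forwarded-Proto for HSTS header decisions
  # Leave empty if not behind a reverse proxy.
  # Keep the list to the addresses of the proxies that actually sit in front of
  # this server: any peer inside a trusted range can supply its own
  # X-Forwarded-For and thereby choose the client IP that rate limiting and the
  # logs record. The private ranges below are illustrative and are usually far
  # broader than a real deployment needs.
  # trustedProxies:
  #   - 10.0.0.0/8 # Kubernetes pod network
  #   - 172.16.0.0/12 # Private networks
  #   - 192.168.0.0/16 # Private networks
  #
  # HTTP server timeouts (optional). All values are Go duration strings.
  # When omitted, sensible production defaults are used. Bounded read/header
  # timeouts are what protect the listener from slow or stalled clients, so
  # raise them only with a concrete reason.
  # timeouts:
  #   readTimeout: "30s" # Max duration for reading request (default: 30s)
  #   readHeaderTimeout: "10s" # Max duration for reading headers (default: 10s)
  #   writeTimeout: "60s" # Max duration for writing response (default: 60s)
  #   idleTimeout: "120s" # Max idle keep-alive duration (default: 120s)
  #   maxHeaderBytes: 1048576 # Max request header size in bytes (default: 1MB)
  #
  # Graceful shutdown timeout (optional). Go duration string.
  # Controls how long the server waits for in-flight requests during shutdown.
  # shutdownTimeout: "30s"
  #
  # enableActivityTracking enables recording session activity from the authorization webhook.
  # When enabled, the ActivityTracker buffers webhook hits and flushes lastActivity/activityCount
  # to BreakglassSession status every 30 seconds. Required for idle timeout (spec.idleTimeout) to work.
  # enableActivityTracking: false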
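frontend:
  # baseURL is where the frontend is served from. The value below is a local
  # development default; use an https URL for any non-local deployment.
  baseURL: http://localhost:5173
  # Optional: brandingName controls the product name shown in the UI header and
  # page title. Example: "Das SCHIFF Breakglass". If omitted, the frontend will
  # display a neutral placeholder title.
  # brandingName: "Das SCHIFF Breakglass"
  # Optional: uiFlavour controls the UI theme/appearance at runtime.
  # Supported values: "oss" (default, neutral), "telekom" (branded), or "neutral".
  # This allows the UI look-and-feel to be configured server-side without requiring a rebuild.
  # uiFlavour: "telekom"

# NOTE: Mail configuration has been moved to the MailProvider CRD.
# See config/samples/breakglass_v1alpha1_mailprovider.yaml for examples.
# Documentation: docs/mail-provider.md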
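kubernetes:
  context: "" # kubectl config context; if empty, the default context is used
  oidcPrefixes: # List of prefixes to strip from user groups for cluster matching
    - "keycloak:"
    - "oidc:"
  # userIdentifierClaim specifies which OIDC claim to use as the user identifier for session matching.
  # This is the global default that can be overridden per-cluster in ClusterConfig.
  # Valid values: "email" (default), "preferred_username", "sub"
  # This must match the OIDC claimMappings.username.claim on spoke clusters.
  # Pick the claim your identity provider guarantees to be stable and unique per
  # user: an identifier that can later be reassigned to someone else would let
  # that account match sessions granted to the original user.
  # userIdentifierClaim: "email"
  #
  # Circuit breaker for spoke cluster communication (optional).
  # When enabled, clusters that become unreachable are marked as degraded and
  # requests are rejected immediately instead of blocking on TCP timeout.
  # See docs/circuit-breaker.md for details.
  # circuitBreaker:
  #   enabled: true
  #   failureThreshold: 3 # consecutive failures before opening
  #   successThreshold: 2 # consecutive successes to close in half-open
  #   openDuration: "30s" # wait before probing
  #   halfOpenMaxRequests: 1 # concurrent probes in half-open

# OpenTelemetry distributed tracing configuration.
# See docs/opentelemetry-tracing.md for details.
# The collector endpoint is quoted so the host:port value is always read as a string.
# Keep insecure at false unless the collector is a local sidecar: spans can carry
# request metadata, so the export channel should be protected like any other log sink.
# telemetry:
#   enabled: false # Enable tracing (default: false)
#   exporter: otlp # Exporter type: otlp | stdout | none (default: otlp)
#   endpoint: "localhost:4317" # Collector gRPC endpoint (default: localhost:4317)
#   insecure: false # Disable TLS for the collector connection (default: false)
#   samplingRate: 1.0 # Sampling probability 0.0-1.0 (default: 1.0)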