Defaults Options
kontfix.defaults.enable_id_admin
Whether to always create the id_admin Konnect provider for managing system accounts. This prevents "Provider configuration not present" errors when removing all system accounts and groups. Set to true if you need the id_admin provider to persist when no system accounts or groups are currently configured.
Type: boolean
Default:
false
Declared by: - defaults/options.nix
kontfix.defaults.controlPlanes.auth_type
Default authentication type for control planes
Type: one of “pki_client_certs”, “pinned_client_certs”
Default:
"pinned_client_certs"
Declared by: - defaults/options.nix
kontfix.defaults.controlPlanes.labels
Default labels applied to all control planes
Type: attribute set of string
Default:
{ }
Declared by: - defaults/options.nix
kontfix.defaults.controlPlanes.pki_backend
Default PKI backend used to generate certificates for control planes that use the pki_client_certs auth type
Type: value “hcv” (singular enum)
Default:
"hcv"
Declared by: - defaults/options.nix
kontfix.defaults.controlPlanes.storage_backend
Default storage backend options for control planes
Type: list of (one of “local”, “hcv”, “aws”)
Default:
[
"local"
]
Declared by: - defaults/options.nix
kontfix.defaults.pki.hcv.address
HashiCorp Vault address (required if using HCV storage backend)
Type: string
Default:
""
Declared by: - defaults/options.nix
kontfix.defaults.pki.hcv.auth_method
Vault authentication for PKI handling:
When the approle method is used, the module injects vault_pki_role_id and vault_pki_secret_id into the provider configuration. When the token method is used, the module instead uses the vault_pki_token variable.
Type: one of “token”, “approle”
Default:
"token"
Declared by: - defaults/options.nix
kontfix.defaults.pki.hcv.auth_path
Vault authentication path (only used for approle auth)
Type: string
Default:
"auth/approle/login"
Declared by: - defaults/options.nix
kontfix.defaults.pki_ca_certificate
Default PKI CA certificate used for pki_client_certs authentication. Can be provided as string content or read from a file (e.g., builtins.readFile ./pki-ca/ca.pem;).
Type: null or string
Default:
null
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.aws
Version of the HashiCorp AWS provider
Type: string
Default:
"6.17.0"
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.konnect
Version of the Kong Konnect provider
Type: string
Default:
"3.3.0"
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.local
Version of the HashiCorp Local provider
Type: string
Default:
"2.5.3"
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.null
Version of the HashiCorp Null provider
Type: string
Default:
"3.2.4"
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.time
Version of the HashiCorp Time provider
Type: string
Default:
"0.13.1"
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.tls
Version of the HashiCorp TLS provider
Type: string
Default:
"4.1.0"
Declared by: - defaults/options.nix
kontfix.defaults.provider_versions.vault
Version of the HashiCorp Vault provider
Type: string
Default:
"5.3.0"
Declared by: - defaults/options.nix
kontfix.defaults.self_signed_cert.renewal_before_expiry
Number of days before certificate expiry to trigger renewal. Default is 15 days before expiry.
Type: signed integer
Default:
15
Declared by: - defaults/options.nix
kontfix.defaults.self_signed_cert.validity_period
The validity period of self-signed certificates in days. Default is 90 days.
Type: signed integer
Default:
90
Declared by: - defaults/options.nix
kontfix.defaults.storage.aws.cp_prefix
Default prefix for AWS Secrets Manager secret paths for individual control planes
Type: string
Default:
"konnect"
Declared by: - defaults/options.nix
kontfix.defaults.storage.aws.group_prefix
Default prefix for AWS Secrets Manager secret paths for group system accounts
Type: string
Default:
"konnect"
Declared by: - defaults/options.nix
kontfix.defaults.storage.aws.profile
Default AWS profile (creates aws_profile variable with this default if provided)
Type: string
Default:
""
Declared by: - defaults/options.nix
kontfix.defaults.storage.aws.region
Default AWS region (creates aws_region variable with this default if provided)
Type: string
Default:
""
Declared by: - defaults/options.nix
kontfix.defaults.storage.hcv.address
HashiCorp Vault address (required if using HCV storage backend)
Type: string
Default:
""
Declared by: - defaults/options.nix
kontfix.defaults.storage.hcv.auth_method
Vault authentication for storage handling:
When the approle method is used, the module injects vault_role_id and vault_secret_id into the provider configuration. When the token method is used, the module instead uses the vault_token variable.
Type: one of “token”, “approle”
Default:
"token"
Declared by: - defaults/options.nix
kontfix.defaults.storage.hcv.auth_path
Vault authentication path (only used for approle auth)
Type: string
Default:
"auth/approle/login"
Declared by: - defaults/options.nix
kontfix.defaults.storage.hcv.cp_prefix
Default mount point for HashiCorp Vault storage for individual control planes
Type: string
Default:
"konnect"
Declared by: - defaults/options.nix
kontfix.defaults.storage.hcv.group_prefix
Default mount point for HashiCorp Vault storage for group system accounts
Type: string
Default:
"konnect"
Declared by: - defaults/options.nix
kontfix.defaults.system_account_tokens.renewal_before_expiry
Number of days before token expiry to trigger renewal. Default is 7 days before expiry.
Type: signed integer
Default:
7
Declared by: - defaults/options.nix
kontfix.defaults.system_account_tokens.validity_period
The validity period of system account access tokens in days. Default is 30 days.
Type: signed integer
Default:
30
Declared by: - defaults/options.nix
kontfix.defaults.vault_pki.auto_renew
Whether to auto-renew certificates
Type: boolean
Default:
true
Declared by: - defaults/options.nix
kontfix.defaults.vault_pki.backend
Vault PKI backend name
Type: string
Default:
"rsa"
Declared by: - defaults/options.nix
kontfix.defaults.vault_pki.min_seconds_remaining
Minimum seconds remaining before renewal. Default is 604800 seconds (7 days).
Type: signed integer
Default:
604800
Declared by: - defaults/options.nix
kontfix.defaults.vault_pki.role_name
Vault PKI role name
Type: string
Default:
"client-cert"
Declared by: - defaults/options.nix
kontfix.defaults.vault_pki.ttl
Certificate TTL (90 days default)
Type: string
Default:
"2160h"
Declared by: - defaults/options.nix