# Defaults Configuration
Global settings applied across all control planes. Per-control-plane values override these defaults where applicable.
## When to Configure Each Section
Most options have sensible defaults. You only need to configure a section when you use the corresponding feature:
| Section | Configure when |
|---|---|
| `defaults.storage.hcv` | Any control plane uses the HCV storage backend |
| `defaults.storage.aws` | Any control plane uses the AWS storage backend |
| `defaults.pki.hcv` | Any control plane uses `auth_type = "pki_client_certs"` with `create_certificate = true` |
| `defaults.controlPlanes` | You want to change the default `auth_type` or `storage_backend` for all control planes |
## Example
A setup using HashiCorp Vault for both storage and PKI:
```nix
kontfix.defaults = {
  storage.hcv = {
    address = "https://vault.example.com";
    auth_method = "approle"; # uses vault_role_id / vault_secret_id Terraform variables
  };

  pki.hcv.address = "https://vault.example.com";

  controlPlanes = {
    auth_type = "pki_client_certs";
    storage_backend = [ "hcv" ];
    labels = {
      managed-by = "kontfix";
    };
  };

  system_account_tokens = {
    validity_period = 30;       # days
    renewal_before_expiry = 7;  # days
  };
};
```
## Configuration Areas
- Storage — Connection details and path prefixes for each backend (AWS Secrets Manager, HashiCorp Vault, local filesystem)
- PKI — Vault connection used to issue client certificates; required when `create_certificate = true`
- Control Planes — Default `auth_type`, `storage_backend`, and `labels` applied to every control plane unless overridden
- Self-Signed Certificates — Validity period and auto-renewal window for self-signed certificates
- System Account Tokens — Token validity period and auto-renewal window
- Provider Versions — Override pinned Terraform provider versions
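The rules in the table and list above (a storage backend needs its `defaults.storage.<backend>` section, `pki_client_certs` with `create_certificate = true` needs `defaults.pki.hcv`, and the token renewal window must fall inside the validity period) are easy to violate silently when defaults and per-control-plane overrides are edited separately. The following Python script is an added example, not part of kontfix, that checks those rules before the configuration is applied. It assumes the `kontfix.defaults` attribute set has been exported to JSON (for instance with `nix eval --json`) and loaded as a dict with the same key layout as the Nix example; the placement of `create_certificate` beside `auth_type` in a control-plane definition, the `name` key on each control plane, and the key-by-key override of `controlPlanes` defaults are assumptions made here for illustration.

```python
"""Consistency checks for a kontfix `defaults` block (added example, not kontfix's own code).

Assumptions: the Nix attribute set was exported to JSON and loaded as a dict with
the keys shown on this page (storage.hcv / storage.aws, pki.hcv.address,
controlPlanes.{auth_type,storage_backend}, system_account_tokens.{validity_period,
renewal_before_expiry}). `create_certificate` is assumed to live next to auth_type
in a control-plane definition, and each per-control-plane dict overrides the
controlPlanes defaults key by key (both hypothetical placements).
"""
from typing import Any, List, Optional


def lookup(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts, returning `default` if any part is absent."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_defaults(defaults: dict, control_planes: Optional[List[dict]] = None) -> List[str]:
    """Return human-readable problems; an empty list means the configuration is consistent."""
    problems: List[str] = []
    cp_defaults = lookup(defaults, "controlPlanes", {}) or {}

    # Each control plane is the defaults overlaid with its own settings (assumed override model).
    for cp in control_planes or [{}]:
        effective = {**cp_defaults, **cp}
        name = cp.get("name", "<defaults>")

        # A backend listed in storage_backend needs its defaults.storage.<backend> section.
        for backend in effective.get("storage_backend", []):
            if backend in ("hcv", "aws") and lookup(defaults, f"storage.{backend}") is None:
                problems.append(
                    f"{name}: storage_backend lists '{backend}' but defaults.storage.{backend} is not configured"
                )

        # Client certificates are issued through Vault, so pki.hcv.address is required here.
        if (
            effective.get("auth_type") == "pki_client_certs"
            and effective.get("create_certificate", False)
            and not lookup(defaults, "pki.hcv.address")
        ):
            problems.append(
                f"{name}: auth_type = pki_client_certs with create_certificate = true "
                "requires defaults.pki.hcv.address"
            )

    # Vault storage needs an address to connect to.
    if lookup(defaults, "storage.hcv") is not None and not lookup(defaults, "storage.hcv.address"):
        problems.append("defaults.storage.hcv has no address")

    # Auto-renewal must start after creation and strictly before the token expires.
    validity = lookup(defaults, "system_account_tokens.validity_period")
    renew = lookup(defaults, "system_account_tokens.renewal_before_expiry")
    if validity is not None and renew is not None and not (0 < renew < validity):
        problems.append(
            f"system_account_tokens: renewal_before_expiry ({renew}) must lie between 0 and "
            f"validity_period ({validity})"
        )

    return problems


# Constructed sample mirroring the Nix example on this page.
PAGE_DEFAULTS = {
    "storage": {"hcv": {"address": "https://vault.example.com", "auth_method": "approle"}},
    "pki": {"hcv": {"address": "https://vault.example.com"}},
    "controlPlanes": {
        "auth_type": "pki_client_certs",
        "storage_backend": ["hcv"],
        "labels": {"managed-by": "kontfix"},
    },
    "system_account_tokens": {"validity_period": 30, "renewal_before_expiry": 7},
}

if __name__ == "__main__":
    # One control plane that asks kontfix to create its certificate (constructed input).
    for problem in check_defaults(PAGE_DEFAULTS, [{"name": "prod", "create_certificate": True}]):
        print("WARN", problem)
```

Run it against the exported defaults as a pre-apply step; a non-empty result points at the section of this page that still needs configuring.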