Application Configuration


Configuration for Develocity Provenance Governor is provided through files mounted into the container at startup. The application reads from three configuration directories:

  • properties - Non-sensitive settings (URIs, public keys)

  • secrets - Sensitive data (access keys, tokens, private keys)

  • policies - YAML policy definitions

Changes to these configuration files take effect only after the container is restarted (for Kubernetes, a rolling restart of the Deployment): the application reads the three directories once, at startup, and does not watch them for changes.

Kubernetes deployments use ConfigMaps and Secrets to populate these directories. Keep in mind that a Kubernetes Secret is only base64-encoded, not encrypted: restrict who can read Secrets in the namespace with RBAC, and enable encryption at rest for etcd if your cluster does not already have it. See Kubernetes Deployment.

Docker deployments use bind-mounted host directories. Restrict the host-side secrets directory so that only the account that runs the container can read it. See Docker Deployment.

Properties and Secrets Configuration

How to Configure Properties and Secrets

Develocity Provenance Governor reads configuration from two sources:

  • properties - Non-sensitive configuration (URIs, options, public keys)

  • secrets - Sensitive configuration (access tokens, private signing keys)

There are two ways to structure configuration in these resources.

Individual keys/files: each property is a separate key in the ConfigMap or Secret (Kubernetes) or a separate file in the mounted directory (Docker). The key or file name is the full dotted property name, and its value is the property value.

Example ConfigMap with individual properties
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  develocity.instances.prod.uri: "https://develocity.example.com"
  s3.instances.prod-bucket.region: "us-east-1"
  s3.instances.prod-bucket.bucket-name: "dpg-attestations"
Example Secret with individual properties
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  develocity.instances.prod.access-key: "your-access-key-here"
  artifactory.instances.main.access-token: "your-token-here"
Example: individual property files in the properties directory
echo "https://develocity.example.com" > ./dpg-config/properties/develocity.instances.prod.uri
echo "us-east-1" > ./dpg-config/properties/s3.instances.prod-bucket.region
echo "dpg-attestations" > ./dpg-config/properties/s3.instances.prod-bucket.bucket-name
Example: individual property files in the secrets directory
echo "your-access-key-here" > ./dpg-config/secrets/develocity.instances.prod.access-key
echo "your-token-here" > ./dpg-config/secrets/artifactory.instances.main.access-token

Two caveats for the secrets directory: echo appends a trailing newline to each file (check that the application tolerates this, or write the value with printf '%s' instead), and a secret typed on the command line is recorded in shell history. For real deployments, write secret files from a secret manager's output rather than an interactive shell, and make the directory readable only by the account that runs the container.

application.yml: all properties in a single YAML file named application.yml, with each dotted property name expanded into nested keys (develocity.instances.prod.uri becomes develocity: / instances: / prod: / uri:).

Example ConfigMap with application.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  application.yml: |
    develocity:
      instances:
        prod:
          uri: "https://develocity.example.com"
    s3:
      instances:
        prod-bucket:
          region: "us-east-1"
          bucket-name: "dpg-attestations"
Example Secret with application.yml
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  application.yml: |
    develocity:
      instances:
        prod:
          access-key: "your-access-key-here"
    artifactory:
      instances:
        main:
          access-token: "your-token-here"
    signing:
      keys:
        - key: |
            -----BEGIN PRIVATE KEY-----
            MHcCAQEEIL...
            -----END PRIVATE KEY-----
Example: ./dpg-config/properties/application.yml
develocity:
  instances:
    prod:
      uri: "https://develocity.example.com"
s3:
  instances:
    prod-bucket:
      region: "us-east-1"
      bucket-name: "dpg-attestations"
Example: ./dpg-config/secrets/application.yml
develocity:
  instances:
    prod:
      access-key: "your-access-key-here"
artifactory:
  instances:
    main:
      access-token: "your-token-here"
signing:
  keys:
    - key: |
        -----BEGIN PRIVATE KEY-----
        MHcCAQEEIL...
        -----END PRIVATE KEY-----

Choose the approach that works best for your organization:

  • Individual keys/files: easier to manage for a small number of properties, and better suited to tools that generate ConfigMaps and Secrets

  • application.yml: better for many properties, and easier to read and maintain

The two approaches can be mixed, with some properties as individual keys or files and others in application.yml. If you mix them, define each property in exactly one place so that precedence between the two sources never comes into play.

Configuration Topics

Configure Develocity Provenance Governor in the following order:

  • Develocity Integration (required): connect to Develocity instance(s) to retrieve build scan data for attestation generation

  • Attestation Storage (required, choose one or both): configure at least one storage backend, Artifactory or S3

  • Signing Keys (recommended): generate and configure signing keys for cryptographically signing attestations

  • Access Control (required): define who can access which resources via Access Control policies

  • Presigned Access (optional): configure HMAC-signed presigned URLs for credential-free, time-limited access to package attestation data

  • Policies (optional, required for policy evaluation): define Policy Scan™ definitions and validation rules for evaluating packages

  • External APIs (optional): tune retry, concurrency, and resilience for OSV and OSI API communication

Minimum viable configuration requires:

  1. At least one Develocity instance connection

  2. At least one attestation storage backend (Artifactory and/or S3)

  3. Access Control policies to grant API access

Recommended configuration also includes:

  1. Signing keys for attestation signatures

  2. Policy definitions for Policy Scan evaluation
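The following script is an added example, not code from the Develocity Provenance Governor project. It demonstrates both of the preceding sections at once: how the individual-file layout and the application.yml layout of the properties and secrets directories resolve to the same dotted property names, and how to check a mounted configuration tree against the minimum viable configuration list above before starting the container. It assumes application.yml has already been parsed with a YAML library (the nested Python dicts below stand in for yaml.safe_load output so the script runs with no dependencies), that per-file values may carry the trailing newline that echo writes, and that key names ending in access-key, access-token, private-key, password, secret or .key are sensitive. The sample input is constructed from this page's examples with two mistakes planted; the index notation signing.keys[0].key and the sensitivity heuristic are this example's own conventions, not the application's.

```python
"""Preflight lint for a mounted properties/secrets configuration tree.

Added example, not part of Develocity Provenance Governor. The nested
application.yml content is passed in already parsed (what yaml.safe_load
would return) so the script runs without third-party dependencies.
"""
from __future__ import annotations

from typing import Any

# Prefixes under which at least one instance must exist (from the
# "Minimum viable configuration" list). Instance names are user-chosen.
DEVELOCITY_PREFIX = "develocity.instances."
STORAGE_PREFIXES = ("artifactory.instances.", "s3.instances.")
# Assumption of this example: key names ending like this hold secrets and
# therefore belong in the secrets directory, never in properties.
SENSITIVE_SUFFIXES = ("access-key", "access-token", "private-key", "password", "secret", ".key")


def flatten(node: Any, prefix: str = "") -> dict[str, str]:
    """Flatten nested YAML data into dotted keys: {"a": {"b": 1}} -> {"a.b": "1"}.

    List items get an index, so the signing key from application.yml becomes
    `signing.keys[0].key` (this example's notation, not the application's).
    """
    out: dict[str, str] = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            out.update(flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = "" if node is None else str(node)
    return out


def load_dir(files: dict[str, Any]) -> tuple[dict[str, str], list[str]]:
    """Resolve one mounted directory (file name -> content) to dotted keys.

    `application.yml` is the nested form; every other file is one property
    named after the file. One trailing newline is stripped from file values
    because `echo` writes one (whether the application strips it is not
    stated on the page, so do not rely on it). A property present both as a
    file and inside application.yml is reported as a conflict.
    """
    props: dict[str, str] = {}
    problems: list[str] = []
    if "application.yml" in files:
        props.update(flatten(files["application.yml"]))
    for name, content in files.items():
        if name == "application.yml":
            continue
        value = str(content)
        if value.endswith("\n"):
            value = value[:-1]
        if name in props:
            problems.append(f"{name}: defined both as a file and in application.yml")
        props[name] = value
    return props, problems


def lint(properties: dict[str, Any], secrets: dict[str, Any]) -> tuple[dict[str, str], list[str]]:
    """Merge both directories and return (merged properties, problem list)."""
    props, problems = load_dir(properties)
    secs, more = load_dir(secrets)
    problems.extend(more)
    for key in sorted(props.keys() & secs.keys()):
        problems.append(f"{key}: defined in both properties and secrets")
    for key in props:
        if key.endswith(SENSITIVE_SUFFIXES):
            problems.append(f"{key}: looks sensitive but is in the properties directory")
    merged = {**props, **secs}
    if not any(k.startswith(DEVELOCITY_PREFIX) for k in merged):
        problems.append("no Develocity instance configured (required)")
    if not any(k.startswith(STORAGE_PREFIXES) for k in merged):
        problems.append("no attestation storage backend configured (Artifactory or S3 required)")
    if not any(k.startswith("signing.keys[") for k in secs):
        problems.append("no signing keys configured (recommended)")
    return merged, problems


# Constructed sample input mirroring this page's examples, mixing both
# layouts, with two planted mistakes: the S3 region is defined twice in the
# properties directory, and an Artifactory token sits in properties instead
# of secrets. File values carry the newline that `echo` writes.
SAMPLE_PROPERTIES: dict[str, Any] = {
    "develocity.instances.prod.uri": "https://develocity.example.com\n",
    "s3.instances.prod-bucket.region": "us-east-1\n",
    "artifactory.instances.main.access-token": "your-token-here\n",
    "application.yml": {
        "s3": {"instances": {"prod-bucket": {"region": "us-east-1", "bucket-name": "dpg-attestations"}}},
    },
}
SAMPLE_SECRETS: dict[str, Any] = {
    "application.yml": {
        "develocity": {"instances": {"prod": {"access-key": "your-access-key-here"}}},
        "signing": {"keys": [{"key": "-----BEGIN PRIVATE KEY-----\nMHcCAQEEIL...\n-----END PRIVATE KEY-----\n"}]},
    },
}

if __name__ == "__main__":
    merged, problems = lint(SAMPLE_PROPERTIES, SAMPLE_SECRETS)
    for key in sorted(merged):
        shown = "<redacted>" if key.endswith(SENSITIVE_SUFFIXES) else merged[key]
        print(f"{key} = {shown}")
    for problem in problems:
        print("PROBLEM:", problem)
```

Run against the sample, the script reports the duplicated S3 region and the misplaced Artifactory token while accepting the rest; run against two empty directories it reports the missing Develocity instance, the missing storage backend and the absent signing keys. To use it on a real bind-mounted tree, read each file in ./dpg-config/properties and ./dpg-config/secrets into the two dicts and parse application.yml with yaml.safe_load. The Access Control and policy YAML files live in the policies directory and are outside what this check covers.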