Application Configuration


Configuration for Develocity Provenance Governor uses Kubernetes-native resources that are mounted into the container at startup:

  • ConfigMap 'properties' - Non-sensitive settings (URIs, public keys)

  • Secret 'secrets' - Sensitive data (access keys, tokens, private keys)

  • ConfigMap 'policies' - YAML policy definitions

Because the resources are mounted at startup, a running pod does not pick up changes to them; restart the deployment for edits to take effect.

Properties and Secrets Configuration

How to Configure Properties and Secrets

Develocity Provenance Governor reads configuration from two Kubernetes resources:

  • ConfigMap properties - Non-sensitive configuration (URIs, options, public keys)

  • Secret secrets - Sensitive configuration (access tokens, private signing keys)

There are two ways to structure configuration in these resources: individual keys, or a single application.yml key.

Individual keys

Each property is a separate key in the ConfigMap or Secret, named with its full dotted property path.

Example ConfigMap with individual properties
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  develocity.instances.prod.uri: "https://develocity.example.com"
  s3.instances.prod-bucket.region: "us-east-1"
  s3.instances.prod-bucket.bucket-name: "dpg-attestations"
Example Secret with individual properties
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  develocity.instances.prod.access-key: "your-access-key-here"
  artifactory.instances.main.access-token: "your-token-here"

Single application.yml key

All properties are written as one nested YAML document stored under the single key application.yml.

Example ConfigMap with application.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  application.yml: |
    develocity:
      instances:
        prod:
          uri: "https://develocity.example.com"
    s3:
      instances:
        prod-bucket:
          region: "us-east-1"
          bucket-name: "dpg-attestations"
Example Secret with application.yml
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  application.yml: |
    develocity:
      instances:
        prod:
          access-key: "your-access-key-here"
    artifactory:
      instances:
        main:
          access-token: "your-token-here"
    signing:
      keys:
        - key: |
            -----BEGIN PRIVATE KEY-----
            MHcCAQEEIL...
            -----END PRIVATE KEY-----

Choose the approach that works best for your organization:

  • Individual keys: Easier to manage for a small number of properties, and better suited to tools that generate ConfigMaps/Secrets

  • application.yml: Better for many properties, and easier to read and maintain

Both approaches can be mixed: some properties in individual keys, others in the application.yml file of the same resource.

Configuration Topics

Configure Develocity Provenance Governor in the following order:

Component              | Description                                                                              | Required
Develocity Integration | Connect to Develocity instance(s) to retrieve build scan data for attestation generation | ✓ Required
Attestation Storage    | Configure at least one storage backend: Artifactory or S3                                | ✓ Required (choose one or both)
Signing Keys           | Generate and configure signing keys for cryptographically signing attestations           | Recommended
Access Control         | Define who can access which resources via Access Control policies                        | ✓ Required
Policies               | Define Policy Scan™ definitions and validation rules for evaluating packages             | Optional (required for policy evaluation)

Minimum viable configuration requires:

  1. At least one Develocity instance connection

  2. At least one attestation storage backend (Artifactory and/or S3)

  3. Access Control policies to grant API access

Recommended configuration also includes:

  1. Signing keys for attestation signatures

  2. Policy definitions for Policy Scan evaluation
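Before applying the properties ConfigMap and secrets Secret, it is worth linting them against the two sections above: the mixed individual-key/application.yml layout, and the minimum viable configuration list. The following is an added example written for this page, not code from the Develocity Provenance Governor documentation or product. It merges individual keys and an application.yml block into one flat property map, decodes base64 data entries in the Secret (the form returned by kubectl get secret -o json), reports a property defined both ways with different values (the page says the two forms can be mixed but states no precedence, so the check treats that as something to resolve rather than picking a winner), flags credentials or private keys that landed in the ConfigMap instead of the Secret, and verifies the minimum viable configuration. The sample manifests are constructed and deliberately contain two mistakes; their application.yml blocks are embedded already parsed, as PyYAML's yaml.safe_load would return them, so the script runs without PyYAML. The list of sensitive key suffixes and the <component>.instances.<name>.<field> layout are assumptions drawn from the examples on this page.

```python
"""Added example: lint the 'properties' ConfigMap and 'secrets' Secret before applying them."""
from __future__ import annotations

import base64
from typing import Any

# Assumed: key names that carry credentials and therefore belong in the Secret, not the ConfigMap.
SENSITIVE_SUFFIXES = ("access-key", "access-token", "secret-key", "password")


def flatten(node: Any, prefix: str = "") -> dict[str, Any]:
    """Turn a nested application.yml mapping into dotted keys (develocity.instances.prod.uri).
    Lists and scalars stay as leaves, so signing.keys keeps its list of key blocks."""
    if not isinstance(node, dict):
        return {prefix: node}
    out: dict[str, Any] = {}
    for key, value in node.items():
        out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return out


def resource_entries(manifest: dict) -> dict[str, Any]:
    """Every key/value a ConfigMap or Secret carries. A Secret may hold plain stringData
    and/or base64-encoded data; a ConfigMap holds plain data."""
    entries: dict[str, Any] = {}
    if manifest.get("kind") == "Secret":
        for key, value in manifest.get("data", {}).items():
            entries[key] = base64.b64decode(value).decode()
        entries.update(manifest.get("stringData", {}))
    else:
        entries.update(manifest.get("data", {}))
    return entries


def properties_from(manifest: dict) -> tuple[dict[str, Any], list[str]]:
    """Merge individual keys and the application.yml block of one resource into a flat map.
    application.yml must already be parsed (yaml.safe_load on the real string value).
    A property set both ways with different values is returned as a conflict, not resolved."""
    props: dict[str, Any] = {}
    conflicts: list[str] = []
    for key, value in resource_entries(manifest).items():
        candidates = flatten(value) if key == "application.yml" else {key: value}
        for name, val in candidates.items():
            if name in props and props[name] != val:
                conflicts.append(name)
            props[name] = val
    return props, conflicts


def instance_names(props: dict[str, Any], component: str) -> set[str]:
    """Names under <component>.instances.<name>.<field> (layout assumed from the page)."""
    names = set()
    for key in props:
        parts = key.split(".")
        if len(parts) >= 4 and parts[0] == component and parts[1] == "instances":
            names.add(parts[2])
    return names


def misplaced_secrets(configmap_props: dict[str, Any]) -> list[str]:
    """Credentials or private keys in the ConfigMap: they belong in the Secret, which is the
    object that RBAC rules, encryption-at-rest settings and tooling treat as sensitive."""
    return sorted(
        key for key, value in configmap_props.items()
        if key.endswith(SENSITIVE_SUFFIXES) or key.startswith("signing.keys")
        or (isinstance(value, str) and "PRIVATE KEY" in value)
    )


def missing_for_minimum(props: dict[str, Any]) -> list[str]:
    """Minimum viable configuration from the page: a Develocity instance with uri and
    access-key, plus one storage backend. Access Control policies live in the separate
    'policies' ConfigMap and are not checked here."""
    problems = []
    develocity = instance_names(props, "develocity")
    if not develocity:
        problems.append("no develocity.instances.<name> configured")
    for name in sorted(develocity):
        for field in ("uri", "access-key"):
            if f"develocity.instances.{name}.{field}" not in props:
                problems.append(f"develocity.instances.{name}.{field} missing")
    if not (instance_names(props, "artifactory") or instance_names(props, "s3")):
        problems.append("no attestation storage backend (artifactory or s3) configured")
    return problems


def lint(configmap: dict, secret: dict) -> dict[str, list[str]]:
    cm_props, cm_conflicts = properties_from(configmap)
    sec_props, sec_conflicts = properties_from(secret)
    both = [k for k in cm_props if k in sec_props]  # same property in both resources
    return {
        "conflicts": sorted(set(cm_conflicts + sec_conflicts + both)),
        "misplaced_secrets": misplaced_secrets(cm_props),
        "missing": missing_for_minimum({**cm_props, **sec_props}),
    }


# Constructed samples with two deliberate mistakes: the S3 region is set both ways with
# different values, and an Artifactory access token sits in the ConfigMap.
SAMPLE_CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "properties", "namespace": "develocity-provenance-governor"},
    "data": {
        "develocity.instances.prod.uri": "https://develocity.example.com",
        "s3.instances.prod-bucket.region": "us-east-1",
        "application.yml": {  # pre-parsed here; in a real manifest this is a YAML string
            "s3": {"instances": {"prod-bucket": {"region": "eu-west-1", "bucket-name": "dpg-attestations"}}},
            "artifactory": {"instances": {"main": {"access-token": "token-that-belongs-in-the-secret"}}},
        },
    },
}
SAMPLE_SECRET = {
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "secrets", "namespace": "develocity-provenance-governor"},
    "data": {"develocity.instances.prod.access-key": base64.b64encode(b"example-access-key").decode()},
    "stringData": {"application.yml": {  # pre-parsed, as above
        "signing": {"keys": [{"key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"}]}}},
}

if __name__ == "__main__":
    for category, items in lint(SAMPLE_CONFIGMAP, SAMPLE_SECRET).items():
        print(f"{category}: {items or 'ok'}")
```

Run it on manifests exported with kubectl get configmap properties -o json and kubectl get secret secrets -o json after parsing any application.yml string with yaml.safe_load; the conflict finding is the one to resolve before restarting the deployment, since a value that differs between the two forms will otherwise be whichever the application happens to load last.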