
<a id="component-eol-banner"></a>

You are viewing **Develocity Provenance Governor 1.5**. To view the latest available version of the docs, see [1.7](https://docs.gradle.com/develocity/provenance-governor/1.7/app-config-overview/).

# Application Configuration

<a id="preamble"></a>

Configuration for Develocity Provenance Governor uses Kubernetes-native resources that are mounted into the container at startup:

*   **ConfigMap `properties`** - Non-sensitive settings (URIs, public keys)
    
*   **Secret `secrets`** - Sensitive data (access keys, tokens, private keys)
    
*   **ConfigMap `policies`** - YAML policy definitions
    

Because these resources are read when the container starts, changes to them take effect only after the deployment is restarted.

<a id="properties-and-secrets-configuration"></a>

## Properties and Secrets Configuration


Develocity Provenance Governor reads configuration from two Kubernetes resources:

*   **ConfigMap `properties`** - Non-sensitive configuration (URIs, options, public keys)
    
*   **Secret `secrets`** - Sensitive configuration (access tokens, private signing keys). Values in a Kubernetes Secret are only base64-encoded in the API, so restrict read access to this Secret with RBAC and enable encryption at rest for etcd if the cluster does not already have it.
    

There are two ways to structure configuration in these resources:

<a id="option-1-individual-property-keys-recommended-for-few-properties"></a>

### Option 1: Individual Property Keys (Recommended for few properties)

Each property is a separate key in the ConfigMap or Secret.

**Example ConfigMap with individual properties:**

```
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  develocity.instances.prod.uri: "https://develocity.example.com"
  s3.instances.prod-bucket.region: "us-east-1"
  s3.instances.prod-bucket.bucket-name: "dpg-attestations"
```

**Example Secret with individual properties:**

```
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  develocity.instances.prod.access-key: "ACCESS_KEY"
  artifactory.instances.main.access-token: "ACCESS_TOKEN"
```

<a id="option-2-single-application-yml-file-recommended-for-many-properties"></a>

### Option 2: Single application.yml File (Recommended for many properties)

All properties in a single YAML file as one key.

**Example ConfigMap with application.yml:**

```
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  application.yml: |
    develocity:
      instances:
        prod:
          uri: "https://develocity.example.com"
    s3:
      instances:
        prod-bucket:
          region: "us-east-1"
          bucket-name: "dpg-attestations"
```

**Example Secret with application.yml:**

```
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  application.yml: |
    develocity:
      instances:
        prod:
          access-key: "ACCESS_KEY"
    artifactory:
      instances:
        main:
          access-token: "ACCESS_TOKEN"
    signing:
      keys:
        - key: |
            -----BEGIN PRIVATE KEY-----
            MHcCAQEEIL...
            -----END PRIVATE KEY-----
```

> [!NOTE]
> Choose the approach that works best for your organization:
>
> *   Individual keys: easier to manage for a few properties, and better for tools that generate ConfigMaps/Secrets.
> *   application.yml: better for many properties, and easier to read and maintain.
>
> Both approaches can be mixed: some properties in individual keys, others in application.yml files.

<a id="configuration-topics"></a>

## Configuration Topics

Configure Develocity Provenance Governor in the following order:

  
| Component | Description | Required |
| --- | --- | --- |
| Develocity Integration | Connect to Develocity instance(s) to retrieve build scan data for attestation generation | ✓ Required |
| Attestation Storage | Configure at least one storage backend: Artifactory or S3 | ✓ Required (choose one or both) |
| Signing Keys | Generate and configure signing keys for cryptographically signing attestations | Recommended |
| Access Control | Define who can access which resources via Access Control policies | ✓ Required |
| Policies | Define Policy Scan™ definitions and validation rules for evaluating packages | Optional (required for policy evaluation) |

> [!TIP]
> Minimum viable configuration requires:
>
> *   At least one Develocity instance connection
> *   At least one attestation storage backend (Artifactory and/or S3)
> *   Access Control policies to grant API access
>
> Recommended configuration also includes:
>
> *   Signing keys for attestation signatures
> *   Policy definitions for Policy Scan evaluation
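Because individual keys and an `application.yml` key can be mixed within the same resource, and because a mistake only surfaces after a restart, it helps to flatten both forms into one property map and check it before rolling the deployment. The following is an added example written for this page, not code from Develocity Provenance Governor: it merges the `data`/`stringData` maps of the `properties` ConfigMap and the `secrets` Secret, flags credentials that ended up in the ConfigMap, flags a Develocity instance whose `uri` and `access-key` use different instance names (inferred from the examples above, not a documented rule), and confirms the minimum viable configuration from the tip (a Develocity instance plus an Artifactory or S3 backend). The helper names (`parse_simple_yaml`, `load_properties`, `check_config`) and the sample maps are constructed for the example; the tiny YAML parser covers only the nested-mapping subset shown on this page and not the `- key: |` list form used for signing keys, so use PyYAML for real manifests.

```python
def parse_simple_yaml(text):
    """Parse two-space-indented `key: value` / `key:` mappings into nested dicts.
    Subset parser for this example: no lists, no block scalars (use PyYAML for real files)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while indent <= stack[-1][0]:  # leave mappings nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def flatten(tree, prefix=""):
    """{'a': {'b': 'x'}} -> {'a.b': 'x'}, i.e. the individual-key form."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def load_properties(data):
    """Merge individual keys and the contents of an application.yml key.
    Returns (properties, conflicts): conflicts are keys set in both forms with different values."""
    props, conflicts = {}, []
    for key, value in data.items():
        entries = flatten(parse_simple_yaml(value)) if key == "application.yml" else {key: value}
        for path, val in entries.items():
            if path in props and props[path] != val:
                conflicts.append(path)
            props[path] = val
    return props, conflicts


def instance_names(props, section, leaf):
    """Names <n> of every <section>.instances.<n>.<leaf> property."""
    names = set()
    for path in props:
        parts = path.split(".")
        if len(parts) == 4 and parts[:2] == [section, "instances"] and parts[3] == leaf:
            names.add(parts[2])
    return names


def check_config(configmap_data, secret_data):
    """Return a list of problems; empty means the minimum viable configuration is present."""
    issues = []
    public, conflicts = load_properties(configmap_data)
    secret, more = load_properties(secret_data)
    issues += [f"conflicting values for {path}" for path in conflicts + more]
    # Credentials and private keys belong in the Secret, never in the ConfigMap.
    for path in public:
        if path.endswith(("access-key", "access-token")) or path.startswith("signing.keys"):
            issues.append(f"sensitive property {path} is in ConfigMap 'properties'")
    # Required: a Develocity instance whose uri (ConfigMap) and access-key (Secret)
    # share the instance name; a typo on either side fails silently after restart.
    with_uri = instance_names(public, "develocity", "uri")
    with_key = instance_names(secret, "develocity", "access-key")
    if not with_uri:
        issues.append("no Develocity instance configured (develocity.instances.<name>.uri)")
    for name in sorted(with_uri ^ with_key):
        issues.append(f"Develocity instance {name!r} has a uri or an access-key but not both")
    # Required: at least one attestation storage backend (Artifactory and/or S3).
    backends = ("artifactory.instances.", "s3.instances.")
    if not any(p.startswith(backends) for p in {**public, **secret}):
        issues.append("no attestation storage backend (artifactory.* or s3.*) configured")
    return issues


# Constructed sample data/stringData maps (not taken from a real cluster),
# mixing individual keys with an application.yml key as this page allows.
GOOD_CONFIGMAP = {
    "develocity.instances.prod.uri": "https://develocity.example.com",
    "application.yml": "s3:\n  instances:\n    prod-bucket:\n      region: \"us-east-1\"\n"
                       "      bucket-name: \"dpg-attestations\"\n",
}
GOOD_SECRET = {"develocity.instances.prod.access-key": "ACCESS_KEY"}
# Three mistakes: access key in the ConfigMap, instance-name typo (prd), no storage backend.
BAD_CONFIGMAP = {
    "develocity.instances.prod.uri": "https://develocity.example.com",
    "develocity.instances.prod.access-key": "ACCESS_KEY",
}
BAD_SECRET = {"application.yml": "develocity:\n  instances:\n    prd:\n      access-key: \"ACCESS_KEY\"\n"}
```

To run this against a live cluster, feed it the `data` map from `kubectl get configmap properties -n develocity-provenance-governor -o json` and the `data` map of the Secret from the same command with `kind` set to `secret`, base64-decoding each Secret value first; `check_config(GOOD_CONFIGMAP, GOOD_SECRET)` returns an empty list, while the bad pair reports four problems.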