---
component: provenance-governor
version: "1.7"
slug: provenance-governor/app-config-overview
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/app-config-overview/"
title: "Application Configuration"
description: "Overview of application configuration concepts for Develocity Provenance Governor."
keywords:
  - "attestation"
  - "configuration"
  - "Kubernetes"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Application Configuration

<a id="preamble"></a>

Configuration for Develocity Provenance Governor is provided through files mounted into the container at startup. The application reads from three configuration directories:

*   **`properties`** - Non-sensitive settings (URIs, public keys)
*   **`secrets`** - Sensitive data (access keys, tokens, private keys)
*   **`policies`** - YAML policy definitions

Changes to these configuration files take effect after restarting the container (or restarting the Kubernetes deployment).

> [!NOTE]
> Kubernetes deployments use ConfigMaps and Secrets to populate these directories. See Kubernetes Deployment. Docker deployments use bind-mounted host directories. See Docker Deployment.

<a id="properties-and-secrets-configuration"></a>

## Properties and Secrets Configuration

How to Configure Properties and Secrets

Develocity Provenance Governor reads configuration from two sources:

*   **`properties`** - Non-sensitive configuration (URIs, options, public keys)
*   **`secrets`** - Sensitive configuration (access tokens, private signing keys)

There are two ways to structure configuration in these resources:

<a id="option-1-individual-property-keys-recommended-for-few-properties"></a>

### Option 1: Individual Property Keys (Recommended for few properties)

Each property is a separate key (Kubernetes) or a separate file (Docker).

<a id="tabs-1"></a>

<a id="tabs-1-kubernetes"></a>
<a id="tabs-1-docker"></a>

**Kubernetes**

<a id="tabs-1-kubernetes--panel"></a>

**Example ConfigMap with individual properties:**

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  develocity.instances.prod.uri: "https://develocity.example.com"
  s3.instances.prod-bucket.region: "us-east-1"
  s3.instances.prod-bucket.bucket-name: "dpg-attestations"
```

**Example Secret with individual properties:**

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  develocity.instances.prod.access-key: "ACCESS_KEY"
  artifactory.instances.main.access-token: "ACCESS_TOKEN"
```

**Docker**

<a id="tabs-1-docker--panel"></a>

**Example: individual property files in the properties directory:**

```bash
echo "https://develocity.example.com" > ./dpg-config/properties/develocity.instances.prod.uri
echo "us-east-1" > ./dpg-config/properties/s3.instances.prod-bucket.region
echo "dpg-attestations" > ./dpg-config/properties/s3.instances.prod-bucket.bucket-name
```

**Example: individual property files in the secrets directory:**

```bash
echo "ACCESS_KEY" > ./dpg-config/secrets/develocity.instances.prod.access-key
echo "ACCESS_TOKEN" > ./dpg-config/secrets/artifactory.instances.main.access-token
```

<a id="option-2-single-application-yml-file-recommended-for-many-properties"></a>

### Option 2: Single application.yml File (Recommended for many properties)

All properties in a single YAML file.

<a id="tabs-2"></a>

<a id="tabs-2-kubernetes"></a>
<a id="tabs-2-docker"></a>

**Kubernetes**

<a id="tabs-2-kubernetes--panel"></a>

**Example ConfigMap with application.yml:**

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: properties
  namespace: develocity-provenance-governor
data:
  application.yml: |
    develocity:
      instances:
        prod:
          uri: "https://develocity.example.com"
    s3:
      instances:
        prod-bucket:
          region: "us-east-1"
          bucket-name: "dpg-attestations"
```

**Example Secret with application.yml:**

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: develocity-provenance-governor
type: Opaque
stringData:
  application.yml: |
    develocity:
      instances:
        prod:
          access-key: "ACCESS_KEY"
    artifactory:
      instances:
        main:
          access-token: "ACCESS_TOKEN"
    signing:
      keys:
        - key: |
            -----BEGIN PRIVATE KEY-----
            MHcCAQEEIL...
            -----END PRIVATE KEY-----
```

**Docker**

<a id="tabs-2-docker--panel"></a>

**Example: ./dpg-config/properties/application.yml:**

```yaml
develocity:
  instances:
    prod:
      uri: "https://develocity.example.com"
s3:
  instances:
    prod-bucket:
      region: "us-east-1"
      bucket-name: "dpg-attestations"
```

**Example: ./dpg-config/secrets/application.yml:**

```yaml
develocity:
  instances:
    prod:
      access-key: "ACCESS_KEY"
artifactory:
  instances:
    main:
      access-token: "ACCESS_TOKEN"
signing:
  keys:
    - key: |
        -----BEGIN PRIVATE KEY-----
        MHcCAQEEIL...
        -----END PRIVATE KEY-----
```

> [!NOTE]
> Choose the approach that works best for your organization:
>
> *   Individual keys/files: easier to manage for few properties, better for tools that generate ConfigMaps/Secrets
> *   application.yml: better for many properties, easier to read and maintain
>
> Both approaches can be mixed - some properties in individual keys/files, others in application.yml files.
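The equivalence between the two forms, and a review of a mixed-form directory, as an added example that is not part of the product's documentation or code. It assumes the parsed application.yml is available as a nested dict (a YAML library would supply it) and constructs a sample `properties` directory, with file names and contents mirroring the examples above.

```python
# Added example, not Provenance Governor code. Flattens an application.yml
# mapping into the dotted keys individual property files use, merges both forms
# for one config directory, and flags a key set in both forms and credential-like
# keys placed under `properties` instead of `secrets`. Inputs are constructed.

# Key fragments the page places under `secrets`, never `properties`.
SENSITIVE_FRAGMENTS = ("access-key", "access-token", "signing.keys")

def flatten(tree, prefix=""):
    """{'develocity': {'instances': {'prod': {'uri': u}}}} ->
    {'develocity.instances.prod.uri': u}, i.e. the individual-file name."""
    flat = {}
    for key, value in tree.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, dotted))
        else:
            flat[dotted] = value
    return flat

def merge_directory(individual_files, application_yml):
    """individual_files: {file name: file content}; application_yml: parsed
    mapping. A key present in both forms is reported, not silently resolved,
    because no precedence between the forms is documented."""
    from_yaml = flatten(application_yml)
    conflicts = sorted(set(individual_files) & set(from_yaml))
    merged = dict(from_yaml)
    for key, content in individual_files.items():
        if key not in conflicts:
            merged[key] = content.strip()  # `echo` leaves a trailing newline
    return merged, conflicts

def misplaced_secrets(property_keys):
    # Keys in the non-sensitive directory that look like credentials.
    return sorted(k for k in property_keys
                  if any(frag in k for frag in SENSITIVE_FRAGMENTS))

# Constructed `properties` directory in mixed form, with two deliberate mistakes:
# the region is set in both forms, and an access key sits outside `secrets`.
PROPERTIES_FILES = {"s3.instances.prod-bucket.region": "us-east-1\n",
                    "develocity.instances.prod.access-key": "ACCESS_KEY\n"}
PROPERTIES_YML = {
    "develocity": {"instances": {"prod": {"uri": "https://develocity.example.com"}}},
    "s3": {"instances": {"prod-bucket": {"region": "us-west-2",
                                         "bucket-name": "dpg-attestations"}}}}

def review_properties():
    merged, conflicts = merge_directory(PROPERTIES_FILES, PROPERTIES_YML)
    return merged, conflicts, misplaced_secrets(merged)
```

Run the same review over the `secrets` directory with `SENSITIVE_FRAGMENTS` inverted (non-credential keys there are harmless but worth noticing) to keep the two directories clearly separated.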

<a id="configuration-topics"></a>

## Configuration Topics

Configure Develocity Provenance Governor in the following order:

| Component | Description | Required |
| --- | --- | --- |
| Develocity Integration | Connect to Develocity instance(s) to retrieve build scan data for attestation generation | ✓ Required |
| Attestation Storage | Configure at least one storage backend: Artifactory or S3 | ✓ Required (choose one or both) |
| Signing Keys | Generate and configure signing keys for cryptographically signing attestations | Recommended |
| Access Control | Define who can access which resources via Access Control policies | ✓ Required |
| Presigned Access | Configure HMAC-signed presigned URLs for credential-free, time-limited access to package attestation data | Optional |
| Policies | Define Policy Scan™ definitions and validation rules for evaluating packages | Optional (required for policy evaluation) |
| External APIs | Tune retry, concurrency, and resilience for OSV and OSI API communication | Optional |

> [!TIP]
> Minimum viable configuration requires:
>
> *   At least one Develocity instance connection
> *   At least one attestation storage backend (Artifactory and/or S3)
> *   Access Control policies to grant API access
>
> Recommended configuration also includes:
>
> *   Signing keys for attestation signatures
> *   Policy definitions for Policy Scan evaluation