Local file configuration

Most configuration is set in YAML files and loaded directly by the engine. This lets you integrate Jumpwire into a GitOps workflow or make quick changes for local testing.

Jumpwire Enterprise: all configuration done through the YAML files can instead be set in the web controller. We strongly recommend only using YAML files or the web controller for your source of truth, not both at once. Mixing these modes can lead to confusing settings and the engine may not behave the way you expect.

The environment variable `JUMPWIRE_CONFIG_PATH` must be set to load YAML files. This should be a directory accessible to the Jumpwire engine. When using Docker, it must be mounted into the container. All files ending in `.yml` or `.yaml` from the configured directory and any subdirectories will be parsed and merged together.

## Sections

### global

Settings that affect the global behavior of the engine.

Required arguments: none

Optional arguments:

- `sync`: Boolean indicating whether to send objects loaded from the YAML configuration up to the web UI for persistence. Default is `true`.
- `merge`: When set to `all`, any existing configuration is merged in with the values from this configuration directory. Any other value will cause the existing configuration to be overwritten. Merging should only be disabled if all nodes on the cluster have synchronized configuration files and no changes are made in the web UI. Default is `all`.
- `generate_ids`: Boolean indicating whether to automatically generate a UUID for any objects that don't have an ID set. The IDs are not persisted back to the YAML file, so enabling this is only intended for testing. Default is `false`.

### manifests

Connection details for both databases and API endpoints that Jumpwire will act as a proxy for.

Required arguments:

- `id`: A UUID to associate with this connection. Optional if `generate_ids` is enabled.
- `name`: A human readable name for the connection.
- `root_type`: The type of DB or API this connection represents. Valid options are:
  - `postgresql`
  - `mysql`

Optional arguments:

- `configuration`: A map of connection information. The structure for each `root_type` is documented below.
- `credentials`: A map of credentials for connecting to the DB or API. The structure for each `root_type` is documented below.

#### PostgreSQL configuration

- `type` (required): Must be set to `postgresql`.
- `hostname` (required): Host or IP address of the database. Must be reachable from all Jumpwire engine nodes.
- `database` (required): Database to connect to.
- `port`: TCP port to connect to. Default is `5432`.
- `ssl`: Boolean indicating whether to require SSL for the connection from Jumpwire to the database. Default is `true`.
- `schema`: Namespace to use in the database.

#### MySQL configuration

- `type` (required): Must be set to `mysql`.
- `hostname` (required): Host or IP address of the database. Must be reachable from all Jumpwire engine nodes.
- `database` (required): Database to connect to.
- `port`: TCP port to connect to. Default is `3306`.
- `ssl`: Boolean indicating whether to require SSL for the connection from Jumpwire to the database. Default is `true`.

#### PostgreSQL credentials

For basic authentication, the following must be set:

- `username`: Username for connecting to the database.
- `password`: Password for connecting to the database.

Vault dynamic database credentials can be used by setting:

- `vault_database`: Name of the database to use when dynamically generating credentials from Vault.
- `vault_role`: Role to read credentials from when using dynamically generated Vault credentials.

#### MySQL credentials

For basic authentication, the following must be set:

- `username`: Username for connecting to the database.
- `password`: Password for connecting to the database.

Vault dynamic database credentials can be used by setting:

- `vault_database`: Name of the database to use when dynamically generating credentials from Vault.
- `vault_role`: Role to read credentials from when using dynamically generated Vault credentials.

### groups

Rules for group-based access. Groups and their associated users must be configured through an SSO integration in the web interface. Each entry is a map with the group name as the key. See below for an example.

Required arguments: none

Optional arguments:

- `permissions`: A list of request attributes that are allowed for the group. Attributes are typically listed as `action:label`. For example, the attribute `select:secret` would allow the group to access data labeled as `secret` but prevent the group from being able to insert/update/delete it. All actions on all labels are blocked by default.

### policies

Rules about access and transformation for data being proxied.

Required arguments:

- `id`: A UUID to associate with this policy. Optional if `generate_ids` is enabled.
- `name`: A human readable name for this policy.
- `handling`: The action to take when the policy is applied. Valid values are:
  - `access`: Allow the request to occur.
  - `block`: Prevent the request.
  - `drop_field`: Replace the labeled field with a null value.
  - `audit`: Generate an audit record of the request.
  - `encrypt`: Encrypt or decrypt the labeled field.
  - `resolve_fields`: Replace the value of the labeled field with a different value using a KV store.

Optional arguments:

- `version`: The version of the policy schema. Default is `2`.
- `attributes`: A list of groups of attributes defining when this policy is applied. Default is `[]`.
- `apply_on_match`: When true, the policy will be applied when its attributes match the request. When false, the policy will be applied to all requests that don't match its attributes. Default is `false`.
- `configuration`: Map of additional options that must be set for some handling types. See the documentation below.

#### resolve_fields configuration

- `type` (required): Must be set to `resolve_fields`.
- `metastore_id` (required): UUID of the KV store to use for looking up field values.
- `route_key` (required): The field to use when determining whether this KV store should be used.
- `route_values` (required): A list of values for the `route_key` field indicating that this KV store should be used.

### proxy_schemas

Fields and associated labels. Each schema is specific to a single DB or API connection.

Required arguments:

- `id`: A UUID to associate with this schema. Optional if `generate_ids` is enabled.
- `name`: A human readable name for the schema.
- `manifest_id`: The UUID of the DB or API that this schema pertains to.
- `fields`: Mapping of field names to their label. Fields without a label do not need to be explicitly configured.

Optional arguments: none

### metastores

Connection details for backends used as KV stores.

Required arguments:

- `id`: A UUID to associate with this connection. Optional if `generate_ids` is enabled.
- `name`: A human readable name for the connection.
- `configuration`: A map specific to the type of KV store being configured. See the documentation below for possible structures.

Optional arguments:

- `vault_database`: Name of the database to use when dynamically generating credentials from Vault. If set, `vault_role` must also be set.
- `vault_role`: Role to read credentials from when using dynamically generated Vault credentials. If set, `vault_database` must also be set.
- `credentials`: A map of credentials for connecting to the DB or API. The structure for each KV type is documented below.

Either `credentials` or `vault_database` and `vault_role` should be set, but not both.

#### postgresql_kv configuration

Configuration to use a PostgreSQL database as a KV store when performing lookups on proxied queries.

- `type` (required): Must be set to `postgresql_kv`.
- `connection` (required):
  - `hostname` (required): Host or IP address of the database. Must be reachable from all Jumpwire engine nodes.
  - `database` (required): Database to connect to.
  - `port`: TCP port to connect to. Default is `5432`.
  - `ssl`: Boolean indicating whether to require SSL for the connection from Jumpwire to the database. Default is `true`.
  - `schema`: Namespace to use in the database.
- `table` (required): The table containing key/value information.
- `key_field` (required): The field in the configured table containing the lookup key.
- `value_field` (required): The field on the configured table containing the value for that row.

## Full example

```yaml
global:
  sync: true
  merge: all

groups:
  engineers:
    source: google_apps
    permissions:
      - select:sensitive
      - insert:sensitive
      - update:sensitive
      - insert:pii

manifests:
  - id: 0779b97a-c04a-48f9-9483-22e8b0487de4
    name: api-db
    root_type: postgresql
    credentials:
      username: apiuser
      password: apipassword
    configuration:
      type: postgresql
      database: db
      ssl: false
      hostname: api-db
      port: 5432

metastores:
  - id: cb48a801-389b-4844-89e7-2b41e88317af
    name: eu-pii-db
    configuration:
      type: postgresql_kv
      connection:
        hostname: pii-edb
        port: 5432
        database: db
        ssl: false
      table: pii
      key_field: key
      value_field: value
    credentials:
      username: piiuser
      password: piipassword

policies:
  - id: d86448be-db98-4ec5-a635-576829e05ec7
    name: resolve-eu-pii
    handling: resolve_fields
    label: pii
    configuration:
      type: resolve_fields
      metastore_id: cb48a801-389b-4844-89e7-2b41e88317af
      route_key: country_code
      route_values: ['de', 'fr', 'ge']

proxy_schemas:
  - id: f764dd5b-fb38-401a-b414-edfa8230fd11
    name: users
    manifest_id: 0779b97a-c04a-48f9-9483-22e8b0487de4
    fields:
      email: pii
      name: pii
      password: secret
  - id: 618740c0-bd81-42c9-99c9-a9fe21e8c13c
    name: countries
    manifest_id: 0779b97a-c04a-48f9-9483-22e8b0487de4
    fields:
      iso_code: country_code
```
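
A pre-deployment check for the rules documented above (required `id` values, the Vault pair, `credentials` versus Vault on metastores, and `manifest_id` / `metastore_id` references), written as an added example and not taken from the Jumpwire documentation or code base. It assumes the YAML files have already been parsed and merged into one Python dict; `lint_config`, the finding strings and `SAMPLE` are hypothetical names, and the `ssl` and static-password flags are review checks added here, not rules the engine enforces.

```python
import uuid

def _is_uuid(v):
    try:
        return bool(uuid.UUID(str(v)))
    except ValueError:
        return False

def lint_config(cfg):
    """Return findings for an already-parsed, merged configuration dict."""
    out = []
    gen_ids = cfg.get("global", {}).get("generate_ids", False)
    sec = {k: cfg.get(k, []) for k in "manifests metastores policies proxy_schemas".split()}
    for name, items in sec.items():
        for obj in items:
            tag = f"{name}/{obj.get('name')}"
            if "id" not in obj and not gen_ids:  # id is required unless generate_ids
                out.append(f"{tag}: missing id")
            elif "id" in obj and not _is_uuid(obj["id"]):
                out.append(f"{tag}: id is not a UUID")
            if name not in ("manifests", "metastores"):
                continue
            conn = obj.get("configuration", {})
            conn = conn.get("connection", conn)  # metastores nest the connection
            if conn.get("ssl", True) is False:   # ssl defaults to true
                out.append(f"{tag}: ssl disabled")
            creds = obj.get("credentials", {})
            if "password" in creds:
                out.append(f"{tag}: static password in file")
            vault = [k for k in ("vault_database", "vault_role") if k in obj or k in creds]
            if len(vault) == 1:
                out.append(f"{tag}: vault_database and vault_role go together")
            if name == "metastores" and vault and "credentials" in obj:
                out.append(f"{tag}: credentials and vault settings both set")
    # Cross references must resolve inside the merged configuration
    known = {n: {o.get("id") for o in sec[n]} for n in ("manifests", "metastores")}
    for s in sec["proxy_schemas"]:
        if s.get("manifest_id") not in known["manifests"]:
            out.append(f"proxy_schemas/{s.get('name')}: unknown manifest_id")
    for p in sec["policies"]:
        ref = p.get("configuration", {}).get("metastore_id")
        if p.get("handling") == "resolve_fields" and ref not in known["metastores"]:
            out.append(f"policies/{p.get('name')}: unknown metastore_id")
    return out

# Constructed sample (not from the page): no SSL, half a Vault pair, dangling schema
SAMPLE = {"manifests": [{"id": "11111111-1111-4111-8111-111111111111", "name": "orders",
                         "credentials": {"vault_role": "ro"}, "configuration": {"ssl": False}}],
          "proxy_schemas": [{"name": "users", "manifest_id": "missing", "fields": {}}]}
```

Run against the full example above, the same function reports `ssl disabled` and `static password in file` for both the manifest and the metastore, which is worth knowing before those files go into a Git repository.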