Skip to content

RHACS CVE Manager

Configuration

dadav/rhacs-manager

Configuration¶

Application configuration is environment-driven via backend/app/config.py (Pydantic Settings).

Database¶

Variable	Default	Description
`APP_DB_URL`	`""`	Optional full app DB URL; overrides component fields
`APP_DB_HOST`	`localhost`	App DB host
`APP_DB_PORT`	`5432`	App DB port
`APP_DB_USER`	`postgres`	App DB user
`APP_DB_PASSWORD`	`""`	App DB password
`APP_DB_NAME`	`rhacs_manager`	App DB name
`STACKROX_DB_URL`	`""`	Optional full StackRox DB URL; overrides component fields
`STACKROX_DB_HOST`	`localhost`	StackRox host
`STACKROX_DB_PORT`	`5432`	StackRox port
`STACKROX_DB_USER`	`postgres`	StackRox user
`STACKROX_DB_PASSWORD`	`""`	StackRox password
`STACKROX_DB_NAME`	`central_active`	StackRox DB name

APP_DB_URL and STACKROX_DB_URL are optional. If either is unset, the backend builds the effective URL from the corresponding split fields.

Authentication¶

Dev Mode¶

Variable	Default	Description
`DEV_MODE`	`true`	Enable local auth bypass
`DEV_USER_ID`	`dev-user-1`	Dev user ID
`DEV_USER_NAME`	`Dev User`	Dev display name
`DEV_USER_EMAIL`	`dev@example.com`	Dev email
`DEV_USER_ROLE`	`sec_team`	`sec_team` or `team_member`
`DEV_USER_NAMESPACES`	`""`	`ns1:cluster1,ns2:cluster2` or `*` for all namespaces
`DEV_NAMESPACE_EMAILS`	`""`	`ns1:cluster1=email@company.com,...` mapping for notifications

OIDC (Production)¶

Variable	Default	Description
`OIDC_ISSUER`	`""`	OIDC issuer URL
`OIDC_CLIENT_ID`	`""`	OIDC client ID

Spoke Proxy / Group Mapping¶

Variable	Default	Description
`SPOKE_API_KEYS`	`[]`	JSON list of accepted spoke keys
`SEC_TEAM_GROUP`	`rhacs-sec-team`	Group mapped to `sec_team`

Users can also receive wildcard namespace access from the spoke by setting X-Forwarded-Namespaces: *. This keeps the user in the team_member role while granting full namespace visibility, so sec-team-only actions stay restricted and CVSS/EPSS thresholds still apply.

Auth Header Injector (Spoke Sidecar)¶

The spoke auth-header-injector reads Kubernetes namespace annotations and forwards namespace scope/email metadata to the hub backend.

Variable	Default	Description
`CLUSTER_NAME`	required	Spoke cluster name appended in forwarded namespace pairs
`NAMESPACE_ANNOTATION`	`rhacs-manager.io/users`	Annotation key for comma-separated usernames
`GROUP_ANNOTATION`	`rhacs-manager.io/groups`	Annotation key for comma-separated groups
`EMAIL_ANNOTATION`	`rhacs-manager.io/escalation-email`	Annotation key for escalation email contact
`CACHE_TTL_SECONDS`	`300`	Namespace annotation cache refresh interval
`GROUP_CACHE_TTL_SECONDS`	`60`	OpenShift user-group cache TTL
`KUBE_API_URL`	`https://kubernetes.default.svc`	OpenShift/Kubernetes API base URL
`ALL_NAMESPACES_GROUPS`	`""`	Comma-separated OpenShift groups that should receive wildcard `*` namespace access

SMTP¶

Variable	Default	Description
`SMTP_HOST`	`localhost`	SMTP host
`SMTP_PORT`	`25`	SMTP port
`SMTP_FROM`	`rhacs-manager@example.com`	Sender
`SMTP_USER`	`""`	Username
`SMTP_PASSWORD`	`""`	Password
`SMTP_TLS`	`false`	Enable implicit TLS/SMTPS (typically port 465)
`SMTP_STARTTLS`	`true`	Enable STARTTLS upgrade (typically port 587)
`SMTP_VALIDATE_CERTS`	`true`	Validate SMTP TLS certificates

Application¶

Variable	Default	Description
`APP_BASE_URL`	`http://localhost:5173`	Base URL used in links and badge URLs
`BADGE_BASE_URL`	`""`	Public base URL prepended to badge SVG paths; empty means the API returns relative badge paths
`SECRET_KEY`	`dev-secret-key-change-in-production`	App signing key
`MANAGEMENT_EMAIL`	`""`	Recipient for weekly digest
`DEFAULT_ESCALATION_EMAIL`	`""`	Fallback escalation recipient for namespaces without explicit annotation

Runtime Settings (`/api/settings`)¶

Security team users manage runtime behavior via API/UI. Values are stored in global_settings.

Setting	Default	Description
`min_cvss_score`	`0.0`	Minimum CVSS threshold
`min_epss_score`	`0.0`	Minimum EPSS threshold
`escalation_rules`	Built-in defaults	Rule set for level escalation
`escalation_warning_days`	`3`	Lead time used for upcoming escalation warnings
`digest_day`	`0`	Weekly digest day (`0` = Monday)
`management_email`	`""`	Digest recipient (runtime override)

Default Escalation Rules¶

[
  {
    "severity_min": 3,
    "epss_threshold": 0.0,
    "days_to_level1": 14,
    "days_to_level2": 21,
    "days_to_level3": 30
  },
  {
    "severity_min": 4,
    "epss_threshold": 0.0,
    "days_to_level1": 7,
    "days_to_level2": 14,
    "days_to_level3": 21
  },
  {
    "severity_min": 2,
    "epss_threshold": 0.5,
    "days_to_level1": 14,
    "days_to_level2": 21,
    "days_to_level3": 30
  }
]