Configuration¶
Application configuration is environment-driven via backend/app/config.py (Pydantic Settings).
Database¶
| Variable | Default | Description |
|---|---|---|
APP_DB_URL |
"" |
Optional full app DB URL; overrides component fields |
APP_DB_HOST |
localhost |
App DB host |
APP_DB_PORT |
5432 |
App DB port |
APP_DB_USER |
postgres |
App DB user |
APP_DB_PASSWORD |
"" |
App DB password |
APP_DB_NAME |
rhacs_manager |
App DB name |
STACKROX_DB_URL |
"" |
Optional full StackRox DB URL; overrides component fields |
STACKROX_DB_HOST |
localhost |
StackRox host |
STACKROX_DB_PORT |
5432 |
StackRox port |
STACKROX_DB_USER |
postgres |
StackRox user |
STACKROX_DB_PASSWORD |
"" |
StackRox password |
STACKROX_DB_NAME |
central_active |
StackRox DB name |
APP_DB_URL and STACKROX_DB_URL are optional. If either is unset, the backend builds the effective URL from the corresponding split fields.
Authentication¶
Dev Mode¶
| Variable | Default | Description |
|---|---|---|
DEV_MODE |
true |
Enable local auth bypass |
DEV_USER_ID |
dev-user-1 |
Dev user ID |
DEV_USER_NAME |
Dev User |
Dev display name |
DEV_USER_EMAIL |
dev@example.com |
Dev email |
DEV_USER_ROLE |
sec_team |
sec_team or team_member |
DEV_USER_NAMESPACES |
"" |
ns1:cluster1,ns2:cluster2 or * for all namespaces |
DEV_NAMESPACE_EMAILS |
"" |
ns1:cluster1=email@company.com,... mapping for notifications |
OIDC (Production)¶
| Variable | Default | Description |
|---|---|---|
OIDC_ISSUER |
"" |
OIDC issuer URL |
OIDC_CLIENT_ID |
"" |
OIDC client ID |
Spoke Proxy / Group Mapping¶
| Variable | Default | Description |
|---|---|---|
SPOKE_API_KEYS |
[] |
JSON list of accepted spoke keys |
SEC_TEAM_GROUP |
rhacs-sec-team |
Group mapped to sec_team |
Users can also receive wildcard namespace access from the spoke by setting X-Forwarded-Namespaces: *. This keeps the user in the team_member role while granting full namespace visibility, so sec-team-only actions stay restricted and CVSS/EPSS thresholds still apply.
Auth Header Injector (Spoke Sidecar)¶
The spoke auth-header-injector reads Kubernetes namespace annotations and forwards namespace scope/email metadata to the hub backend.
| Variable | Default | Description |
|---|---|---|
CLUSTER_NAME |
required | Spoke cluster name appended in forwarded namespace pairs |
NAMESPACE_ANNOTATION |
rhacs-manager.io/users |
Annotation key for comma-separated usernames |
GROUP_ANNOTATION |
rhacs-manager.io/groups |
Annotation key for comma-separated groups |
EMAIL_ANNOTATION |
rhacs-manager.io/escalation-email |
Annotation key for escalation email contact |
CACHE_TTL_SECONDS |
300 |
Namespace annotation cache refresh interval |
GROUP_CACHE_TTL_SECONDS |
60 |
OpenShift user-group cache TTL |
KUBE_API_URL |
https://kubernetes.default.svc |
OpenShift/Kubernetes API base URL |
ALL_NAMESPACES_GROUPS |
"" |
Comma-separated OpenShift groups that should receive wildcard * namespace access |
SMTP¶
| Variable | Default | Description |
|---|---|---|
SMTP_HOST |
localhost |
SMTP host |
SMTP_PORT |
25 |
SMTP port |
SMTP_FROM |
rhacs-manager@example.com |
Sender |
SMTP_USER |
"" |
Username |
SMTP_PASSWORD |
"" |
Password |
SMTP_TLS |
false |
Enable implicit TLS/SMTPS (typically port 465) |
SMTP_STARTTLS |
true |
Enable STARTTLS upgrade (typically port 587) |
SMTP_VALIDATE_CERTS |
true |
Validate SMTP TLS certificates |
Application¶
| Variable | Default | Description |
|---|---|---|
APP_BASE_URL |
http://localhost:5173 |
Base URL used in links and badge URLs |
BADGE_BASE_URL |
"" |
Public base URL prepended to badge SVG paths; empty means the API returns relative badge paths |
SECRET_KEY |
dev-secret-key-change-in-production |
App signing key |
MANAGEMENT_EMAIL |
"" |
Recipient for weekly digest |
DEFAULT_ESCALATION_EMAIL |
"" |
Fallback escalation recipient for namespaces without explicit annotation |
SCHEDULER_ENABLED |
true |
Run the background job scheduler in this process. See Background Scheduler. |
Background Scheduler¶
SCHEDULER_ENABLED toggles the in-process APScheduler job runner. It is read once at startup:
true— the scheduler starts and an escalation check runs immediately on boot.false— no background jobs run; the process serves HTTP only and logsScheduler disabled (SCHEDULER_ENABLED=false).
The scheduled jobs (all times UTC):
| Job | Time | Purpose |
|---|---|---|
expiry_check |
01:00 | Mark approved risk acceptances as expired once past their expiry date |
weekly_digest |
07:00 | Send the management digest email (only on the configured digest_day) |
expiry_warning |
07:30 | Email risk-acceptance creators 7 days before expiry |
escalation_warning |
07:45 | Email namespace contacts before a CVE escalates (within escalation_warning_days) |
escalation_check |
08:00 | Create and clean up escalations and send escalation emails |
remediation_overdue_check |
08:30 | Notify owners of overdue remediations |
remediation_auto_resolve |
09:00 | Auto-resolve remediations when the CVE is no longer reported in the namespace |
Deployment: one worker, never the API¶
The Helm chart runs the backend image as two deployments split by this flag:
- The API/backend deployment sets
SCHEDULER_ENABLED=falseand only serves HTTP. It can be scaled to multiple replicas safely. - The worker deployment sets
SCHEDULER_ENABLED=trueand runs the jobs above.
Run the scheduler in exactly one process
The scheduler has no distributed locking. If more than one running process has SCHEDULER_ENABLED=true, every process fires the jobs independently, producing duplicate escalation emails, digests, and expiry notifications. Keep the worker at a single replica and leave SCHEDULER_ENABLED=false everywhere else.
If escalation, digest, expiry, or auto-resolution behavior is missing in a cluster, confirm the worker deployment is running, not just the backend. The config default of true exists only for the single-process local dev workflow (just dev).
Observability¶
| Variable | Default | Description |
|---|---|---|
METRICS_ENABLED |
true |
Expose unauthenticated Prometheus metrics at /metrics on the API port. See Monitoring & Metrics. |
Runtime Settings (/api/settings)¶
Security team users manage runtime behavior via API/UI. Values are stored in global_settings.
| Setting | Default | Description |
|---|---|---|
min_cvss_score |
0.0 |
Minimum CVSS threshold |
min_epss_score |
0.0 |
Minimum EPSS threshold |
escalation_rules |
Built-in defaults | Rule set for level escalation |
escalation_warning_days |
3 |
Lead time for the upcoming-escalation preview and pre-escalation warning emails |
digest_day |
0 |
Weekly digest day (0 = Monday) |
management_email |
"" |
Digest recipient (runtime override) |
Default Escalation Rules¶
[
{
"severity_min": 3,
"epss_threshold": 0.0,
"days_to_level1": 14,
"days_to_level2": 21,
"days_to_level3": 30
},
{
"severity_min": 4,
"epss_threshold": 0.0,
"days_to_level1": 7,
"days_to_level2": 14,
"days_to_level3": 21
},
{
"severity_min": 2,
"epss_threshold": 0.5,
"days_to_level1": 14,
"days_to_level2": 21,
"days_to_level3": 30
}
]