Configuration¶
Ampora is configured through standard ASP.NET Core configuration sources, in this order of precedence (later wins):
appsettings.jsonbaked into the image (defaults).appsettings.{Environment}.json(e.g.Production).- Environment variables with the
__separator (Authentication__Oidc__Authority). - Command-line arguments (rarely useful in container deployments).
Settings layer per key, not per file: defining OpAmp__HeartbeatWindowSeconds in an env var only overrides that key, the rest still come from the JSON files.
Where to put settings¶
| Setting kind | Where it goes |
|---|---|
| Non-secret (log levels, capability flags, OTLP endpoint) | ConfigMap (k8s) or ampora.env (binary) |
| Secret (DB password, OIDC secret, master key, peer secrets) | Secret + secret backend (External Secrets, sealed-secrets, SOPS, Vault) |
| Tenant-specific cosmetic (theme, login wall) | Tenant settings UI (stored in the database) |
| Lint and policy rules | Lint / Policy UI (stored in the database) |
A rule of thumb: anything that is not a secret and is not tenant-specific goes in source control. Anything secret goes in your secret manager. Anything tenant-specific goes in the database via the UI so it is auditable.
Pages in this section¶
| Page | What it covers |
|---|---|
| Settings reference | Every key, its default and what it does |
| Database & migrations | Postgres provisioning, migration strategy |
| OIDC authentication | Provider setup, claim mapping, role mapping |
| mTLS & PKI | The persisted CA, agent cert issuance, trust bundle |
| Bootstrap tokens | Token issuance, single-use semantics, pools |
| Dispatch backplane | InProcess vs Postgres LISTEN/NOTIFY vs Redis |
| Tenant theming | Per-tenant brand and login wall |
If you are looking for a specific environment variable, jump straight to Reference → Environment variables.