OCS Service Configuration
Introduction
The Infinite Scale OCS service (open collaboration services) serves mainly one purpose: it has an endpoint for signing keys which the web frontend accesses when uploading data.
Signing-Keys Endpoint
The ocs
service provides an endpoint /cloud/user/signing-key
which is accessed from the web frontend via GET to request a signing key used for uploads.
Signing-Keys Store
To authenticate presigned URLs, the proxy service needs to read the signing keys from a store that is populated by the ocs
service.
The following stores can be configured via the OCS_PRESIGNEDURL_SIGNING_KEYS_STORE
environment variable:
-
nats-js-kv
Stores data using key-value-store feature of nats jetstream. -
redis-sentinel
Stores data in a configured Redis Sentinel cluster.
|
Store specific notes:
-
When using
redis-sentinel
The Redis master to use is configured via e.g.OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES
in the form of<sentinel-host>:<sentinel-port>/<redis-master>
like10.10.0.200:26379/mymaster
. -
When using
nats-js-kv
It is recommended to setPROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES
to the same value asOCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES
. That way the proxy service uses the same nats instance as the ocs service. -
When using
ocisstoreservice
TheOCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES
must be set to the service namecom.owncloud.api.store
. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started.
Configuration
Environment Variables
The ocs
service is configured via the following environment variables. Read the Environment Variable Types documentation for important details. Column IV
shows with which release the environment variable has been introduced.
Name | IV | Type | Default Value | Description |
---|---|---|---|---|
|
pre5.0 |
bool |
false |
Activates tracing. |
|
pre5.0 |
string |
|
The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. |
|
pre5.0 |
string |
|
The endpoint of the tracing agent. |
|
pre5.0 |
string |
|
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
pre5.0 |
string |
|
The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. |
|
pre5.0 |
bool |
false |
Activates pretty log output. |
|
pre5.0 |
bool |
false |
Activates colorized log output. |
|
pre5.0 |
string |
|
The path to the log file. Activates logging to this file if set. |
|
pre5.0 |
string |
127.0.0.1:9114 |
Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
|
pre5.0 |
string |
|
Token to secure the metrics endpoint. |
|
pre5.0 |
bool |
false |
Enables pprof, which can be used for profiling. |
|
pre5.0 |
bool |
false |
Enables zpages, which can be used for collecting and viewing in-memory traces. |
|
pre5.0 |
string |
127.0.0.1:9110 |
The bind address of the HTTP service. |
|
pre5.0 |
string |
/ocs |
Subdirectory that serves as the root for this HTTP service. |
|
pre5.0 |
[]string |
[*] |
A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. |
|
pre5.0 |
[]string |
[GET POST PUT PATCH DELETE OPTIONS] |
A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. |
|
pre5.0 |
[]string |
[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control] |
A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. |
|
pre5.0 |
bool |
true |
Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
|
pre5.0 |
bool |
false |
Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. |
|
pre5.0 |
string |
|
Path/File name of the TLS server certificate (in PEM format) for the http services. |
|
pre5.0 |
string |
|
Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. |
|
5.0 |
string |
nats-js-kv |
The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details. |
|
5.0 |
[]string |
[127.0.0.1:9233] |
A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. |
|
5.0 |
Duration |
12h0m0s |
Default time to live for signing keys. See the Environment Variable Types description for more details. |
|
5.0 |
string |
|
The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. |
|
5.0 |
string |
|
The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. |
|
pre5.0 |
string |
|
The secret to mint and validate jwt tokens. |
YAML Example
-
Note the file shown below must be renamed and placed in the correct folder according to the Configuration File Naming conventions to be effective.
-
See the Notes for Environment Variables if you want to use environment variables in the yaml file.
# Autogenerated
# Filename: ocs-config-example.yaml
tracing:
enabled: false
type: ""
endpoint: ""
collector: ""
log:
level: ""
pretty: false
color: false
file: ""
debug:
addr: 127.0.0.1:9114
token: ""
pprof: false
zpages: false
http:
addr: 127.0.0.1:9110
root: /ocs
cors:
allow_origins:
- '*'
allow_methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
allow_headers:
- Authorization
- Origin
- Content-Type
- Accept
- X-Requested-With
- X-Request-Id
- Cache-Control
allow_credentials: true
tls:
enabled: false
cert: ""
key: ""
grpc_client_tls: null
signing_keys:
store: nats-js-kv
addresses:
- 127.0.0.1:9233
ttl: 12h0m0s
username: ""
password: ""
token_manager:
jwt_secret: ""