
Configuration

SARC’s configuration lives in four places:

  1. .envrc (or equivalent) — workstation + CI secrets (cloud creds, Kosli token, ServiceNow OAuth, GitHub/GitLab/ADO PATs)
  2. Helm values — cluster-side install knobs (chart at apps/karc-portal/)
  3. TenantConfig rows in the portal DB — per-tenant runtime config (set via the portal’s Settings pages)
  4. Per-tenant feature flags — JSON column on TenantConfig.aiFeatureFlags

The repo ships .envrc.example (gitignored; copy to .envrc and populate). Key variables:

# Cloud
export TARGET_CLOUD=aws # aws | azure | gcp | k3d
export AWS_REGION=eu-west-2
# Kosli
export KOSLI_API_TOKEN=<token>
export KOSLI_ORG=<org-name>
export KOSLI_HOST=https://app.kosli.com # or your on-prem host
# ServiceNow
export SERVICENOW_URL=https://<instance>.service-now.com
export SERVICENOW_USER=<user>
export SERVICENOW_PASSWORD=<password>
# Git providers (per CI)
export GITLAB_TOKEN=glpat-...
export GITHUB_TOKEN=ghp_...
export AZDO_PAT=<token>
export AZURE_DEVOPS_EXT_PAT=$AZDO_PAT # az devops CLI alias
# Portal admin (initial)
export PORTAL_ADMIN_EMAIL=admin@karc.local
export PORTAL_ADMIN_PASSWORD=<set-on-first-install>

These are pushed to GitLab CI/CD variables and mirrored to GitHub Secrets and ADO Variable Groups when those CIs are in scope.
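Before the variables are mirrored into CI, it is worth checking that every one the target cloud and the in-scope CIs need is actually populated and no longer holds an `<placeholder>` copied from .envrc.example. The preflight below is an added example, not part of the SARC repo: the variable names are the ones from the .envrc above, while the grouping into always-required, per-cloud and per-CI sets is an assumption made here for illustration, and the values in `SAMPLE_ENV` are constructed.

```python
"""Preflight check for the SARC .envrc variables (added example, not the
project's own tooling). Variable names are from .envrc.example; the
grouping into required sets is an assumption made for this illustration."""
from typing import List, Mapping

# Needed regardless of TARGET_CLOUD (assumed grouping).
ALWAYS_REQUIRED = [
    "TARGET_CLOUD", "KOSLI_API_TOKEN", "KOSLI_ORG", "KOSLI_HOST",
    "SERVICENOW_URL", "SERVICENOW_USER", "SERVICENOW_PASSWORD",
]
# Extra variables per TARGET_CLOUD value; only aws needs a region in this example.
PER_CLOUD = {"aws": ["AWS_REGION"], "azure": [], "gcp": [], "k3d": []}
# Token each CI provider needs when that CI is in scope.
PER_CI = {"gitlab": ["GITLAB_TOKEN"], "github": ["GITHUB_TOKEN"], "ado": ["AZDO_PAT"]}


def is_placeholder(value: str) -> bool:
    """True for values still in the .envrc.example form, e.g. "<token>"."""
    return value.startswith("<") and value.endswith(">")


def missing_vars(env: Mapping[str, str], cis_in_scope: List[str]) -> List[str]:
    """Return required variable names that are unset, empty, or still placeholders."""
    cloud = env.get("TARGET_CLOUD", "")
    if cloud not in PER_CLOUD:
        raise ValueError(f"TARGET_CLOUD must be one of {sorted(PER_CLOUD)}, got {cloud!r}")
    wanted = ALWAYS_REQUIRED + PER_CLOUD[cloud]
    for ci in cis_in_scope:
        wanted += PER_CI[ci]
    return [name for name in wanted if not env.get(name) or is_placeholder(env[name])]


def mask(value: str) -> str:
    """Show only a short prefix so a preflight log never carries a full secret."""
    return "*" * len(value) if len(value) <= 4 else value[:4] + "…"


def report(env: Mapping[str, str], cis_in_scope: List[str]) -> dict:
    """Map each required variable to its masked value or "<missing>" for display."""
    missing = set(missing_vars(env, cis_in_scope))
    names = ALWAYS_REQUIRED + PER_CLOUD[env["TARGET_CLOUD"]]
    for ci in cis_in_scope:
        names += PER_CI[ci]
    return {n: ("<missing>" if n in missing else mask(env[n])) for n in names}


# Constructed sample environment: one value unset, one still a placeholder.
SAMPLE_ENV = {
    "TARGET_CLOUD": "aws", "AWS_REGION": "eu-west-2",
    "KOSLI_API_TOKEN": "abc123xyz", "KOSLI_ORG": "example-org",
    "KOSLI_HOST": "https://app.kosli.com",
    "SERVICENOW_URL": "https://example.service-now.com", "SERVICENOW_USER": "svc",
    "SERVICENOW_PASSWORD": "<password>",   # never replaced after copying the example
    "GITLAB_TOKEN": "glpat-abcdef",        # GITHUB_TOKEN is absent entirely
}

if __name__ == "__main__":
    for name, shown in report(SAMPLE_ENV, ["gitlab", "github"]).items():
        print(f"{name:22} {shown}")
```

Run it with the real environment by passing `os.environ` instead of `SAMPLE_ENV`; a non-empty result from `missing_vars` is the signal to stop before `direnv allow` or before pushing variables to CI.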

Chart path: apps/karc-portal/ (in the repo). Values files, layered per cloud:

  • values.yaml — defaults
  • values-aws.yaml, values-azure.yaml, values-gcp.yaml, values-k3d.yaml — per-cloud
  • envs/<env>/image-tag.yaml — image bump per environment (managed by GitOps promote workflows; usually not edited by hand)

Key knobs:

| Value | Default | Notes |
| --- | --- | --- |
| replicaCount | 2 | Portal Deployment replicas |
| envVars.MCP_GITHUB_SERVER_URL | (unset) | Set on values-aws.yaml when mcp.github.enabled=true |
| mcp.github.enabled | false | Deploy the github-mcp-server sidecar |
| mcp.github.image.tag | v1.0.4 | Pinned; verify ghcr.io availability before bumping |
| networkPolicy.enabled | false | True in prod overlays |
| postgresql.enabled | true | False to use external RDS / Cloud SQL / Postgres Flexible |
| redis.enabled | true | False to use external ElastiCache / Azure Cache for Redis / Memorystore |

The full set lives in apps/karc-portal/values.yaml — read the comments in that file for every knob.
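Because the defaults are permissive (no NetworkPolicy, no MCP URL) and the per-cloud file only overrides what it names, it helps to lint the merged result rather than either file alone. The following is an added example, not tooling from the chart: it merges a defaults map with an overlay the way layered `-f` files merge in Helm and checks three invariants taken from the table above (NetworkPolicy on in prod, MCP server URL set whenever the sidecar is enabled, image tag pinned). The `DEFAULTS` and `AWS_PROD_OVERLAY` maps are constructed stand-ins for values.yaml and values-aws.yaml, and the sidecar URL in them is a made-up sample.

```python
"""Lint a merged Helm values map for the portal chart (added example, not the
chart's own tooling). Knob names come from the chart's values table; the
invariants and sample maps are assumptions made for this illustration."""
from typing import Any, Dict, List


def deep_merge(base: Dict[str, Any], overlay: Dict[str, Any]) -> Dict[str, Any]:
    """Later file wins, nested maps merge by key (like helm -f a.yaml -f b.yaml)."""
    out = dict(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = val
    return out


def lookup(values: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Read a dotted knob such as "mcp.github.image.tag"."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint_prod_values(values: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the overlay passes."""
    findings: List[str] = []
    if lookup(values, "networkPolicy.enabled") is not True:
        findings.append("networkPolicy.enabled must be true in prod overlays")
    if lookup(values, "mcp.github.enabled"):
        if not lookup(values, "envVars.MCP_GITHUB_SERVER_URL"):
            findings.append("envVars.MCP_GITHUB_SERVER_URL must be set when mcp.github.enabled=true")
        tag = str(lookup(values, "mcp.github.image.tag", ""))
        if tag in ("", "latest"):
            findings.append("mcp.github.image.tag must be a pinned version, not empty or 'latest'")
    return findings


# Constructed stand-in for apps/karc-portal/values.yaml (defaults from the table).
DEFAULTS: Dict[str, Any] = {
    "replicaCount": 2,
    "networkPolicy": {"enabled": False},
    "postgresql": {"enabled": True},
    "redis": {"enabled": True},
    "mcp": {"github": {"enabled": False, "image": {"tag": "v1.0.4"}}},
    "envVars": {},
}
# Constructed stand-in for a prod values-aws.yaml: external RDS/ElastiCache,
# NetworkPolicy on, MCP sidecar on with its URL set (sample URL is made up).
AWS_PROD_OVERLAY: Dict[str, Any] = {
    "networkPolicy": {"enabled": True},
    "postgresql": {"enabled": False},
    "redis": {"enabled": False},
    "mcp": {"github": {"enabled": True}},
    "envVars": {"MCP_GITHUB_SERVER_URL": "http://127.0.0.1:8080"},
}

if __name__ == "__main__":
    for label, vals in (("defaults", DEFAULTS), ("aws prod", deep_merge(DEFAULTS, AWS_PROD_OVERLAY))):
        print(label, lint_prod_values(vals) or "ok")
```

The merge keeps `mcp.github.image.tag` from the defaults even though the overlay only flips `mcp.github.enabled`, which is exactly why the pinned-tag check has to run on the merged map.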

TenantConfig rows are set via the portal’s /t/<tenant>/settings/* pages by an ADMIN user. All credential fields are encrypted at rest using the portal’s master key.

| Settings page | What it configures |
| --- | --- |
| /settings/gitlab | GitLab instance URL + PAT + project (for the pipelines feed) |
| /settings/github | GitHub OIDC / PAT + repo |
| /settings/azuredevops | Azure DevOps PAT + org + project |
| /settings/servicenow | ServiceNow instance URL + OAuth2 client + secret |
| /settings/kosli | Kosli API token + org + flow + host |
| /settings/argocd | Per-cluster ArgoCD URL + token (5 clusters: AWS, Azure, GCP, k3d, OpenShift) |
| /settings/tekton | Per-cluster Tekton host + ServiceAccount token (same 5 clusters) |
| /settings/wiz | Wiz OAuth2 client credentials |
| /settings/security-platforms | SonarQube, Snyk, GitGuardian aggregator |
| /settings/costs | AWS Cost Explorer / Azure Cost Management / GCP Billing / Kubecost endpoints |
| /settings/jenkins | Jenkins host + API token |
| /settings/openshift | OpenShift API URL + ServiceAccount bearer token (read-only observability) |
| /settings/ai | Multi-provider LLM config (Anthropic, Azure OpenAI, Bedrock, Vertex, on-prem) |
| /settings/agent-dispatch | AgentRecipeBinding rows per CI platform |
| /settings/mcp-oauth | Portal OAuth 2.1 against Okta / Azure AD / Google Workspace / Keycloak |
| /settings/api-tokens | Personal access tokens for the MCP server (external AI clients) |
| /settings/business-mapping | Map Kubernetes workloads to ServiceNow business services |
| /settings/tenant-scope | ServiceNow scoping mode (strict allowlist vs permissive) |
| /settings/calendar-sync | Microsoft 365 + Google Workspace calendar sync for change windows |
| /settings/notifications | Slack + MS Teams + email + webhook notification rules |
| /settings/auditors | AUDITOR magic-link invites |

The TenantConfig.aiFeatureFlags JSONB column holds per-feature toggles. Default: all enabled. Toggle via /t/<tenant>/settings/ai-control-tower (AI kill-switch matrix).

Currently-defined flag keys:

  • askai.vuln, askai.cr, askai.deploy, askai.trail, askai.problem
  • nl-search
  • mcp — read-only MCP server surface
  • mcp.gateway — MCP-Client Gateway (write path)
  • agent.vuln-auto-fix, agent.missing-scorecard-test, agent.missing-sbom, agent.broken-kosli-attestation, agent.right-sizing-apply, agent.problem-investigate-fix

Each cell carries: enabled, region (data-residency pin), guardrails, redactionVersion.

Additionally on TenantConfig:

  • agentDispatchEnabled (boolean) — per-tenant master switch for agent dispatch + MCP gateway
  • agentDispatchRateLimit (int, default 5/min) — per-tenant rate limit
  • changeWindowEnforcedEnvs (string[]) — envs where deploys are blocked during freeze windows
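The flag matrix and the TenantConfig switches combine into one gate an AI feature has to pass before it runs. The code below is an added example, not the portal’s own implementation: the flag keys, the cell fields (enabled, region, guardrails, redactionVersion), `agentDispatchEnabled`, `agentDispatchRateLimit` and `changeWindowEnforcedEnvs` are from this page, while the precedence (kill-switch, then region pin, then master switch and per-minute limit for agent.* and mcp.gateway only) and the `SAMPLE_TENANT` row are assumptions made for the illustration.

```python
"""Per-tenant AI feature gate (added example, not the portal's code). Field and
flag names are from the TenantConfig description; the precedence rules and the
sample tenant row are assumptions made for this illustration."""
import json
from collections import deque
from typing import Any, Deque, Dict, List


class FeatureDenied(Exception):
    """Raised with the reason a feature must not run for this tenant."""


class TenantGate:
    def __init__(self, tenant_config: Dict[str, Any]):
        raw = tenant_config.get("aiFeatureFlags") or {}
        # The column is JSONB, so it may arrive as a JSON string or an already-decoded dict.
        self.flags: Dict[str, Dict[str, Any]] = json.loads(raw) if isinstance(raw, str) else raw
        self.dispatch_enabled = bool(tenant_config.get("agentDispatchEnabled", False))
        self.rate_limit = int(tenant_config.get("agentDispatchRateLimit", 5))  # per minute
        self._dispatch_times: Deque[float] = deque()

    def cell(self, key: str) -> Dict[str, Any]:
        """Default is 'all enabled': a key absent from the matrix is enabled with no region pin."""
        return self.flags.get(key, {"enabled": True, "region": None})

    @staticmethod
    def needs_dispatch(key: str) -> bool:
        """Agent actions and the MCP write path are covered by the dispatch master switch."""
        return key.startswith("agent.") or key == "mcp.gateway"

    def check(self, key: str, request_region: str, now: float) -> Dict[str, Any]:
        cell = self.cell(key)
        if not cell.get("enabled", True):
            raise FeatureDenied(f"{key} disabled by tenant kill-switch")
        pin = cell.get("region")
        if pin and pin != request_region:
            raise FeatureDenied(f"{key} pinned to {pin}, request from {request_region}")
        if self.needs_dispatch(key):
            if not self.dispatch_enabled:
                raise FeatureDenied("agentDispatchEnabled is false for this tenant")
            self._consume_dispatch_slot(now)
        return cell  # caller applies cell['guardrails'] / cell['redactionVersion']

    def _consume_dispatch_slot(self, now: float) -> None:
        """Sliding one-minute window: at most rate_limit dispatches per 60 s."""
        while self._dispatch_times and now - self._dispatch_times[0] >= 60:
            self._dispatch_times.popleft()
        if len(self._dispatch_times) >= self.rate_limit:
            raise FeatureDenied(f"agentDispatchRateLimit ({self.rate_limit}/min) exceeded")
        self._dispatch_times.append(now)


def decide(gate: TenantGate, key: str, region: str, now: float) -> str:
    """Return 'allowed' or 'denied: <reason>' so callers can log the outcome."""
    try:
        gate.check(key, region, now)
        return "allowed"
    except FeatureDenied as exc:
        return f"denied: {exc}"


def deploy_blocked(tenant_config: Dict[str, Any], env: str, in_freeze_window: bool) -> bool:
    """A deploy is blocked only for envs listed in changeWindowEnforcedEnvs during a freeze."""
    enforced: List[str] = tenant_config.get("changeWindowEnforcedEnvs") or []
    return in_freeze_window and env in enforced


# Constructed TenantConfig row: one pinned feature, one agent switched off, a low rate limit.
SAMPLE_TENANT: Dict[str, Any] = {
    "agentDispatchEnabled": True,
    "agentDispatchRateLimit": 2,
    "changeWindowEnforcedEnvs": ["prod"],
    "aiFeatureFlags": json.dumps({
        "askai.vuln": {"enabled": True, "region": "eu-west-2", "guardrails": "default", "redactionVersion": 3},
        "agent.vuln-auto-fix": {"enabled": False, "region": "eu-west-2", "guardrails": "strict", "redactionVersion": 3},
    }),
}

if __name__ == "__main__":
    gate = TenantGate(SAMPLE_TENANT)
    for key, region, t in [("askai.vuln", "eu-west-2", 0), ("askai.vuln", "us-east-1", 0),
                           ("agent.vuln-auto-fix", "eu-west-2", 0), ("agent.missing-sbom", "eu-west-2", 0),
                           ("agent.missing-sbom", "eu-west-2", 1), ("agent.missing-sbom", "eu-west-2", 2)]:
        print(f"{key:22} {region:10} t={t:<3} {decide(gate, key, region, t)}")
```

Note that the read-only `mcp` surface is deliberately not behind `agentDispatchEnabled`, whereas `mcp.gateway` is, which matches the split between the read-only server and the write-path gateway in the flag list.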