Object Storage-backed Configuration and Token Store
An S3-compatible object storage service can host configuration and authentication records.
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
MANAGEMENT_PASSWORD | Yes | Password for the management web UI (required when remote management is enabled). | |
OBJECTSTORE_ENDPOINT | Yes | Object storage endpoint. Include http:// or https:// to force the protocol (omitted scheme → HTTPS). | |
OBJECTSTORE_BUCKET | Yes | Bucket that stores config/config.yaml and auths/*.json. | |
OBJECTSTORE_ACCESS_KEY | Yes | Access key ID for the object storage account. | |
OBJECTSTORE_SECRET_KEY | Yes | Secret key for the object storage account. | |
OBJECTSTORE_LOCAL_PATH | No | Current working directory | Root directory for the local mirror; the server writes to <value>/objectstore. If unset, defaults to current CWD. |
How it Works
- Startup: The endpoint is parsed (respecting any scheme prefix), a MinIO-compatible client is created in path-style mode, and the bucket is created when missing.
- Local Mirror: A writable cache at
<OBJECTSTORE_LOCAL_PATH or CWD>/objectstoremirrorsconfig/config.yamlandauths/. - Bootstrapping: When
config/config.yamlis absent in the bucket, the server copiesconfig.example.yaml, uploads it, and uses it as the initial configuration. - Sync: Changes to configuration or auth files are uploaded to the bucket, and remote updates are mirrored back to disk, keeping watchers and management APIs in sync.