Component Configuration Documentation
Each application must document its deployment and runtime expectations. This documentation acts as the single source of truth for:
- Kubernetes NetworkPolicies (ingress & egress)
- Environment variables and secrets
- Configuration files
Every component must have its own section and follow the structure defined below.
Required Structure Per Component
1. Component Name
The official component name as used in:
- Kubernetes workloads and services
- CI/CD pipelines
- Configuration and monitoring
2. Description
A concise description explaining:
- What the component does
- Its responsibility in the system
- High-level dependencies
3. Network Policy Configuration
This section defines all network access required by the component, including:
- Inbound (Ingress) traffic to the component
- Outbound (Egress) traffic from the component
- Databases, message brokers, and external systems
- Dependencies inside and outside the Kubernetes cluster
This section is the authoritative reference for Kubernetes NetworkPolicy definitions
Inbound (Ingress) Access
Defines which components are allowed to connect to this component.
| Source Component | Port |
|---|
Rules
- If the source component is not deployed inside Kubernetes, reference it by a clear name (e.g. PostgreSQL cluster, External API Gateway).
Outbound (Egress) Access
Defines which components this component connects to.
| Target Component | Port |
|---|
Rules
- All databases and external dependencies must be explicitly listed, External systems must be referenced by descriptive names along side the port of the application they need to access.
4. Environment Variables & Secrets
All environment variables used by the component must be documented, including secrets.
| Environment Variable | Example Value | Description |
|---|
Rules
- Example values must never contain real secrets.
- Optional variables must document default behavior.
5. Configuration File (If Applicable)
If the application supports or requires a configuration file:
- An example configuration file must be provided
- The example must include all supported configuration values
- The expected path of the configuration file must be documented.
- Each field must include clear inline comments explaining:
- What the value does
- Accepted values
- Default behavior (if applicable)
Secret values must never appear in configuration files.
If a configuration value can be provided via multiple sources (for example, an environment variable and a configuration file), this must be explicitly documented.
The documentation must specify:
- All supported sources
- Which source takes precedence
- Behavior when multiple sources are provided
| Setting | Environment Variable | Config File Path | Precedence |
|---|
Example Component Documentation
Component: auth-service
Description
The Authentication Service is responsible for user authentication, token issuance, and credential validation. It relies on PostgreSQL for persistent storage and Redis for caching and session management.
Network Policy Configuration
Inbound (Ingress)
| Source Component | Port |
|---|---|
| api-gateway | 8080 |
| internal-admin-ui | 8080 |
Outbound (Egress)
| Target Component | Port |
|---|---|
| PostgreSQL cluster | 5432 |
| Redis cluster | 6379 |
| external-identity-provider | 443 |
Environment Variables & Secrets
| Environment Variable | Example Value | Description |
|---|---|---|
| SERVICE_PORT | 8080 | Port the service listens on |
| DATABASE_HOST | postgres.prod.internal | PostgreSQL hostname |
| DATABASE_PORT | 5432 | PostgreSQL port |
| DATABASE_NAME | auth_db | Database name |
| DATABASE_USER | auth_user | Database username |
| DATABASE_PASSWORD | stored in secret | Database password (secret) |
| DATABASE_SSL | true | Enables TLS for database connections |
| REDIS_HOST | redis.prod.internal | Redis hostname |
| REDIS_PORT | 6379 | Redis port |
| JWT_SIGNING_KEY | stored in secret | JWT signing key |
| TOKEN_EXPIRY_MINUTES | 60 | Token validity duration |
| LOG_LEVEL | info | Logging level |
Configuration File Example
# Server configuration
server:
# Port the service listens on
port: 8080
# Database configuration
database:
# PostgreSQL hostname
host: postgres.prod.internal
# PostgreSQL port
port: 5432
# Enables TLS for database connections
ssl: true
# Redis configuration
redis:
# Redis hostname
host: redis.prod.internal
# Redis port
port: 6379
# Authentication settings
auth:
# Token expiry duration in minutes
tokenExpiryMinutes: 60
# Logging configuration
logging:
# Supported values: debug | info | warn | error
level: infoConfiguration Source Mapping & Precedence
| Setting | Environment Variable | Config File Path | Precedence |
|---|---|---|---|
| Service port | SERVICE_PORT | server.port | Environment variable |
| Database host | DATABASE_HOST | database.host | Environment variable |
| Database port | DATABASE_PORT | database.port | Environment variable |
| Database name | DATABASE_NAME | database.name | Environment variable |
| Database SSL | DATABASE_SSL | database.ssl | Environment variable |
| Redis host | REDIS_HOST | redis.host | Environment variable |
| Redis port | REDIS_PORT | redis.port | Environment variable |
| Token expiry | TOKEN_EXPIRY_MINUTES | auth.tokenExpiryMinutes | Environment variable |
| Log level | LOG_LEVEL | logging.level | Environment variable |