diff --git a/docs/_static/env-vars/activitylog.yaml b/docs/_static/env-vars/activitylog.yaml
index 4227cda1..62c1ba3c 100644
--- a/docs/_static/env-vars/activitylog.yaml
+++ b/docs/_static/env-vars/activitylog.yaml
@@ -20,10 +20,12 @@ store:
nodes:
- 127.0.0.1:9233
database: activitylog
- table: ""
ttl: 0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
reva_gateway: eu.opencloud.api.gateway
grpc_client_tls: null
http:
diff --git a/docs/_static/env-vars/activitylog_configvars.md b/docs/_static/env-vars/activitylog_configvars.md
index efc1a7d2..22d45b0b 100644
--- a/docs/_static/env-vars/activitylog_configvars.md
+++ b/docs/_static/env-vars/activitylog_configvars.md
@@ -17,10 +17,12 @@
|`OC_PERSISTENT_STORE`
`ACTIVITYLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`|
|`OC_PERSISTENT_STORE_NODES`
`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
|`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`activitylog`|
-|`ACTIVITYLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``|
|`OC_PERSISTENT_STORE_TTL`
`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`ACTIVITYLOG_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`ACTIVITYLOG_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false.`|``|
|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`|
|`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9195`|
|`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`|
diff --git a/docs/_static/env-vars/collaboration.yaml b/docs/_static/env-vars/collaboration.yaml
index bb26ea05..138e4658 100644
--- a/docs/_static/env-vars/collaboration.yaml
+++ b/docs/_static/env-vars/collaboration.yaml
@@ -24,6 +24,9 @@ store:
ttl: 30m0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
events:
endpoint: 127.0.0.1:9233
cluster: opencloud-cluster
diff --git a/docs/_static/env-vars/collaboration_configvars.md b/docs/_static/env-vars/collaboration_configvars.md
index 2dccd371..f8adb0c2 100644
--- a/docs/_static/env-vars/collaboration_configvars.md
+++ b/docs/_static/env-vars/collaboration_configvars.md
@@ -21,6 +21,9 @@
|`OC_PERSISTENT_STORE_TTL`
`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.`|`30m0s`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`COLLABORATION_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`COLLABORATION_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false.`|``|
|`OC_EVENTS_ENDPOINT`
`COLLABORATION_EVENTS_ENDPOINT`| next |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`|
|`OC_EVENTS_CLUSTER`
`COLLABORATION_EVENTS_CLUSTER`| next |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`COLLABORATION_EVENTS_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
diff --git a/docs/_static/env-vars/eventhistory.yaml b/docs/_static/env-vars/eventhistory.yaml
index aa3896ea..32797e2f 100644
--- a/docs/_static/env-vars/eventhistory.yaml
+++ b/docs/_static/env-vars/eventhistory.yaml
@@ -28,3 +28,6 @@ store:
ttl: 0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
diff --git a/docs/_static/env-vars/eventhistory_configvars.md b/docs/_static/env-vars/eventhistory_configvars.md
index 0361ed0d..c34fc641 100644
--- a/docs/_static/env-vars/eventhistory_configvars.md
+++ b/docs/_static/env-vars/eventhistory_configvars.md
@@ -22,3 +22,6 @@
|`OC_PERSISTENT_STORE_TTL`
`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`0s`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`EVENTHISTORY_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`EVENTHISTORY_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false.`|``|
diff --git a/docs/_static/env-vars/frontend.yaml b/docs/_static/env-vars/frontend.yaml
index ff3e3cdd..a2e0f001 100644
--- a/docs/_static/env-vars/frontend.yaml
+++ b/docs/_static/env-vars/frontend.yaml
@@ -99,6 +99,9 @@ ocs:
stat_cache_disable_persistence: false
stat_cache_auth_username: ""
stat_cache_auth_password: ""
+ stat_cache_enable_tls: false
+ stat_cache_tls_insecure: false
+ stat_cache_tls_root_ca_certificate: ""
enable_denials: false
list_ocm_shares: true
include_ocm_sharees: false
diff --git a/docs/_static/env-vars/frontend_configvars.md b/docs/_static/env-vars/frontend_configvars.md
index d2726c66..b031ff3d 100644
--- a/docs/_static/env-vars/frontend_configvars.md
+++ b/docs/_static/env-vars/frontend_configvars.md
@@ -1,5 +1,5 @@
-2026-06-15-00-10-35
+2026-06-18-00-20-35
## Deprecation Notice
@@ -75,6 +75,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``|
+|`OC_CACHE_ENABLE_TLS`
`FRONTEND_OCS_STAT_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`FRONTEND_OCS_STAT_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false.`|``|
|`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|`EXPERIMENTAL: enable the feature to deny access on folders.`|`false`|
|`OC_ENABLE_OCM`
`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|`Include OCM shares when listing shares. See the OCM service documentation for more details.`|`true`|
|`OC_ENABLE_OCM`
`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing sharees.`|`false`|
@@ -93,7 +96,8 @@
|`OCDAV_GATEWAY_REQUEST_TIME`
`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`|
|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`
`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``|
|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`
`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`|
-|`OCDAV_NAME_VALIDATION_INVALID_CHARS`
`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|``|
+|`OCDAV_NAME_VALIDATION_INVALID_CHARS`
`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|`[�
+ \]`|
|`OCDAV_NAME_VALIDATION_MAX_LENGTH`
`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| 6.0.0 |int|`Max length of file or folder names.`|`255`|
|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`|
|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`|
diff --git a/docs/_static/env-vars/gateway.yaml b/docs/_static/env-vars/gateway.yaml
index 410ed3ea..3a84ad19 100644
--- a/docs/_static/env-vars/gateway.yaml
+++ b/docs/_static/env-vars/gateway.yaml
@@ -33,6 +33,9 @@ cache:
provider_cache_disable_persistence: false
provider_cache_auth_username: ""
provider_cache_auth_password: ""
+ provider_cache_enable_tls: false
+ provider_cache_tls_insecure: false
+ provider_cache_tls_root_ca_certificate: ""
create_home_cache_store: memory
create_home_cache_nodes:
- 127.0.0.1:9233
@@ -41,6 +44,9 @@ cache:
create_home_cache_disable_persistence: false
create_home_cache_auth_username: ""
create_home_cache_auth_password: ""
+ create_home_cache_enable_tls: false
+ create_home_cache_tls_insecure: false
+ create_home_cache_tls_root_ca_certificate: ""
frontend_public_url: https://localhost:9200
users_endpoint: eu.opencloud.api.users
groups_endpoint: eu.opencloud.api.groups
diff --git a/docs/_static/env-vars/gateway_configvars.md b/docs/_static/env-vars/gateway_configvars.md
index 345bb713..1f2ba988 100644
--- a/docs/_static/env-vars/gateway_configvars.md
+++ b/docs/_static/env-vars/gateway_configvars.md
@@ -26,6 +26,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`GATEWAY_PROVIDER_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`GATEWAY_PROVIDER_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false.`|``|
|`OC_CACHE_STORE`
`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`|
|`OC_CACHE_STORE_NODES`
`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-createhome`|
@@ -33,6 +36,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false.`|``|
|`OC_URL`
`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`|
|`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.users`|
|`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|`The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.groups`|
diff --git a/docs/_static/env-vars/global_configvars.md b/docs/_static/env-vars/global_configvars.md
index 460cf7c4..7889bffd 100644
--- a/docs/_static/env-vars/global_configvars.md
+++ b/docs/_static/env-vars/global_configvars.md
@@ -9,8 +9,11 @@
| `OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to use for authentication. Only applies when using the 'nats-js-kv' store type. | |
| `OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | cache-stat |
| `OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false. | false |
+| `OC_CACHE_ENABLE_TLS` | next | bool | Enable TLS for the connection to file metadata cache. | false |
| `OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory |
| `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
+| `OC_CACHE_TLS_INSECURE` | next | bool | Whether to verify the server TLS certificates. | false |
+| `OC_CACHE_TLS_ROOT_CA_CERTIFICATE` | next | string | The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false. | |
| `OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 5m0s |
| `OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | false |
| `OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control] |
@@ -26,7 +29,7 @@
| `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false |
| `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | 127.0.0.1:9233 |
| `OC_EVENTS_TLS_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false |
-| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided. | |
+| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false. | |
| `OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. | 127.0.0.1:9142 |
| `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | |
| `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. | |
@@ -77,7 +80,7 @@
| `OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 |
| `OC_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web |
| `OC_OIDC_CLIENT_SCOPES` | 6.0.0 | []string | The OIDC client scopes the Android app should request. | [openid profile email offline_access] |
-| `OC_OIDC_ISSUER` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 |
+| `OC_OIDC_ISSUER` | 1.0.0 | string | The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider. | https://localhost:9200 |
| `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | 1.0.0 | string | Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details. | |
| `OC_PASSWORD_POLICY_DISABLED` | 1.0.0 | bool | Disable the password policy. Defaults to false if not set. | false |
| `OC_PASSWORD_POLICY_MIN_CHARACTERS` | 1.0.0 | int | Define the minimum password length. Defaults to 8 if not set. | 8 |
@@ -88,7 +91,10 @@
| `OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. | nats-js-kv |
| `OC_PERSISTENT_STORE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
| `OC_PERSISTENT_STORE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
+| `OC_PERSISTENT_STORE_ENABLE_TLS` | next | bool | Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured. | false |
| `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
+| `OC_PERSISTENT_STORE_TLS_INSECURE` | next | bool | Whether to verify the server TLS certificates. | false |
+| `OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE` | next | string | The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false. | |
| `OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 0s |
| `OC_REVA_GATEWAY` | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway |
| `OC_SERVICE_ACCOUNT_ID` | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
@@ -97,13 +103,13 @@
| `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false. | false |
| `OC_SHOW_USER_EMAIL_IN_RESULTS` | 1.0.0 | bool | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false |
| `OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. | 0 |
-| `OC_SYSTEM_USER_API_KEY` | 1.0.0 | string | API key for the STORAGE-SYSTEM system user. | |
-| `OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | |
+| `OC_SYSTEM_USER_API_KEY` | 4.0.0 | string | API key for the STORAGE-SYSTEM system user. | |
+| `OC_SYSTEM_USER_ID` | 4.0.0 | string | ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | |
| `OC_SYSTEM_USER_IDP` | 4.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal |
| `OC_TRANSFER_SECRET` | 1.0.0 | string | Transfer secret for signing file up- and download requests. | |
| `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | |
-| `OC_URL` | 1.0.0 | string | The public facing URL of the OpenCloud frontend. | https://localhost:9200 |
-| `OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false |
+| `OC_URL` | 1.0.0 | string | The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider. | https://localhost:9200 |
+| `OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable the chat functionality of the office app. | false |
| `SEARCH_EVENTS_ACK_WAIT` | 4.0.0 | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s |
| `SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 1000 |
| `STORAGE_GATEWAY_GRPC_ADDR` | 4.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system |
diff --git a/docs/_static/env-vars/graph.yaml b/docs/_static/env-vars/graph.yaml
index 163c4735..84569124 100644
--- a/docs/_static/env-vars/graph.yaml
+++ b/docs/_static/env-vars/graph.yaml
@@ -12,6 +12,9 @@ cache:
disable_persistence: false
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
debug:
addr: 127.0.0.1:9124
token: ""
@@ -158,3 +161,6 @@ store:
database: graph
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
diff --git a/docs/_static/env-vars/graph_configvars.md b/docs/_static/env-vars/graph_configvars.md
index bc1daaf9..b3228de0 100644
--- a/docs/_static/env-vars/graph_configvars.md
+++ b/docs/_static/env-vars/graph_configvars.md
@@ -11,6 +11,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`GRAPH_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`GRAPH_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false.`|``|
|`GRAPH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9124`|
|`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
|`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
@@ -114,3 +117,6 @@
|`GRAPH_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`graph`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`GRAPH_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`GRAPH_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`GRAPH_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`GRAPH_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false.`|``|
diff --git a/docs/_static/env-vars/notifications.yaml b/docs/_static/env-vars/notifications.yaml
index cc6a0c10..0c49b9ae 100644
--- a/docs/_static/env-vars/notifications.yaml
+++ b/docs/_static/env-vars/notifications.yaml
@@ -46,3 +46,6 @@ store:
ttl: 336h0m0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
diff --git a/docs/_static/env-vars/notifications_configvars.md b/docs/_static/env-vars/notifications_configvars.md
index ba8e6f06..3e8a1c13 100644
--- a/docs/_static/env-vars/notifications_configvars.md
+++ b/docs/_static/env-vars/notifications_configvars.md
@@ -38,3 +38,6 @@
|`OC_PERSISTENT_STORE_TTL`
`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|`Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`NOTIFICATIONS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`NOTIFICATIONS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false.`|``|
diff --git a/docs/_static/env-vars/ocs.yaml b/docs/_static/env-vars/ocs.yaml
index ef58a4b5..7bcc8690 100644
--- a/docs/_static/env-vars/ocs.yaml
+++ b/docs/_static/env-vars/ocs.yaml
@@ -41,5 +41,8 @@ signing_keys:
ttl: 24h0m0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
token_manager:
jwt_secret: ""
diff --git a/docs/_static/env-vars/ocs_configvars.md b/docs/_static/env-vars/ocs_configvars.md
index 2dc39ab4..b7f82885 100644
--- a/docs/_static/env-vars/ocs_configvars.md
+++ b/docs/_static/env-vars/ocs_configvars.md
@@ -21,4 +21,7 @@
|`OC_CACHE_TTL`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`24h0m0s`|
|`OC_CACHE_AUTH_USERNAME`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.`|``|
|`OC_JWT_SECRET`
`OCS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
diff --git a/docs/_static/env-vars/postprocessing.yaml b/docs/_static/env-vars/postprocessing.yaml
index 83de9136..74de6abe 100644
--- a/docs/_static/env-vars/postprocessing.yaml
+++ b/docs/_static/env-vars/postprocessing.yaml
@@ -16,6 +16,9 @@ store:
ttl: 168h0m0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
postprocessing:
events:
endpoint: 127.0.0.1:9233
diff --git a/docs/_static/env-vars/postprocessing_configvars.md b/docs/_static/env-vars/postprocessing_configvars.md
index 5e4ec8de..0a30165f 100644
--- a/docs/_static/env-vars/postprocessing_configvars.md
+++ b/docs/_static/env-vars/postprocessing_configvars.md
@@ -14,6 +14,9 @@
|`OC_PERSISTENT_STORE_TTL`
`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`168h0m0s`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`POSTPROCESSING_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`POSTPROCESSING_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false.`|``|
|`OC_EVENTS_ENDPOINT`
`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`|
|`OC_EVENTS_CLUSTER`
`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.`|`false`|
diff --git a/docs/_static/env-vars/proxy.yaml b/docs/_static/env-vars/proxy.yaml
index f809ec5b..afcf227b 100644
--- a/docs/_static/env-vars/proxy.yaml
+++ b/docs/_static/env-vars/proxy.yaml
@@ -181,6 +181,9 @@ oidc:
disable_persistence: false
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
jwks:
refresh_interval: 60
refresh_timeout: 10
@@ -220,6 +223,9 @@ pre_signed_url:
disable_persistence: true
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
account_backend: cs3
user_oidc_claim: preferred_username
user_cs3_claim: username
diff --git a/docs/_static/env-vars/proxy_configvars.md b/docs/_static/env-vars/proxy_configvars.md
index aac765c9..91ab670d 100644
--- a/docs/_static/env-vars/proxy_configvars.md
+++ b/docs/_static/env-vars/proxy_configvars.md
@@ -23,10 +23,13 @@
|`OC_CACHE_STORE_NODES`
`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-userinfo`|
|`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``|
-|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. This value is only applied when the token expiration cannot be extracted from the access tokens (e.g. when non-JWT access tokes are used). See the Environment Variable Types description for more details.`|`10s`|
+|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10s`|
|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false.`|``|
|`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|`The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.`|`60`|
|`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|`The timeout in seconds for an outgoing JWKS request.`|`10`|
|`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|`Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.`|`60`|
@@ -43,6 +46,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.`|`true`|
|`OC_CACHE_AUTH_USERNAME`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.`|``|
|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`|
|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`|
|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`|
diff --git a/docs/_static/env-vars/settings.yaml b/docs/_static/env-vars/settings.yaml
index 8eed1467..e53233d2 100644
--- a/docs/_static/env-vars/settings.yaml
+++ b/docs/_static/env-vars/settings.yaml
@@ -53,6 +53,9 @@ metadata_config:
disable_persistence: false
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
bundles_path: ""
admin_user_id: ""
token_manager:
diff --git a/docs/_static/env-vars/settings_configvars.md b/docs/_static/env-vars/settings_configvars.md
index d082fadc..b252dcb3 100644
--- a/docs/_static/env-vars/settings_configvars.md
+++ b/docs/_static/env-vars/settings_configvars.md
@@ -31,6 +31,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`SETTINGS_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`SETTINGS_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false.`|``|
|`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|`The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.`|``|
|`OC_ADMIN_USER_ID`
`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``|
|`OC_JWT_SECRET`
`SETTINGS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
diff --git a/docs/_static/env-vars/storage-system.yaml b/docs/_static/env-vars/storage-system.yaml
index e37b5e95..85052491 100644
--- a/docs/_static/env-vars/storage-system.yaml
+++ b/docs/_static/env-vars/storage-system.yaml
@@ -33,6 +33,9 @@ cache:
disable_persistence: false
auth_username: ""
auth_password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
driver: decomposed
drivers:
decomposed:
diff --git a/docs/_static/env-vars/storage-system_configvars.md b/docs/_static/env-vars/storage-system_configvars.md
index 7e24afc4..8ad08ebb 100644
--- a/docs/_static/env-vars/storage-system_configvars.md
+++ b/docs/_static/env-vars/storage-system_configvars.md
@@ -25,6 +25,9 @@
|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|`Username for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`Password for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`STORAGE_SYSTEM_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`STORAGE_SYSTEM_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false.`|``|
|`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|`The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. `|`decomposed`|
|`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|`Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/metadata`|
|`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`|
diff --git a/docs/_static/env-vars/storage-users.yaml b/docs/_static/env-vars/storage-users.yaml
index 9fafb297..b17172a6 100644
--- a/docs/_static/env-vars/storage-users.yaml
+++ b/docs/_static/env-vars/storage-users.yaml
@@ -170,14 +170,21 @@ filemetadata_cache:
disable_persistence: false
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
id_cache:
store: nats-js-kv
nodes:
- 127.0.0.1:9233
database: ids-storage-users
+ ttl: 0s
disable_persistence: false
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
mount_id: ""
expose_data_server: false
readonly: false
diff --git a/docs/_static/env-vars/storage-users_configvars.md b/docs/_static/env-vars/storage-users_configvars.md
index d22339bd..30c53136 100644
--- a/docs/_static/env-vars/storage-users_configvars.md
+++ b/docs/_static/env-vars/storage-users_configvars.md
@@ -1,5 +1,5 @@
-2026-06-15-00-10-35
+2026-06-18-00-20-35
## Deprecation Notice
@@ -123,17 +123,24 @@
|`OC_EVENTS_AUTH_PASSWORD`
`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``|
|`OC_CACHE_STORE`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`|
|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
-|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`|
+|`OC_CACHE_DATABASE`
`STORAGE_USERS_FILEMETADATA_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`|
|`OC_CACHE_TTL`
`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24h0m0s`|
|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false.`|``|
|`OC_CACHE_STORE`
`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`|
|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`ids-storage-users`|
+|`OC_CACHE_TTL`
`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.`|`0s`|
|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`
`STORAGE_USERS_ID_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`STORAGE_USERS_ID_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false.`|``|
|`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage.`|``|
|`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|`Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.`|`false`|
|`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`|
diff --git a/docs/_static/env-vars/userlog.yaml b/docs/_static/env-vars/userlog.yaml
index 8c6d40e2..756fa70d 100644
--- a/docs/_static/env-vars/userlog.yaml
+++ b/docs/_static/env-vars/userlog.yaml
@@ -51,6 +51,9 @@ persistence:
ttl: 336h0m0s
username: ""
password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
disable_sse: false
global_notifications_secret: ""
service_account:
diff --git a/docs/_static/env-vars/userlog_configvars.md b/docs/_static/env-vars/userlog_configvars.md
index 61fb334a..34ae372c 100644
--- a/docs/_static/env-vars/userlog_configvars.md
+++ b/docs/_static/env-vars/userlog_configvars.md
@@ -35,6 +35,9 @@
|`OC_PERSISTENT_STORE_TTL`
`USERLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`|
|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`
`USERLOG_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`USERLOG_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false.`|``|
|`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|`Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.`|`false`|
|`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|`The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`|``|
|`OC_SERVICE_ACCOUNT_ID`
`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``|
diff --git a/docs/_static/env-vars/web_configvars.md b/docs/_static/env-vars/web_configvars.md
index aa2af893..3844ac49 100644
--- a/docs/_static/env-vars/web_configvars.md
+++ b/docs/_static/env-vars/web_configvars.md
@@ -1,5 +1,5 @@
-2026-06-15-00-10-35
+2026-06-18-00-20-35
## Deprecation Notice
diff --git a/docs/_static/env-vars/webfinger_configvars.md b/docs/_static/env-vars/webfinger_configvars.md
index 3729492b..3f51e38e 100644
--- a/docs/_static/env-vars/webfinger_configvars.md
+++ b/docs/_static/env-vars/webfinger_configvars.md
@@ -24,7 +24,7 @@
|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`
`WEBFINGER_IOS_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`|
|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`|
-|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`
`WEBFINGER_WEB_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`|
-|`OC_OIDC_CLIENT_SCOPES`
`WEB_OIDC_SCOPE`
`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`|
+|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`
`WEBFINGER_WEB_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be removed in a future release.`|`web`|
+|`OC_OIDC_CLIENT_SCOPES`
`WEB_OIDC_SCOPE`
`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be removed in a future release.`|`[openid profile email]`|
|`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`|
|`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`|