Configuration precedence is as follows:

  1. Environment Variables
  2. Configuration File

Configuration File

The default way that Flipt is configured is with the use of a configuration file default.yml.

This file is read when Flipt starts up and configures several important properties for the server.

You can generate a default configuration file by running flipt config init. See the CLI documentation for more information.

The server will check in a few different locations for server configuration (in order):

  1. --config flag as an override
  2. {{ USER_CONFIG_DIR }}/flipt/config.yml (the USER_CONFIG_DIR value is based on your architecture and specified in the Go documentation)
  3. /etc/flipt/config/default.yml

We provide both a JSON schema and a Cue schema that you can use to validate your configuration file and its properties.

You can edit any of these properties to your liking, and on restart, Flipt will pick up the new changes.

Environment Substitution

The configuration file also supports environment variable substitution.

This allows you to use environment variables in your configuration file. For example, you can use the FLIPT_CUSTOM_AUTH_REQUIRED environment variable in the configuration file like this:

authentication:
  required: ${FLIPT_CUSTOM_AUTH_REQUIRED}

This will replace ${FLIPT_CUSTOM_AUTH_REQUIRED} with the value of the FLIPT_CUSTOM_AUTH_REQUIRED environment variable. The format for environment variable substitution is ${ENV_VAR}.

This can be used to provide sensitive information to Flipt without storing it in the configuration file. For example, you can use environment variables to store the database URL, API keys, or other sensitive information without having to conform to the pre-defined Flipt environment variable format.

Remote Configuration

Flipt supports fetching configuration from a remote source. This is useful for managing configuration across multiple instances of Flipt. The remote configuration source can be a URL to a configuration file stored in one of the following object storage services:

  • S3 (e.g.: s3://bucket-name/path/to/config.yml)
  • Azure Blob Storage (e.g.: azblob://container-name/path/to/config.yml)
  • Google Cloud Storage (e.g.: googlecloud://bucket-name/path/to/config.yml)

To load Flipt configuration from a remote source, pass the URL of the remote configuration file to the --config flag, in place of the path to a local config.yml, when starting the server.

flipt server --config s3://bucket-name/path/to/config.yml

For authenticating with the object storage service, you can use the following environment variables depending on the service:

  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  • AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_KEY or AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET
  • GOOGLE_APPLICATION_CREDENTIALS

Environment Variables

All options in the configuration file can be overridden with environment variables, using the syntax:

FLIPT_<SectionName>_<KeyName>

Environment variables MUST have FLIPT_ prefix and be in UPPER_SNAKE_CASE format.

Using environment variables to override defaults is especially helpful when running with Docker.

Keys should be uppercase and . should be replaced by _. For example, given these configuration settings:

server:
  grpc_port: 9000

You can override them using:

export FLIPT_SERVER_GRPC_PORT=9001

Multiple Values

Some configuration options can have a list of values. For example, the cors.allowed_origins option can have multiple origins.

In this case, you can use a space separated list of values for the environment variable override:

export FLIPT_CORS_ALLOWED_ORIGINS="http://localhost:3000 http://localhost:3001"
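
The precedence, substitution and override rules above decide which value the server actually runs with, so a review has to look at the file and the environment together. The Python below is an added example, not part of Flipt or its documentation: it resolves the effective settings and reports the ones a reviewer would question, including secrets written into the file instead of referenced as ${ENV_VAR}. Assumptions: DEFAULTS is a subset copied from the parameter tables on this page, EXPECTED is this example's own review baseline, an unset ${VAR} is treated as an empty string, FLIPT_* overrides are applied only to keys present in the defaults or the file, and all function names are hypothetical.

```python
import re

# Security-relevant defaults, copied from the parameter tables on this page.
DEFAULTS = {"server.protocol": "http", "authentication.required": False,
            "authentication.session.secure": False, "cors.enabled": False,
            "cors.allowed_origins": ["*"], "diagnostics.profiling.enabled": True}
# Values a reviewer would expect on an exposed instance (assumption of this example).
EXPECTED = {"server.protocol": "https", "authentication.required": True,
            "authentication.session.secure": True, "diagnostics.profiling.enabled": False}
SECRET = re.compile(r"(password|client_secret|access_token|credential|csrf\.key)$")
ENV_REF = re.compile(r"\$\{(\w+)\}")
INSECURE = ("insecure_skip_tls", "insecure_ignore_host_key")

def flatten(node, prefix=""):  # nested mapping, as parsed from config.yml, to {'a.b.c': value}
    out = {}
    for k, v in node.items():
        out.update(flatten(v, f"{prefix}{k}.") if isinstance(v, dict) else {prefix + k: v})
    return out

def env_name(key):
    return "FLIPT_" + key.replace(".", "_").upper()  # server.grpc_port -> FLIPT_SERVER_GRPC_PORT

def coerce(raw, like):  # give an environment string the type of the value it replaces
    if isinstance(raw, str) and isinstance(like, bool):
        return raw.strip().lower() == "true"
    if isinstance(raw, str) and isinstance(like, list):
        return raw.split()  # list overrides are space separated
    return raw

def effective(file_cfg, env):  # defaults, then file (${VAR} substituted), then FLIPT_* overrides
    cfg = dict(DEFAULTS)
    for key, val in flatten(file_cfg).items():
        if isinstance(val, str):  # assumption: an unset variable becomes ""
            val = ENV_REF.sub(lambda m: env.get(m.group(1), ""), val)
        cfg[key] = coerce(val, DEFAULTS.get(key))
    return {k: coerce(env.get(env_name(k), v), v) for k, v in cfg.items()}

def audit(file_cfg, env):  # findings on the effective config, plus literal secrets in the file
    cfg = effective(file_cfg, env)
    out = [f"{k}={cfg[k]!r}, expected {want!r}" for k, want in EXPECTED.items() if cfg[k] != want]
    if cfg["cors.enabled"] and "*" in cfg["cors.allowed_origins"]:
        out.append("cors.allowed_origins allows any origin")
    out += [f"{k}=true" for k, v in cfg.items() if k.endswith(INSECURE) and str(v).lower() == "true"]
    out += [f"{k} is a literal in the file" for k, v in flatten(file_cfg).items()
            if SECRET.search(k) and not ENV_REF.fullmatch(str(v))]
    return out

# Constructed sample: a parsed config.yml and the process environment.
SAMPLE_FILE = {"authentication": {"required": "${FLIPT_CUSTOM_AUTH_REQUIRED}",
                                  "session": {"csrf": {"key": "not-a-real-key"}}},
               "cors": {"enabled": True}, "storage": {"default": {"insecure_skip_tls": True}},
               "credentials": {"git": {"access_token": "${GIT_TOKEN}"}}}
SAMPLE_ENV = {"FLIPT_CUSTOM_AUTH_REQUIRED": "true", "FLIPT_SERVER_PROTOCOL": "https",
              "FLIPT_DIAGNOSTICS_PROFILING_ENABLED": "false", "GIT_TOKEN": "constructed"}
```

Calling audit(SAMPLE_FILE, SAMPLE_ENV) returns the list of findings; with an empty file and environment it reports the four defaults that differ from the baseline.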

Configuration Parameters

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| cors.enabled | Enable CORS support | false | v2.0.0 |
| cors.allowed_origins | Sets Access-Control-Allow-Origin header on server | "*" (all domains) | v2.0.0 |
| meta.check_for_updates | Enable check for newer versions of Flipt on startup | true | v2.0.0 |
| meta.telemetry_enabled | Enable anonymous telemetry data (see Telemetry) | true | v2.0.0 |
| meta.state_directory | Directory on the host to store local state | $HOME/.config/flipt | v2.0.0 |
| diagnostics.profiling.enabled | Enable profiling endpoints for pprof | true | v2.0.0 |

User Interface

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| ui.default_theme | Sets the default UI theme for users | system | v2.0.0 |

Server

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| server.protocol | http or https | http | v2.0.0 |
| server.host | The host address on which to serve the Flipt application | 0.0.0.0 | v2.0.0 |
| server.http_port | The HTTP port on which to serve the Flipt REST API and UI | 8080 | v2.0.0 |
| server.https_port | The HTTPS port on which to serve the Flipt REST API and UI | 443 | v2.0.0 |
| server.grpc_port | The port on which to serve the Flipt GRPC server | 9000 | v2.0.0 |
| server.grpc_conn_max_idle_time | Maximum amount of time a GRPC connection can be idle | unlimited | v2.0.0 |
| server.grpc_conn_max_age | Maximum amount of time a GRPC connection can live | unlimited | v2.0.0 |
| server.grpc_conn_max_age_grace | Maximum amount of time a GRPC connection can live for outstanding RPCs after exceeding grpc_conn_max_age | unlimited | v2.0.0 |
| server.cert_file | Path to the certificate file (if protocol is set to https) | | v2.0.0 |
| server.cert_key | Path to the certificate key file (if protocol is set to https) | | v2.0.0 |

Environments

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| environments.[id].name | The canonical name of the environment | default | v2.0.0 |
| environments.[id].default | Whether the environment is the default environment | false | v2.0.0 |
| environments.[id].storage | The id of the storage to use for the environment | | v2.0.0 |
| environments.[id].directory | The directory to use for the environment with the given storage | | v2.0.0 |

Storage

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| storage.[id].name | The canonical name of the storage instance | default | v2.0.0 |
| storage.[id].backend.type | The type of backend to use (options: memory, local) | memory | v2.0.0 |
| storage.[id].backend.path | The path to the local storage directory for git backend | temporary directory | v2.0.0 |
| storage.[id].remote | The remote URL to sync storage to/from | | v2.0.0 |
| storage.[id].branch | The branch to use for git backend | main | v2.0.0 |
| storage.[id].poll_interval | The interval to poll the git repository and ref for changes | 30s | v2.0.0 |
| storage.[id].ca_cert_bytes | The CA certificate bytes for the remote URL | | v2.0.0 |
| storage.[id].ca_cert_path | The CA certificate path for the remote URL | | v2.0.0 |
| storage.[id].insecure_skip_tls | Skip verifying the server’s certificate chain (avoid in production) | false | v2.0.0 |
| storage.[id].credentials | The id of the credentials to use for the remote URL | | v2.0.0 |
| storage.[id].signature.name | The name of the author to use from the commit signature | | v2.0.0 |
| storage.[id].signature.email | The email of the author to use from the commit signature | | v2.0.0 |

Credentials

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| credentials.[id].type | The type of credentials to use (options: basic, ssh, access_token) | basic | v2.0.0 |
| credentials.[id].basic.username | The username to use for basic authentication | | v2.0.0 |
| credentials.[id].basic.password | The password to use for basic authentication | | v2.0.0 |
| credentials.[id].ssh.user | The username to use for SSH authentication | git | v2.0.0 |
| credentials.[id].ssh.password | Password used to generate the SSH key pair | | v2.0.0 |
| credentials.[id].ssh.private_key_path | Path to private key on the filesystem | | v2.0.0 |
| credentials.[id].ssh.private_key_bytes | (Alternative) Raw private key bytes | | v2.0.0 |
| credentials.[id].ssh.insecure_ignore_host_key | Skip verifying the known hosts key (avoid in production) | false | v2.0.0 |
| credentials.[id].access_token | The token to use for authentication | | v2.0.0 |

Authentication

Authentication is configured slightly differently in v2 compared to v1. See the Authentication documentation for more details.

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.required | Enable or disable authentication validation on requests | false | v2.0.0 |
| authentication.exclude.evaluation | Exclude authentication for /evaluation/v1 API prefix | false | v2.0.0 |
| authentication.exclude.ofrep | Exclude authentication for /ofrep API prefix | false | v2.0.0 |

Authentication Session

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.session.domain | Public domain on which Flipt instance is hosted | | v2.0.0 |
| authentication.session.secure | Configures the Secure property on created session cookies | false | v2.0.0 |
| authentication.session.token_lifetime | Configures the lifetime of the session token (login duration) | 24h | v2.0.0 |
| authentication.session.state_lifetime | Configures the lifetime of state parameters during OAuth flow | 10m | v2.0.0 |
| authentication.session.csrf.key | Secret credential used to sign CSRF prevention tokens | | v2.0.0 |

Authentication Session Storage

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.session.storage.type | The type of storage to use for session storage (memory, redis) | memory | v2.0.0 |
| authentication.session.storage.cleanup.grace_period | The grace period for the cleanup of expired sessions | 30m | v2.0.0 |

Authentication Session Storage: Redis

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.session.storage.redis.host | Host to access the Redis database | localhost | v2.0.0 |
| authentication.session.storage.redis.port | Port to access the Redis database | 6379 | v2.0.0 |
| authentication.session.storage.redis.db | Redis database to use | 0 | v2.0.0 |
| authentication.session.storage.redis.username | Username to access the Redis database | | v2.0.0 |
| authentication.session.storage.redis.password | Password to access the Redis database | | v2.0.0 |
| authentication.session.storage.redis.require_tls | Require TLS to access the Redis database | false | v2.0.0 |
| authentication.session.storage.redis.pool_size | Max number of socket connections per CPU | 10 | v2.0.0 |
| authentication.session.storage.redis.min_idle_conn | Minimum number of idle connections in the pool | 0 | v2.0.0 |
| authentication.session.storage.redis.conn_max_idle_time | Maximum amount of time a connection can be idle | 30m | v2.0.0 |
| authentication.session.storage.redis.net_timeout | Network timeout for Redis connections | 0 | v2.0.0 |
| authentication.session.storage.redis.ca_cert_path | Path to custom certificate authority (CA) certificate | | v2.0.0 |
| authentication.session.storage.redis.ca_cert_bytes | (Alternative) Raw certificate authority (CA) certificate bytes | | v2.0.0 |
| authentication.session.storage.redis.insecure_skip_tls | Skip verifying the server’s certificate chain (avoid in production) | false | v2.0.0 |

Authentication Methods: Static Token

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.methods.token.enabled | Enable static token authentication | false | v2.0.0 |
| authentication.methods.token.tokens | List of static tokens to use for authentication | | v2.0.0 |
| authentication.methods.token.tokens.[token].credential | The credential to use for the token | | v2.0.0 |
| authentication.methods.token.tokens.[token].metadata | The metadata to use for the token | | v2.0.0 |

Authentication Methods: OIDC

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.methods.oidc.enabled | Enable OIDC authentication | false | v2.0.0 |
| authentication.methods.oidc.providers.[provider].issuer_url | Provider specific OIDC issuer URL (see your provider's docs) | | v2.0.0 |
| authentication.methods.oidc.providers.[provider].client_id | Provider specific OIDC client ID (see your provider's docs) | | v2.0.0 |
| authentication.methods.oidc.providers.[provider].client_secret | Provider specific OIDC client secret (see your provider's docs) | | v2.0.0 |
| authentication.methods.oidc.providers.[provider].redirect_address | Public URL on which this Flipt instance is reachable | | v2.0.0 |
| authentication.methods.oidc.providers.[provider].scopes | Scopes to request from the provider | | v2.0.0 |
| authentication.methods.oidc.providers.[provider].use_pkce | Option for enabling PKCE for OIDC authentication flow | false | v2.0.0 |
| authentication.methods.oidc.email_matches | List of email addresses (regex) of users allowed to authenticate | | v2.0.0 |

Authentication Methods: GitHub

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.methods.github.enabled | Enable GitHub authentication | false | v2.0.0 |
| authentication.methods.github.client_id | GitHub client ID | | v2.0.0 |
| authentication.methods.github.client_secret | GitHub client secret | | v2.0.0 |
| authentication.methods.github.redirect_address | Public URL on which this Flipt instance is reachable | | v2.0.0 |
| authentication.methods.github.scopes | Scopes to request from GitHub | | v2.0.0 |
| authentication.methods.github.allowed_organizations | List of GitHub organizations allowed to authenticate | | v2.0.0 |
| authentication.methods.github.allowed_teams | Map of GitHub organizations to teams that users must be members of | | v2.0.0 |
| authentication.methods.github.server_url | GitHub Server URL (to support GHES) | https://github.com | v2.0.0 |
| authentication.methods.github.api_url | GitHub API URL (to support GHES) | https://api.github.com | v2.0.0 |

Authentication Methods: Kubernetes

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.methods.kubernetes.enabled | Enable Kubernetes service account token authentication | false | v2.0.0 |
| authentication.methods.kubernetes.discovery_url | Kubernetes API server URL for OIDC configuration discovery | https://kubernetes.default.svc.cluster.local | v2.0.0 |
| authentication.methods.kubernetes.ca_path | Kubernetes API CA certification path | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | v2.0.0 |
| authentication.methods.kubernetes.service_account_token_path | Path to Flipt service account token | /var/run/secrets/kubernetes.io/serviceaccount/token | v2.0.0 |

Authentication Methods: JWT

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authentication.methods.jwt.enabled | Enable JWT authentication | false | v2.0.0 |
| authentication.methods.jwt.jwks_url | URL to retrieve JWKS for JWT validation | | v2.0.0 |
| authentication.methods.jwt.public_key_file | Path to public key file for JWT validation | | v2.0.0 |
| authentication.methods.jwt.validate_claims.issuer | The issuer claim to validate on JWT tokens | | v2.0.0 |
| authentication.methods.jwt.validate_claims.audiences | The audience claim (list) to validate on JWT tokens | | v2.0.0 |
| authentication.methods.jwt.validate_claims.subject | The subject claim to validate on JWT tokens | | v2.0.0 |

Authorization

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authorization.required | Enable or disable authorization validation on requests | false | v2.0.0 |

Authorization Backend: Local

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| authorization.local.policy.path | Path to the local policy file | | v2.0.0 |
| authorization.local.policy.poll_interval | Interval to poll the policy file for changes | 5m | v2.0.0 |
| authorization.local.data.path | Path to the local data file | | v2.0.0 |
| authorization.local.data.poll_interval | Interval to poll the data file for changes | 30s | v2.0.0 |

Analytics

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| analytics.buffer.flush_period | Duration to wait before sending events to sinks | 10s | v2.0.0 |

Analytics: Clickhouse

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| analytics.storage.clickhouse.enabled | Enable Clickhouse support | false | v2.0.0 |
| analytics.storage.clickhouse.url | URL to connect to clickhouse server | | v2.0.0 |

Analytics: Prometheus

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| analytics.storage.prometheus.enabled | Enable Prometheus support | false | v2.0.0 |
| analytics.storage.prometheus.url | URL to connect to prometheus server | | v2.0.0 |
| analytics.storage.prometheus.headers | Additional headers to send with Prometheus requests (map[string]string) | | v2.0.0 |

Logging

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| log.level | Level at which messages are logged (debug, info, warn, error, fatal, panic) | info | v2.0.0 |
| log.grpc_level | Level at which gRPC messages are logged (debug, info, warn, error, fatal, panic) | error | v2.0.0 |
| log.file | File to log to instead of STDOUT | | v2.0.0 |
| log.encoding | Encoding to use for logging (json, console) | console | v2.0.0 |
| log.keys.time | Structured logging key used when outputting log timestamp | T | v2.0.0 |
| log.keys.level | Structured logging key used when outputting log level | L | v2.0.0 |
| log.keys.message | Structured logging key used when outputting log message | M | v2.0.0 |

Logging: OTLP

Flipt v2 supports the new OpenTelemetry OTLP logging specification. To enable OTLP logging, set the OTLP_LOGS_EXPORTER environment variable:

export OTLP_LOGS_EXPORTER=otlp

OpenTelemetry logging is in addition to the existing logging configuration. It does not replace the ability to log to a file or stdout/stderr.

OpenTelemetry OTLP logging is configured via the default OpenTelemetry Environment Variables. See the OpenTelemetry Environment Variables documentation for more details.

For example, to configure the OTLP logging endpoint, you can set the OTEL_EXPORTER_OTLP_LOGS_ENDPOINT environment variable.

export OTEL_EXPORTER_OTLP_LOGS_ENDPOINT=http://localhost:4317

Metrics

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| metrics.enabled | Enable metrics support | true | v2.0.0 |
| metrics.exporter | The exporter to use (prometheus, otlp) | prometheus | v2.0.0 |

Metrics: OTLP

OpenTelemetry OTLP metrics are configured via the default OpenTelemetry Environment Variables. See the OpenTelemetry Environment Variables documentation for more details.

For example, to configure the OTLP metrics endpoint, you can set the OTEL_EXPORTER_OTLP_METRICS_ENDPOINT environment variable.

export OTEL_EXPORTER_OTLP_METRICS_ENDPOINT=http://localhost:4317

To configure the OTLP headers, you can set the OTEL_EXPORTER_OTLP_METRICS_HEADERS environment variable.

export OTEL_EXPORTER_OTLP_METRICS_HEADERS="Authorization=Bearer <token>"

Tracing

| Property | Description | Default | Since |
| --- | --- | --- | --- |
| tracing.enabled | Enable tracing support | false | v2.0.0 |

The only supported tracing backend is OTLP.

Tracing: OTLP

OpenTelemetry OTLP tracing is configured via the default OpenTelemetry Environment Variables. See the OpenTelemetry Environment Variables documentation for more details.

For example, to configure the OTLP tracing endpoint, you can set the OTEL_EXPORTER_OTLP_TRACES_ENDPOINT environment variable.

export OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4317

To configure the OTLP headers, you can set the OTEL_EXPORTER_OTLP_TRACES_HEADERS environment variable.

export OTEL_EXPORTER_OTLP_TRACES_HEADERS="Authorization=Bearer <token>"

Deprecations

From time to time configuration options will need to be deprecated and eventually removed. Deprecated configuration options will be removed after ~6 months from the time they were deprecated.

All deprecated configuration options will be removed from the documentation; however, they will still work as expected until they’re removed. A warning will be logged in the Flipt logs when a deprecated configuration option is used.

All deprecated options are listed in the DEPRECATIONS file in the Flipt repository as well as the CHANGELOG.