This guide covers configuration for the three internal Tenzir services: the Tenzir UI, Tenzir Gateway, and Platform API. These are the core platform services provided by Tenzir that require internal configuration.
The platform runs as a set of containers in a Docker Compose stack. Our example files read configuration parameters from environment variables.
Create a file named .env in the same directory as your docker-compose.yaml
file and set the environment variables described below.
Admin Rules
Section titled “Admin Rules”The platform distinguishes between regular and admin users. Admin users can create new workspaces and view, edit, and delete all existing workspaces.
Currently, only admins can create shared workspaces by creating a new workspace and editing the access rules.
Configure admins by providing a list of authentication rules. The platform
considers any user matching the provided rules an admin and allows them to use
the tenzir-platform admin CLI commands.
Use the tenzir-platform tools print-auth-rule CLI command to generate valid
rules for insertion here.
# Make everybody an admin.# Use for deployments with few users who fully trust each other.TENZIR_PLATFORM_ADMIN_RULES=[{"auth_fn":"auth_allow_all"}]
# Make the two users with IDs `google-oauth2:12345678901` and# `google-oauth2:12345678902` admins of this platform instance.TENZIR_PLATFORM_ADMIN_RULES=[{"auth_fn":"auth_user","user_id":"google-oauth2:12345678901"}, {"auth_fn":"auth_user","user_id":"google-oauth2:12345678902"}]Random Seeds
Section titled “Random Seeds”The platform requires random strings for encryption functions. Generate these from a secure random number generator and use unique values for each platform instance.
# Random string to encrypt frontend cookies.# Generate with `openssl rand -hex 32`.TENZIR_PLATFORM_INTERNAL_AUTH_SECRET=
# Random string to generate user keys.# Generate with `openssl rand 32 | base64`.TENZIR_PLATFORM_INTERNAL_TENANT_TOKEN_ENCRYPTION_KEY=
# Random string for the app to access restricted API endpoints.# Generate with `openssl rand -hex 32`.TENZIR_PLATFORM_INTERNAL_APP_API_KEY=Internal Proxy
Section titled “Internal Proxy”By default, the Tenzir UI sends requests directly from the browser to the Tenzir Gateway to query connected node status. This can cause problems in some network topologies, particularly in zero-trust networks where accessing the Tenzir Gateway requires additional authentication headers.
Enable the internal proxy to route these requests through the Tenzir UI Backend instead, making all requests from the Tenzir UI Frontend go to the same domain. This approach adds some latency through an additional proxy hop.
TENZIR_PLATFORM_USE_INTERNAL_WS_PROXY=true