Environment variables
The runtime environment each telark service reads at startup.
telark reads its runtime configuration from environment variables. Each service exposes a small, opinionated surface — anything you do not set falls back to a sensible default. This page lists the variables that have first-class effect on behaviour.
Helm values that map to these variables are documented in the Reference → Helm values reference once the public install path lands.
discovery-service
Discovery is the heaviest service and exposes the most knobs.
| Variable | Default | Effect |
|---|---|---|
PROTECTION_PLAN_TICK_INTERVAL_SEC | 31 | Interval at which the protection-plan controller scans, transitions phases, and runs health for active plans. Lower = faster reconciliation, more API hits. |
ROLLBACK_INFORMER_RESYNC | implementation default | How often the rollback controller's dynamic informer resyncs. |
INFORMER_RESYNC_JITTER_FRACTION | implementation default | Jitter applied to informer resync to avoid thundering herds. |
DISCOVERY_REDIS_ADDR | required | Redis address for application coalescing, leader election, and consumer groups. |
DISCOVERY_REDIS_PASSWORD | empty | Redis auth when required. |
DISCOVERY_LEADER_LOCK_TTL | implementation default | Leader election lock TTL. |
EXPORTER_BASE_URL | required | HTTP base for the exporter service. Discovery posts plan / snapshot / notification calls here. |
NATS_URL | optional | NATS endpoint for telark.applications.update event publishing. If unset, events are dropped silently. |
LOG_LEVEL | info | debug, info, warn, error. |
The protection-plan tick is the variable most operators reach for. Lower it during testing; leave it at the default in production unless you have a specific reason.
exporter-service
Exporter owns CRD persistence + the snapshot PVC + the notifications Redis store.
| Variable | Default | Effect |
|---|---|---|
EXPORTER_LISTEN_ADDR | :8080 | HTTP bind address. |
EXPORTER_REDIS_ADDR | required | Redis for notifications + caches. |
EXPORTER_REDIS_PASSWORD | empty | Redis auth. |
SNAPSHOT_PVC_PATH | required | Mount path for the snapshot PVC. Snapshots are addressed by {scope, namespace, generation, id} under this root. |
KUBE_CONFIG_PATH | in-cluster | Override for out-of-cluster development. |
LOG_LEVEL | info | Logging verbosity. |
The exporter's concurrency package serialises writes per-resource
in-process. Multi-replica exporter is supported; cross-replica
serialisation goes through the CRD's resource version + retry.
auth-service
Auth handles passkey + OIDC + sessions + permissions.
| Variable | Default | Effect |
|---|---|---|
AUTH_LISTEN_ADDR | :8080 | HTTP bind. |
AUTH_REDIS_ADDR | required | Redis for session cache + cleanup queue. |
AUTH_REDIS_PASSWORD | empty | Redis auth. |
WEBAUTHN_RP_DISPLAY_NAME | telark | Display name for WebAuthn challenges. |
WEBAUTHN_RP_ID | required | Relying-party ID — must match the dashboard's effective domain. |
WEBAUTHN_RP_ORIGINS | required | Comma-separated list of allowed origins. |
SESSION_TTL_HOURS | 24 | Default session lifetime. |
SESSION_CLEANUP_INTERVAL_SEC | implementation default | How often the cleanup controller runs. |
BOOTSTRAP_ADMIN_EMAIL | empty | First user with this email on login is granted the Admin role. Ignored after bootstrap. |
OIDC_GOOGLE_CLIENT_ID | empty | When set + oidc.enabled=true in GlobalConfig, exposes the Google sign-in flow. |
OIDC_GOOGLE_CLIENT_SECRET | empty | Required when Google OIDC is enabled. |
OIDC_GOOGLE_REDIRECT_URL | required when OIDC enabled | Must match the configured callback URL in Google Cloud. |
EXPORTER_BASE_URL | required | Auth talks to the exporter for User / Passkey / Session persistence. |
LOG_LEVEL | info | Logging verbosity. |
WEBAUTHN_RP_ID and WEBAUTHN_RP_ORIGINS are the two variables
that will trip you up — get them wrong and passkey enrolment
fails with cryptic browser errors. Set them to the public domain
of the dashboard, not the internal service address.
Notes
- telark never reads secrets from environment variables that
contain personally identifiable information. Anything sensitive
(
*_PASSWORD,OIDC_GOOGLE_CLIENT_SECRET) should be mounted from a Kubernetes Secret via Helm. - Cluster-level knobs (excluded namespaces, AI enrichment, OIDC
toggle, snapshot retention) live on the
GlobalConfigCRD, not in environment variables. See Reference → CRD reference — GlobalConfig.