config.yaml

---
version: v1alpha1
debug: false

# Logging configuration
logging:
  # Output format to use: [text|json]
  format: text
  # If set to true, the log events will contain the source code position of the
  # log statements.
  add_source: false
  # Log level: [info|warn|error|debug]
  level: info

  # An optional key/value map of attributes to add to each log event
  # attributes:
  #   landscape: dev

# Redis/Valkey settings
redis:
  endpoint: valkey:6379

# Database settings
database:
  dsn: "postgresql://inventory:p4ssw0rd@postgres:5432/inventory?sslmode=disable"
  migration_dir: ./internal/pkg/migrations

# Vault settings.
#
# Some datasources such as OpenStack may be configured from Vault
# secrets. Please refer to the respective datasource configuration (e.g. GCP,
# Azure, AWS, etc.) for more details whether named credentials may be configured
# using secrets from Vault.
#
# When `vault.is_enabled' is set to true, then Inventory will create Vault API
# clients to the specified Vault servers, which can later be used to construct
# other datasource API clients from Vault secrets (e.g. OpenStack credentials)
# or the Vault API clients may be used during task execution.
vault:
  is_enabled: false

  # The Vault servers for which API clients will be created.
  servers:
    # Dev Vault server example
    vault-dev:
      # Endpoint of the Vault server
      endpoint: http://localhost:8200/

      # Optional TLS settings
      # tls:
      #   ca_cert: /path/to/ca.crt
      #   ca_cert_bytes: "PEM-encoded CA bundle"
      #   ca_path: /path/to/ca/cert/files
      #   client_cert: /path/to/client.crt
      #   client_key: /path/to/client.key
      #   tls_server_name: SNI-host
      #   insecure: false

      # The supported Auth Methods are `token' and `jwt'.
      auth_method: token

      # Auth settings when using `token' auth method.
      token_auth:
        token_path: /path/to/my/token

    # Production Vault server example
    # vault-prod:
    #   # Endpoint of the Vault server
    #   endpoint: https://vault.example.org:8200/

    #   # Vault namespace
    #   namespace: my-vault-namespace

    #   # Optional TLS settings
    #   # tls:
    #   #   ca_cert: /path/to/ca.crt
    #   #   ca_cert_bytes: "PEM-encoded CA bundle"
    #   #   ca_path: /path/to/ca/cert/files
    #   #   client_cert: /path/to/client.crt
    #   #   client_key: /path/to/client.key
    #   #   tls_server_name: SNI-host
    #   #   insecure: false

    #   # Example of `jwt' Auth Method
    #   auth_method: jwt

    #   # Auth settings when using `jwt' auth method.
    #   jwt_auth:
    #     # Mount path of the JWT Auth Method
    #     mount_path: my-jwt-am-mount-path
    #     # Role name to use
    #     role_name: my-role-name
    #     # Path to a JWT token to use for logging into Vault
    #     token_path: /path/to/my/jwt/token
    #     # Name of env var from which to read the JWT token when logging into
    #     # Vault. JWT token from env var takes precedence over a JWT provided
    #     # from path.
    #     # token_env: MY_JWT_TOKEN

# Worker settings
worker:
  # Metrics settings
  metrics:
    path: /metrics
    address: ":6080"

  # Concurrency level
  concurrency: 100

  # Priority queue configuration.
  #
  # Check the following documentation for more details about how priority queues
  # work.
  # See https://github.com/hibiken/asynq/wiki/Queue-Priority
  queues:
    default: 1

  # Strict priority specifies whether queue priority is treated strictly.
  #
  # When set to true tasks from queues with higher priority are always processed
  # first, and tasks from queues with lower priority are processed only after
  # higher priority queues are empty.
  strict_priority: false

# Dashboard settings
dashboard:
  address: ":8080"
  read_only: false
  prometheus_endpoint: http://prometheus:9090/

# Azure specific configuration
azure:
  # Setting `is_enabled' to false would not create any Azure clients, and as a
  # result Inventory will not process any of the Azure collection tasks.
  is_enabled: true

  # This section provides configuration specific to each Azure service and which
  # named credentials to be used when creating API clients for the respective
  # service. Inventory supports specifying multiple named credentials per
  # service, which means that collection will happen against each configured
  # named credential.
  #
  # For instance, if `compute' service specifies named credentials `foo' and
  # `bar', then Inventory will connect and collect Compute resources from the
  # Subscriptions and Resource Groups, for which `foo' and `bar' credentials
  # have access to.
  services:
    # Resource Manager API clients collect Subscriptions and Resource Groups.
    resource_manager:
      use_credentials:
        - foo
        - bar

    # Compute service API clients collect Virtual Machines.
    compute:
      use_credentials:
        - foo
        - bar

    # Network service API clients collect Public IP Addresses and LBs.
    network:
      use_credentials:
        - foo

    # Storage service API clients collect Storage Accounts and Blob containers
    storage:
      use_credentials:
        - foo

    # Graph API clients. Used for collecting Microsoft Entra user accounts.
    graph:
      use_credentials:
        - foo

  # The `credentials' section provides named credentials, which are used by the
  # various Azure services. The currently supported authentication mechanisms
  # are `default' and `workload_identity'.
  #
  # When using `default' as the authentication mechanism the API clients will be
  # initialized using the `DefaultAzureCredential' chain of credential providers [1].
  #
  # When using `workload_identity' the API clients will be configured to
  # authenticate using Workload Identity Federation [2]. For more details,
  # please refer to the docs/oidc-azure.md document.
  #
  # [1]: https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication-overview
  # [2]: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
  credentials:
    foo:
      # Set to `default' for `DefaultAzureCredential` chain of providers
      authentication: default

    bar:
      # With `workload_identity' authentication the API client will be
      # configured to authenticate using Workload Identity Federation.
      authentication: workload_identity
      workload_identity:
        client_id: my-registered-app-uuid
        tenant_id: my-tenant-uuid
        token_file: /path/to/my-jwt-token.txt

# GCP specific configuration
gcp:
  # Setting `is_enabled' to false would not create API clients for GCP, and as a
  # result Inventory will not process any of the GCP collection tasks.
  is_enabled: true

  # User-Agent to set for the API clients
  user_agent: gardener-inventory/0.1.0

  # GCP Soil cluster settings. The soil cluster is a GKE cluster from which
  # Inventory will collect data as well. In order to discover the GKE cluster
  # control plane endpoint and CA root of trust make sure to enable the named
  # credentials used by the soil cluster in the `gcp.services.gke' service as
  # well.
  soil_cluster:
    cluster_name: dev-soil-gcp
    use_credentials: foo

  # This section provides configuration specific to each GCP service and which
  # named credentials to be used when creating API clients for the respective
  # service. Inventory supports specifying multiple named credentials per
  # service, which means that collection will happen against each configured
  # named credential.
  #
  # For instance, if `compute' service specifies named credentials `foo' and
  # `bar', then Inventory will connect and collect Compute Resources from the
  # specified projects for the configured named credentials.
  services:
    # Resource Manager API clients collect only GCP Project resources.
    resource_manager:
      use_credentials:
        - foo

    # Compute API clients collect Instances, VPCs, Subnets, Regional & Global
    # Addresses, Disks, Forwarding Rules and Target Pools.
    compute:
      use_credentials:
        - foo

    # Storage API clients collect Buckets.
    storage:
      use_credentials:
        - foo

    # Collects GKE clusters
    gke:
      use_credentials:
        - foo

  # The `credentials' section provides named credentials, which are used by the
  # various GCP services. The currently supported authentication mechanisms are
  # `none' and `key_file'.
  #
  # When using `none' as the authentication mechanism the API clients will be
  # initialized using `Application Default Credentials' strategy [1].
  #
  # When using `key_file' the API client will be configured to authenticate
  # using the specified service account credentials file [2].
  #
  # [1]: https://cloud.google.com/docs/authentication/provide-credentials-adc
  # [2]: https://cloud.google.com/iam/docs/keys-create-delete
  credentials:
    foo:
      # Set to `none' for Application Default Configuration (ADC).
      authentication: none
      # List of project IDs from which to collect resources
      projects:
        - project-foo
        - project-bar

    bar:
      # With `key_file' authentication the API client will be configured to
      # authenticate using the specified service account JSON key file.
      authentication: key_file
      key_file:
        path: /path/to/serviceaccount.json
      projects:
        - project-baz
        - project-qux

# AWS specific configuration
aws:
  # Setting `is_enabled' to false would not create API clients for AWS, and as a
  # result Inventory will not process any of the AWS collection tasks.
  is_enabled: true

  region: eu-central-1  # Frankfurt
  default_region: eu-central-1  # Frankfurt
  app_id: gardener-inventory  # Optional application specific identifier

  # The list of excluded regions specifies AWS region names, from which
  # collection will be skipped.
  # excluded_regions:
  #   - eu-west-1
  #   - eu-west-2

  # This section provides configuration specific to each AWS service and which
  # named credentials are used for each service. This allows the Inventory to
  # connect to multiple AWS accounts based on the named credentials which are
  # used. Inventory will connect to all configured named credentials (accounts)
  # during collection from the respective AWS service.
  services:
    ec2:
      use_credentials:
        - default
        - account-foo
        - account-bar
    elb:
      use_credentials:
        - default
        - account-foo
    elbv2:
      use_credentials:
        - default
    s3:
      use_credentials:
        - default
        - account-bar
    route53:
      use_credentials:
        - default
        - account-bar

  # The `credentials' section provides named credentials, which are used by the
  # various AWS services. The currently supported token retrievers are `none',
  # `kube_sa_token' and `token_file'. See docs/oidc-aws.md for more details.
  credentials:
    default:
      # When using `none' as the token retriever, only the shared AWS
      # credentials file is used.
      token_retriever: none

    account-foo:
      # Example configuration for `kube_sa_token' retriever. When using this
      # token retriever the Inventory will request a Kubernetes Service Account
      # token using the specified kubeconfig, which is then exchanged for
      # temporary security credentials via the AWS STS service.  It is expected
      # that OIDC Trust is already established between Inventory and AWS when
      # using this token retriever.
      token_retriever: kube_sa_token
      kube_sa_token:
        kubeconfig: /path/to/kubeconfig
        namespace: inventory
        service_account: worker
        duration: 30m
        audiences:
          - iaas-aws-dev
        role_arn: arn:aws:iam::account:role/gardener-inventory-dev
        role_session_name: gardener-inventory-worker

    account-bar:
      # Example configuration for `token_file' retriever. When using this token
      # retriever the Inventory will exchange the token contained within the
      # specified file for temporary security credentials via the AWS STS
      # service. It is expected that OIDC Trust is already established between
      # Inventory and AWS when using this token retriever.
      token_retriever: token_file
      token_file:
        path: /path/to/identity/token
        duration: 30m
        role_arn: arn:aws:iam::account:role/name
        role_session_name: gardener-inventory-worker

# OpenStack specific configuration
openstack:
  is_enabled: false

  # The `credentials' section provides named credentials, which are used by the
  # various OpenStack services. The currently supported authentication
  # mechanisms are `password' for username and password, `app_credentials' for
  # Application Credentials and `vault_secret' for credentials provided by a
  # Vault secret..
  credentials:
    # Example of using username/password for authentication
    local:
      domain: <domain>
      auth_endpoint: <endpoint>
      project: <project_name>
      region: <region>
      authentication: password
      password:
        username: "<username>"
        password_file: "<path-to-password-file>"
    # Example of using Application Credentials for authentication
    sa1:
      domain: <domain>
      auth_endpoint: <endpoint>
      project: <project_name>
      region: <region>
      authentication: app_credentials
      app_credentials:
        app_credentials_id: "<app-id>"
        app_credentials_secret_file: "<path-to-secret-file>"
    # Another Application Credentials example
    sa2:
      domain: <domain>
      auth_endpoint: <endpoint>
      project: <project_name>
      region: <region>
      authentication: app_credentials
      app_credentials:
        app_credentials_id: "<app-id>"
        app_credentials_secret_file: "<path-to-secret-file>"
    # Example of using a Vault secret
    sa3:
      domain: <domain>
      auth_endpoint: <endpoint>
      project: <project_name>
      region: <region>
      authentication: vault_secret
      vault_secret:
        # Must refer to a server already defined in `vault.servers'
        server: vault-dev

        # Mount point of a KV v2 secret engine
        secret_engine: kvv2

        # Path to the secret
        secret_path: my/secret

  # OpenStack services configuration
  services:
    # Used for collecting OpenStack Servers
    compute:
      use_credentials:
        - local
        - sa1
    # Used for collecting OpenStack Networks and Subnets
    network:
      use_credentials:
        - local
        - sa2
    # Used for collecting OpenStack Containers and Objects
    object_storage:
      use_credentials:
        - sa1
        - sa2
    # Used for collecting OpenStack LoadBalancers
    load_balancer:
      use_credentials:
        - local
    # Used for collecting OpenStack Project metadata
    identity:
      use_credentials:
        - local

# Scheduler configuration
scheduler:
  # The queue to submit tasks when no queue has been explicitely specified for a
  # periodic job.
  default_queue: default

  # Periodic jobs enqueued by the scheduler
  jobs:
    # AWS tasks
    - name: "aws:task:collect-regions"
      spec: "@every 1h"
      desc: "Collect AWS Regions"
    - name: "aws:task:collect-azs"
      spec: "@every 1h"
      desc: "Collect AWS AZs"
    - name: "aws:task:collect-vpcs"
      spec: "@every 1h"
      desc: "Collect AWS VPCs"
    - name: "aws:task:collect-subnets"
      spec: "@every 1h"
      desc: "Collect AWS Subnets"
    - name: "aws:task:collect-instances"
      spec: "@every 1h"
      desc: "Collect AWS EC2 Instances"
    - name: "aws:task:collect-images"
      spec: "@every 1h"
      desc: "Collect AWS AMIs"
      payload: |
        owners:
          - 0123456789012
    - name: "aws:task:collect-loadbalancers"
      spec: "@every 24h"
      desc: "Collect AWS LoadBalancers"
    - name: "aws:task:collect-buckets"
      spec: "@every 24h"
      desc: "Collect AWS S3 Buckets"
    - name: "aws:task:collect-net-interfaces"
      spec: "@every 1h"
      desc: "Collect AWS Network Interfaces"
    - name: "aws:task:collect-hosted-zones"
      spec: "@every 1h"
      desc: "Collect AWS DNS Hosted Zones"
    - name: "aws:task:collect-dns-record"
      spec: "@every 1h"
      desc: "Collect AWS DNS Records"
    - name: "aws:task:collect-dhcp-option-sets"
      spec: "@every 1h"
      desc: "Collect AWS DHCP Option Sets"
    - name: "aws:task:link-all"
      spec: "@every 30m"
      desc: "Link all AWS models"

    # Gardener tasks
    - name: "g:task:collect-projects"
      spec: "@every 1h"
      desc: "Collect Gardener Projects"
    - name: "g:task:collect-seeds"
      spec: "@every 1h"
      desc: "Collect Gardener Seeds"
    - name: "g:task:collect-shoots"
      spec: "@every 1h"
      desc: "Collect Gardener Shoots"
    - name: "g:task:collect-machines"
      spec: "@every 1h"
      desc: "Collect Gardener Machines"
    - name: "g:task:collect-backup-buckets"
      spec: "@every 1h"
      desc: "Collect Gardener BackupBuckets"
    - name: "g:task:collect-cloud-profiles"
      spec: "@every 1h"
      desc: "Collect Gardener CloudProfiles"
    - name: "g:task:collect-persistent-volumes"
      spec: "@every 1h"
      desc: "Collect Gardener Persistent Volumes"
    - name: "g:task:collect-dns-records"
      spec: "@every 1h"
      desc: "Collect Gardener DNSRecords"
    - name: "g:task:collect-dns-entries"
      spec: "@every 1h"
      desc: "Collect Gardener DNSEntries"
    - name: "g:task:collect-bastions"
      spec: "@every 1h"
      desc: "Collect Gardener Bastions"
    - name: "g:task:link-all"
      spec: "@every 30m"
      desc: "Link all Gardener models"

    # GCP tasks
    - name: "gcp:task:collect-projects"
      spec: "@every 1h"
      desc: "Collect GCP Projects"
    - name: "gcp:task:collect-instances"
      spec: "@every 1h"
      desc: "Collect GCP Instances"
    - name: "gcp:task:collect-vpcs"
      spec: "@every 1h"
      desc: "Collect GCP VPCs"
    - name: "gcp:task:collect-addresses"
      spec: "@every 1h"
      desc: "Collect GCP Addresses"
    - name: "gcp:task:collect-subnets"
      spec: "@every 1h"
      desc: "Collect GCP Subnets"
    - name: "gcp:task:collect-buckets"
      spec: "@every 1h"
      desc: "Collect GCP Buckets"
    - name: "gcp:task:collect-forwarding-rules"
      spec: "@every 1h"
      desc: "Collect GCP Forwarding Rules"
    - name: "gcp:task:collect-disks"
      spec: "@every 1h"
      desc: "Collect GCP Disks"
    - name: "gcp:task:collect-gke-clusters"
      spec: "@every 1h"
      desc: "Collect GKE Clusters"
    - name: "gcp:task:collect-target-pools"
      spec: "@every 1h"
      desc: "Collect Target Pools"
    - name: "gcp:task:collect-iam-policies"
      spec: "@every 1h"
      desc: "Collect IAM Policies"
    - name: "gcp:task:link-all"
      spec: "@every 30m"
      desc: "Link all GCP models"

    # Azure tasks
    - name: "az:task:collect-subscriptions"
      spec: "@every 1h"
      desc: "Collect Azure Subscriptions"
    - name: "az:task:collect-resource-groups"
      spec: "@every 1h"
      desc: "Collect Azure Resource Groups"
    - name: "az:task:collect-vms"
      spec: "@every 1h"
      desc: "Collect Azure Virtual Machines"
    - name: "az:task:collect-public-addresses"
      spec: "@every 1h"
      desc: "Collect Azure Public IP Addresses"
    - name: "az:task:collect-loadbalancers"
      spec: "@every 1h"
      desc: "Collect Azure Load Balancers"
    - name: "az:task:collect-vpcs"
      spec: "@every 1h"
      desc: "Collect Azure VPCs"
    - name: "az:task:collect-subnets"
      spec: "@every 1h"
      desc: "Collect Azure Subnets"
    - name: "az:task:collect-storage-accounts"
      spec: "@every 1h"
      desc: "Collect Azure Storage Accounts"
    - name: "az:task:collect-blob-containers"
      spec: "@every 1h"
      desc: "Collect Azure Blob containers"
    - name: "az:task:collect-network-interfaces"
      spec: "@every 1h"
      desc: "Collect Azure Network Interfaces"
    - name: "az:task:link-all"
      spec: "@every 1h"
      desc: "Link all Azure models"

    # OpenStack tasks
    - name: "openstack:task:collect-servers"
      spec: "@every 1h"
      desc: "Collect OpenStack Servers"
    - name: "openstack:task:collect-networks"
      spec: "@every 1h"
      desc: "Collect OpenStack Networks"
    - name: "openstack:task:collect-loadbalancers"
      spec: "@every 1h"
      desc: "Collect OpenStack LoadBalancers"
    - name: "openstack:task:collect-subnets"
      spec: "@every 1h"
      desc: "Collect OpenStack Subnets"
    - name: "openstack:task:collect-projects"
      spec: "@every 1h"
      desc: "Collect OpenStack Projects"
    - name: "openstack:task:collect-floating-ips"
      spec: "@every 1h"
      desc: "Collect OpenStack Floating IPs"
    - name: "openstack:task:collect-ports"
      spec: "@every 1h"
      desc: "Collect OpenStack Ports"
    - name: "openstack:task:collect-routers"
      spec: "@every 1h"
      desc: "Collect OpenStack Routers"
    # - name: "openstack:task:collect-objects"
    #   spec: "@every 1h"
    #   desc: "Collect OpenStack Objects"
    - name: "openstack:task:collect-pools"
      spec: "@every 1h"
      desc: "Collect OpenStack Pools"
    - name: "openstack:task:collect-containers"
      spec: "@every 1h"
      desc: "Collect OpenStack Containers"
    - name: "openstack:task:collect-volumes"
      spec: "@every 1h"
      desc: "Collect OpenStack Volumes"
    - name: "openstack:task:link-all"
      spec: "@every 1h"
      desc: "Link all OpenStack models"


    # Auxiliary task
    #
    # The housekeeper takes care of cleaning up stale records
    - name: "aux:task:housekeeper"
      spec: "@every 12h"
      payload: |
        retention:
          # AWS
          - name: "aws:model:region"
            duration: 24h
          - name: "aws:model:az"
            duration: 24h
          - name: "aws:model:vpc"
            duration: 24h
          - name: "aws:model:subnet"
            duration: 24h
          - name: "aws:model:instance"
            duration: 24h
          - name: "aws:model:image"
            duration: 24h
          - name: "aws:model:bucket"
            duration: 24h
          - name: "aws:model:loadbalancer"
            duration: 24h
          - name: "aws:model:network_interface"
            duration: 24h
          # Gardener
          - name: "g:model:project"
            duration: 24h
          - name: "g:model:project_member"
            duration: 24h
          - name: "g:model:seed"
            duration: 24h
          - name: "g:model:shoot"
            duration: 24h
          - name: "g:model:machine"
            duration: 24h
          - name: "g:model:backup_bucket"
            duration: 24h
          - name: "g:model:cloud_profile"
            duration: 24h
          - name: "g:model:cloud_profile_aws_image"
            duration: 24h
          - name: "g:model:cloud_profile_gcp_image"
            duration: 24h
          - name: "g:model:cloud_profile_azure_image"
            duration: 24h
          - name: "g:model:cloud_profile_openstack_image"
            duration: 24h
          - name: "g:model:persistent_volume"
            duration: 24h
          - name: "g:model:dns_record"
            duration: 24h
          - name: "g:model:dns_entry"
            duration: 24h
          - name: "g:model:bastion"
            duration: 24h
          # GCP
          - name: "gcp:model:project"
            duration: 24h
          - name: "gcp:model:instance"
            duration: 24h
          - name: "gcp:model:vpc"
            duration: 24h
          - name: "gcp:model:address"
            duration: 24h
          - name: "gcp:model:nic"
            duration: 24h
          - name: "gcp:model:subnet"
            duration: 24h
          - name: "gcp:model:bucket"
            duration: 24h
          - name: "gcp:model:forwarding_rule"
            duration: 24h
          - name: "gcp:model:disk"
            duration: 24h
          - name: "gcp:model:attached_disk"
            duration: 24h
          - name: "gcp:model:gke_cluster"
            duration: 24h
          - name: "gcp:model:target_pool"
            duration: 24h
          - name: "gcp:model:target_pool_instance"
            duration: 24h
          - name: "gcp:model:iam_policy"
            duration: 24h
          - name: "gcp:model:iam_binding"
            duration: 24h
          - name: "gcp:model:iam_role_member"
            duration: 24h
          # Azure
          - name: "az:model:subscription"
            duration: 24h
          - name: "az:model:resource_group"
            duration: 24h
          - name: "az:model:vm"
            duration: 24h
          - name: "az:model:public_address"
            duration: 24h
          - name: "az:model:loadbalancer"
            duration: 24h
          - name: "az:model:vpc"
            duration: 24h
          - name: "az:model:subnet"
            duration: 24h
          - name: "az:model:storage_account"
            duration: 24h
          - name: "az:model:blob_container"
            duration: 24h
          - name: "az:model:network_interface"
            duration: 24h
          - name: "az:model:user"
            duration: 24h
          # OpenStack
          - name: "openstack:model:server"
            duration: 24h
          - name: "openstack:model:network"
            duration: 24h
          - name: "openstack:model:loadbalancer"
            duration: 24h
          - name: "openstack:model:subnet"
            duration: 24h
          - name: "openstack:model:project"
            duration: 24h
          - name: "openstack:model:floating_ip"
            duration: 24h
          - name: "openstack:model:port"
            duration: 24h
          - name: "openstack:model:port_ip"
            duration: 24h
          - name: "openstack:model:router"
            duration: 24h
          - name: "openstack:model:router_external_ip"
            duration: 24h
          - name: "openstack:model:object"
            duration: 24h
          - name: "openstack:model:pool"
            duration: 24h
          - name: "openstack:model:pool_member"
            duration: 24h
          - name: "openstack:model:loadbalancer_with_pool"
            duration: 24h
          - name: "openstack:model:container"
            duration: 24h
          - name: "openstack:model:volume"
            duration: 24h
          - name: "openstack:model:volume_attachment"
            duration: 24h
          # Auxiliary
          - name: "aux:model:housekeeper_run"
            duration: 24h

    # Clean up archived and completed tasks from the queues
    - name: "aux:task:delete-archived-tasks"
      spec: "@every 24h"
      payload: |
        queue: "default"

    - name: "aux:task:delete-completed-tasks"
      spec: "@every 24h"
      payload: |
        queue: "default"

# Gardener specific configuration
gardener:
  # Setting `is_enabled' to false would not create a Gardener API client, and as
  # a result Inventory will not process any of the Gardener collection tasks.
  is_enabled: true

  # Specifies the endpoint of the Gardener APIs.
  endpoint: https://localhost:6443/

  # User-Agent to set for the API clients
  user_agent: gardener-inventory/0.1.0

  # Authentication mechanism to use when communicating with the Gardener APIs.
  # Supported mechanisms are `in_cluster', `token' and `kubeconfig'.
  authentication: token

  # Path to a token file, which is signed by an Identity Provider trusted by
  # Gardener. Should be used with `token' authentication only.
  token_path: /path/to/token/file

  # Path to kubeconfig file to use. Should be used with `kubeconfig'
  # authentication only.
  kubeconfig: /path/to/kubeconfig

  # The `soil_clusters' provides a mapping between Gardener seed clusters and
  # soils in the various cloud providers.
  soil_clusters:
    # The name of the seed, which corresponds to the GKE soil cluster
    gcp: soil-gcp-regional

  # The list of excluded seeds specifies seed cluster names, from which
  # collection will be skipped.
  excluded_seeds:
    - seed-a
    - seed-b