Skip to main content
The Maverics Orchestrator loads its configuration from exactly one source at a time. The source is selected via an environment variable (or CLI flag for local file). Remote sources support hot-reload through ETag-based change detection when enabled.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with configuration files, delivery is managed via the -config flag or MAVERICS_CONFIG environment variable.

How Config Sources Work

The Orchestrator selects its config source at startup using the following precedence:
  1. CLI flag — if -config is passed, the Orchestrator reads from the local filesystem at that path.
  2. Environment variable — if a config source environment variable is set (e.g., MAVERICS_AWS_CONFIG, MAVERICS_GCP_CONFIG), the Orchestrator fetches configuration from that remote location.
  3. Default — if no flag or environment variable is set, the Orchestrator reads from /etc/maverics/maverics.yaml.
Remote config sources deliver configuration as signed bundles (maverics.tar.gz). The Orchestrator downloads the bundle, verifies its signature using the public key specified by MAVERICS_BUNDLE_PUBLIC_KEY_FILE, and applies the configuration. The MAVERICS_BUNDLE_PUBLIC_KEY_FILE environment variable must be set when using a remote config source.
Only one config source may be active at a time. If multiple config source environment variables are set, the Orchestrator will fail to start with a multiple config providers defined error. Ensure only one config source environment variable is set.

Available Sources

SourceEnvironment Variable / FlagUse Case
FileMAVERICS_CONFIG or -config flagLocal configuration file on disk
EnvironmentN/A (substitution syntax)Override values via {{ env.VAR }} substitution
Maverics StorageConsole DeploymentsManaged config delivery from Maverics Storage
S3MAVERICS_AWS_CONFIGAWS S3 bucket
Azure BlobMAVERICS_AZURE_CONFIGAzure Blob Storage
GCSMAVERICS_GCP_CONFIGGoogle Cloud Storage
GitHubMAVERICS_GITHUB_CONFIGGitHub repository
GitLabMAVERICS_GITLAB_CONFIGGitLab.com repository

ETag-Based Change Detection

Remote config sources (S3, Azure Blob, GCS, GitHub, GitLab) can periodically check for configuration changes using ETag headers. When a change is detected, the Orchestrator reloads the configuration automatically. Hot-reload is disabled by default — enable it by setting the MAVERICS_RELOAD_CONFIG environment variable: 
export MAVERICS_RELOAD_CONFIG=true
export MAVERICS_POLLING_INTERVAL_SECONDS=30  # default is 30 seconds
During a successful configuration reload, user sessions and tokens issued on behalf of resource owners are invalidated to ensure policy updates take effect immediately. Plan reload timing accordingly in production environments.

Source Pages

File

Load config from a local file via MAVERICS_CONFIG or -config flag

Environment

Substitute environment variables in config with {{ env.VAR }} syntax

Maverics Storage

Strata-managed config delivery for Console deployments

S3

Load config from an AWS S3 bucket via MAVERICS_AWS_CONFIG

Azure Blob

Load config from Azure Blob Storage via MAVERICS_AZURE_CONFIG

GCS

Load config from Google Cloud Storage via MAVERICS_GCP_CONFIG

GitHub

Load config from a GitHub repository via MAVERICS_GITHUB_CONFIG

GitLab

Load config from a GitLab.com repository via MAVERICS_GITLAB_CONFIG

Sessions

Session configuration and storage options

Identity Fabric

Identity provider integrations

Secret Providers

How the Orchestrator retrieves secrets at runtime

Configuration

Complete configuration field reference