Configuration Reference
Host Configuration
Storage Configuration
The following volume layout is recommended for production deployments:
| Volume | Size | Mount Point | Purpose |
|---|---|---|---|
| Root | 50-100 GB | / | Operating system, /etc, /usr, /bin |
| Persistent Data | 600 GB+ | /var/lib/rancher/k3s/storage/ | Kubernetes persistent volumes |
For larger deployments or environments with high data retention requirements, consider the following expanded layout:
| Volume | Size | Mount Point | Purpose |
|---|---|---|---|
| Root | 30-50 GB | / | Operating system, /etc, /usr, /bin |
| Runtime | 100-200 GB | /var/lib/rancher/k3s/, /var/lib/kubelet/, /var/log/ | k3s data, kubelet runtime, logs |
| Persistent Data | 600 GB+ | /var/lib/rancher/k3s/storage/ | Kubernetes persistent volumes |
Storage needs will increase over time with use. The kubelet manages garbage collection of container images using k3s defaults.
STIG Compliance
Manifest Self-Hosted supports deployment on STIG-hardened systems. The installation is compatible with:
- SELinux: Permissive mode supported on RHEL 9 (enforcing will be supported in the future)
- AppArmor: Supported on Ubuntu 24.04 and Debian 12
No additional configuration is required for hardened systems. The k3s installation automatically detects and configures the appropriate security module.
OIDC Configuration
Manifest Self-Hosted natively supports Microsoft, Keycloak, and Google OIDC providers. Other providers are supported but require providing a base64-encoded mapper configuration for Kratos. All providers require the following information.
| Name | Description | Example |
|---|---|---|
| Provider | Name of OIDC provider (must be one of microsoft, keycloak, or google; otherwise a custom mapper url is required) | microsoft |
| Provider ID | Unique name of OIDC provider | microsoft |
| Friendly Name | Name that's displayed for users at sign-in (e.g. "Login with Microsoft") | Microsoft |
| Client ID | Client ID for OIDC application (may be called "application id") | abcd-1234-efgh-5678 |
| Client Secret | Secret value for OIDC application | xyz-098-qrs-765 |
| Issuer URL | Unique URL that identifies the OIDC provider (you can find this from your applications .well-known/openid-configuration endpoint) | https://login.microsoftonline.com/tenant-id/v2.0 |
| Mapper URL | Base64-encoded JSON snippet for mapping provider details to Kratos (leave blank for default providers) | base64://bG9jYWwgY2... |
| Requested Scopes | OIDC scopes that may be requested from the provider (leave blank for default providers) | openid,email,profile,offline_access (optional) |
Configuring the Redirect URI
To finish configuring your OIDC provider, you must add a redirect URI (callback URI) to your OIDC application. For the Manifest platform, the redirect URI is:
https://auth.<domain>/self-service/methods/oidc/callback/<provider-id>Replace <domain> with your Manifest deployment domain and <provider-id> with the Provider ID you configured.
Related Documentation
- Post-Install - Certificate configuration after installation
- Troubleshooting - Common configuration issues and solutions
Updated 5 days ago