Skip to main content

Configuration

This document gives an overview over the configuration options supported by ORT Server. It also shortly describes the configuration mechanism in place.

note

In this context, the term configuration refers to the static configuration of an ORT Server deployment, such as database settings, service credentials, etc. It does not cover the configuration of single ORT runs that can be specified by users when triggering a run.

Configuration Mechanism

This section describes the way configuration options can be defined for ORT Server.

In general, ORT Server distinguishes between non-sensitive and sensitive configuration information. To the first group belong options like URLs to services, or options that customize the behavior of services or ORT Server itself. The second group is mainly related to credentials for infrastructure services; they require a special treatment, so that they are not exposed to the public. These different options are discussed separately below.

Non-sensitive Configuration Options

ORT Server uses the Typesafe Config library to access configuration data that does not require special protection. The library reads properties from files named application.conf that are in the HOCON.

The single ORT Server components have their own application.conf files that define their specific configuration settings. Since such files are not intended to be overridden or manipulated by users, customization is done via environment variables: application.conf files can contain references to environment variables. Each property that can be customized is declared twice in the file, once with a default value and once referring to an environment variable. The semantic is that if the referenced environment variable is defined, it overrides the default value; otherwise, the default is active.

So, basically, non-sensitive configuration options can be set via environment variables.

Sensitive Configuration Options

When it comes to database credentials or credentials for other external systems or services, these may require additional effort to keep them confident. While it is possible (and conform to the Twelve-Factor principles) to pass this information via environment variables, too, there can be other approaches that are more secure or convenient to use. For instance, cloud providers typically offer dedicated secret storage services that provide an integration with their container services; so, secrets could be directly injected into containers.

To allow ORT Server to make use of such approaches, configuration options for secrets or credentials are accessed differently. For this purpose, there is the dedicated ConfigManager component offering corresponding functionality. The component defines a ConfigSecretProvider interface that it uses to actually access secrets. The integration of specific secret storage services can be done by providing a concrete implementation of this interface. That way, high security requirements can be fulfilled.

For other environments that do not use a dedicated storage for secrets, there is a fallback mechanism that allows treating secrets analogously to other configuration options: When a secret is requested from ConfigManager, it first checks whether a property with the same name exists in the regular configuration. If so, it returns the value of this setting; otherwise, it delegates to the secret provider. This means that the values of secrets can be set via environment variables in the same way as other configuration options. The fallback mechanism is active by default, but can be disabled to enforce that secrets can only be obtained from a provider. Refer to the documentation of the configuration component for further information how to control this setting.

Available Configuration Options

It would be nice to have a central list with all configuration options supported by ORT Server. However, since the codebase is rapidly changing, it is rather difficult to maintain such a list and keep it in sync. Therefore, this section basically contains references to the application.conf files used by the single ORT Server components. They can be inspected to get a comprehensive list of all configuration options in use.

ComponentLink
Coreapplication.conf
Orchestratorapplication.conf
Config workerapplication.conf
Analyzer workerapplication.conf
Advisor workerapplication.conf
Scanner workerapplication.conf
Evaluator workerapplication.conf
Reporter workerapplication.conf
Kubernetes job monitorapplication.conf

In addition to these global options, ORT Server ships with different implementations for concrete service provider interfaces. The modules for these implementations should contain README files that also describe the configuration options supported by them.

Referenced Secrets

ORT Server itself requires only a small number of secrets for its global configuration. They are listed in the table below. Again, concrete implementations for service provider interfaces may require additional secrets. In this case, their documentation should contain corresponding information.

Secret keyModuleDescription
database.usernameallThe username to connect to the central database.
database.passwordallThe password to connect to the central database.
keycloakApiSecretcoreThe secret for the OAuth client to access the Keycloak API. This is used to create roles and groups in Keycloak dynamically for the organizations, products, and repositories in ORT Server.