How to Configure OAuth2 on Komodo Deployment Management (Better than Portainer!)

Komodo, a powerful tool for managing builds and deployments, offers a sophisticated system for streamlining your workflow. This article delves into the intricacies of setting up and configuring Komodo, focusing on advanced features that will significantly enhance your DevOps processes. We'll navigate everything from OAuth2 authentication to fine-grained configuration options, empowering you to harness Komodo's full potential.

Let's start with authentication. Komodo offers flexible login options, allowing you to seamlessly integrate with your existing identity providers. You can leverage OAuth2 to connect with popular services like Github and Google, ensuring a consistent and secure login experience. For those who prefer self-hosted solutions, Komodo also supports providers such as Authentik and Gitea. The setup is straightforward; Komodo uses the standard web application login flow. Remember these redirect URIs: <KOMODO_HOST>/auth/github/callback for Github, <KOMODO_HOST>/auth/google/callback for Google, and <KOMODO_HOST>/auth/oidc/callback for OIDC providers. Correctly configuring these redirects within your OAuth provider is crucial for successful authentication.

Beyond authentication, effective configuration management is key. While environment variables offer a quick way to set parameters, Komodo provides the option of using a configuration file for more complex setups and to keep sensitive data securely managed outside of your environment variables. This configuration file, conventionally named core.config.toml, can be mounted to /config/config.toml within the Komodo core container. The beauty of this approach is that environment variables will still override any settings defined within this file, allowing for flexible configuration adjustments based on your needs. For a convenient setup, you can download the example config file using this command: 

wget -P komodo https://raw.githubusercontent.com/moghtech/komodo/main/config/core.config.toml.

Let's examine a detailed breakdown of the core.config.toml file's key settings:

# ###########################

# 🦎 KOMODO CORE CONFIG 🦎 #
# ###########################

# This file configures the Komodo Core application.  Environment variables will override values here.

# Komodo's web UI title.
# Env: KOMODO_TITLE
# Default: 'Komodo'
title = "Komodo"

# The base URL for Komodo, accessible via a web browser. This must match your OAuth provider settings.
# Env: KOMODO_HOST
# Required, no default.
host = "https://demo.komo.do"

# The port Komodo listens on.
# Env: KOMODO_PORT
# Default: 9120
port = 9120

# This is a shared secret between the Komodo core and periphery.
# Env: KOMODO_PASSKEY or KOMODO_PASSKEY_FILE
# Required, no default
passkey = "a_random_passkey"

# Address of the first periphery server to connect to on startup.
# Env: KOMODO_FIRST_SERVER
# Optional, no default.
first_server = ""

# Disables write access via the UI.  Useful for increased security in some environments.
# Env: KOMODO_UI_WRITE_DISABLED
# Default: false
ui_write_disabled = false

# Disables confirmation dialogs, useful in certain headless scenarios.
# Env: KOMODO_DISABLE_CONFIRM_DIALOG
# Default: false
disable_confirm_dialog = false

# Path to the sync files directory (inside the container).  Usually a mounted volume.
# Env: KOMODO_SYNC_DIRECTORY
# Default: /syncs
sync_directory = "/syncs"

# Path to the repository cache directory (inside the container).  Usually a mounted volume.
# Env: KOMODO_REPO_DIRECTORY
# Default: /repo-cache
repo_directory = "/repo-cache"

# Path to the action cache directory (inside the container).
# Env: KOMODO_ACTION_DIRECTORY
# Default: /action-cache
action_directory = "/action-cache"

# Enables local username/password authentication.  Use cautiously, and note password recovery is not implemented.
# Env: KOMODO_LOCAL_AUTH
# Default: false
local_auth = false

# Controls user registration.  Setting to true allows only a single, initial user.
# Env: KOMODO_DISABLE_USER_REGISTRATION
# Default: false
disable_user_registration = false

# Automatically enables new users on sign-up.  Otherwise, admin approval is needed.
# Env: KOMODO_ENABLE_NEW_USERS
# Default: false
enable_new_users = false

# Enables read access for all users to all resources.
# Env: KOMODO_TRANSPARENT_MODE
# Default: false
transparent_mode = false

# Restricts resource creation to admin users only.
# Env: KOMODO_DISABLE_NON_ADMIN_CREATE
# Default: false
disable_non_admin_create = false

# JWT secret for authentication.  Generating a new secret on each restart invalidates existing sessions.
# Env: KOMODO_JWT_SECRET or KOMODO_JWT_SECRET_FILE
# Default: empty string (random secret generated at startup)
jwt_secret = ""

# JWT token lifetime.
# Env: KOMODO_JWT_TTL
# Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk, 30-day
# Default: 1-day
jwt_ttl = "1-day"

# Enables OIDC authentication.
# Env: KOMODO_OIDC_ENABLED
# Default: false
oidc_enabled = false

# OIDC provider URL. This must be reachable from the Komodo container.
# Env: KOMODO_OIDC_PROVIDER
# Optional, no default.
oidc_provider = "https://oidc.provider.internal/application/o/komodo"

# OIDC user redirect host.  Usually differs from `oidc_provider` if Komodo is behind a reverse proxy.
# Env: KOMODO_OIDC_REDIRECT_HOST
# Optional, no default.
oidc_redirect_host = ""

# OIDC client ID.
# Env: KOMODO_OIDC_CLIENT_ID or KOMODO_OIDC_CLIENT_ID_FILE
oidc_client_id = ""

# OIDC client secret.
# Env: KOMODO_OIDC_CLIENT_SECRET or KOMODO_OIDC_CLIENT_SECRET_FILE
oidc_client_secret = ""

# Use the full email address for usernames.
# Env: KOMODO_OIDC_USE_FULL_EMAIL
# Default: false
oidc_use_full_email = false

# Add additional trusted audiences for the JWT validation.
# Env: KOMODO_OIDC_ADDITIONAL_AUDIENCES or KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
# Default: empty
oidc_additional_audiences = []

# Google OAuth settings.
# Env: KOMODO_GOOGLE_OAUTH_ENABLED
# Default: false
[google_oauth]
enabled = false
# Env: KOMODO_GOOGLE_OAUTH_ID or KOMODO_GOOGLE_OAUTH_ID_FILE
id = ""
# Env: KOMODO_GOOGLE_OAUTH_SECRET or KOMODO_GOOGLE_OAUTH_SECRET_FILE
secret = ""

# Github OAuth settings.
# Env: KOMODO_GITHUB_OAUTH_ENABLED
# Default: false
[github_oauth]
enabled = false
# Env: KOMODO_GITHUB_OAUTH_ID or KOMODO_GITHUB_OAUTH_ID_FILE
id = ""
# Env: KOMODO_GITHUB_OAUTH_SECRET or KOMODO_GITHUB_OAUTH_SECRET_FILE
secret = ""

# Enables HTTPS.  Requires providing key and certificate paths.
# Env: KOMODO_SSL_ENABLED
# Default: false
ssl_enabled = false

# Path to the SSL key file.
# Env: KOMODO_SSL_KEY_FILE
# Default: /config/ssl/key.pem
ssl_key_file = "/config/ssl/key.pem"

# Path to the SSL certificate file.
# Env: KOMODO_SSL_CERT_FILE
# Default: /config/ssl/cert.pem
ssl_cert_file = "/config/ssl/cert.pem"

# Database configuration.  Can be specified via URI or individual connection parameters.
[database]
# Full MongoDB URI.
# Env: KOMODO_DATABASE_URI or KOMODO_DATABASE_URI_FILE
uri = ""

# Database address.
# Env: KOMODO_DATABASE_ADDRESS
address = "localhost:27017"

# Database username.
# Env: KOMODO_DATABASE_USERNAME or KOMODO_DATABASE_USERNAME_FILE
username = ""

# Database password.
# Env: KOMODO_DATABASE_PASSWORD or KOMODO_DATABASE_PASSWORD_FILE
password = ""

# Database name.
# Env: KOMODO_DATABASE_DB_NAME
# Default: komodo
db_name = "komodo"

# MongoDB application name.
# Env: KOMODO_DATABASE_APP_NAME
# Default: komodo_core
app_name = "komodo_core"


# Webhook secret.  Must match the secret configured in your Git provider.
# Env: KOMODO_WEBHOOK_SECRET or KOMODO_WEBHOOK_SECRET_FILE
# Optional, no default.
webhook_secret = "a_random_webhook_secret"

# Alternate base URL for webhook receivers (e.g., behind a reverse proxy).
# Env: KOMODO_WEBHOOK_BASE_URL
# Default: empty (none)
webhook_base_url = ""

# Github Webhook App configuration.  See Komodo documentation for details.
[github_webhook_app]
# Env: KOMODO_GITHUB_WEBHOOK_APP_APP_ID or KOMODO_GITHUB_WEBHOOK_APP_APP_ID_FILE
# app_id = 1234455 # Replace with your app ID
# Env: KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS or KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS_FILE
# installations = [ { id = 1234, namespace = "mbecker20" } ] # Replace with your installation IDs and namespaces

# Path to the Github Webhook App private key.
# Env: KOMODO_GITHUB_WEBHOOK_APP_PK_PATH
# pk_path = "/path/to/pk.pem" # Replace with path to your private key

# Logging level.
# Env: KOMODO_LOGGING_LEVEL
# Options: off, error, warn, info, debug, trace
# Default: info
[logging]
level = "info"

# Logging format.
# Env: KOMODO_LOGGING_STDIO
# Options: standard, json, none
# Default: standard
stdio = "standard"

# OpenTelemetry endpoint for tracing.
# Env: KOMODO_LOGGING_OTLP_ENDPOINT
otlp_endpoint = ""

# OpenTelemetry service name.
# Env: KOMODO_LOGGING_OPENTELEMETRY_SERVICE_NAME
# Default: "Komodo"
opentelemetry_service_name = "Komodo"

# Number of days to retain system statistics (0 to disable pruning).
# Env: KOMODO_KEEP_STATS_FOR_DAYS
# Default: 14
keep_stats_for_days = 14

# Number of days to retain alerts (0 to disable pruning).
# Env: KOMODO_KEEP_ALERTS_FOR_DAYS
# Default: 14
keep_alerts_for_days = 14

# Monitoring interval.
# Env: KOMODO_MONITORING_INTERVAL
# Options: 1-sec, 5-sec, 15-sec, 30-sec, 1-min, 2-min, 5-min, 15-min
# Default: 15-sec
monitoring_interval = "15-sec"

# Resource polling interval.
# Env: KOMODO_RESOURCE_POLL_INTERVAL
# Options: 15-sec, 1-min, 5-min, 15-min, 1-hr
# Default: 5-min
resource_poll_interval = "5-min"

# AWS credentials for ephemeral builders and server launches.
[aws]
# Env: KOMODO_AWS_ACCESS_KEY_ID or KOMODO_AWS_ACCESS_KEY_ID_FILE
access_key_id = ""
# Env: KOMODO_AWS_SECRET_ACCESS_KEY or KOMODO_AWS_SECRET_ACCESS_KEY_FILE
secret_access_key = ""

# Hetzner token for server launches.
[hetzner]
# Env: KOMODO_HETZNER_TOKEN or KOMODO_HETZNER_TOKEN_FILE
token = ""

# Git provider configurations.  These cannot be set via environment variables.
# [[git_provider]]
# domain = "github.com"
# accounts = [ { username = "mbecker20", token = "access_token_for_account" } ]

# Docker registry configurations.  These cannot be set via environment variables.
# [[docker_registry]]
# domain = "docker.io"
# accounts = [ { username = "mbecker2020", token = "access_token_for_account" } ]
# organizations = ["DockerhubOrganization"]

# Core secrets. These are available to interpolate into environments and are hidden in the UI and logs.
# [secrets]
# SECRET_1 = "value_1"
# SECRET_2 = "value_2"
    

This configuration file offers extensive control over various aspects of Komodo, including authentication methods, security settings, database connections, webhook configurations, logging levels, and integration with cloud providers and registries. Remember that the [[git_provider]] and [[docker_registry]] sections allow you to add multiple providers, a crucial feature for managing diverse development environments. Properly configuring these settings based on your infrastructure is key to utilizing Komodo effectively.

Komodo’s sophisticated configuration empowers users to precisely tailor its functionality to their specific needs. By strategically combining environment variables and the core.config.toml file, administrators can achieve a seamless balance between rapid adjustments and robust security practices. Mastering these techniques is pivotal to effectively harnessing Komodo's extensive capabilities for efficient build and deployment management.