You are reading the documentation for an outdated Corteza release. 2024.9 is the latest stable Corteza release.

Setup

Corteza Command Line Interface (CLI)

Corteza comes with a command line interface tool. With it, you can manually or automatically change application settings, add users, roles, and run the API. The CLI is the same binary that starts the backend service and the API.

Depending on the build flavour, you use a different entry point:
  • Microservice build produces the corteza-server-system, corteza-server-messaging and corteza-server-compose binaries

  • Monolith build produces the corteza-server binary with system, messaging and compose subcommands

Using the CLI tool

At least basic Docker and Docker Compose knowledge is required for most Corteza setup and management.

Executing with Docker Compose (when service is started)
docker-compose exec <service name> help

Executing with Docker (when container is running)
docker exec -it <container name> help

Running with Docker Compose (when service is not started)
docker-compose run --rm <service name> help

Running with Docker (when container is not running)
docker run -it --rm [docker run options] <image name> help

Running and executing with Docker Compose should be easier and simpler because all required options and settings for the container are packed in the Docker Compose project configuration file (docker-compose.yaml).

Start HTTP Server with REST API
Usage:
  corteza-server serve-api [flags]

Flags:
  -h, --help   help for serve-api
Provision tasks
Usage:
  corteza-server provision [command]

Available Commands:
  configuration    Create permissions & resources
  migrate-database Run database migration scripts

Flags:
  -h, --help   help for provision

Use "corteza-server provision [command] --help" for more information about a command.
Create permissions & resources
Usage:
  corteza-server provision configuration [flags]

Flags:
  -h, --help   help for configuration
Run database migration scripts
Usage:
  corteza-server provision migrate-database [flags]

Flags:
  -h, --help   help for migrate-database
External authentication
Usage:
  corteza-server system auth [command]

Available Commands:
  auto-discovery     Auto discovers new OIDC client
  jwt                Generates new JWT for a user
  test-notifications Sends samples of all authentication notification to receipient

Flags:
  -h, --help   help for auth

Use "corteza-server system auth [command] --help" for more information about a command.
Auto discovers new OIDC client
Usage:
  corteza-server system auth auto-discovery [name] [url] [flags]

Flags:
      --enable            Enable this provider and external auth
  -h, --help              help for auto-discovery
      --skip-validation   Skip validation
Sends samples of all authentication notifications to recipient
Usage:
  corteza-server system auth test-notifications [recipient] [flags]

Flags:
  -h, --help   help for test-notifications
Generates new JWT for a user
Usage:
  corteza-server system auth jwt [email-or-id] [flags]

Flags:
  -h, --help   help for jwt
Export system resources
Usage:
  corteza-server system export [flags]

Flags:
  -h, --help          help for export
  -p, --permissions   Export system permissions
  -s, --settings      Export settings
Import
Usage:
  corteza-server system import [flags]

Flags:
  -h, --help   help for import
Role management
Usage:
  corteza-server system roles [command]

Available Commands:
  useradd     Add user to role

Flags:
  -h, --help   help for roles

Use "corteza-server system roles [command] --help" for more information about a command.
Add user to role
Usage:
  corteza-server system roles useradd [role-ID-or-name-or-handle] [user-ID-or-email] [flags]

Flags:
  -h, --help   help for useradd
Settings management
Usage:
  corteza-server system settings [command]

Available Commands:
  delete      Set value (raw JSON) for a specific key (or by prefix)
  export      Import settings as JSON to stdout or file
  get         Get value (raw JSON) for a specific key
  import      Import settings as JSON from stdin or file
  list        List all
  set         Set value (raw JSON) for a specific key

Flags:
  -h, --help   help for settings

Use "corteza-server system settings [command] --help" for more information about a command.
Delete value for a specific key (or by prefix)
Usage:
  corteza-server system settings delete [keys, ...] [flags]

Flags:
  -h, --help            help for delete
      --prefix string   Filter settings by prefix
Export settings as JSON to stdout or file
Usage:
  corteza-server system settings export [file] [flags]

Flags:
  -h, --help   help for export
Get value (raw JSON) for a specific key
Usage:
  corteza-server system settings get [key to get, ...] [flags]

Flags:
  -h, --help   help for get
Import settings as JSON from stdin or file
Usage:
  corteza-server system settings import [file] [flags]

Flags:
  -h, --help   help for import
List all
Usage:
  corteza-server system settings list [flags]

Flags:
  -h, --help            help for list
      --prefix string   Filter settings by prefix
Set value (raw JSON) for a specific key
Usage:
  corteza-server system settings set [key to set] [value] [flags]

Flags:
  -h, --help   help for set
Sink
Usage:
  corteza-server system sink [command]

Available Commands:
  signature   Creates signature for sink HTTP endpoint

Flags:
  -h, --help   help for sink

Use "corteza-server system sink [command] --help" for more information about a command.
Creates signature for sink HTTP endpoint
Usage:
  corteza-server system sink signature [flags]

Flags:
      --content-type string   Content type (optional)
      --expires string        Date of expiration (YYYY-MM-DD, optional)
  -h, --help                  help for signature
      --method string         HTTP method that will be used (default "GET")
      --origin string         Origin of the request (arbitrary string, optional)
User management
Usage:
  corteza-server system users [command]

Available Commands:
  add         Add new user
  list        List users
  password    Change password for user

Flags:
  -h, --help   help for users

Use "corteza-server system users [command] --help" for more information about a command.
Add new user
Usage:
  corteza-server system users add [email] [flags]

Flags:
  -h, --help          help for add
      --no-password   Create user without password
List users
Usage:
  corteza-server system users list [flags]

Flags:
  -h, --help   help for list
Change password for user
Usage:
  corteza-server system users password [email] [flags]

Flags:
  -h, --help   help for password
Specify one ("modules", "pages", "charts", "permissions") or more resources to export
Usage:
  corteza-server compose export [flags]

Flags:
  -h, --help               help for export
      --namespace string   Export namespace resources (by ID or string)
  -p, --permissions        Export system permissions
  -s, --settings           Export settings
Import
Usage:
  corteza-server compose import [flags]

Flags:
  -h, --help               help for import
      --namespace string   Import into namespace (by ID or string)
Export Messaging resources
Usage:
  corteza-server messaging export [flags]

Flags:
  -h, --help          help for export
  -p, --permissions   Export system permissions
  -s, --settings      Export settings
Import
Usage:
  corteza-server messaging import [flags]

Flags:
  -h, --help   help for import

API Server

Provisioning

Provisioning is the step that runs after the server is started and the API becomes available. It allows you to directly influence how a fresh Corteza instance is configured on first run. This entire process can be disabled by setting the environment variables PROVISION_MIGRATE_DATABASE and PROVISION_CONFIGURATION to false.

Table 1. Control provisioning procedure

| Variable | Type | Default value | Description |
|---|---|---|---|
| PROVISION_MIGRATE_DATABASE | boolean | true | Controls if database migration (creation of tables, changes of schema between versions) should be done before each service is started. It's recommended to keep this setting on. Disabling it on a running server prevents migration between version updates. |
| PROVISION_CONFIGURATION | boolean | true | Runs various auto-setup procedures and creates resources: creates default permission rules and roles; default channels are created; default applications are created; compose resources (namespaces, modules, charts, …); settings auto-discovery. |

Table 2. Provision authentication settings

| Variable | Setting | Type | Default value | Description |
|---|---|---|---|---|
| PROVISION_SETTINGS_AUTH_EXTERNAL_ENABLED | auth.external.enabled | boolean | true | Is OAuth2 enabled or disabled |
| PROVISION_SETTINGS_AUTH_EXTERNAL_REDIRECT_URL | auth.external.redirect-url | string | | OAuth2 flow redirection URL. Searches env variables (DOMAIN, LETSENCRYPT_HOST, VIRTUAL_HOST, HOSTNAME, HOST) and uses additional info (monolith, api-base-url) to calculate the value. |
| PROVISION_SETTINGS_AUTH_EXTERNAL_SESSION_STORE_SECRET | auth.external.session-store-secret | string | random 64 char string | Generated 64 char long string if missing. |
| PROVISION_SETTINGS_AUTH_EXTERNAL_SESSION_STORE_SECURE | auth.external.session-store-secure | bool | false | Is session cookie "secure" flag used (if yes, cookie can only be accessed over HTTPS). If HTTPS is used for external auth redirection URL, value is set to true. |
| PROVISION_SETTINGS_AUTH_FRONTEND_URL_BASE | auth.frontend.url.base | string | | Where the frontend SPA is located. Serves as base for generating other auth.frontend.url… variables. |
| PROVISION_SETTINGS_AUTH_FRONTEND_URL_PASSWORD_RESET | auth.frontend.url.password-reset | string | | Where the frontend SPA is located, the password reset form. |
| PROVISION_SETTINGS_AUTH_FRONTEND_URL_EMAIL_CONFIRMATION | auth.frontend.url.email-confirmation | string | | Where the frontend SPA is located, password email confirmation page. auth.frontend.url.base is used as base URL. |
| PROVISION_SETTINGS_AUTH_FRONTEND_URL_REDIRECT | auth.frontend.url.redirect | string | | Where the frontend SPA is located. User will be redirected here on successful external authentication. Auto discovery uses auth.frontend.url.base as base URL. |
| PROVISION_SETTINGS_AUTH_EMAIL_FROM_ADDRESS | auth.mail.from-address | string | to-be-configured@example.tld | Email address used for sending auth emails (password reset, email confirmation) |
| PROVISION_SETTINGS_AUTH_EMAIL_FROM_NAME | auth.mail.from-name | string | Corteza Team (to-be-configured) | Name used for sending auth emails (password reset, email confirmation) |
| PROVISION_SETTINGS_AUTH_INTERNAL_ENABLED | auth.internal.signup | boolean | true | Is internal auth enabled? Enable this to allow users to use all (enabled) internal features (sign-up, log in, …) |
| PROVISION_SETTINGS_AUTH_INTERNAL_SIGNUP_ENABLED | auth.internal.signup.enabled | boolean | true | Is internal sign-up enabled? Enable this to allow users to register if you do not have external authentication providers. |
| PROVISION_SETTINGS_AUTH_INTERNAL_SIGNUP_EMAIL_CONFIRMATION_REQUIRED | auth.internal.signup-email-confirmation-required | boolean | false | Is email confirmation required for internal sign-ups? Enabled on auto-discovery if server has email capabilities (SMTP_HOST variable is set) |
| PROVISION_SETTINGS_AUTH_INTERNAL_PASSWORD_RESET_ENABLED | auth.internal.password-reset.enabled | boolean | false | Is password reset enabled for internal account? Auto-discovery enables this if server has email capabilities (SMTP_HOST variable is set) |

Table 3. Provision OIDC providers

| Variable | Type | Default value | Description |
|---|---|---|---|
| PROVISION_OIDC_PROVIDER | string | | Registers all given providers on start. Provide a list of space delimited provider pairs (<name> <provider-url> or <name> <provider-url> <name-2> <provider-url-2>). The provider is auto-discovered only if it does not exist (match by name). Also, make sure that your redirect URL (auth.external.redirect-url, PROVISION_SETTINGS_AUTH_EXTERNAL_REDIRECT_URL) is properly set. |
| PROVISION_SETTINGS_AUTH_EXTERNAL_REDIRECT_URL | string | | Sets value for auth.external.redirect-url setting. This should be set to: https://api.your-corteza-instance.tld/system/auth/external/%s/callback |

Table 4. Provision other external providers

| Variable | Type | Default value | Description |
|---|---|---|---|
| PROVISION_SETTINGS_AUTH_EXTERNAL_GITHUB | string | | GitHub's app credentials: <key> <secret> |
| PROVISION_SETTINGS_AUTH_EXTERNAL_FACEBOOK | string | | Facebook's app credentials: <key> <secret> |
| PROVISION_SETTINGS_AUTH_EXTERNAL_GPLUS | string | | Google's app credentials: <key> <secret> |
| PROVISION_SETTINGS_AUTH_EXTERNAL_LINKEDIN | string | | LinkedIn's app credentials: <key> <secret> |
| PROVISION_SETTINGS_AUTH_EXTERNAL_OIDC | string | | OIDC provider settings <name> <issuer> <key> <secret> |

Server options

| Variable | Type | Default value | Description |
|---|---|---|---|
| CORREDOR_ENABLED | bool | true | Enable/disable Corredor integration |
| CORREDOR_ADDR | string | corredor:80 | Hostname and port of the Corredor gRPC server |
| CORREDOR_LOG_ENABLED | bool | false | Log communication with Corredor |
| CORREDOR_MAX_BACKOFF_DELAY | duration | 1 minute | Max delay for backoff on connection |
| CORREDOR_API_BASE_URL_SYSTEM | string | | Instructions passed to Corredor on every call - where Corteza API is located. |
| CORREDOR_API_BASE_URL_MESSAGING | string | | Instructions passed to Corredor on every call - where Corteza API is located. |
| CORREDOR_API_BASE_URL_COMPOSE | string | | Instructions passed to Corredor on every call - where Corteza API is located. |
| DB_DSN | string | corteza:corteza@tcp(db:3306)/corteza?collation=utf8mb4_general_ci | Database connection string <username>:<password>@(<host>:<port>)/<dbname>?collation=utf8mb4_general_ci |
| DB_LOGGER | bool | false | Log SQL queries |
| DB_MAX_TRIES | int | 100 | Max number of connection retries |
| DB_CONN_ERR_DELAY | duration | 5 seconds | How long do we wait between retries |
| DB_CONN_TIMEOUT | duration | 1 minute | For how long do we try to connect |
| GRPC_SERVER_NETWORK | string | tcp | Network to use for gRPC |
| GRPC_SERVER_ADDR | string | :50051 | Where do we listen for gRPC connections |
| GRPC_CLIENT_BACKOFF_DELAY | duration | 1 minute | Max delay for backoff on connection |
| GRPC_CLIENT_LOG | bool | false | Log gRPC communication |
| HTTP_ADDR | string | :80 | IP & port for HTTP server |
| HTTP_LOG_REQUEST | bool | false | Log requests |
| HTTP_LOG_RESPONSE | bool | false | Log responses |
| HTTP_ENABLE_VERSION_ROUTE | bool | false | Enable /version route |
| HTTP_ENABLE_DEBUG_ROUTE | bool | false | Enable /debug route |
| HTTP_METRICS | bool | false | Enable (prometheus) metrics |
| HTTP_METRICS_NAME | string | corteza | Name for metrics endpoint |
| HTTP_METRICS_USERNAME | string | metrics | Username for metrics endpoint |
| HTTP_METRICS_PASSWORD | string | (random) | Password for metrics endpoint |
| HTTP_REPORT_PANIC | bool | | Report panic to Sentry |
| HTTP_CLIENT_TSL_INSECURE | bool | false | Allow insecure (invalid, expired) TLS/SSL certificates |
| HTTP_CLIENT_TIMEOUT | bool | 30 seconds | Default timeout for clients |
| AUTH_JWT_SECRET | string | (random) | Secret used for signing JWT tokens |
| AUTH_JWT_EXPIRY | duration | 1 month | Expiration time |
| MONITOR_INTERVAL | duration | 5 minutes | Output (log) interval for monitoring |
| PROVISION_MIGRATE_DATABASE | bool | true | Migrate database (if needed) on server start |
| PROVISION_CONFIGURATION | bool | true | Import configuration (only on empty database) on server start |
| SENTRY_DSN | string | | Set to enable Sentry client |
| SENTRY_DEBUG | bool | false | Print out debugging information |
| SENTRY_ATTACH_STACKTRACE | bool | false | Attach stacktraces |
| SENTRY_SAMPLE_RATE | float32 | | Sample rate for event submission (0.0 - 1.0, defaults to 1.0) |
| SENTRY_MAX_BREADCRUMBS | int | | Maximum number of breadcrumbs |
| SENTRY_SERVERNAME | string | | Set reported Server name |
| SENTRY_RELEASE | string | (current version) | Set reported Release |
| SENTRY_DIST | string | | Set reported distribution |
| SENTRY_ENVIRONMENT | string | | Set reported environment |
| SMTP_HOST | string | localhost:25 | |
| SMTP_PORT | int | | |
| SMTP_USER | string | | |
| SMTP_PASS | string | | |
| SMTP_FROM | | | |
| STORAGE_PATH | string | var/store | Where do we store uploaded files |
| MINIO_ENDPOINT | string | | |
| MINIO_SECURE | bool | true | |
| MINIO_ACCESS_KEY | string | | |
| MINIO_SECRET_KEY | string | | |
| MINIO_SSEC_KEY | string | | |
| MINIO_BUCKET | string | | |
| MINIO_STRICT | bool | false | |
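
A pre-deployment check for the options listed above, as an added example that is not part of the Corteza documentation: the script reads a KEY=VALUE env file and flags values that the tables describe as weakening the deployment. The function names, the constructed sample file and the 32-character minimum for AUTH_JWT_SECRET are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Corteza code): flag risky values in a Corteza env file.

# get_var FILE KEY: print the last value assigned to KEY, surrounding quotes removed.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

is_true()  { case "$1" in true|True|TRUE|1) return 0 ;; esac; return 1; }
is_false() { case "$1" in false|False|FALSE|0) return 0 ;; esac; return 1; }

# audit_env FILE: print one finding per line; exit status is 1 when anything was flagged.
audit_env() {
    f=$1
    found=0
    flag() { printf '%s\n' "$1"; found=1; }

    case "$(get_var "$f" DB_DSN)" in
        corteza:corteza@*) flag "DB_DSN uses the documented default credentials corteza:corteza" ;;
    esac
    if is_true "$(get_var "$f" HTTP_ENABLE_DEBUG_ROUTE)"; then
        flag "HTTP_ENABLE_DEBUG_ROUTE exposes the /debug route"
    fi
    # Variable name spelled as on the page (TSL, not TLS).
    if is_true "$(get_var "$f" HTTP_CLIENT_TSL_INSECURE)"; then
        flag "HTTP_CLIENT_TSL_INSECURE accepts invalid or expired certificates"
    fi
    if is_false "$(get_var "$f" PROVISION_SETTINGS_AUTH_EXTERNAL_SESSION_STORE_SECURE)"; then
        flag "session cookie is issued without the secure flag"
    fi
    if ! is_false "$(get_var "$f" PROVISION_SETTINGS_AUTH_INTERNAL_SIGNUP_ENABLED)" &&
       is_false "$(get_var "$f" PROVISION_SETTINGS_AUTH_INTERNAL_SIGNUP_EMAIL_CONFIRMATION_REQUIRED)"; then
        flag "internal sign-up is open and email confirmation is explicitly disabled"
    fi
    secret=$(get_var "$f" AUTH_JWT_SECRET)
    # The 32-character minimum is this example's assumption, not a Corteza rule.
    if [ -n "$secret" ] && [ "${#secret}" -lt 32 ]; then
        flag "AUTH_JWT_SECRET is shorter than 32 characters"
    fi
    return "$found"
}

# Constructed sample input, written to the path given as $1.
write_sample_env() {
    cat > "$1" <<'EOF'
DB_DSN=corteza:corteza@tcp(db:3306)/corteza?collation=utf8mb4_general_ci
HTTP_ENABLE_DEBUG_ROUTE=true
HTTP_CLIENT_TSL_INSECURE=false
PROVISION_SETTINGS_AUTH_INTERNAL_SIGNUP_EMAIL_CONFIRMATION_REQUIRED=false
AUTH_JWT_SECRET="change-me"
EOF
}

sample=$(mktemp)
write_sample_env "$sample"
audit_env "$sample" || echo "review the settings listed above"
rm -f "$sample"
```

Run it against the env file referenced by docker-compose.yaml before the first start, since the PROVISION_* values are only applied during provisioning.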

Delaying API execution

With the WAIT_FOR* variables you can delay API execution while waiting for external (HTTP) services.

This might aid you in a complex setup where another service should be running and accessible before Corteza is ready.

| Variable | Type | Default value | Description |
|---|---|---|---|
| WAIT_FOR | duration | 0 | Delays API startup for the amount of time specified (10s, 2m, …). This delay happens before service (WAIT_FOR_SERVICES) probing. |
| WAIT_FOR_STATUS_PAGE | bool | true | Show temporary status web page. |
| WAIT_FOR_SERVICES | string | | Space delimited list of hosts and/or URLs to probe. Host format: host or host:443 (port will default to 80). Services are probed in parallel. |
| WAIT_FOR_SERVICES_TIMEOUT | duration | 1m | Max time for each service probe. |
| WAIT_FOR_SERVICES_PROBE_TIMEOUT | duration | 30s | Timeout for each service probe. |
| WAIT_FOR_SERVICES_PROBE_INTERVAL | duration | 5s | Interval between service probes. |

Corredor Server

Environment variables used by Corredor and by the API server when connecting to and communicating with Corredor.

| Variable | Type | Default value | Description |
|---|---|---|---|
| CORREDOR_ADDR | string | corredor:80 | This setting is used by both Corredor and API server. For Corredor server: where is server listening on. For API server: where can Corredor server be accessed. Used by Corredor and API server. |
| CORREDOR_ENABLED | bool | false | This is a setting for API server, will Corredor be used for server automation? Used by Corredor and API server. |
| CORREDOR_MAX_BACKOFF_DELAY | duration | 1m | Connection timeout (from API server to Corredor). Used by API server. |
| CORREDOR_API_BASE_URL_COMPOSE | string | | Location of the compose API (example: https://api.your-corteza-instance.tld/compose). Used by API server. |
| CORREDOR_API_BASE_URL_MESSAGING | string | | Location of the messaging API (example: https://api.your-corteza-instance.tld/messaging). Used by API server. |
| CORREDOR_API_BASE_URL_SYSTEM | string | | Location of the system API (example: https://api.your-corteza-instance.tld/system). Used by API server. |
| CORREDOR_LOG_ENABLED | boolean | corredor | This setting is used by both Corredor and API server. For Corredor service: where is service listening on (gRPC). For API server: where can Corredor service be accessed. Used by Corredor and API server. |
| CORREDOR_LOG_LEVEL | bool | false | If set to true, API server will log communication with Corredor and Corredor will log incoming requests. Used by Corredor and API server. |
| CORREDOR_LOG_LEVEL | string | info | Defaults to trace when CORREDOR_DEBUG is true, defines amount of log information output. Used by Corredor and API server. |
| CORREDOR_LOG_PRETTY | boolean | false | Are events logged in one-line JSON or formatted to ease development? Used by Corredor. |
| CORREDOR_DEBUG | boolean | false | Corredor will log even more information. Used by Corredor. |

Email automation: processing inbound email

Corteza supports email automation and processing of incoming email messages. This can be achieved through a local email service like Postfix or a 3rd party provider that forwards received emails through webhooks.

Flow:
  1. Email is received by internal or external system

  2. Email is forwarded to sink API endpoint

  3. Corteza sink service extracts header and body data from received email

  4. onReceive triggers are filtered for a match (trigger can be configured to match specific headers like sender or subject)

  5. Automation script is called

Preparing (signing) sink URL

The URL signature (the sign=… parameter and value) is created as a combination of all parameters and Corteza's secret string. This signature should be kept secret, as it is effectively the same as a password that allows access to Corteza.

Example:
docker-compose exec server system sink signature --method POST --origin postfix --content-type email
Command will output a line that looks like this:
/sink?content-type=email&expires=&method=POST&origin=postfix&sign=6280d530ae74f1f9c55e4dd362c9ef2094221287
Table 5. Parameters

| Parameter | Description |
|---|---|
| method | must match the request method |
| origin | arbitrary string, can be used to describe |
| content-type | used to set the processor for the input data |
| expires | can be used to sign link with expiration date. |

Validation
echo "
From: 
To: 
Subject: hello
Message-ID: <1234@local.machine.example>

Ola Corteza!
" | curl -i --data-binary @- "https://api.your-corteza-instance.tld/system/sink?content-type=email&expires=&method=POST&origin=postfix&sign=6280d530ae74f1f9c55e4dd362c9ef2094221287"

This command must return a 200 OK response.
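
Because the signed sink URL works like a password, it helps to check such URLs before deploying them and to mask the signature before a URL is logged or shared. The following is an added example, not Corteza code: the function names are its own, and it assumes a link is still valid on its expires date.

```shell
#!/bin/sh
# Added example (not Corteza code): inspect and redact signed sink URLs.

# query_param URL NAME: print the value of query parameter NAME (empty if absent).
query_param() {
    printf '%s\n' "$1" | sed 's/^[^?]*?//' | tr '&' '\n' |
        sed -n "s/^$2=//p" | head -n 1
}

# redact_sink_url URL: mask the sign value so the URL can be logged or shared.
redact_sink_url() {
    printf '%s\n' "$1" | sed 's/\([?&]sign=\)[^&]*/\1REDACTED/'
}

# check_sink_url URL [TODAY]: print findings; exit status is 1 if there are any.
# TODAY (YYYY-MM-DD) defaults to the current date.
check_sink_url() {
    sink_url=$1
    today=${2:-$(date +%Y-%m-%d)}
    bad=0
    note() { printf '%s\n' "$1"; bad=1; }

    case "$sink_url" in
        http://*) note "plain HTTP: the signature travels unencrypted" ;;
    esac
    [ -n "$(query_param "$sink_url" sign)" ] || note "no sign parameter"

    expires=$(query_param "$sink_url" expires)
    case "$expires" in
        "") note "expires is empty: the link carries no expiration date" ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            # Assumption: the link is still valid on the expires date itself.
            if [ "$(printf '%s' "$expires" | tr -d '-')" -lt \
                 "$(printf '%s' "$today" | tr -d '-')" ]; then
                note "expired on $expires"
            fi ;;
        *) note "expires is not in YYYY-MM-DD format" ;;
    esac
    return "$bad"
}

# URL taken from the example output shown on this page.
page_url='https://api.your-corteza-instance.tld/system/sink?content-type=email&expires=&method=POST&origin=postfix&sign=6280d530ae74f1f9c55e4dd362c9ef2094221287'
check_sink_url "$page_url" || true
redact_sink_url "$page_url"
```

For the page's example URL the check reports the empty expires value; passing --expires to the sink signature command produces a link that carries a date.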