Skip to content

Settings overview in Orchestrator

You can use the api/settings/overview endpoint to get an overview of the settings that are used in the application. This endpoint provides a JSON response that contains the settings that are defined in the application. The settings are grouped by their names and sensitive values are masked for security reasons. Per default, the application settings are used to configure the application. The settings are defined in the orchestrator.settings.py module and can be used to configure the application.

An example of the settings is shown below:

from orchestrator.settings import BaseSettings


class AppSettings(BaseSettings):
    TESTING: bool = True
    SESSION_SECRET: OrchSecretStr = "".join(secrets.choice(string.ascii_letters) for i in range(16))  # type: ignore
    CORS_ORIGINS: str = "*"
    ...
    EXPOSE_SETTINGS: bool = False
    EXPOSE_OAUTH_SETTINGS: bool = False


app_settings = AppSettings()

if app_settings.EXPOSE_SETTINGS:
    expose_settings("app_settings", app_settings)  # type: ignore

if app_settings.EXPOSE_OAUTH_SETTINGS:
    expose_settings("oauth2lib_settings", oauth2lib_settings)  # type: ignore

What you see above is the default settings for the application. The settings are defined in the orchestrator.settings.py module and can be used to configure the application. The EXPOSE_SETTINGS and EXPOSE_OAUTH_SETTINGS flags are used to control whether the settings should be exposed via the api/settings/overview endpoint, the result looks like this:

[
  {
    "name": "app_settings",
    "variables": [
      {
        "env_name": "TESTING",
        "env_value": false
      },
      {
        "env_name": "SESSION_SECRET",
        "env_value": "**********"
      },
      {
        "env_name": "CORS_ORIGINS",
        "env_value": "*"
      }
    ]
  }
]

The app_settings in the example above is a name of the settings class that is registered to be exposed.

Exposing your settings

In order to expose your settings, you need to register them using the expose_settings() function. This function takes two arguments: the name of the settings class and the instance of the settings class.

from orchestrator.settings import expose_settings, BaseSettings


class MySettings(BaseSettings):
    debug: bool = True


my_settings = MySettings()

expose_settings("my_settings", my_settings)

Lifecycle Validation Mode

The Lifecycle Validation Mode is used to validate in workflow steps that a subscription model has been instantiated with the correct product type class for its lifecycle status. E.g. a subscription model with a lifecycle status of PROVISIONING should be instantiated with a product type class that has a lifecycle status of PROVISIONING.

You can run the application with three different lifecycle validation modes:

class LifecycleValidationMode(strEnum):
    STRICT = "strict"
    LOOSE = "loose" # default
    IGNORED = "ignored"

The Lifecycle Validation Mode can be set using the LIFECYCLE_VALIDATION_MODE environment variable. The default setting is loose. The different modes are explained below:

  • strict: The application will enforce strict checks on the lifecycle status of subscription models in workflow steps. If any issues are found, the application will raise an error and stop running.

Error in strict mode

2025-09-26 13:46:56 [error    ] Subscription of type <class 'products.product_types.l3vpn.L3Vpn'> should use <class 'products.product_types.l3vpn.L3VpnProvisioning'> for lifecycle status 'provisioning' [orchestrator.domain.lifecycle] func=re_deploy_nso process_id=6a483f61-c21d-47be-8390-bbd608c59a77 workflow_name=create_l3vpn

Warning

A workflow failing on this error will not be recoverable, so it is advised to test this in development first.

  • loose: The application will log warnings for any issues with the lifecycle validation in workflow steps, but it will still run normally.

Warning in loose mode

2025-09-26 13:46:56 [warning    ] Subscription of type <class 'products.product_types.l3vpn.L3Vpn'> should use <class 'products.product_types.l3vpn.L3VpnProvisioning'> for lifecycle status 'provisioning' [orchestrator.domain.lifecycle] func=re_deploy_nso
  • ignored: The application will ignore all lifecycle validation issues and run normally.

Masking Secrets

The following rules apply when exposing settings:

Rules for Masking Secrets

  • Keys containing "password" or "secret" in their names are masked.
  • SecretStr from from pydantic import SecretStr are masked.
  • SecretStr from from orchestrator.utils.expose_settings import SecretStr are masked.
  • PostgresDsn from from pydantic import PostgresDsn are masked.

Overview of AppSettings class

Toggle the source code block below to get a complete overview of the current application settings.

orchestrator.settings.AppSettings

Bases: pydantic_settings.BaseSettings

Source code in orchestrator/settings.py 
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
class AppSettings(BaseSettings):
    TESTING: bool = True
    SESSION_SECRET: OrchSecretStr = "".join(secrets.choice(string.ascii_letters) for i in range(16))  # type: ignore
    CORS_ORIGINS: str = "*"
    CORS_ALLOW_METHODS: list[str] = ["GET", "PUT", "PATCH", "POST", "DELETE", "OPTIONS", "HEAD"]
    CORS_ALLOW_HEADERS: list[str] = ["If-None-Match", "Authorization", "If-Match", "Content-Type"]
    CORS_EXPOSE_HEADERS: list[str] = [
        "Cache-Control",
        "Content-Language",
        "Content-Length",
        "Content-Type",
        "Expires",
        "Last-Modified",
        "Pragma",
        "Content-Range",
        "ETag",
    ]
    ENVIRONMENT: str = "local"
    EXECUTOR: str = ExecutorType.THREADPOOL
    WORKFLOWS_SWAGGER_HOST: str = "localhost"
    WORKFLOWS_GUI_URI: str = "http://localhost:3000"
    DATABASE_URI: PostgresDsn = "postgresql://nwa:nwa@localhost/orchestrator-core"  # type: ignore
    MAX_WORKERS: int = 5
    MAIL_SERVER: str = "localhost"
    MAIL_PORT: int = 25
    MAIL_STARTTLS: bool = False
    CACHE_URI: RedisDsn = "redis://localhost:6379/0"  # type: ignore
    CACHE_HMAC_SECRET: OrchSecretStr | None = None  # HMAC signing key, used when pickling results in the cache
    REDIS_RETRY_COUNT: NonNegativeInt = Field(
        2, description="Number of retries for redis connection errors/timeouts, 0 to disable"
    )  # More info: https://redis-py.readthedocs.io/en/stable/retry.html
    ENABLE_DISTLOCK_MANAGER: bool = True
    DISTLOCK_BACKEND: str = "memory"
    CC_NOC: int = 0
    SERVICE_NAME: str = "orchestrator-core"
    LOGGING_HOST: str = "localhost"
    LOG_LEVEL: str = "DEBUG"
    SLACK_ENGINE_SETTINGS_HOOK_ENABLED: bool = False
    SLACK_ENGINE_SETTINGS_HOOK_URL: str = ""
    TRACING_ENABLED: bool = False
    TRACE_HOST: str = "http://localhost:4317"
    TRANSLATIONS_DIR: Path | None = None
    WEBSOCKET_BROADCASTER_URL: OrchSecretStr = "memory://"  # type: ignore
    ENABLE_WEBSOCKETS: bool = True
    DISABLE_INSYNC_CHECK: bool = False
    DEFAULT_PRODUCT_WORKFLOWS: list[str] = ["modify_note"]
    SKIP_MODEL_FOR_MIGRATION_DB_DIFF: list[str] = []
    SERVE_GRAPHQL_UI: bool = True
    FEDERATION_ENABLED: bool = False
    DEFAULT_CUSTOMER_FULLNAME: str = "Default::Orchestrator-Core Customer"
    DEFAULT_CUSTOMER_SHORTCODE: str = "default-cust"
    DEFAULT_CUSTOMER_IDENTIFIER: str = "59289a57-70fb-4ff5-9c93-10fe67b12434"
    TASK_LOG_RETENTION_DAYS: int = 3
    ENABLE_GRAPHQL_DEPRECATION_CHECKER: bool = True
    ENABLE_GRAPHQL_PROFILING_EXTENSION: bool = False
    ENABLE_GRAPHQL_STATS_EXTENSION: bool = False
    ENABLE_PROMETHEUS_METRICS_ENDPOINT: bool = False
    VALIDATE_OUT_OF_SYNC_SUBSCRIPTIONS: bool = False
    FILTER_BY_MODE: Literal["partial", "exact"] = "exact"
    EXPOSE_SETTINGS: bool = False
    EXPOSE_OAUTH_SETTINGS: bool = False
    LIFECYCLE_VALIDATION_MODE: LifecycleValidationMode = LifecycleValidationMode.LOOSE