-
Notifications
You must be signed in to change notification settings - Fork 0
Feat/nginx proxy and cert handling #16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: wydot-deployment-2026
Are you sure you want to change the base?
Changes from all commits
f9af11c
1330468
b332bf6
ede5011
8db9144
300d2f0
97a4812
24e973a
3635364
bcebd9f
280e4b7
588e05b
4a25a24
0f809d8
2525793
1828ccf
a3d021d
913cc8c
22be9b2
d437b14
969abaf
58fdbe5
9c55fc4
656165a
13d6432
7173d32
849361f
f86ef5e
4c66d53
2778982
0cbde22
aa1aee4
1431092
233eb0b
dc68246
64b5fbd
aced1d6
685e102
42cc272
97df42f
b41480c
3e42085
14ee52d
dad4b3d
d24e70d
0e356bc
c08a0af
21ea2cf
d8e7901
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -5,6 +5,33 @@ include: | |||||
| - docker-compose-obu-ota-server.yml | ||||||
|
|
||||||
| services: | ||||||
| cvmanager_nginx_proxy: | ||||||
| profiles: | ||||||
| - nginx_proxy | ||||||
| build: | ||||||
| context: ./resources/nginx | ||||||
| dockerfile: Dockerfile | ||||||
| image: cvmanager_nginx_proxy:latest | ||||||
| restart: unless-stopped | ||||||
| ports: | ||||||
| - 80:80 | ||||||
| - 443:443 | ||||||
| environment: | ||||||
| NGINX_ENVSUBST_OUTPUT_DIR: /etc/nginx | ||||||
| SERVER_HOST: ${WEBAPP_DOMAIN} | ||||||
| volumes: | ||||||
| - ./resources/nginx/nginx-ssl.conf:/etc/nginx/templates/nginx.conf.template | ||||||
| - ./resources/nginx/ssl:/etc/ssl | ||||||
| depends_on: | ||||||
| - cvmanager_webapp | ||||||
| - cvmanager_keycloak | ||||||
| - cvmanager_api | ||||||
| - cvmanager_postgres | ||||||
|
||||||
| - cvmanager_postgres |
Copilot
AI
Jan 7, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The cvmanager_api service has a hard dependency on cvmanager_postgres at line 105, but when deploying with an external database, the local postgres container may not be running. This will cause the API service to fail to start in external database scenarios. Consider making this dependency conditional or documenting that users must comment it out when using an external database.
| depends_on: | |
| - cvmanager_postgres |
Copilot
AI
Jan 7, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The KC_HOSTNAME_PORT is hardcoded to 443, but this may not be appropriate for all deployment scenarios. For local development or testing environments where different ports might be used, this should be configurable through an environment variable. Consider changing this to use an environment variable like '${KEYCLOAK_PORT:-443}' to allow for flexibility.
| KC_HOSTNAME_PORT: 443 | |
| KC_HOSTNAME_PORT: ${KEYCLOAK_PORT:-443} |
Copilot
AI
Jan 7, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The healthcheck endpoint has been changed from '/health' to '/realms/master', but this is checking a functional endpoint rather than a dedicated health endpoint. The '/health' endpoint is specifically designed for health checks and is more appropriate. If the health endpoint is not available on port 8080, consider using 'http://localhost:8080/health/ready' or similar dedicated health endpoints provided by Keycloak. Using a functional endpoint like '/realms/master' can lead to false positives if the service is partially degraded.
| test: ['CMD', 'curl', '-f', 'http://localhost:8080/realms/master'] | |
| test: ['CMD', 'curl', '-f', 'http://localhost:8080/health/ready'] |
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -27,7 +27,7 @@ | |||||||||
| "oauth2DeviceCodeLifespan": 600, | ||||||||||
| "oauth2DevicePollingInterval": 5, | ||||||||||
| "enabled": true, | ||||||||||
| "sslRequired": "external", | ||||||||||
| "sslRequired": "all", | ||||||||||
| "registrationAllowed": false, | ||||||||||
| "registrationEmailAsUsername": false, | ||||||||||
| "rememberMe": false, | ||||||||||
|
|
@@ -688,8 +688,8 @@ | |||||||||
| "enabled": true, | ||||||||||
| "alwaysDisplayInConsole": false, | ||||||||||
| "clientAuthenticatorType": "client-secret", | ||||||||||
| "redirectUris": ["http://localhost:3000/*", "http://localhost/*", "http://cvmanager.local.com/*"], | ||||||||||
| "webOrigins": ["http://localhost:3000", "http://localhost", "http://cvmanager.local.com"], | ||||||||||
| "redirectUris": ["http://localhost:3000/*", "http://localhost/*", "https://cvmanager.local.com/*"], | ||||||||||
| "webOrigins": ["http://localhost:3000", "http://localhost", "https://cvmanager.local.com"], | ||||||||||
|
Comment on lines
+691
to
+692
|
||||||||||
| "redirectUris": ["http://localhost:3000/*", "http://localhost/*", "https://cvmanager.local.com/*"], | |
| "webOrigins": ["http://localhost:3000", "http://localhost", "https://cvmanager.local.com"], | |
| "redirectUris": ["http://localhost:3000/*", "http://localhost/*", "https://${CVMANAGER_GUI_DOMAIN}/*"], | |
| "webOrigins": ["http://localhost:3000", "http://localhost", "https://${CVMANAGER_GUI_DOMAIN}"], |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,14 @@ | ||||||
| FROM nginx:alpine | ||||||
|
|
||||||
| # The official nginx image supports environment variable substitution in templates | ||||||
| # placed in /etc/nginx/templates/*.template. | ||||||
| # We mount the config in docker-compose, but we can also copy it here as a default. | ||||||
|
|
||||||
| # Ensure we have openssl for dhparam generation if needed by the script | ||||||
| RUN apk add --no-network --no-cache openssl || apk add --no-cache openssl | ||||||
|
||||||
| RUN apk add --no-network --no-cache openssl || apk add --no-cache openssl | |
| RUN apk add --no-cache openssl |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's an inconsistency in the commented-out code. Line 177 adds a volume mount for the SSL certificate to the firmware_manager_upgrade_runner service, but this mount is not present in the firmware_manager_upgrade_scheduler service (which would also need to communicate securely if enabled). If these services are being prepared for SSL support, both should have consistent certificate mounts. Additionally, since these services are commented out, consider removing them entirely or documenting why they're disabled and when they'll be re-enabled.