Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
49 commits
Select commit Hold shift + click to select a range
f9af11c
feat: add cvmanager_nginx_proxy service to docker-compose
dmccoystephenson Dec 31, 2025
1330468
fix: set default values for STORAGE_TYPE and ISS_KEY_TABLE_NAME in do…
dmccoystephenson Dec 31, 2025
b332bf6
chore: comment out firmware manager services in docker-compose-addons…
dmccoystephenson Dec 31, 2025
ede5011
chore: update SSL certificate paths in docker-compose for cvmanager_a…
dmccoystephenson Dec 31, 2025
8db9144
chore: comment out cvmanager_postgres service in docker-compose.yml
dmccoystephenson Dec 31, 2025
300d2f0
feat: add SSL support for database connection in pgquery.py
dmccoystephenson Dec 31, 2025
97a4812
chore: comment out file type validation in util.py
dmccoystephenson Dec 31, 2025
24e973a
chore: update default active upgrade limit to 4 in upgrade_scheduler.py
dmccoystephenson Dec 31, 2025
3635364
chore: add commented-out SSL certificate path in docker-compose-addon…
dmccoystephenson Dec 31, 2025
bcebd9f
chore: update nginx proxy build context in docker-compose.yml
dmccoystephenson Dec 31, 2025
280e4b7
chore: update resource paths and placeholders for nginx proxy and SSL…
dmccoystephenson Dec 31, 2025
588e05b
chore: add nginx SSL configuration for webapp, API, and Keycloak
dmccoystephenson Dec 31, 2025
4a25a24
chore: add script to generate Diffie-Hellman parameters if not present
dmccoystephenson Dec 31, 2025
0f809d8
chore: add SSL certificate and key files to .gitignore
dmccoystephenson Dec 31, 2025
2525793
chore: enhance nginx SSL configuration with rate limiting, security h…
dmccoystephenson Dec 31, 2025
1828ccf
chore: update docker-compose.yml to include cvmanager_postgres servic…
dmccoystephenson Dec 31, 2025
a3d021d
chore: refactor nginx SSL configuration for improved structure and re…
dmccoystephenson Dec 31, 2025
913cc8c
chore: update realm.json to include HTTPS origins for redirectUris an…
dmccoystephenson Dec 31, 2025
22be9b2
chore: update cvmanager API port in nginx SSL configuration
dmccoystephenson Dec 31, 2025
d437b14
chore: update docker-compose.yml to remove unused gen_dhparam.sh volu…
dmccoystephenson Dec 31, 2025
969abaf
chore: update sample.env to change Keycloak and API endpoints to use …
dmccoystephenson Dec 31, 2025
58fdbe5
chore: update nginx SSL configuration to include trailing slash in pr…
dmccoystephenson Dec 31, 2025
9c55fc4
chore: update Keycloak endpoint in sample.env to include trailing sla…
dmccoystephenson Dec 31, 2025
656165a
chore: enhance SSL connection handling for PostgreSQL based on PG_SSL…
dmccoystephenson Dec 31, 2025
13d6432
chore: add configurable Keycloak verification based on KEYCLOAK_VERIF…
dmccoystephenson Dec 31, 2025
7173d32
chore: update docker-compose files to include PG_SSL_REQUIRED variabl…
dmccoystephenson Dec 31, 2025
849361f
chore: add Dockerfile for nginx with OpenSSL and dhparam generation s…
dmccoystephenson Dec 31, 2025
f86ef5e
chore: update realm configuration to require SSL for all connections …
dmccoystephenson Dec 31, 2025
4c66d53
chore: update nginx configuration to enhance rate limiting and buffer…
dmccoystephenson Dec 31, 2025
2778982
chore: update Keycloak configuration in docker-compose to enforce str…
dmccoystephenson Dec 31, 2025
0cbde22
chore: add detailed local testing documentation for NGINX SSL proxy s…
dmccoystephenson Dec 31, 2025
aa1aee4
chore: update COMPOSE_PROFILES in sample.env
dmccoystephenson Dec 31, 2025
1431092
chore: remove unnecessary `depends_on` condition from iss_health_chec…
dmccoystephenson Dec 31, 2025
233eb0b
chore: add deployment documentation for NGINX SSL proxy with external…
dmccoystephenson Dec 31, 2025
dc68246
chore: re-enable file extension validation in `is_valid_file_extensio…
dmccoystephenson Dec 31, 2025
64b5fbd
chore: update `test_pgquery` to mock `PG_SSL_REQUIRED` and adjust `cr…
dmccoystephenson Dec 31, 2025
aced1d6
chore: update `test_get_upgrade_limit_no_env` assertion to reflect ne…
dmccoystephenson Dec 31, 2025
685e102
chore: update NGINX configuration for improved SSL settings and proxy…
dmccoystephenson Jan 6, 2026
42cc272
chore: update NGINX configuration with new endpoints for geo-query an…
dmccoystephenson Jan 6, 2026
97df42f
chore: add support for custom CA certificates in API service and impr…
dmccoystephenson Jan 6, 2026
b41480c
chore: update dhparam generation script to use correct NGINX path
dmccoystephenson Jan 6, 2026
3e42085
chore: update Keycloak endpoint in docker-compose and sample.env for …
dmccoystephenson Jan 6, 2026
14ee52d
chore: update endpoint references in documentation and sample.env for…
dmccoystephenson Jan 6, 2026
dad4b3d
chore: update KEYCLOAK_ENDPOINT to use KEYCLOAK_DOMAIN in sample.env
dmccoystephenson Jan 6, 2026
d24e70d
chore: update docker-compose to remove dynamic NGINX_PROXY_RESOURCES …
dmccoystephenson Jan 7, 2026
0e356bc
chore: refine CA certificate handling in Dockerfile.api to copy speci…
dmccoystephenson Jan 7, 2026
c08a0af
chore: refine CA certificate path references in NGINX deployment docu…
dmccoystephenson Jan 7, 2026
21ea2cf
chore: update CA certificate paths in sample.env for API service
dmccoystephenson Jan 7, 2026
d8e7901
chore: update README-testing.md to improve SSL certificate generation…
dmccoystephenson Jan 7, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,10 @@ htmlcov
.pytest_cache
local_blob_storage
services/coverage.xml

resources/nginx/ssl/*.crt
resources/nginx/ssl/*.key
resources/nginx/ssl/*.pem
services/resources/ca/*.crt
services/resources/ca/*.key
services/resources/ca/*.pem
148 changes: 78 additions & 70 deletions docker-compose-addons.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ services:

DESTINATION_DB: ${COUNT_DESTINATION_DB}

PG_SSL_REQUIRED: ${PG_SSL_REQUIRED:-True}

MONGO_DB_URI: ${MONGO_DB_URI}
MONGO_DB_NAME: ${CM_DATABASE_NAME}
INPUT_COUNTS_MONGO_COLLECTION_NAME: ${INPUT_COUNTS_MONGO_COLLECTION_NAME}
Expand All @@ -35,6 +37,8 @@ services:
KAFKA_BIGQUERY_TABLENAME: ${KAFKA_BIGQUERY_TABLENAME}

LOGGING_LEVEL: ${COUNTS_LOGGING_LEVEL}
volumes:
- ./services/resources/ca:/etc/ssl/ca
logging:
options:
max-size: '10m'
Expand Down Expand Up @@ -67,7 +71,11 @@ services:
PG_DB_USER: ${PG_DB_USER}
PG_DB_PASS: ${PG_DB_PASS}

PG_SSL_REQUIRED: ${PG_SSL_REQUIRED:-True}

LOGGING_LEVEL: ${RSU_STATUS_LOGGING_LEVEL}
volumes:
- ./services/resources/ca:/etc/ssl/ca
logging:
options:
max-size: '10m'
Expand All @@ -82,97 +90,97 @@ services:
dockerfile: Dockerfile.iss_health_check
image: iss_health_check:latest
restart: on-failure:3
depends_on:
cvmanager_postgres:
condition: service_healthy
required: false
environment:
STORAGE_TYPE: ${STORAGE_TYPE}
STORAGE_TYPE: ${STORAGE_TYPE:-POSTGRES}

ISS_API_KEY: ${ISS_API_KEY}
ISS_API_KEY_NAME: ${ISS_API_KEY_NAME}
ISS_PROJECT_ID: ${ISS_PROJECT_ID}
ISS_SCMS_TOKEN_REST_ENDPOINT: ${ISS_SCMS_TOKEN_REST_ENDPOINT}
ISS_SCMS_VEHICLE_REST_ENDPOINT: ${ISS_SCMS_VEHICLE_REST_ENDPOINT}
ISS_KEY_TABLE_NAME: ${ISS_KEY_TABLE_NAME}
ISS_KEY_TABLE_NAME: ${ISS_KEY_TABLE_NAME:-iss_keys}

PG_DB_HOST: ${PG_DB_HOST}
PG_DB_NAME: ${PG_DB_NAME}
PG_DB_USER: ${PG_DB_USER}
PG_DB_PASS: ${PG_DB_PASS}

PG_SSL_REQUIRED: ${PG_SSL_REQUIRED:-True}

PROJECT_ID: ${GCP_PROJECT_ID}
GOOGLE_APPLICATION_CREDENTIALS: /home/gcp_key.json

LOGGING_LEVEL: ${ISS_LOGGING_LEVEL}
volumes:
- ./resources/google/${GOOGLE_ACCESS_KEY_NAME}:/home/gcp_key.json
- ./services/resources/ca:/etc/ssl/ca
logging:
options:
max-size: '10m'
max-file: '5'

firmware_manager_upgrade_scheduler:
profiles:
- addons
- firmware_manager_upgrade_scheduler
build:
context: services
dockerfile: Dockerfile.fmus
image: jpo_firmware_manager_upgrade_scheduler:latest
restart: on-failure:3

ports:
- '8089:8080'
environment:
PG_DB_HOST: ${PG_DB_HOST}
PG_DB_NAME: postgres
PG_DB_USER: ${PG_DB_USER}
PG_DB_PASS: ${PG_DB_PASS}

UPGRADE_RUNNER_ENDPOINT: ${FIRMWARE_MANAGER_UPGRADE_RUNNER_ENDPOINT}

LOGGING_LEVEL: ${FIRMWARE_MANAGER_LOGGING_LEVEL}
volumes:
- ${HOST_BLOB_STORAGE_DIRECTORY}:/mnt/blob_storage
logging:
options:
max-size: '10m'
max-file: '5'

firmware_manager_upgrade_runner:
profiles:
- addons
- firmware_manager_upgrade_runner
build:
context: services
dockerfile: Dockerfile.fmur
image: jpo_firmware_manager_upgrade_runner:latest
restart: on-failure:3

ports:
- '8090:8080'
environment:
BLOB_STORAGE_PROVIDER: ${BLOB_STORAGE_PROVIDER}
BLOB_STORAGE_BUCKET: ${BLOB_STORAGE_BUCKET}

FW_UPGRADE_MAX_RETRY_LIMIT: ${FW_UPGRADE_MAX_RETRY_LIMIT}

GCP_PROJECT: ${GCP_PROJECT_ID}
GOOGLE_APPLICATION_CREDENTIALS: /home/gcp_key.json

SMTP_SERVER_IP: ${SMTP_SERVER_IP}
SMTP_EMAIL: ${SMTP_EMAIL}
SMTP_USERNAME: ${SMTP_USERNAME}
SMTP_PASSWORD: ${SMTP_PASSWORD}

UPGRADE_SCHEDULER_ENDPOINT: ${FIRMWARE_MANAGER_UPGRADE_SCHEDULER_ENDPOINT}

LOGGING_LEVEL: ${FIRMWARE_MANAGER_LOGGING_LEVEL}
volumes:
- ./resources/google/${GOOGLE_ACCESS_KEY_NAME}:/home/gcp_key.json
- ${HOST_BLOB_STORAGE_DIRECTORY}:/mnt/blob_storage
logging:
options:
max-size: '10m'
max-file: '5'
# firmware_manager_upgrade_scheduler:
# profiles:
# - addons
# - firmware_manager_upgrade_scheduler
# build:
# context: services
# dockerfile: Dockerfile.fmus
# image: jpo_firmware_manager_upgrade_scheduler:latest
# restart: on-failure:3
#
# ports:
# - '8089:8080'
# environment:
# PG_DB_HOST: ${PG_DB_HOST}
# PG_DB_NAME: postgres
# PG_DB_USER: ${PG_DB_USER}
# PG_DB_PASS: ${PG_DB_PASS}
#
# UPGRADE_RUNNER_ENDPOINT: ${FIRMWARE_MANAGER_UPGRADE_RUNNER_ENDPOINT}
#
# LOGGING_LEVEL: ${FIRMWARE_MANAGER_LOGGING_LEVEL}
# volumes:
# - ${HOST_BLOB_STORAGE_DIRECTORY}:/mnt/blob_storage
# logging:
# options:
# max-size: '10m'
# max-file: '5'
#
# firmware_manager_upgrade_runner:
# profiles:
# - addons
# - firmware_manager_upgrade_runner
# build:
# context: services
# dockerfile: Dockerfile.fmur
# image: jpo_firmware_manager_upgrade_runner:latest
# restart: on-failure:3
#
# ports:
# - '8090:8080'
# environment:
# BLOB_STORAGE_PROVIDER: ${BLOB_STORAGE_PROVIDER}
# BLOB_STORAGE_BUCKET: ${BLOB_STORAGE_BUCKET}
#
# FW_UPGRADE_MAX_RETRY_LIMIT: ${FW_UPGRADE_MAX_RETRY_LIMIT}
#
# GCP_PROJECT: ${GCP_PROJECT_ID}
# GOOGLE_APPLICATION_CREDENTIALS: /home/gcp_key.json
#
# SMTP_SERVER_IP: ${SMTP_SERVER_IP}
# SMTP_EMAIL: ${SMTP_EMAIL}
# SMTP_USERNAME: ${SMTP_USERNAME}
# SMTP_PASSWORD: ${SMTP_PASSWORD}
#
# UPGRADE_SCHEDULER_ENDPOINT: ${FIRMWARE_MANAGER_UPGRADE_SCHEDULER_ENDPOINT}
#
# LOGGING_LEVEL: ${FIRMWARE_MANAGER_LOGGING_LEVEL}
# volumes:
# - ./resources/google/${GOOGLE_ACCESS_KEY_NAME}:/home/gcp_key.json
# - ${HOST_BLOB_STORAGE_DIRECTORY}:/mnt/blob_storage
# - ${NGINX_PROXY_RESOURCES:-./resources/nginx}/ssl/server.crt:/etc/ssl/certs/server.crt
# logging:
# options:
# max-size: '10m'
# max-file: '5'
Comment on lines +122 to +186

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an inconsistency in the commented-out code. Line 177 adds a volume mount for the SSL certificate to the firmware_manager_upgrade_runner service, but this mount is not present in the firmware_manager_upgrade_scheduler service (which would also need to communicate securely if enabled). If these services are being prepared for SSL support, both should have consistent certificate mounts. Additionally, since these services are commented out, consider removing them entirely or documenting why they're disabled and when they'll be re-enabled.

Copilot uses AI. Check for mistakes.
56 changes: 41 additions & 15 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,33 @@ include:
- docker-compose-obu-ota-server.yml

services:
cvmanager_nginx_proxy:
profiles:
- nginx_proxy
build:
context: ./resources/nginx
dockerfile: Dockerfile
image: cvmanager_nginx_proxy:latest
restart: unless-stopped
ports:
- 80:80
- 443:443
environment:
NGINX_ENVSUBST_OUTPUT_DIR: /etc/nginx
SERVER_HOST: ${WEBAPP_DOMAIN}
volumes:
- ./resources/nginx/nginx-ssl.conf:/etc/nginx/templates/nginx.conf.template
- ./resources/nginx/ssl:/etc/ssl
depends_on:
- cvmanager_webapp
- cvmanager_keycloak
- cvmanager_api
- cvmanager_postgres

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cvmanager_nginx_proxy service has a dependency on cvmanager_postgres which may not exist when using an external database. According to the deployment documentation (README-deployment.md), users can configure an external PostgreSQL database and should be able to exclude the local postgres container. This hard dependency will cause deployment failures in such scenarios. Consider making this dependency conditional or removing it since the nginx proxy doesn't directly interact with the database.

Suggested change
- cvmanager_postgres

Copilot uses AI. Check for mistakes.
logging:
options:
max-size: '10m'
max-file: '5'

cvmanager_api:
profiles:
- basic
Expand All @@ -16,14 +43,11 @@ services:
restart: always
extra_hosts:
${WEBAPP_DOMAIN}: ${WEBAPP_HOST_IP}
${KEYCLOAK_DOMAIN}: ${KC_HOST_IP}
ports:
- '8081:5000'
environment:
PG_DB_HOST: ${PG_DB_HOST}
PG_DB_USER: ${PG_DB_USER}
PG_DB_PASS: ${PG_DB_PASS}
PG_DB_NAME: postgres
PG_DB_NAME: ${PG_DB_NAME}
INSTANCE_CONNECTION_NAME: ${INSTANCE_CONNECTION_NAME}

MONGO_DB_URI: ${MONGO_DB_URI}
Expand Down Expand Up @@ -73,8 +97,14 @@ services:

TIMEZONE: ${TIMEZONE}
LOGGING_LEVEL: ${API_LOGGING_LEVEL}
KEYCLOAK_VERIFY: ${KEYCLOAK_VERIFY:-/etc/ssl/ca/ca.crt}
PG_SSL_REQUIRED: ${PG_SSL_REQUIRED:-True}
REQUESTS_CA_BUNDLE: /etc/ssl/ca/ca.crt
depends_on:
- cvmanager_postgres
Comment on lines +103 to +104

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cvmanager_api service has a hard dependency on cvmanager_postgres at line 105, but when deploying with an external database, the local postgres container may not be running. This will cause the API service to fail to start in external database scenarios. Consider making this dependency conditional or documenting that users must comment it out when using an external database.

Suggested change
depends_on:
- cvmanager_postgres

Copilot uses AI. Check for mistakes.
volumes:
- ./resources/google/${GOOGLE_ACCESS_KEY_NAME}:/home/gcp_key.json
- ./services/resources/ca:/etc/ssl/ca
logging:
options:
max-size: '10m'
Expand Down Expand Up @@ -119,9 +149,6 @@ services:
required: false
extra_hosts:
${WEBAPP_DOMAIN}: ${WEBAPP_HOST_IP}
${KEYCLOAK_DOMAIN}: ${KC_HOST_IP}
ports:
- '80:80'
logging:
options:
max-size: '10m'
Expand Down Expand Up @@ -162,39 +189,38 @@ services:
cvmanager_postgres:
required: false
condition: service_started

extra_hosts:
${WEBAPP_DOMAIN}: ${WEBAPP_HOST_IP}
${KEYCLOAK_DOMAIN}: ${KC_HOST_IP}
ports:
- '8084:8080'
- '9000:9000'
environment:
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
WEBAPP_ORIGIN: ${WEBAPP_ENDPOINT}
KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN}
KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
KC_HEALTH_ENABLED: 'true'
KC_LOG_LEVEL: ${KC_LOGGING_LEVEL}
KC_LOG_LEVEL: ${KC_LOGGING_LEVEL:-INFO}
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://${PG_DB_HOST}/postgres?currentSchema=keycloak
KC_DB_USERNAME: ${PG_DB_USER}
KC_DB_PASSWORD: ${PG_DB_PASS}
KC_HOSTNAME: ${KEYCLOAK_DOMAIN}
KC_HOSTNAME_PORT: 443

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The KC_HOSTNAME_PORT is hardcoded to 443, but this may not be appropriate for all deployment scenarios. For local development or testing environments where different ports might be used, this should be configurable through an environment variable. Consider changing this to use an environment variable like '${KEYCLOAK_PORT:-443}' to allow for flexibility.

Suggested change
KC_HOSTNAME_PORT: 443
KC_HOSTNAME_PORT: ${KEYCLOAK_PORT:-443}

Copilot uses AI. Check for mistakes.
KC_HOSTNAME_STRICT_HTTPS: 'true'
KC_HOSTNAME_STRICT: 'false'
KEYCLOAK_API_CLIENT_SECRET_KEY: ${KEYCLOAK_API_CLIENT_SECRET_KEY}
GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}
KC_HOSTNAME_STRICT_HTTPS: 'false'
KC_HTTP_ENABLED: 'true'
KC_PROXY_HEADERS: xforwarded
KC_HOSTNAME_STRICT_BACKCHANNEL: 'false'
command:
- start-dev
- --import-realm
logging:
options:
max-size: '10m'
healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost:9000/health']
test: ['CMD', 'curl', '-f', 'http://localhost:8080/realms/master']

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The healthcheck endpoint has been changed from '/health' to '/realms/master', but this is checking a functional endpoint rather than a dedicated health endpoint. The '/health' endpoint is specifically designed for health checks and is more appropriate. If the health endpoint is not available on port 8080, consider using 'http://localhost:8080/health/ready' or similar dedicated health endpoints provided by Keycloak. Using a functional endpoint like '/realms/master' can lead to false positives if the service is partially degraded.

Suggested change
test: ['CMD', 'curl', '-f', 'http://localhost:8080/realms/master']
test: ['CMD', 'curl', '-f', 'http://localhost:8080/health/ready']

Copilot uses AI. Check for mistakes.
interval: 30s
timeout: 10s
retries: 3
Expand Down
6 changes: 3 additions & 3 deletions resources/keycloak/realm.json
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
"oauth2DeviceCodeLifespan": 600,
"oauth2DevicePollingInterval": 5,
"enabled": true,
"sslRequired": "external",
"sslRequired": "all",
"registrationAllowed": false,
"registrationEmailAsUsername": false,
"rememberMe": false,
Expand Down Expand Up @@ -688,8 +688,8 @@
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": ["http://localhost:3000/*", "http://localhost/*", "http://cvmanager.local.com/*"],
"webOrigins": ["http://localhost:3000", "http://localhost", "http://cvmanager.local.com"],
"redirectUris": ["http://localhost:3000/*", "http://localhost/*", "https://cvmanager.local.com/*"],
"webOrigins": ["http://localhost:3000", "http://localhost", "https://cvmanager.local.com"],
Comment on lines +691 to +692

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The redirectUris and webOrigins for the cvmanager-gui client include hardcoded references to 'cvmanager.local.com' which is a local development domain. In production deployments, this will need to be changed to the actual domain. Consider using environment variable substitution similar to how KEYCLOAK_API_CLIENT_SECRET_KEY is handled, or document that this file needs to be customized for production deployments.

Suggested change
"redirectUris": ["http://localhost:3000/*", "http://localhost/*", "https://cvmanager.local.com/*"],
"webOrigins": ["http://localhost:3000", "http://localhost", "https://cvmanager.local.com"],
"redirectUris": ["http://localhost:3000/*", "http://localhost/*", "https://${CVMANAGER_GUI_DOMAIN}/*"],
"webOrigins": ["http://localhost:3000", "http://localhost", "https://${CVMANAGER_GUI_DOMAIN}"],

Copilot uses AI. Check for mistakes.
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
Expand Down
14 changes: 14 additions & 0 deletions resources/nginx/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
FROM nginx:alpine

# The official nginx image supports environment variable substitution in templates
# placed in /etc/nginx/templates/*.template.
# We mount the config in docker-compose, but we can also copy it here as a default.

# Ensure we have openssl for dhparam generation if needed by the script
RUN apk add --no-network --no-cache openssl || apk add --no-cache openssl

Copilot AI Jan 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The RUN command has a fallback pattern 'apk add --no-network --no-cache openssl || apk add --no-cache openssl' which is confusing. The '--no-network' flag is not a standard apk option and will cause the first command to fail, then the second command without this flag will execute. If the intent is to try installation without network first, this should be documented. Otherwise, simply use 'apk add --no-cache openssl' directly.

Suggested change
RUN apk add --no-network --no-cache openssl || apk add --no-cache openssl
RUN apk add --no-cache openssl

Copilot uses AI. Check for mistakes.

# Ensure gen_dhparam.sh is executable when mounted
COPY gen_dhparam.sh /docker-entrypoint.d/gen_dhparam.sh
RUN chmod +x /docker-entrypoint.d/gen_dhparam.sh

# The gen_dhparam.sh script will be executed by the entrypoint because it's in /docker-entrypoint.d/
Loading
Loading