Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions .github/workflows/cd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,44 @@ jobs:
printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key

- name: Write compose .env file
env:
POSTGRES_PASSWORD: ${{ secrets.DB_ADMIN_PASSWORD }}
ORGANIZATION_DB_PASSWORD: ${{ secrets.DB_ORGANIZATION_PASSWORD }}
MEMBER_DB_PASSWORD: ${{ secrets.DB_MEMBER_PASSWORD }}
EVENT_DB_PASSWORD: ${{ secrets.DB_EVENT_PASSWORD }}
FEEDBACK_DB_PASSWORD: ${{ secrets.DB_FEEDBACK_PASSWORD }}
FINANCE_DB_PASSWORD: ${{ secrets.DB_FINANCE_PASSWORD }}
LETTER_DB_PASSWORD: ${{ secrets.DB_LETTER_PASSWORD }}
REPORTS_DB_PASSWORD: ${{ secrets.DB_REPORTS_PASSWORD }}
KEYCLOAK_ADMIN_PASSWORD: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}
KEYCLOAK_DB_PASSWORD: ${{ secrets.KEYCLOAK_DB_PASSWORD }}
KEYCLOAK_REALM_ADMIN_PASSWORD: ${{ secrets.KEYCLOAK_REALM_ADMIN_PASSWORD }}
KEYCLOAK_REALM_USER_PASSWORD: ${{ secrets.KEYCLOAK_REALM_USER_PASSWORD }}
FORWARD_AUTH_COOKIE_SECRET: ${{ secrets.FORWARD_AUTH_COOKIE_SECRET }}
KEYCLOAK_ADMIN_CLIENT_SECRET: ${{ secrets.KEYCLOAK_ADMIN_CLIENT_SECRET }}
FORWARD_AUTH_CLIENT_SECRET: ${{ secrets.FORWARD_AUTH_CLIENT_SECRET }}
GRAFANA_OAUTH_CLIENT_SECRET: ${{ secrets.GRAFANA_OAUTH_CLIENT_SECRET }}
run: |
cat > /tmp/compose.env << ENVFILE
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
ORGANIZATION_DB_PASSWORD=$ORGANIZATION_DB_PASSWORD
MEMBER_DB_PASSWORD=$MEMBER_DB_PASSWORD
EVENT_DB_PASSWORD=$EVENT_DB_PASSWORD
FEEDBACK_DB_PASSWORD=$FEEDBACK_DB_PASSWORD
FINANCE_DB_PASSWORD=$FINANCE_DB_PASSWORD
LETTER_DB_PASSWORD=$LETTER_DB_PASSWORD
REPORTS_DB_PASSWORD=$REPORTS_DB_PASSWORD
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
KEYCLOAK_DB_PASSWORD=$KEYCLOAK_DB_PASSWORD
KEYCLOAK_REALM_ADMIN_PASSWORD=$KEYCLOAK_REALM_ADMIN_PASSWORD
KEYCLOAK_REALM_USER_PASSWORD=$KEYCLOAK_REALM_USER_PASSWORD
FORWARD_AUTH_COOKIE_SECRET=$FORWARD_AUTH_COOKIE_SECRET
KEYCLOAK_ADMIN_CLIENT_SECRET=$KEYCLOAK_ADMIN_CLIENT_SECRET
FORWARD_AUTH_CLIENT_SECRET=$FORWARD_AUTH_CLIENT_SECRET
GRAFANA_OAUTH_CLIENT_SECRET=$GRAFANA_OAUTH_CLIENT_SECRET
ENVFILE

Comment on lines +33 to +70

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Write and validate all Compose secrets.

This file omits GRAFANA_OAUTH_CLIENT_SECRET and FORWARD_AUTH_CLIENT_SECRET, so Compose falls back to the literal defaults in infra/docker-compose.yml. Add those secrets and fail fast if any required value is empty.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml around lines 33 - 64, The compose .env writer in
the cd workflow is missing required secrets, so values in
infra/docker-compose.yml can fall back to defaults. Update the “Write compose
.env file” step to include GRAFANA_OAUTH_CLIENT_SECRET and
FORWARD_AUTH_CLIENT_SECRET alongside the existing secret exports, using the same
secret-to-env pattern as the other variables. Also add a simple validation in
that step to fail fast if any required compose secret is empty before writing
/tmp/compose.env.

- name: Write genai .env file
env:
GENAI_ENV_CONTENT: ${{ secrets.GENAI_ENV_CONTENT }}
Expand Down Expand Up @@ -59,6 +97,7 @@ jobs:
infra/ansible/playbook.yml \
-e "repo_url=https://github.com/${{ github.repository }}.git" \
-e "branch=${{ github.ref_name }}" \
-e "compose_env_file=/tmp/compose.env" \
-e "genai_env_file=/tmp/genai.env" \
-e "letter_env_file=/tmp/letter.env"

Expand Down Expand Up @@ -253,5 +292,21 @@ jobs:
--namespace "$NAMESPACE" \
--set global.image.tag=${{ github.sha }} \
--set keycloak.hostname=https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/auth \
--set database.password="${{ secrets.DB_ADMIN_PASSWORD }}" \
--set database.users.organization.password="${{ secrets.DB_ORGANIZATION_PASSWORD }}" \
--set database.users.member.password="${{ secrets.DB_MEMBER_PASSWORD }}" \
--set database.users.event.password="${{ secrets.DB_EVENT_PASSWORD }}" \
--set database.users.feedback.password="${{ secrets.DB_FEEDBACK_PASSWORD }}" \
--set database.users.finance.password="${{ secrets.DB_FINANCE_PASSWORD }}" \
--set database.users.letter.password="${{ secrets.DB_LETTER_PASSWORD }}" \
--set database.users.reports.password="${{ secrets.DB_REPORTS_PASSWORD }}" \
--set keycloak.adminPassword="${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}" \
--set keycloak.db.password="${{ secrets.KEYCLOAK_DB_PASSWORD }}" \
--set keycloak.users.admin.password="${{ secrets.KEYCLOAK_REALM_ADMIN_PASSWORD }}" \
--set keycloak.users.user.password="${{ secrets.KEYCLOAK_REALM_USER_PASSWORD }}" \
Comment on lines +295 to +306

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect Helm secret injection sites and template consumers before switching to --set-string or a values file.
rg -n -C 2 -- '--set .*secrets\.|database\.users\..*password|keycloak\..*password|forwardAuth\..*Secret' .github/workflows infra/helm/team-devoops

Repository: AET-DevOps26/team-devoops

Length of output: 7434


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the exact deploy command and the corresponding Helm value consumers.
sed -n '270,305p' .github/workflows/cd.yml
printf '\n---\n'
sed -n '1,120p' infra/helm/team-devoops/templates/secret-db.yaml
printf '\n---\n'
sed -n '1,80p' infra/helm/team-devoops/templates/keycloak-secret.yaml
printf '\n---\n'
sed -n '1,80p' infra/helm/team-devoops/templates/keycloak-realm-configmap.yaml
printf '\n---\n'
sed -n '1,90p' infra/helm/team-devoops/templates/forward-auth.yaml

Repository: AET-DevOps26/team-devoops

Length of output: 7746


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check whether these values are documented as plain strings or can be interpreted as numbers/bools.
sed -n '1,40p' infra/helm/team-devoops/values.yaml
printf '\n---\n'
sed -n '176,220p' infra/helm/team-devoops/values.yaml

Repository: AET-DevOps26/team-devoops

Length of output: 3444


🌐 Web query:

Helm --set type coercion --set-string passwords documentation

💡 Result:

In Helm, the --set and --set-string flags serve different purposes regarding type coercion [1][2][3]. --set The --set flag attempts to automatically detect and coerce values into appropriate types (such as integers, floats, booleans, or strings) [4][5][6]. Because of this, it can sometimes behave unexpectedly when a value looks like a number or boolean but should be treated as a string (e.g., a password containing only digits or a Git commit hash) [5][6][7]. --set-string The --set-string flag is designed to force values to be treated as strings, bypassing the automatic type coercion performed by the --set parser [5][6]. It is the recommended approach for values like passwords, image tags, or any other data where you want to ensure the input is interpreted strictly as a string [6]. Important Notes: 1. Syntax Compatibility: Despite its name, --set-string still supports Helm's complex value syntax, allowing you to define arrays and dictionaries (e.g., --set-string list={1,2,3}) [5]. It simply forces the terminal leaf values to be strings rather than native types [5]. 2. Not a Literal Flag: It is important to note that --set-string is not a "literal" flag [5]. It does not prevent all interpretation; for example, it may still be subject to shell expansion or Helm's internal parsing of complex structures [4][5]. If you require a value to be treated absolutely literally, or if you encounter issues where --set-string does not produce the desired result (such as with certain boolean-looking strings), you may need to quote the value or ensure your Helm chart templates handle the input correctly [4][5]. 3. Precedence: When using these flags, the last (right-most) value specified takes precedence if the same key is set multiple times [1]. For security-sensitive data like passwords, using --set-string is a standard practice to prevent Helm from misinterpreting numeric strings as integers or floating-point numbers [6].

Citations:


Use --set-string for the secret-backed Helm inputs here. Helm still type-infers these values before the templates quote them, so a numeric-looking password can change shape; if any secret may contain commas or other special characters, switch to a temporary values file instead. [.github/workflows/cd.yml:289-300]

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml around lines 289 - 300, The Helm deploy step is
using --set for secret-backed password inputs, which can still be type-inferred
or mangled before templating; update the affected entries in the deploy command
to use --set-string for the database and keycloak password flags referenced in
the workflow snippet. If any of these secrets may contain commas or other
special characters, prefer passing them through a temporary values file instead
of inline CLI flags.

--set forwardAuth.cookieSecret="${{ secrets.FORWARD_AUTH_COOKIE_SECRET }}" \
--set forwardAuth.clientSecret="${{ secrets.FORWARD_AUTH_CLIENT_SECRET }}" \
--set monitoring.grafana.oauthClientSecret="${{ secrets.GRAFANA_OAUTH_CLIENT_SECRET }}" \
--set services.organization-service.env.KEYCLOAK_ADMIN_CLIENT_SECRET="${{ secrets.KEYCLOAK_ADMIN_CLIENT_SECRET }}" \
--set services.member-service.env.KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET="${{ secrets.KEYCLOAK_ADMIN_CLIENT_SECRET }}" \
--rollback-on-failure --timeout 15m
27 changes: 25 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,24 @@ automated; no manual VM access is required for normal deploys.
| Secret | `GENAI_ENV_CONTENT` | Contents of `services/py-genai-helper/.env` |
| Secret | `LETTER_ENV_CONTENT` | Contents of `services/spring-letter/.env` (mail credentials) |
| Secret | `KUBECONFIG` | Kubeconfig for the RKE2 cluster (used by the `deploy-k8s` job) |
| Secret | `DB_ADMIN_PASSWORD` | Shared Postgres admin password. VM: `POSTGRES_PASSWORD` in `infra/.env`. K8s: Helm `database.password` |
| Secret | `DB_ORGANIZATION_PASSWORD` | `organization_user` DB password. VM: `ORGANIZATION_DB_PASSWORD`. K8s: Helm `database.users.organization.password` |
| Secret | `DB_MEMBER_PASSWORD` | `member_user` DB password. VM: `MEMBER_DB_PASSWORD`. K8s: Helm `database.users.member.password` |
| Secret | `DB_EVENT_PASSWORD` | `event_user` DB password. VM: `EVENT_DB_PASSWORD`. K8s: Helm `database.users.event.password` |
| Secret | `DB_FEEDBACK_PASSWORD` | `feedback_user` DB password. VM: `FEEDBACK_DB_PASSWORD`. K8s: Helm `database.users.feedback.password` |
| Secret | `DB_FINANCE_PASSWORD` | `finance_user` DB password. VM: `FINANCE_DB_PASSWORD`. K8s: Helm `database.users.finance.password` |
| Secret | `DB_LETTER_PASSWORD` | `letter_user` DB password. VM: `LETTER_DB_PASSWORD`. K8s: Helm `database.users.letter.password` |
| Secret | `DB_REPORTS_PASSWORD` | `reports_user` DB password. VM: `REPORTS_DB_PASSWORD`. K8s: Helm `database.users.reports.password` |
| Secret | `KEYCLOAK_ADMIN_PASSWORD` | Keycloak bootstrap admin console password. VM: `KEYCLOAK_ADMIN_PASSWORD`. K8s: Helm `keycloak.adminPassword` |
| Secret | `KEYCLOAK_DB_PASSWORD` | Keycloak's own Postgres password. VM: `KEYCLOAK_DB_PASSWORD`. K8s: Helm `keycloak.db.password` |
| Secret | `KEYCLOAK_REALM_ADMIN_PASSWORD` | Password for the seeded `admin` realm user. VM: `KEYCLOAK_REALM_ADMIN_PASSWORD`. K8s: Helm `keycloak.users.admin.password` |
| Secret | `KEYCLOAK_REALM_USER_PASSWORD` | Password for the seeded `user` realm user. VM: `KEYCLOAK_REALM_USER_PASSWORD`. K8s: Helm `keycloak.users.user.password` |
| Secret | `FORWARD_AUTH_COOKIE_SECRET` | 32+ char random string signing forward-auth session cookies. VM: `FORWARD_AUTH_COOKIE_SECRET`. K8s: Helm `forwardAuth.cookieSecret` |
| Secret | `KEYCLOAK_ADMIN_CLIENT_SECRET` | Secret for the `org-role-sync` Keycloak service-account client (`manage-users`/`view-clients` — used by organization-service and member-service to call the Keycloak Admin REST API). VM: `KEYCLOAK_ADMIN_CLIENT_SECRET`. K8s: Helm `services.organization-service.env.KEYCLOAK_ADMIN_CLIENT_SECRET` and `services.member-service.env.KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET` (same value, two consumers) |
| Secret | `FORWARD_AUTH_CLIENT_SECRET` | Secret for the `traefik-forward-auth` Keycloak client (Traefik/oauth2-proxy's OIDC client, gates every proxied route). VM: `FORWARD_AUTH_CLIENT_SECRET`. K8s: Helm `forwardAuth.clientSecret` |
| Secret | `GRAFANA_OAUTH_CLIENT_SECRET` | Secret for the `grafana` Keycloak client (Grafana's own generic-OAuth login). VM: `GRAFANA_OAUTH_CLIENT_SECRET`. K8s: Helm `monitoring.grafana.oauthClientSecret` |

Each of these 16 secrets is the single source of truth for that value across **both** deploy targets — the `deploy` job's "Write compose .env file" step assembles `infra/.env` from them for the VM, and the `deploy-k8s` job passes them individually via `--set` for Helm. No GitHub secret's value is duplicated by a *different* GitHub secret (`KEYCLOAK_ADMIN_CLIENT_SECRET` is intentionally passed to two `--set` targets, since organization-service and member-service both authenticate to Keycloak as the same `org-role-sync` client).

The OIDC service principal needs `Contributor` on the subscription (to manage
resources in `rg-team-devoops`) and `Storage Blob Data Contributor` on the
Expand Down Expand Up @@ -269,8 +287,10 @@ All services are protected by [Keycloak 26](https://www.keycloak.org) via OIDC/J

| Realm | `devops` |
|---|---|
| Admin user | `admin` / `admin123` (roles: `admin`, `member`) |
| Regular user | `user` / `user123` (role: `member`) |
| Admin user | `admin` / `admin123` locally (roles: `admin`, `member`) |
| Regular user | `user` / `user123` locally (role: `member`) |

Passwords shown are the local-dev defaults from [`infra/.env.example`](infra/.env.example). On the VM and Kubernetes they come from the `KEYCLOAK_REALM_ADMIN_PASSWORD`/`KEYCLOAK_REALM_USER_PASSWORD` GitHub secrets instead — see [Required GitHub secrets / variables](#required-github-secrets--variables). ("Realm" distinguishes these two application-level accounts from the Keycloak server's own bootstrap console admin, `KEYCLOAK_ADMIN_PASSWORD`.) `infra/keycloak/realm-config.json` stores these as `__KEYCLOAK_REALM_ADMIN_PASSWORD__`/`__KEYCLOAK_REALM_USER_PASSWORD__` placeholders, substituted at container start (Compose) or chart render (Helm).

### Clients

Expand All @@ -279,6 +299,9 @@ All services are protected by [Keycloak 26](https://www.keycloak.org) via OIDC/J
| `devops-client` | public, PKCE S256 | React frontend |
| `traefik-forward-auth` | confidential | Traefik forward-auth middleware |
| `grafana` | confidential | Grafana's own generic-OAuth login (admin-only, see [Monitoring](#monitoring)) |
| `org-role-sync` | confidential, service account (`manage-users`/`view-clients`) | organization-service and member-service, to call the Keycloak Admin REST API |

The three confidential clients' secrets are local-dev defaults from `infra/.env.example` (matching what's committed in `infra/keycloak/realm-config.json`'s `__KEYCLOAK_ADMIN_CLIENT_SECRET__`/`__FORWARD_AUTH_CLIENT_SECRET__`/`__GRAFANA_OAUTH_CLIENT_SECRET__` placeholders); on the VM and Kubernetes they come from the `KEYCLOAK_ADMIN_CLIENT_SECRET`/`FORWARD_AUTH_CLIENT_SECRET`/`GRAFANA_OAUTH_CLIENT_SECRET` GitHub secrets — see [Required GitHub secrets / variables](#required-github-secrets--variables).

### Local login

Expand Down
30 changes: 30 additions & 0 deletions infra/.env.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Local secrets for `docker compose up` (run from infra/, see README "Running Locally").
# Copy to `.env` (gitignored) and fill in real values. Never commit `.env`.
#
# Each value below has a matching GitHub secret that's the single source of truth across
# both deploy targets: CI assembles infra/.env on the Azure VM from these secrets, and
# passes the same secrets individually via --set to `helm upgrade` for Kubernetes. See
# README "Required GitHub secrets / variables" for the full mapping.

POSTGRES_PASSWORD=app_admin_password
ORGANIZATION_DB_PASSWORD=organization_password
MEMBER_DB_PASSWORD=member_password
EVENT_DB_PASSWORD=event_password
FEEDBACK_DB_PASSWORD=feedback_password
FINANCE_DB_PASSWORD=finance_password
LETTER_DB_PASSWORD=letter_password
REPORTS_DB_PASSWORD=reports_password
KEYCLOAK_ADMIN_PASSWORD=admin
KEYCLOAK_DB_PASSWORD=keycloak_password
KEYCLOAK_REALM_ADMIN_PASSWORD=admin123
KEYCLOAK_REALM_USER_PASSWORD=user123
FORWARD_AUTH_COOKIE_SECRET=VdpPltrnS+cc+1hswmya727K69iG7MpMZH/LOLlmox0=
Comment on lines +9 to +21

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Replace the example credentials with placeholders.

These are still real-looking secrets, not examples. In particular, the FORWARD_AUTH_COOKIE_SECRET value is a shared session-signing key, so copying this file verbatim would give every environment the same cookie secret. Use blanks or <generate-random> placeholders instead and document how to populate them locally. As per PR objective "Removed hardcoded secrets", .env.example should not ship reusable credentials.

🧰 Tools
🪛 Betterleaks (1.6.0)

[high] 21-21: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 dotenv-linter (4.0.0)

[warning] 10-10: [UnorderedKey] The ORGANIZATION_DB_PASSWORD key should go before the POSTGRES_PASSWORD key

(UnorderedKey)


[warning] 11-11: [UnorderedKey] The MEMBER_DB_PASSWORD key should go before the ORGANIZATION_DB_PASSWORD key

(UnorderedKey)


[warning] 12-12: [UnorderedKey] The EVENT_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key

(UnorderedKey)


[warning] 13-13: [UnorderedKey] The FEEDBACK_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key

(UnorderedKey)


[warning] 14-14: [UnorderedKey] The FINANCE_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key

(UnorderedKey)


[warning] 15-15: [UnorderedKey] The LETTER_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key

(UnorderedKey)


[warning] 17-17: [UnorderedKey] The KEYCLOAK_ADMIN_PASSWORD key should go before the LETTER_DB_PASSWORD key

(UnorderedKey)


[warning] 18-18: [UnorderedKey] The KEYCLOAK_DB_PASSWORD key should go before the LETTER_DB_PASSWORD key

(UnorderedKey)


[warning] 19-19: [UnorderedKey] The KEYCLOAK_REALM_ADMIN_PASSWORD key should go before the LETTER_DB_PASSWORD key

(UnorderedKey)


[warning] 20-20: [UnorderedKey] The KEYCLOAK_REALM_USER_PASSWORD key should go before the LETTER_DB_PASSWORD key

(UnorderedKey)


[warning] 21-21: [UnorderedKey] The FORWARD_AUTH_COOKIE_SECRET key should go before the KEYCLOAK_ADMIN_PASSWORD key

(UnorderedKey)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@infra/.env.example` around lines 9 - 21, Replace the hardcoded sample
credentials in infra/.env.example with non-reusable placeholders, especially
FORWARD_AUTH_COOKIE_SECRET and the password entries. Update the examples to use
blanks or <generate-random> style values and add a brief note that each
developer/environment must supply its own secrets locally. Keep the changes
within the existing environment variable list so the file remains an example
only.

Source: Linters/SAST tools


# OIDC/OAuth client secrets. Rendered into the matching client's "secret" field in
# infra/keycloak/realm-config.json at container start; must equal whatever the consuming
# service (grafana, traefik-forward-auth, organization-service/member-service) is
# configured with, or the OIDC handshake fails. Values below just mirror what used to be
# hardcoded directly in realm-config.json -- fine for local dev, not real secrets.
KEYCLOAK_ADMIN_CLIENT_SECRET=org-role-sync-secret
FORWARD_AUTH_CLIENT_SECRET=traefik-forward-auth-secret
GRAFANA_OAUTH_CLIENT_SECRET=grafana-oauth-secret
8 changes: 8 additions & 0 deletions infra/ansible/playbook.yml
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,14 @@
group: "{{ ansible_user }}"
recurse: true

- name: Write compose .env file
copy:
src: "{{ compose_env_file }}"
dest: "{{ app_dir }}/infra/.env"
mode: "0600"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"

- name: Write py-genai-helper .env file
copy:
src: "{{ genai_env_file }}"
Expand Down
2 changes: 1 addition & 1 deletion infra/docker-compose.override.yml
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,7 @@ services:
- GF_AUTH_GENERIC_OAUTH_ENABLED=true
- GF_AUTH_GENERIC_OAUTH_NAME=Keycloak
- GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=grafana-oauth-secret
- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${GRAFANA_OAUTH_CLIENT_SECRET}
- GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
- GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://localhost:8081/auth/realms/devops/protocol/openid-connect/auth
- GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://keycloak:8080/auth/realms/devops/protocol/openid-connect/token
Expand Down
Loading
Loading