cameleer/cameleer-saas
2
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: generate CAMELEER_SERVER_SECURITY_JWTSECRET in installer and wire into containers
All checks were successful
CI / build (push) Successful in 1m16s
Details
CI / docker (push) Successful in 59s
Details

Browse Source 
The server now requires a non-empty JWT secret. The installer (bash + ps1)
generates a random value for both SaaS and standalone modes, and the compose
templates map it into the respective containers. Also fixes container names
in generated INSTALL.md docs to use the cameleer- prefix consistently.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-23 09:30:11 +02:00
parent 132143c083
commit 4526d97bda
8 changed files with 46 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
installer/install.ps1
View File

@@ -578,32 +578,37 @@ function Generate-EnvFile {
$ts = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss') + ' UTC'
$bt = Generate-Password
$jwtSecret = Generate-Password
if ($c.DeploymentMode -eq 'standalone') {
$content = @"
# Cameleer Server Configuration (standalone)
# Generated by installer v${CAMELEER_INSTALLER_VERSION} on $ts
VERSION=$($c.Version)
PUBLIC_HOST=$($c.PublicHost)
PUBLIC_PROTOCOL=$($c.PublicProtocol)
HTTP_PORT=$($c.HttpPort)
HTTPS_PORT=$($c.HttpsPort)
# PostgreSQL
POSTGRES_USER=cameleer
POSTGRES_PASSWORD=$($c.PostgresPassword)
POSTGRES_DB=cameleer
# ClickHouse
CLICKHOUSE_PASSWORD=$($c.ClickhousePassword)
# Server admin
SERVER_ADMIN_USER=$($c.AdminUser)
SERVER_ADMIN_PASS=$($c.AdminPass)
# Bootstrap token
BOOTSTRAP_TOKEN=$bt
# JWT signing secret (required by server, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$jwtSecret
# Docker
DOCKER_SOCKET=$($c.DockerSocket)
DOCKER_GID=$gid
@@ -668,6 +673,9 @@ DOCKER_GID=$gid
CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer-server:$($c.Version)
CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:$($c.Version)
CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:$($c.Version)
# JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$jwtSecret
"@
$content += $provisioningBlock
$composeFile = 'docker-compose.yml;docker-compose.saas.yml'
@@ -1033,10 +1041,10 @@ $logtoConsoleRow
| Container | Purpose |
|---|---|
| ``traefik`` | Reverse proxy, TLS termination, routing |
| ``postgres`` | PostgreSQL database (SaaS + Logto + tenant schemas) |
| ``clickhouse`` | Time-series storage (traces, metrics, logs) |
| ``logto`` | OIDC identity provider + bootstrap |
| ``cameleer-traefik`` | Reverse proxy, TLS termination, routing |
| ``cameleer-postgres`` | PostgreSQL database (SaaS + Logto + tenant schemas) |
| ``cameleer-clickhouse`` | Time-series storage (traces, metrics, logs) |
| ``cameleer-logto`` | OIDC identity provider + bootstrap |
| ``cameleer-saas`` | SaaS platform (Spring Boot + React) |
Per-tenant ``cameleer-server`` and ``cameleer-server-ui`` containers are provisioned dynamically.
@@ -1157,11 +1165,11 @@ placing your certificate and key files in the ``certs/`` directory and restartin
| Container | Purpose |
|---|---|
| ``traefik`` | Reverse proxy, TLS termination, routing |
| ``postgres`` | PostgreSQL database (server data) |
| ``clickhouse`` | Time-series storage (traces, metrics, logs) |
| ``server`` | Cameleer Server (Spring Boot backend) |
| ``server-ui`` | Cameleer Dashboard (React frontend) |
| ``cameleer-traefik`` | Reverse proxy, TLS termination, routing |
| ``cameleer-postgres`` | PostgreSQL database (server data) |
| ``cameleer-clickhouse`` | Time-series storage (traces, metrics, logs) |
| ``cameleer-server`` | Cameleer Server (Spring Boot backend) |
| ``cameleer-server-ui`` | Cameleer Dashboard (React frontend) |
## Networking
@@ -1203,7 +1211,7 @@ docker compose -p $($c.ComposeProject) exec cameleer-clickhouse clickhouse-clien
| Issue | Command |
|---|---|
| Service not starting | ``docker compose -p $($c.ComposeProject) logs SERVICE_NAME`` |
| Server issues | ``docker compose -p $($c.ComposeProject) logs server`` |
| Server issues | ``docker compose -p $($c.ComposeProject) logs cameleer-server`` |
| Routing issues | ``docker compose -p $($c.ComposeProject) logs cameleer-traefik`` |
| Database issues | ``docker compose -p $($c.ComposeProject) exec cameleer-postgres psql -U cameleer -d cameleer`` |

26
installer/install.sh
View File

@@ -600,6 +600,9 @@ SERVER_ADMIN_PASS=${ADMIN_PASS}
# Bootstrap token (required by server, not used externally in standalone mode)
BOOTSTRAP_TOKEN=$(generate_password)
# JWT signing secret (required by server, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
# Docker
DOCKER_SOCKET=${DOCKER_SOCKET}
DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
@@ -678,6 +681,9 @@ CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer-server:${VERSION}
CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:${VERSION}
CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:${VERSION}
# JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
# Compose file assembly
COMPOSE_FILE=docker-compose.yml:docker-compose.saas.yml$([ "$TLS_MODE" = "custom" ] && echo ":docker-compose.tls.yml")$([ -n "$MONITORING_NETWORK" ] && echo ":docker-compose.monitoring.yml")
EOF
@@ -951,10 +957,10 @@ EOF
| Container | Purpose |
|---|---|
| `traefik` | Reverse proxy, TLS termination, routing |
| `postgres` | PostgreSQL database (SaaS + Logto + tenant schemas) |
| `clickhouse` | Time-series storage (traces, metrics, logs) |
| `logto` | OIDC identity provider + bootstrap |
| `cameleer-traefik` | Reverse proxy, TLS termination, routing |
| `cameleer-postgres` | PostgreSQL database (SaaS + Logto + tenant schemas) |
| `cameleer-clickhouse` | Time-series storage (traces, metrics, logs) |
| `cameleer-logto` | OIDC identity provider + bootstrap |
| `cameleer-saas` | SaaS platform (Spring Boot + React) |
Per-tenant `cameleer-server` and `cameleer-server-ui` containers are provisioned dynamically when tenants are created.
@@ -1093,11 +1099,11 @@ generate_install_doc_standalone() {
| Container | Purpose |
|---|---|
| \`traefik\` | Reverse proxy, TLS termination, routing |
| \`postgres\` | PostgreSQL database (server data) |
| \`clickhouse\` | Time-series storage (traces, metrics, logs) |
| \`server\` | Cameleer Server (Spring Boot backend) |
| \`server-ui\` | Cameleer Dashboard (React frontend) |
| \`cameleer-traefik\` | Reverse proxy, TLS termination, routing |
| \`cameleer-postgres\` | PostgreSQL database (server data) |
| \`cameleer-clickhouse\` | Time-series storage (traces, metrics, logs) |
| \`cameleer-server\` | Cameleer Server (Spring Boot backend) |
| \`cameleer-server-ui\` | Cameleer Dashboard (React frontend) |
## Networking
@@ -1167,7 +1173,7 @@ The installer preserves your \`.env\`, credentials, and data volumes. Only the c
| Issue | Command |
|---|---|
| Service not starting | \`docker compose -p ${COMPOSE_PROJECT} logs SERVICE_NAME\` |
| Server issues | \`docker compose -p ${COMPOSE_PROJECT} logs server\` |
| Server issues | \`docker compose -p ${COMPOSE_PROJECT} logs cameleer-server\` |
| Routing issues | \`docker compose -p ${COMPOSE_PROJECT} logs cameleer-traefik\` |
| Database issues | \`docker compose -p ${COMPOSE_PROJECT} exec cameleer-postgres psql -U cameleer -d cameleer\` |

1
installer/templates/docker-compose.saas.yml
View File

@@ -77,6 +77,7 @@ services:
CAMELEER_SAAS_PROVISIONING_DATASOURCEUSERNAME: ${POSTGRES_USER:-cameleer}
CAMELEER_SAAS_PROVISIONING_DATASOURCEPASSWORD: ${POSTGRES_PASSWORD}
CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD: ${CLICKHOUSE_PASSWORD}
CAMELEER_SERVER_SECURITY_JWTSECRET: ${CAMELEER_SERVER_SECURITY_JWTSECRET:?CAMELEER_SERVER_SECURITY_JWTSECRET must be set in .env}
CAMELEER_SAAS_PROVISIONING_SERVERIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:-gitea.siegeln.net/cameleer/cameleer-server:latest}
CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:-gitea.siegeln.net/cameleer/cameleer-server-ui:latest}
CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE: ${CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE:-gitea.siegeln.net/cameleer/cameleer-runtime-base:latest}

1
installer/templates/docker-compose.server.yml
View File

@@ -29,6 +29,7 @@ services:
CAMELEER_SERVER_CLICKHOUSE_USERNAME: default
CAMELEER_SERVER_CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD}
CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN: ${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must be set in .env}
CAMELEER_SERVER_SECURITY_JWTSECRET: ${CAMELEER_SERVER_SECURITY_JWTSECRET:?CAMELEER_SERVER_SECURITY_JWTSECRET must be set in .env}
CAMELEER_SERVER_SECURITY_UIUSER: ${SERVER_ADMIN_USER:-admin}
CAMELEER_SERVER_SECURITY_UIPASSWORD: ${SERVER_ADMIN_PASS:?SERVER_ADMIN_PASS must be set in .env}
CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}