fix: generate CAMELEER_SERVER_SECURITY_JWTSECRET in installer and wire into containers

The server now requires a non-empty JWT secret. The installer (bash + ps1) generates a random value for both SaaS and standalone modes, and the compose templates map it into the respective containers. Also fixes container names in generated INSTALL.md docs to use the cameleer- prefix consistently. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-23 09:30:11 +02:00
parent 132143c083
commit 4526d97bda
8 changed files with 46 additions and 29 deletions
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -600,6 +600,9 @@ SERVER_ADMIN_PASS=${ADMIN_PASS}
 # Bootstrap token (required by server, not used externally in standalone mode)
 BOOTSTRAP_TOKEN=$(generate_password)

+# JWT signing secret (required by server, must be non-empty)
+CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
+
 # Docker
 DOCKER_SOCKET=${DOCKER_SOCKET}
 DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
@@ -678,6 +681,9 @@ CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer-server:${VERSION}
 CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE=${REGISTRY}/cameleer-server-ui:${VERSION}
 CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:${VERSION}

+# JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
+CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
+
 # Compose file assembly
 COMPOSE_FILE=docker-compose.yml:docker-compose.saas.yml$([ "$TLS_MODE" = "custom" ] && echo ":docker-compose.tls.yml")$([ -n "$MONITORING_NETWORK" ] && echo ":docker-compose.monitoring.yml")
 EOF
@@ -951,10 +957,10 @@ EOF

 | Container | Purpose |
 |---|---|
-| `traefik` | Reverse proxy, TLS termination, routing |
-| `postgres` | PostgreSQL database (SaaS + Logto + tenant schemas) |
-| `clickhouse` | Time-series storage (traces, metrics, logs) |
-| `logto` | OIDC identity provider + bootstrap |
+| `cameleer-traefik` | Reverse proxy, TLS termination, routing |
+| `cameleer-postgres` | PostgreSQL database (SaaS + Logto + tenant schemas) |
+| `cameleer-clickhouse` | Time-series storage (traces, metrics, logs) |
+| `cameleer-logto` | OIDC identity provider + bootstrap |
 | `cameleer-saas` | SaaS platform (Spring Boot + React) |

 Per-tenant `cameleer-server` and `cameleer-server-ui` containers are provisioned dynamically when tenants are created.
@@ -1093,11 +1099,11 @@ generate_install_doc_standalone() {

 | Container | Purpose |
 |---|---|
-| \`traefik\` | Reverse proxy, TLS termination, routing |
-| \`postgres\` | PostgreSQL database (server data) |
-| \`clickhouse\` | Time-series storage (traces, metrics, logs) |
-| \`server\` | Cameleer Server (Spring Boot backend) |
-| \`server-ui\` | Cameleer Dashboard (React frontend) |
+| \`cameleer-traefik\` | Reverse proxy, TLS termination, routing |
+| \`cameleer-postgres\` | PostgreSQL database (server data) |
+| \`cameleer-clickhouse\` | Time-series storage (traces, metrics, logs) |
+| \`cameleer-server\` | Cameleer Server (Spring Boot backend) |
+| \`cameleer-server-ui\` | Cameleer Dashboard (React frontend) |

 ## Networking

@@ -1167,7 +1173,7 @@ The installer preserves your \`.env\`, credentials, and data volumes. Only the c
 | Issue | Command |
 |---|---|
 | Service not starting | \`docker compose -p ${COMPOSE_PROJECT} logs SERVICE_NAME\` |
-| Server issues | \`docker compose -p ${COMPOSE_PROJECT} logs server\` |
+| Server issues | \`docker compose -p ${COMPOSE_PROJECT} logs cameleer-server\` |
 | Routing issues | \`docker compose -p ${COMPOSE_PROJECT} logs cameleer-traefik\` |
 | Database issues | \`docker compose -p ${COMPOSE_PROJECT} exec cameleer-postgres psql -U cameleer -d cameleer\` |