From 776a01d87b220da64d7f579a8350a5bb7d71c8e9 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sat, 11 Apr 2026 23:13:28 +0200
Subject: [PATCH] feat: set INFRASTRUCTUREENDPOINTS=false on tenant server
 containers

Adds CAMELEER_SERVER_SECURITY_INFRASTRUCTUREENDPOINTS=false to the env
var list injected into provisioned tenant server containers, disabling
the Database and ClickHouse admin endpoints (returns 404) on SaaS-
managed instances. The server defaults to true (standalone mode).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../cameleer/saas/provisioning/DockerTenantProvisioner.java    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
index 96f246d..0f50bf2 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
@@ -211,7 +211,8 @@ public class DockerTenantProvisioner implements TenantProvisioner {
             "CAMELEER_SERVER_RUNTIME_JARSTORAGEPATH=/data/jars",
             // Apps deployed by this server join the tenant network (isolated)
             "CAMELEER_SERVER_RUNTIME_DOCKERNETWORK=" + tenantNetwork,
-            "CAMELEER_SERVER_RUNTIME_JARDOCKERVOLUME=cameleer-jars-" + slug
+            "CAMELEER_SERVER_RUNTIME_JARDOCKERVOLUME=cameleer-jars-" + slug,
+            "CAMELEER_SERVER_SECURITY_INFRASTRUCTUREENDPOINTS=false"
         ));
         // If no CA bundle exists, fall back to TLS skip for OIDC (self-signed dev)
         if (!java.nio.file.Files.exists(java.nio.file.Path.of("/certs/ca.pem"))) {