From 9e6440d97c372b2d997f8e900d1249e8bd2aaa2b Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Sun, 5 Apr 2026 12:44:04 +0200 Subject: [PATCH] infra: remove ForwardAuth, keys mount, add OIDC env vars for server Co-Authored-By: Claude Sonnet 4.6 --- docker-compose.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index bbde27b..485cb0c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -96,7 +96,6 @@ services: condition: service_completed_successfully volumes: - /var/run/docker.sock:/var/run/docker.sock - - ./keys:/etc/cameleer/keys:ro - jardata:/data/jars - bootstrapdata:/data/bootstrap:ro environment: @@ -109,9 +108,6 @@ services: LOGTO_JWK_SET_URI: ${LOGTO_JWK_SET_URI:-http://logto:3001/oidc/jwks} LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-} LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-} - CAMELEER_JWT_PRIVATE_KEY_PATH: ${CAMELEER_JWT_PRIVATE_KEY_PATH:-} - CAMELEER_JWT_PUBLIC_KEY_PATH: ${CAMELEER_JWT_PUBLIC_KEY_PATH:-} - CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token} CAMELEER3_SERVER_ENDPOINT: http://cameleer3-server:8081 CLICKHOUSE_URL: jdbc:clickhouse://clickhouse:8123/cameleer labels: @@ -119,9 +115,6 @@ services: - traefik.http.routers.api.rule=PathPrefix(`/api`) - traefik.http.routers.api.service=api - traefik.http.services.api.loadbalancer.server.port=8080 - - traefik.http.routers.forwardauth.rule=Path(`/auth/verify`) - - traefik.http.routers.forwardauth.service=forwardauth - - traefik.http.services.forwardauth.loadbalancer.server.port=8080 - traefik.http.routers.spa.rule=PathPrefix(`/`) - traefik.http.routers.spa.priority=1 - traefik.http.routers.spa.service=spa 
@@ -145,6 +138,8 @@ services:
 CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}
 CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production}
 CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default}
+ CAMELEER_OIDC_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc}
+ CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local}
 healthcheck:
 test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"]
 interval: 5s
@@ -155,12 +150,10 @@ services:
 - traefik.enable=true
 - traefik.http.routers.observe.rule=PathPrefix(`/observe`)
 - traefik.http.routers.observe.service=observe
- - traefik.http.routers.observe.middlewares=forward-auth
- - traefik.http.middlewares.forward-auth.forwardauth.address=http://cameleer-saas:8080/auth/verify
 - traefik.http.services.observe.loadbalancer.server.port=8080
 - traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard`)
 - traefik.http.routers.dashboard.service=dashboard
- - traefik.http.routers.dashboard.middlewares=forward-auth,dashboard-strip
+ - traefik.http.routers.dashboard.middlewares=dashboard-strip
 - traefik.http.middlewares.dashboard-strip.stripprefix.prefixes=/dashboard
 - traefik.http.services.dashboard.loadbalancer.server.port=8080
 networks:
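Review bot: Both added variables fall back silently to built-in defaults, so a deployment that never sets them starts validating tokens against the issuer `http://logto:3001/oidc` and the audience `https://api.cameleer.local` with no warning. OIDC validators normally compare `iss` to the configured issuer exactly, so if Logto issues tokens under its public URL this internal default will presumably not match, and the plain-http default means discovery and key retrieval are not protected in transit. Outside local development the values should be mandatory, e.g. `CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:?set to the API resource indicator}`. The unchanged `CAMELEER_JWT_SECRET` and `CAMELEER_AUTH_TOKEN` defaults just above deserve the same treatment, because this commit removes the ForwardAuth gate in front of this service. The environment block begins outside the hunk.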
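Review bot: With `forward-auth` dropped from the `observe` and `dashboard` routers, Traefik passes every request under `/observe` and `/dashboard` to the backend without an edge check, and nothing visible in this patch shows that the server refuses requests lacking a valid token on all of those paths. Record the new trust boundary next to the labels, for example `# no edge auth: the server validates OIDC bearer tokens itself`, and back it with a check that an unauthenticated request to each prefix is rejected. The labels list starts outside the hunk.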