Migrate config to cameleer.server.* naming convention

Move all configuration properties under the cameleer.server.* namespace
with all-lowercase dot-separated names and mechanical env var mapping
(dots→underscores, uppercase). This aligns with the agent's convention
(cameleer.agent.*) and establishes a predictable pattern across all
components.

Changes:
- Move 6 config prefixes under cameleer.server.*: agent-registry,
  ingestion, security, license, clickhouse, and cameleer.tenant/runtime/indexer
- Rename all kebab-case properties to concatenated lowercase
  (e.g., bootstrap-token → bootstraptoken, jar-storage-path → jarstoragepath)
- Update all env vars to CAMELEER_SERVER_* mechanical mapping
- Fix container-cpu-request/container-cpu-shares mismatch bug
- Remove displayName from AgentRegistrationRequest (redundant with instanceId)
- Update agent container env vars to CAMELEER_AGENT_* convention
- Update K8s manifests and CI workflow for new env var names
- Update CLAUDE.md, HOWTO.md, SERVER-CAPABILITIES.md documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-11 18:10:51 +02:00
parent 3b95dc777b
commit 8fe48bbf02
35 changed files with 217 additions and 251 deletions


@@ -27,7 +27,7 @@ Each server instance serves exactly one tenant. Multiple tenants share infrastru
|---------|-----------|
| PostgreSQL | Schema-per-tenant (`?currentSchema=tenant_{id}`) |
| ClickHouse | Shared DB, `tenant_id` column on all tables, partitioned by `(tenant_id, toYYYYMM(timestamp))` |
| Configuration | `CAMELEER_TENANT_ID` env var (default: `"default"`) |
| Configuration | `CAMELEER_SERVER_TENANT_ID` env var (default: `"default"`) |
| Agents | Each agent belongs to one tenant, one environment |
**Environments** (dev/staging/prod) are first-class within a tenant. Agents send `environmentId` at registration and in every heartbeat. The UI filters by environment. JWT tokens carry an `env` claim for persistence across restarts.
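Review bot: the renamed row documents `CAMELEER_SERVER_TENANT_ID` but not what happens to a deployment that still sets the old `CAMELEER_TENANT_ID`. Because the default is `"default"` and PostgreSQL is schema-per-tenant (`tenant_{id}`), a stale variable would silently start the server as the `default` tenant against the `tenant_default` schema instead of failing. Suggest either a startup check that rejects the legacy name, or one sentence in this table stating that `CAMELEER_TENANT_ID` is no longer read.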
@@ -66,7 +66,6 @@ Request:
```json
{
"instanceId": "agent-abc-123",
"displayName": "Order Service #1",
"applicationId": "order-service",
"environmentId": "production",
"version": "3.2.1",
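Review bot: removing `displayName` from the request example needs a matching statement about how the server treats agents that still send it (agent builds predating the `CAMELEER_AGENT_*` change in this commit). If the request body is deserialized strictly, those agents fail registration with an opaque 4xx; if unknown fields are ignored, the docs should say so. Either way, record which behaviour applies next to this example.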
@@ -279,7 +278,7 @@ When OIDC is configured and enabled, the login page automatically redirects to t
### OIDC Resource Server
When `CAMELEER_OIDC_ISSUER_URI` is configured, the server accepts external access tokens (e.g., Logto M2M tokens) in addition to internal HMAC JWTs. Dual-path validation: tries internal HMAC first, falls back to OIDC JWKS validation. Supports ES384, ES256, and RS256 algorithms. Handles RFC 9068 `at+jwt` token type.
When `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` is configured, the server accepts external access tokens (e.g., Logto M2M tokens) in addition to internal HMAC JWTs. Dual-path validation: tries internal HMAC first, falls back to OIDC JWKS validation. Supports ES384, ES256, and RS256 algorithms. Handles RFC 9068 `at+jwt` token type.
Role mapping is case-insensitive and accepts both bare and `server:`-prefixed names:
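Review bot: the renamed variable matches the table in the next section, but the sentence carried over unchanged, "tries internal HMAC first, falls back to OIDC JWKS validation", leaves the important part undocumented: on what basis a token is routed. If the HMAC path is attempted on any token and a failure simply means "try the other path", the docs should state that the internal path only accepts HMAC (HS*) `alg` values and that the OIDC path requires the configured issuer and audience, so a token cannot succeed on a path it was not issued for. One sentence to that effect after "Supports ES384, ES256, and RS256 algorithms" would close the gap.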
@@ -293,10 +292,10 @@ This applies to both M2M tokens (`scope` claim) and OIDC user login (configurabl
| Variable | Purpose |
|----------|---------|
| `CAMELEER_OIDC_ISSUER_URI` | OIDC issuer URI for token validation (e.g., `https://auth.example.com/oidc`) |
| `CAMELEER_OIDC_JWK_SET_URI` | Direct JWKS URL (e.g., `http://logto:3001/oidc/jwks`) — use when public issuer isn't reachable from inside containers |
| `CAMELEER_OIDC_AUDIENCE` | Expected audience (API resource indicator) |
| `CAMELEER_OIDC_TLS_SKIP_VERIFY` | Skip TLS certificate verification for OIDC calls (default `false`) — use when provider has a self-signed CA |
| `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` | OIDC issuer URI for token validation (e.g., `https://auth.example.com/oidc`) |
| `CAMELEER_SERVER_SECURITY_OIDCJWKSETURI` | Direct JWKS URL (e.g., `http://logto:3001/oidc/jwks`) — use when public issuer isn't reachable from inside containers |
| `CAMELEER_SERVER_SECURITY_OIDCAUDIENCE` | Expected audience (API resource indicator) |
| `CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY` | Skip TLS certificate verification for OIDC calls (default `false`) — use when provider has a self-signed CA |
Logto is proxy-aware (`TRUST_PROXY_HEADER=1`). The `LOGTO_ENDPOINT` env var sets the public-facing URL used in OIDC discovery, issuer URI, and redirect URLs. Logto requires its own subdomain (not a path prefix).
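Review bot: the JWKS example `http://logto:3001/oidc/jwks` and the `CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY` flag both weaken the trust anchor for token validation, yet the table presents them as routine container-networking knobs. Anyone who can answer on that plaintext path, or sit between the server and the issuer once verification is off, can serve a substitute key set and mint tokens the server accepts on the OIDC path. Suggest the skip-verify row point to the preferred fix (trust the self-signed CA in the server's trust store instead of disabling verification) and that the JWKS row note the URL must only be used on a network segment the server trusts; a startup warning when the flag is `true` would also help.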
@@ -407,24 +406,24 @@ Registry: `gitea.siegeln.net/cameleer/cameleer3-server`
| Variable | Required | Default | Purpose |
|----------|----------|---------|---------|
| `CAMELEER_AUTH_TOKEN` | Yes | - | Bootstrap token for agent registration |
| `CAMELEER_JWT_SECRET` | Recommended | Random (ephemeral) | JWT signing secret |
| `CAMELEER_TENANT_ID` | No | `default` | Tenant identifier |
| `CAMELEER_UI_USER` | No | `admin` | Default admin username |
| `CAMELEER_UI_PASSWORD` | No | `admin` | Default admin password |
| `CAMELEER_UI_ORIGIN` | No | `http://localhost:5173` | CORS allowed origin (single, legacy) |
| `CAMELEER_CORS_ALLOWED_ORIGINS` | No | (empty) | Comma-separated CORS origins — overrides `UI_ORIGIN` when set |
| `CLICKHOUSE_URL` | No | `jdbc:clickhouse://localhost:8123/cameleer` | ClickHouse JDBC URL |
| `CLICKHOUSE_USERNAME` | No | `default` | ClickHouse user |
| `CLICKHOUSE_PASSWORD` | No | (empty) | ClickHouse password |
| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | Yes | - | Bootstrap token for agent registration |
| `CAMELEER_SERVER_SECURITY_JWTSECRET` | Recommended | Random (ephemeral) | JWT signing secret |
| `CAMELEER_SERVER_TENANT_ID` | No | `default` | Tenant identifier |
| `CAMELEER_SERVER_SECURITY_UIUSER` | No | `admin` | Default admin username |
| `CAMELEER_SERVER_SECURITY_UIPASSWORD` | No | `admin` | Default admin password |
| `CAMELEER_SERVER_SECURITY_UIORIGIN` | No | `http://localhost:5173` | CORS allowed origin (single, legacy) |
| `CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS` | No | (empty) | Comma-separated CORS origins — overrides `UIORIGIN` when set |
| `CAMELEER_SERVER_CLICKHOUSE_URL` | No | `jdbc:clickhouse://localhost:8123/cameleer` | ClickHouse JDBC URL |
| `CAMELEER_SERVER_CLICKHOUSE_USERNAME` | No | `default` | ClickHouse user |
| `CAMELEER_SERVER_CLICKHOUSE_PASSWORD` | No | (empty) | ClickHouse password |
| `SPRING_DATASOURCE_URL` | No | `jdbc:postgresql://localhost:5432/cameleer3` | PostgreSQL JDBC URL |
| `SPRING_DATASOURCE_USERNAME` | No | `cameleer` | PostgreSQL user |
| `SPRING_DATASOURCE_PASSWORD` | No | `cameleer_dev` | PostgreSQL password |
| `CAMELEER_DB_SCHEMA` | No | `tenant_{CAMELEER_TENANT_ID}` | PostgreSQL schema (override for feature branches) |
| `CAMELEER_OIDC_ISSUER_URI` | No | (empty) | OIDC issuer URI — enables resource server mode for M2M tokens |
| `CAMELEER_OIDC_JWK_SET_URI` | No | (empty) | Direct JWKS URL — bypasses OIDC discovery for container networking |
| `CAMELEER_OIDC_AUDIENCE` | No | (empty) | Expected JWT audience (API resource indicator) |
| `CAMELEER_OIDC_TLS_SKIP_VERIFY` | No | `false` | Skip TLS cert verification for OIDC calls (self-signed CAs) |
| `CAMELEER_DB_SCHEMA` | No | `tenant_{CAMELEER_SERVER_TENANT_ID}` | PostgreSQL schema (override for feature branches) |
| `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` | No | (empty) | OIDC issuer URI — enables resource server mode for M2M tokens |
| `CAMELEER_SERVER_SECURITY_OIDCJWKSETURI` | No | (empty) | Direct JWKS URL — bypasses OIDC discovery for container networking |
| `CAMELEER_SERVER_SECURITY_OIDCAUDIENCE` | No | (empty) | Expected JWT audience (API resource indicator) |
| `CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY` | No | `false` | Skip TLS cert verification for OIDC calls (self-signed CAs) |
### Health Probes
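Review bot: `CAMELEER_DB_SCHEMA` is the one application variable left outside the `CAMELEER_SERVER_*` namespace even though its row was edited (the default now reads `tenant_{CAMELEER_SERVER_TENANT_ID}`); if it is intentionally exempt, say so in the row, otherwise it should move with the rest so the change matches its own description of a single mechanical mapping. Two smaller points in the same table: the `CORSALLOWEDORIGINS` row says it "overrides `UIORIGIN`", which is neither the old nor the new full variable name, so write out `CAMELEER_SERVER_SECURITY_UIORIGIN`; and the `admin`/`admin` and `cameleer_dev` defaults for the UI and PostgreSQL credentials are carried over unchanged, so since this table is the deployment reference, mark them development-only or make them required.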