refactor: prefix all third-party service names with cameleer-

Rename all Docker/K8s service names, DNS hostnames, secrets, volumes,
and manifest files to use the cameleer- prefix, making it clear which
software package each container belongs to.

Services renamed:
- postgres → cameleer-postgres
- clickhouse → cameleer-clickhouse
- logto → cameleer-logto
- logto-postgresql → cameleer-logto-postgresql
- traefik (service) → cameleer-traefik
- postgres-external → cameleer-postgres-external

Secrets renamed:
- postgres-credentials → cameleer-postgres-credentials
- clickhouse-credentials → cameleer-clickhouse-credentials
- logto-credentials → cameleer-logto-credentials

Volumes renamed:
- pgdata → cameleer-pgdata
- chdata → cameleer-chdata
- certs → cameleer-certs
- bootstrapdata → cameleer-bootstrapdata

K8s manifests renamed:
- deploy/postgres.yaml → deploy/cameleer-postgres.yaml
- deploy/clickhouse.yaml → deploy/cameleer-clickhouse.yaml
- deploy/logto.yaml → deploy/cameleer-logto.yaml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-13 22:51:08 +02:00
parent fe283674fb
commit ac680b7f3f
16 changed files with 89 additions and 89 deletions

View File

@@ -198,14 +198,14 @@ jobs:
--from-literal=CAMELEER_SERVER_SECURITY_JWTSECRET="${CAMELEER_JWT_SECRET}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic postgres-credentials \
kubectl create secret generic cameleer-postgres-credentials \
--namespace=cameleer \
--from-literal=POSTGRES_USER="$POSTGRES_USER" \
--from-literal=POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
--from-literal=POSTGRES_DB="${POSTGRES_DB:-cameleer}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic logto-credentials \
kubectl create secret generic cameleer-logto-credentials \
--namespace=cameleer \
--from-literal=PG_USER="${LOGTO_PG_USER:-logto}" \
--from-literal=PG_PASSWORD="${LOGTO_PG_PASSWORD}" \
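Review bot: Creating `cameleer-postgres-credentials` and `cameleer-logto-credentials` under new names leaves the old `postgres-credentials` and `logto-credentials` Secrets in the `cameleer` namespace, still holding live database passwords that the updated manifests no longer reference. Add a cleanup step after the new Secrets are applied, for example `kubectl delete secret postgres-credentials logto-credentials --namespace=cameleer --ignore-not-found`, and do the same for `clickhouse-credentials` in the next hunk.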
@@ -213,20 +213,20 @@ jobs:
--from-literal=ADMIN_ENDPOINT="${LOGTO_ADMIN_ENDPOINT}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic clickhouse-credentials \
kubectl create secret generic cameleer-clickhouse-credentials \
--namespace=cameleer \
--from-literal=CLICKHOUSE_USER="${CLICKHOUSE_USER:-default}" \
--from-literal=CLICKHOUSE_PASSWORD="$CLICKHOUSE_PASSWORD" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl apply -f deploy/postgres.yaml
kubectl -n cameleer rollout status statefulset/postgres --timeout=120s
kubectl apply -f deploy/cameleer-postgres.yaml
kubectl -n cameleer rollout status statefulset/cameleer-postgres --timeout=120s
kubectl apply -f deploy/clickhouse.yaml
kubectl -n cameleer rollout status statefulset/clickhouse --timeout=180s
kubectl apply -f deploy/cameleer-clickhouse.yaml
kubectl -n cameleer rollout status statefulset/cameleer-clickhouse --timeout=180s
kubectl apply -f deploy/logto.yaml
kubectl -n cameleer rollout status deployment/logto --timeout=180s
kubectl apply -f deploy/cameleer-logto.yaml
kubectl -n cameleer rollout status deployment/cameleer-logto --timeout=180s
kubectl apply -k deploy/overlays/main
kubectl -n cameleer set image deployment/cameleer3-server \
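Review bot: The `kubectl apply -f` calls for `deploy/cameleer-postgres.yaml`, `deploy/cameleer-clickhouse.yaml` and `deploy/cameleer-logto.yaml` create new objects, but nothing in this step removes `statefulset/postgres`, `statefulset/clickhouse` or `deployment/logto`, so on an existing cluster the old workloads keep running next to the renamed ones. Add explicit deletes for the old names (with `--ignore-not-found`), ordered after any data migration, or document the manual cutover in the commit message.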
@@ -283,7 +283,7 @@ jobs:
run: kubectl create namespace "$BRANCH_NS" --dry-run=client -o yaml | kubectl apply -f -
- name: Copy secrets from cameleer namespace
run: |
for SECRET in gitea-registry postgres-credentials clickhouse-credentials cameleer-auth; do
for SECRET in gitea-registry cameleer-postgres-credentials cameleer-clickhouse-credentials cameleer-auth; do
kubectl get secret "$SECRET" -n cameleer -o json \
| jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields)' \
| kubectl apply -n "$BRANCH_NS" -f -
@@ -358,8 +358,8 @@ jobs:
--namespace=cameleer \
--image=postgres:16 \
--restart=Never \
--env="PGPASSWORD=$(kubectl get secret postgres-credentials -n cameleer -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d)" \
--command -- sh -c "psql -h postgres -U $(kubectl get secret postgres-credentials -n cameleer -o jsonpath='{.data.POSTGRES_USER}' | base64 -d) -d cameleer3 -c 'DROP SCHEMA IF EXISTS ${BRANCH_SCHEMA} CASCADE'"
--env="PGPASSWORD=$(kubectl get secret cameleer-postgres-credentials -n cameleer -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d)" \
--command -- sh -c "psql -h cameleer-postgres -U $(kubectl get secret cameleer-postgres-credentials -n cameleer -o jsonpath='{.data.POSTGRES_USER}' | base64 -d) -d cameleer3 -c 'DROP SCHEMA IF EXISTS ${BRANCH_SCHEMA} CASCADE'"
kubectl wait --for=condition=Ready pod/cleanup-schema-${BRANCH_SLUG} -n cameleer --timeout=30s || true
kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/cleanup-schema-${BRANCH_SLUG} -n cameleer --timeout=60s || true
kubectl delete pod cleanup-schema-${BRANCH_SLUG} -n cameleer --ignore-not-found
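Review bot: On the `--env="PGPASSWORD=$(kubectl get secret cameleer-postgres-credentials ...)"` line the decoded password is written into the spec of the `cleanup-schema-${BRANCH_SLUG}` pod, where anyone who can read pods in `cameleer` sees it in clear text until the pod is deleted. Since these lines are being touched anyway, consider switching to a `secretKeyRef` on `cameleer-postgres-credentials`, as the schema-creation manifest later in this commit already does. The two `kubectl wait ... || true` lines also hide a failed `DROP SCHEMA`, so a wrong hostname after the rename would go unnoticed.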

View File

@@ -192,7 +192,7 @@ ClickHouse: `cameleer3-server-app/src/main/resources/clickhouse/init.sql` (run i
- K8s manifests in `deploy/` — Kustomize base + overlays (main/feature), shared infra (PostgreSQL, ClickHouse, Logto) as top-level manifests
- Deployment target: k3s at 192.168.50.86, namespace `cameleer` (main), `cam-<slug>` (feature branches)
- Feature branches: isolated namespace, PG schema; Traefik Ingress at `<slug>-api.cameleer.siegeln.net`
- Secrets managed in CI deploy step (idempotent `--dry-run=client | kubectl apply`): `cameleer-auth`, `postgres-credentials`, `clickhouse-credentials`
- Secrets managed in CI deploy step (idempotent `--dry-run=client | kubectl apply`): `cameleer-auth`, `cameleer-postgres-credentials`, `cameleer-clickhouse-credentials`
- K8s probes: server uses `/api/v1/health`, PostgreSQL uses `pg_isready -U "$POSTGRES_USER"` (env var, not hardcoded)
- K8s security: server and database pods run with `securityContext.runAsNonRoot`. UI (nginx) runs without securityContext (needs root for entrypoint setup).
- Docker: server Dockerfile has no default credentials — all DB config comes from env vars at runtime
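Review bot: The updated secrets bullet lists `cameleer-auth`, `cameleer-postgres-credentials` and `cameleer-clickhouse-credentials`, but the CI deploy step in this commit also creates `cameleer-logto-credentials`. Add it to the list so the document matches what the pipeline manages.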
@@ -381,7 +381,7 @@ Mean processing time = `camel.route.policy.total_time / camel.route.policy.count
<!-- gitnexus:start -->
# GitNexus — Code Intelligence
This project is indexed by GitNexus as **cameleer3-server** (6031 symbols, 15304 relationships, 300 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
This project is indexed by GitNexus as **cameleer3-server** (6027 symbols, 15299 relationships, 300 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
> If any GitNexus tool warns the index is stale, run `npx gitnexus analyze` in terminal first.

View File

@@ -146,7 +146,7 @@ curl -s -X PUT http://localhost:8081/api/v1/admin/oidc \
-H "Authorization: Bearer $TOKEN" \
-d '{
"enabled": true,
"issuerUri": "http://logto:3001/oidc",
"issuerUri": "http://cameleer-logto:3001/oidc",
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"rolesClaim": "realm_access.roles",
@@ -187,7 +187,7 @@ Logto is proxy-aware via `TRUST_PROXY_HEADER=1`. The `LOGTO_ENDPOINT` and `LOGTO
6. **Configure resource server** (for M2M token validation):
```
CAMELEER_SERVER_SECURITY_OIDCISSUERURI=<LOGTO_ENDPOINT>/oidc
CAMELEER_SERVER_SECURITY_OIDCJWKSETURI=http://logto:3001/oidc/jwks
CAMELEER_SERVER_SECURITY_OIDCJWKSETURI=http://cameleer-logto:3001/oidc/jwks
CAMELEER_SERVER_SECURITY_OIDCAUDIENCE=<api-resource-indicator-from-step-3>
CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY=true # optional — skip cert verification for self-signed CAs
```
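Review bot: `CAMELEER_SERVER_SECURITY_OIDCJWKSETURI` changes host from `logto` to `cameleer-logto`, but only in the documentation; a server already configured with `http://logto:3001/oidc/jwks`, or with an `issuerUri` set earlier through `PUT /api/v1/admin/oidc`, keeps the old name and will fail to fetch signing keys once the `logto` Service is gone. Add an upgrade note here telling operators to update both settings as part of the rename.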
@@ -510,8 +510,8 @@ The full stack is deployed to k3s via CI/CD on push to `main`. K8s manifests are
```
cameleer namespace:
PostgreSQL (StatefulSet, 10Gi PVC) ← postgres:5432 (ClusterIP)
ClickHouse (StatefulSet, 10Gi PVC) ← clickhouse:8123 (ClusterIP)
PostgreSQL (StatefulSet, 10Gi PVC) ← cameleer-postgres:5432 (ClusterIP)
ClickHouse (StatefulSet, 10Gi PVC) ← cameleer-clickhouse:8123 (ClusterIP)
cameleer3-server (Deployment) ← NodePort 30081
cameleer3-ui (Deployment, Nginx) ← NodePort 30090
cameleer-deploy-demo (Deployment) ← NodePort 30092
@@ -549,10 +549,10 @@ kubectl -n cameleer get pods
kubectl -n cameleer logs -f deploy/cameleer3-server
# View PostgreSQL logs
kubectl -n cameleer logs -f statefulset/postgres
kubectl -n cameleer logs -f statefulset/cameleer-postgres
# View ClickHouse logs
kubectl -n cameleer logs -f statefulset/clickhouse
kubectl -n cameleer logs -f statefulset/cameleer-clickhouse
# Restart server
kubectl -n cameleer rollout restart deployment/cameleer3-server

View File

@@ -28,22 +28,22 @@ spec:
- name: SPRING_DATASOURCE_USERNAME
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_USER
- name: SPRING_DATASOURCE_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_PASSWORD
- name: SPRING_FLYWAY_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_USER
- name: SPRING_FLYWAY_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_PASSWORD
- name: CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN
valueFrom:
@@ -71,16 +71,16 @@ spec:
key: CAMELEER_SERVER_SECURITY_JWTSECRET
optional: true
- name: CAMELEER_SERVER_CLICKHOUSE_URL
value: "jdbc:clickhouse://clickhouse.cameleer.svc.cluster.local:8123/cameleer"
value: "jdbc:clickhouse://cameleer-clickhouse.cameleer.svc.cluster.local:8123/cameleer"
- name: CAMELEER_SERVER_CLICKHOUSE_USERNAME
valueFrom:
secretKeyRef:
name: clickhouse-credentials
name: cameleer-clickhouse-credentials
key: CLICKHOUSE_USER
- name: CAMELEER_SERVER_CLICKHOUSE_PASSWORD
valueFrom:
secretKeyRef:
name: clickhouse-credentials
name: cameleer-clickhouse-credentials
key: CLICKHOUSE_PASSWORD
resources:

View File

@@ -1,36 +1,36 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: clickhouse
name: cameleer-clickhouse
namespace: cameleer
spec:
serviceName: clickhouse
serviceName: cameleer-clickhouse
replicas: 1
selector:
matchLabels:
app: clickhouse
app: cameleer-clickhouse
template:
metadata:
labels:
app: clickhouse
app: cameleer-clickhouse
spec:
securityContext:
runAsNonRoot: true
runAsUser: 101
fsGroup: 101
containers:
- name: clickhouse
- name: cameleer-clickhouse
image: clickhouse/clickhouse-server:24.12
env:
- name: CLICKHOUSE_USER
valueFrom:
secretKeyRef:
name: clickhouse-credentials
name: cameleer-clickhouse-credentials
key: CLICKHOUSE_USER
- name: CLICKHOUSE_PASSWORD
valueFrom:
secretKeyRef:
name: clickhouse-credentials
name: cameleer-clickhouse-credentials
key: CLICKHOUSE_PASSWORD
- name: CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT
value: "1"
@@ -78,10 +78,10 @@ spec:
volumes:
- name: initdb
configMap:
name: clickhouse-initdb
name: cameleer-clickhouse-initdb
- name: config
configMap:
name: clickhouse-config
name: cameleer-clickhouse-config
volumeClaimTemplates:
- metadata:
name: data
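Review bot: The StatefulSet is renamed while `volumeClaimTemplates` keeps `name: data`, so the claim for pod 0 changes from `data-clickhouse-0` to `data-cameleer-clickhouse-0` and the renamed ClickHouse starts on an empty volume. Describe the data migration (or state that data loss is accepted) before this is applied to an existing cluster; the renamed `cameleer-postgres` and `cameleer-logto-postgresql` StatefulSets also mount a `data` volume and need the same check.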
@@ -94,12 +94,12 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: clickhouse
name: cameleer-clickhouse
namespace: cameleer
spec:
clusterIP: None
selector:
app: clickhouse
app: cameleer-clickhouse
ports:
- port: 8123
targetPort: 8123
@@ -111,7 +111,7 @@ spec:
apiVersion: v1
kind: ConfigMap
metadata:
name: clickhouse-config
name: cameleer-clickhouse-config
namespace: cameleer
data:
# Server-level tuning for 4Gi container.
@@ -199,7 +199,7 @@ data:
apiVersion: v1
kind: ConfigMap
metadata:
name: clickhouse-initdb
name: cameleer-clickhouse-initdb
namespace: cameleer
data:
01-create-database.sql: |

View File

@@ -1,7 +1,7 @@
# Logto OIDC Provider for Cameleer
# Provides external identity management with OAuth2/OIDC.
#
# Logto is proxy-aware: ENDPOINT and ADMIN_ENDPOINT (from logto-credentials secret)
# Logto is proxy-aware: ENDPOINT and ADMIN_ENDPOINT (from cameleer-logto-credentials secret)
# set the public-facing URLs that Logto advertises in OIDC discovery, redirects, etc.
# When behind a reverse proxy (e.g., Traefik), set these to the external URLs.
#
@@ -16,21 +16,21 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: logto-postgresql
name: cameleer-logto-postgresql
namespace: cameleer
spec:
serviceName: logto-postgresql
serviceName: cameleer-logto-postgresql
replicas: 1
selector:
matchLabels:
app: logto-postgresql
app: cameleer-logto-postgresql
template:
metadata:
labels:
app: logto-postgresql
app: cameleer-logto-postgresql
spec:
containers:
- name: postgresql
- name: cameleer-logto-postgresql
image: postgres:16-alpine
ports:
- containerPort: 5432
@@ -40,12 +40,12 @@ spec:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: logto-credentials
name: cameleer-logto-credentials
key: PG_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: logto-credentials
name: cameleer-logto-credentials
key: PG_PASSWORD
volumeMounts:
- name: data
@@ -80,12 +80,12 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: logto-postgresql
name: cameleer-logto-postgresql
namespace: cameleer
spec:
clusterIP: None
selector:
app: logto-postgresql
app: cameleer-logto-postgresql
ports:
- port: 5432
targetPort: 5432
@@ -95,20 +95,20 @@ spec:
apiVersion: apps/v1
kind: Deployment
metadata:
name: logto
name: cameleer-logto
namespace: cameleer
spec:
replicas: 1
selector:
matchLabels:
app: logto
app: cameleer-logto
template:
metadata:
labels:
app: logto
app: cameleer-logto
spec:
containers:
- name: logto
- name: cameleer-logto
image: ghcr.io/logto-io/logto:latest
command: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
ports:
@@ -122,24 +122,24 @@ spec:
- name: PG_USER
valueFrom:
secretKeyRef:
name: logto-credentials
name: cameleer-logto-credentials
key: PG_USER
- name: PG_PASSWORD
valueFrom:
secretKeyRef:
name: logto-credentials
name: cameleer-logto-credentials
key: PG_PASSWORD
- name: DB_URL
value: "postgresql://$(PG_USER):$(PG_PASSWORD)@logto-postgresql:5432/logto"
value: "postgresql://$(PG_USER):$(PG_PASSWORD)@cameleer-logto-postgresql:5432/logto"
- name: ENDPOINT
valueFrom:
secretKeyRef:
name: logto-credentials
name: cameleer-logto-credentials
key: ENDPOINT
- name: ADMIN_ENDPOINT
valueFrom:
secretKeyRef:
name: logto-credentials
name: cameleer-logto-credentials
key: ADMIN_ENDPOINT
resources:
requests:
@@ -168,12 +168,12 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: logto
name: cameleer-logto
namespace: cameleer
spec:
type: NodePort
selector:
app: logto
app: cameleer-logto
ports:
- port: 3001
targetPort: 3001

View File

@@ -1,41 +1,41 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
name: cameleer-postgres
namespace: cameleer
spec:
serviceName: postgres
serviceName: cameleer-postgres
replicas: 1
selector:
matchLabels:
app: postgres
app: cameleer-postgres
template:
metadata:
labels:
app: postgres
app: cameleer-postgres
spec:
securityContext:
runAsNonRoot: true
runAsUser: 999
fsGroup: 999
containers:
- name: postgres
- name: cameleer-postgres
image: postgres:16
ports:
- containerPort: 5432
name: postgres
name: cameleer-pg
env:
- name: POSTGRES_DB
value: cameleer3
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_PASSWORD
volumeMounts:
- name: data
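Review bot: The container port name becomes `cameleer-pg` while every other identifier in this file becomes `cameleer-postgres`. Kubernetes limits container port names to 15 characters, which `cameleer-postgres` exceeds, so the abbreviation is presumably deliberate; say so in a YAML comment or the commit message, and check that nothing else refers to the port by its old name `postgres`.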
@@ -79,26 +79,26 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: postgres
name: cameleer-postgres
namespace: cameleer
spec:
clusterIP: None
selector:
app: postgres
app: cameleer-postgres
ports:
- port: 5432
targetPort: 5432
name: postgres
name: cameleer-pg
---
apiVersion: v1
kind: Service
metadata:
name: postgres-external
name: cameleer-postgres-external
namespace: cameleer
spec:
type: NodePort
selector:
app: postgres
app: cameleer-postgres
ports:
- port: 5432
targetPort: 5432
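Review bot: `cameleer-postgres-external` is created as a new NodePort Service, and the old `postgres-external` Service is not removed by this change; it still selects `app: postgres`, so if the old StatefulSet keeps running, that database stays reachable from outside the cluster under the old names. Delete the old `postgres-external` and `postgres` Services as part of the rollout.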

View File

@@ -13,18 +13,18 @@ spec:
args:
- |
PGPASSWORD=$POSTGRES_PASSWORD psql \
-h postgres.cameleer.svc.cluster.local \
-h cameleer-postgres.cameleer.svc.cluster.local \
-U $POSTGRES_USER -d cameleer3 \
-c "CREATE SCHEMA IF NOT EXISTS BRANCH_SCHEMA"
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
name: cameleer-postgres-credentials
key: POSTGRES_PASSWORD
backoffLimit: 3

View File

@@ -24,7 +24,7 @@ patches:
- name: server
env:
- name: SPRING_DATASOURCE_URL
value: "jdbc:postgresql://postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=BRANCH_SCHEMA"
value: "jdbc:postgresql://cameleer-postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=BRANCH_SCHEMA"
- name: CAMELEER_SERVER_SECURITY_UIORIGIN
value: "http://BRANCH_SLUG.cameleer.siegeln.net"
# UI ConfigMap: branch-specific API URL

View File

@@ -41,7 +41,7 @@ patches:
- name: CAMELEER_SERVER_SECURITY_UIORIGIN
value: "http://192.168.50.86:30090"
- name: SPRING_DATASOURCE_URL
value: "jdbc:postgresql://postgres:5432/cameleer3?currentSchema=public"
value: "jdbc:postgresql://cameleer-postgres:5432/cameleer3?currentSchema=public"
# UI ConfigMap: production API URL
- target:
kind: ConfigMap

View File

@@ -1,5 +1,5 @@
services:
postgres:
cameleer-postgres:
image: postgres:16
ports:
- "5432:5432"
@@ -8,7 +8,7 @@ services:
POSTGRES_USER: cameleer
POSTGRES_PASSWORD: cameleer_dev
volumes:
- pgdata:/home/postgres/pgdata/data
- cameleer-pgdata:/home/postgres/pgdata/data
volumes:
pgdata:
cameleer-pgdata:
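Review bot: Renaming the named volume from `pgdata` to `cameleer-pgdata` makes Compose create a fresh, empty volume, so an existing local database is no longer mounted on the next start while the old `pgdata` volume stays on disk. Mention this in the commit message, with the steps to copy or remove the old volume.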

View File

@@ -293,7 +293,7 @@ This applies to both M2M tokens (`scope` claim) and OIDC user login (configurabl
| Variable | Purpose |
|----------|---------|
| `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` | OIDC issuer URI for token validation (e.g., `https://auth.example.com/oidc`) |
| `CAMELEER_SERVER_SECURITY_OIDCJWKSETURI` | Direct JWKS URL (e.g., `http://logto:3001/oidc/jwks`) — use when public issuer isn't reachable from inside containers |
| `CAMELEER_SERVER_SECURITY_OIDCJWKSETURI` | Direct JWKS URL (e.g., `http://cameleer-logto:3001/oidc/jwks`) — use when public issuer isn't reachable from inside containers |
| `CAMELEER_SERVER_SECURITY_OIDCAUDIENCE` | Expected audience (API resource indicator) |
| `CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY` | Skip TLS certificate verification for OIDC calls (default `false`) — use when provider has a self-signed CA |

View File

@@ -926,13 +926,13 @@ Logto is deployed alongside the Cameleer stack. After first deployment:
5. **Configure Cameleer**: Use the admin API (`PUT /api/v1/admin/oidc`) or set env vars for initial seeding:
```
CAMELEER_OIDC_ENABLED=true
CAMELEER_OIDC_ISSUER=http://logto:3001/oidc
CAMELEER_OIDC_ISSUER=http://cameleer-logto:3001/oidc
CAMELEER_OIDC_CLIENT_ID=<client-id-from-step-2>
CAMELEER_OIDC_CLIENT_SECRET=<not-needed-for-public-spa>
```
6. **Configure resource server** (for M2M token validation):
```
CAMELEER_OIDC_ISSUER_URI=http://logto:3001/oidc
CAMELEER_OIDC_ISSUER_URI=http://cameleer-logto:3001/oidc
CAMELEER_OIDC_AUDIENCE=https://cameleer.siegeln.net/api
```
```
@@ -948,7 +948,7 @@ Replace:
With:
```json
"issuerUri": "http://logto:3001/oidc",
"issuerUri": "http://cameleer-logto:3001/oidc",
```
- [ ] **Step 3: Update HOWTO.md — replace infrastructure diagram**

View File

@@ -568,7 +568,7 @@ MetricsFlushScheduler (@Scheduled)
### Configuration
Environment variables (existing pattern):
- `SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/cameleer3`
- `SPRING_DATASOURCE_URL=jdbc:postgresql://cameleer-postgres:5432/cameleer3`
- `SPRING_DATASOURCE_USERNAME`, `SPRING_DATASOURCE_PASSWORD`
- `OPENSEARCH_URL=http://opensearch:9200`
- `CAMELEER_RETENTION_DAYS=30` (applies to both PostgreSQL and OpenSearch)
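Review bot: `SPRING_DATASOURCE_URL` now uses `cameleer-postgres`, while `OPENSEARCH_URL=http://opensearch:9200` two lines below keeps the unprefixed host. If OpenSearch is still part of the stack it should follow the same prefix; if this document is historical, consider leaving it untouched rather than half-updating it.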

View File

@@ -746,7 +746,7 @@ public void enforceRetention() {
```yaml
clickhouse:
url: jdbc:clickhouse://clickhouse:8123/cameleer?async_insert=1&wait_for_async_insert=0
url: jdbc:clickhouse://cameleer-clickhouse:8123/cameleer?async_insert=1&wait_for_async_insert=0
username: cameleer_app
password: ${CLICKHOUSE_PASSWORD}
```

View File

@@ -186,7 +186,7 @@ Update PUT handler default: `rolesClaim` from `realm_access.roles` to `roles`.
| Variable | Purpose | Required |
|----------|---------|----------|
| `CAMELEER_OIDC_ISSUER_URI` | Logto issuer URI (e.g., `http://logto:3001/oidc`) | No — when blank, no OIDC resource server |
| `CAMELEER_OIDC_ISSUER_URI` | Logto issuer URI (e.g., `http://cameleer-logto:3001/oidc`) | No — when blank, no OIDC resource server |
| `CAMELEER_OIDC_AUDIENCE` | Expected audience / API resource indicator | No — when blank, audience not validated |
## Files Changed