Updated docker build to create relevant postgres databases

[BMartinos]

A sql init script is used for creating the keycloak and shlp database and users with correct permissions

Summary by CodeRabbit

• New Features

  • Introduced new environment variables for Keycloak and SHLP PostgreSQL database configurations.
  • Added initialization SQL script for setting up databases and users.
  • Updated service configurations for easier access and improved database management.
  • Enhanced security with updated placeholders for sensitive information.

• Bug Fixes

  • Adjusted database connection parameters for Keycloak to enhance stability.

• Documentation

  • Updated example environment files to reflect new configurations and placeholders for security settings.

[coderabbitai]

Walkthrough

The pull request introduces significant updates across multiple configuration files, primarily focusing on the .env, .env.example, and .env.production.example files. Key changes include the addition of new PostgreSQL database settings for Keycloak and the SHLP application, as well as modifications to existing environment variables related to security and database connections. The docker-compose.yml file has been updated to reflect these changes, including adjustments to service port mappings and database initialization scripts. A new SQL script establishes the necessary databases and user privileges, enhancing the overall configuration.

Changes

File	Change Summary
.env, .env.example, .env.production.example	Added new PostgreSQL settings for Keycloak and SHLP; modified existing environment variables for security and database connections.
docker-compose.yml	Changed port mappings for services; added volume for database initialization; updated Keycloak database connection parameters.
docker/init.sql	Introduced a script to create keycloak and shlp databases along with their respective users and privileges.
import/config/shlp/shlp-realm.json	Modified the client secret field to use a placeholder value.

Possibly related PRs

• encrypting sensitive data with prisma-field-encryption #44: This PR involves modifications to the .env file, specifically related to the management of encryption keys, which connects to the changes in the main PR.
• Fix/docker image build for production #52: This PR includes updates to the .env file concerning Keycloak configurations and database credentials, aligning with the updates made in the main PR.

Poem

🐰 In a world of keys and secrets bright,
The rabbit hops with pure delight.
With databases fresh and connections anew,
Our configurations dance, a joyful crew!
From Keycloak's realm to SHLP's domain,
Together we thrive, in code we gain! 🌟

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  -- I pushed a fix in commit <commit_id>, please review it.
  -- Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  -- @coderabbitai generate unit testing code for this file.
  -- @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  -- @coderabbitai generate interesting stats about this repository and render them as a table.
  -- @coderabbitai read src/utils.ts and generate unit testing code.
  -- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  -- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[BMartinos]

Note: Ive hard coded the user passwords for now just to verify this works. These ideally need to be injected as variables configured via env

[coderabbitai]

Actionable comments posted: 0

Outside diff range and nitpick comments (2)

docker/init.sql (2)

1-3: Consider adding IF NOT EXISTS clause to handle existing databases.

To prevent errors when running the script multiple times, consider adding the IF NOT EXISTS clause to the CREATE DATABASE statements. This will ensure that the databases are only created if they don't already exist.

Apply this diff to add the IF NOT EXISTS clause:

-- Create databases if they don't exist
-CREATE DATABASE keycloak;
-CREATE DATABASE shlp;
+CREATE DATABASE IF NOT EXISTS keycloak;
+CREATE DATABASE IF NOT EXISTS shlp;

---

5-7: LGTM! Consider the principle of least privilege.

The code segment correctly creates the keycloak_user and grants the necessary privileges. However, consider applying the principle of least privilege and only granting the specific privileges that the user requires to perform their intended tasks. This helps to minimize potential security risks.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 2888d02 and 42c4e2c.

Files selected for processing (6)

• .env (1 hunks)
• .env.example (1 hunks)
• .env.production.example (1 hunks)
• docker-compose.yml (3 hunks)
• docker/init.sql (1 hunks)
• import/config/shlp/shlp-realm.json (1 hunks)

Additional comments not posted (39)

docker/init.sql (2)

9-10: LGTM!

The code segment correctly creates the shlp_user with the necessary permissions and grants the required privileges on the shlp database. The CREATEDB permission is appropriately justified by the comment.

---

12-14: LGTM!

Changing the ownership of the databases to their respective users is a good practice. It ensures that the users have the necessary control over their databases and complements the previous segments by assigning the appropriate ownership.

.env.production.example (5)

4-4: Reminder: Set the value of EXTERNAL_URL.

Please ensure that you provide a valid URL for the EXTERNAL_URL variable before deploying the application to production.

---

11-13: LGTM! Remember to set the values for Keycloak PostgreSQL variables.

The addition of KEYCLOAK_POSTGRES_DB, KEYCLOAK_POSTGRES_USER, and KEYCLOAK_POSTGRES_PASSWORD variables aligns with the PR objective of creating relevant PostgreSQL databases. Please ensure that you provide valid values for these variables before deploying the application to production.

---

18-19: Reminder: Set the value of NEXT_LOCAL_KEYCLOAK_URL.

Please ensure that you provide a valid URL for the NEXT_LOCAL_KEYCLOAK_URL variable before running the application locally.

---

20-23: LGTM! Remember to set the values for SHLP PostgreSQL variables.

The addition of SHLP_POSTGRES_HOST, SHLP_POSTGRES_DB, SHLP_POSTGRES_USERNAME, and SHLP_POSTGRES_PASSWORD variables aligns with the PR objective of creating relevant PostgreSQL databases. Please ensure that you provide valid values for these variables before deploying the application to production.

---

24-26: LGTM! Remember to set the values for Prisma encryption variables.

The POSTGRES_PRISMA_URL variable is correctly set using the SHLP PostgreSQL variables. The addition of PRISMA_FIELD_ENCRYPTION_KEY and PRISMA_FIELD_ENCRYPTION_HASH_SALT variables suggests enhanced security measures for data encryption. Please ensure that you provide valid values for these encryption variables before deploying the application to production.

.env (10)

9-9: LGTM!

Using a placeholder value for the KEYCLOAK_CLIENT_SECRET is a good practice to avoid exposing sensitive information. Ensure that the actual value is set in the deployment environment.

---

10-10: LGTM!

The KEYCLOAK_ISSUER URL has been updated to match the Keycloak service configuration in the docker-compose.yml file.

---

11-13: LGTM!

The new environment variables for Keycloak's PostgreSQL database configuration align with the Keycloak service configuration in the docker-compose.yml file. Using a separate database for Keycloak is a good practice to isolate its data from other application data.

---

16-16: LGTM!

Using a placeholder value for the NEXTAUTH_SECRET is a good practice to avoid exposing sensitive information. Ensure that the actual value is set in the deployment environment.

---

17-17: LGTM!

The NEXT_CONTAINER_KEYCLOAK_ENDPOINT URL has been updated to use the Keycloak service name instead of localhost. This allows the Next.js container to communicate with the Keycloak container within the Docker network.

---

18-18: LGTM!

The NEXT_LOCAL_KEYCLOAK_URL has been updated to match the Keycloak service configuration in the docker-compose.yml file. This URL is used for local development to access the Keycloak service from the host machine.

---

20-23: LGTM!

The new environment variables for the SHLP application's PostgreSQL database configuration align with the PostgreSQL service configuration in the docker-compose.yml file. Using a separate database for the SHLP application is a good practice to isolate its data from other application data.

---

24-24: LGTM!

The POSTGRES_PRISMA_URL is constructed using the SHLP application's PostgreSQL database configuration variables. This ensures that the URL is always in sync with the database configuration.

---

25-25: LGTM!

Using a placeholder value for the PRISMA_FIELD_ENCRYPTION_KEY is a good practice to avoid exposing sensitive information. Ensure that the actual value is set in the deployment environment.

---

26-26: LGTM!

Using a placeholder value for the PRISMA_FIELD_ENCRYPTION_HASH_SALT is a good practice to avoid exposing sensitive information. Ensure that the actual value is set in the deployment environment.

.env.example (16)

1-1: LGTM!

Using the default database name postgres is a common practice in development environments.

---

2-2: LGTM!

Using the default database user postgres is a common practice in development environments.

---

3-3: Reminder: Use a secure password in production.

Using the default database password postgres in a development environment is acceptable. However, ensure that a secure password is used in production environments.

---

4-4: LGTM!

Setting the EXTERNAL_URL to a local URL is appropriate for a development environment.

---

9-9: Reminder: Use a secure client secret in production.

Using a placeholder value for the KEYCLOAK_CLIENT_SECRET is acceptable in a development environment. However, ensure that a secure secret is used in production environments.

---

11-11: LGTM!

Using a separate database for Keycloak is a good practice.

---

12-12: LGTM!

Using a separate user for Keycloak is a good practice.

---

13-13: Reminder: Use a secure password for Keycloak in production.

Using a placeholder password for Keycloak in a development environment is acceptable. However, ensure that a secure password is used in production environments.

---

16-16: Reminder: Use a secure NextAuth secret in production.

Using a placeholder value for the NEXTAUTH_SECRET is acceptable in a development environment. However, ensure that a secure secret is used in production environments.

---

20-20: LGTM!

Using the postgres service as the database host is appropriate in a Docker environment.

---

21-21: LGTM!

Using a separate database for the SHLP application is a good practice.

---

22-22: LGTM!

Using a separate user for the SHLP application is a good practice.

---

23-23: Reminder: Use a secure password for the SHLP application in production.

Using a placeholder password for the SHLP application in a development environment is acceptable. However, ensure that a secure password is used in production environments.

---

24-24: LGTM!

Using environment variables to construct the Prisma database connection URL is a good practice. The connection URL follows the correct format for a PostgreSQL connection string.

---

25-25: Reminder: Use a secure Prisma field encryption key in production.

Using a placeholder value for the PRISMA_FIELD_ENCRYPTION_KEY is acceptable in a development environment. However, ensure that a secure key is used in production environments.

---

26-26: Reminder: Use a secure Prisma field encryption hash salt in production.

Using a placeholder value for the PRISMA_FIELD_ENCRYPTION_HASH_SALT is acceptable in a development environment. However, ensure that a secure salt is used in production environments.

docker-compose.yml (5)

16-16: LGTM!

The port mapping change simplifies the service access by aligning the external and internal ports.

---

29-29: LGTM!

The addition of the SQL initialization script enhances the database setup process within the Docker container.

---

55-55: LGTM!

The port mapping change simplifies the service access by aligning the external and internal ports for Keycloak.

---

51-51: Verify the environment variable change in the configuration files.

The change in the database URL environment variable for Keycloak aligns with a more modular database configuration. However, ensure that the KEYCLOAK_POSTGRES_DB variable is correctly defined and used consistently across the configuration files.

Run the following script to verify the environment variable usage:

Verification successful

---

Environment variable change verified and approved

The KEYCLOAK_POSTGRES_DB environment variable is correctly defined in the .env file and properly used in the docker-compose.yml file. This change maintains consistency across the configuration files and allows for flexible database naming.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `KEYCLOAK_POSTGRES_DB` environment variable.

# Test: Search for the variable definition. Expect: Occurrences in the configuration files.
rg --type-add 'config:*.{env,yml}' --type config $'KEYCLOAK_POSTGRES_DB'

Length of output: 193

---

52-53: Verify the environment variable changes in the configuration files.

The changes in the database username and password environment variables for Keycloak align with a more modular database configuration. However, ensure that the KEYCLOAK_POSTGRES_USER and KEYCLOAK_POSTGRES_PASSWORD variables are correctly defined and used consistently across the configuration files.

Run the following script to verify the environment variable usage:

Verification successful

---

Environment variable changes verified and consistent

The KEYCLOAK_POSTGRES_USER and KEYCLOAK_POSTGRES_PASSWORD environment variables are correctly defined in the .env file and properly referenced in the docker-compose.yml file. The usage is consistent across both configuration files, ensuring proper database authentication for Keycloak.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `KEYCLOAK_POSTGRES_USER` and `KEYCLOAK_POSTGRES_PASSWORD` environment variables.

# Test: Search for the variable definitions. Expect: Occurrences in the configuration files.
rg --type-add 'config:*.{env,yml}' --type config $'KEYCLOAK_POSTGRES_USER'
rg --type-add 'config:*.{env,yml}' --type config $'KEYCLOAK_POSTGRES_PASSWORD'

Length of output: 381

import/config/shlp/shlp-realm.json (1)

526-526: Replacing the hardcoded client secret is a good security practice.

Sourcing sensitive configuration values like secrets from the environment is recommended to avoid exposing them in code repositories.

Please ensure that:

• The application code is updated to read the secret from the correct environment variable.
• The deployment process is updated to populate the environment variable with the actual secret value.

[coderabbitai]

Actionable comments posted: 5

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 42c4e2c and 82aa0b7.

Files selected for processing (1)

• .env (1 hunks)

[coderabbitai]

Use a secure secret management solution for sensitive values.

Storing sensitive values like the Keycloak client secret directly in the .env file is not recommended, as it may lead to the secret being accidentally committed to version control.

Consider using a secure secret management solution, such as HashiCorp Vault or AWS Secrets Manager, to store and retrieve sensitive values.

[coderabbitai]

LGTM! Consider using a secure secret management solution for the database credentials.

The addition of dedicated PostgreSQL database configuration for Keycloak is a good practice, as it separates Keycloak's data from the main application database.

However, storing the database credentials directly in the .env file is not recommended. Consider using a secure secret management solution, such as HashiCorp Vault or AWS Secrets Manager, to store and retrieve the database credentials.

[coderabbitai]

Use a secure secret management solution for the NextAuth secret. The Keycloak endpoint update looks good!

The NEXTAUTH_SECRET value should not be stored directly in the .env file. Consider using a secure secret management solution, such as HashiCorp Vault or AWS Secrets Manager, to store and retrieve the secret value.

The update to NEXT_CONTAINER_KEYCLOAK_ENDPOINT to use the keycloak service name instead of localhost is correct, as it will be accessible within the Docker network.

[coderabbitai]

LGTM! Consider using a secure secret management solution for the database credentials.

The addition of dedicated PostgreSQL database configuration for the SHLP application is a good practice, as it separates the application's data from other databases.

However, storing the database credentials directly in the .env file is not recommended. Consider using a secure secret management solution, such as HashiCorp Vault or AWS Secrets Manager, to store and retrieve the database credentials.

[coderabbitai]

The Prisma PostgreSQL URL construction looks good! Consider using a secure secret management solution for the encryption key and hash salt.

The construction of the POSTGRES_PRISMA_URL using the SHLP database configuration is correct and will allow Prisma to connect to the dedicated SHLP database.

However, the PRISMA_FIELD_ENCRYPTION_KEY and PRISMA_FIELD_ENCRYPTION_HASH_SALT values are sensitive and should not be stored directly in the .env file. Consider using a secure secret management solution, such as HashiCorp Vault or AWS Secrets Manager, to store and retrieve these values.

[yassinedorbozgithub]

This PR resolves the project start up issues
The UI App and keycloak are working again 🎉

LGTM 👍