Files
ss-tools/.env.example
busya 8fd23f7ea1 refactor(ssl): centralize SSL trust management, remove LLM_SSL_VERIFY
Centralized SSL via one contract: CERTS_PATH=/opt/certs mounted into all containers.

Backend:
  - NEW: backend/src/core/ssl.py — system_ssl_context(), httpx_verify(),
    cert_dir_inventory()
  - LLMClient._get_ssl_verify() → delegates to core.ssl
  - _llm_async_http._get_verify() → delegates to core.ssl
  - Removed LLM_SSL_VERIFY env reading from all runtime code

Docker:
  - NEW: docker/certs.sh — shared cert installer (PEM/DER/cer to .crt conversion,
    update-ca-certificates, hash symlinks, NSS import)
  - NEW: docker/agent.entrypoint.sh — agent entrypoint with cert installation
  - backend.entrypoint.sh → uses certs.sh instead of install_llm_ca_certs
  - Dockerfile.agent → adds ca-certificates, openssl, entrypoint

Compose:
  - Removed LLM_CA_CERT_URLS and LLM_SSL_VERIFY from all compose files
  - Added CERTS_PATH volume mount to agent (dev + enterprise)
  - Added certs volume mount to backend/agent in dev compose

Env examples:
  - Removed LLM_SSL_VERIFY, LLM_CA_CERT_URLS from .env.example,
    .env.enterprise-clean.example, .env.current.example, .env.master.example,
    backend/.env.example
  - Enhanced CERTS_PATH comments with accepted formats

Diagnostics:
  - diag_container.py: removed LLM_* checks, added CERTS_PATH inventory,
    uses core.ssl for context creation

Tests:
  - Updated test_llm_analysis_service, test_llm_async_http,
    test_client_headers to verify centralized ssl context (no env disable)
  - 4/4 SSL tests pass
2026-07-06 21:00:28 +03:00

86 lines
4.6 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ======================================================================
# superset-tools — локальная разработка (docker compose)
# Все переменные, используемые docker-compose.yml.
# Скопируйте в .env.current или .env.master и отредактируйте под ветку.
# ======================================================================
# ── Проект ─────────────────────────────────────────────────────────────
COMPOSE_PROJECT_NAME=ss-tools-current
# ── PostgreSQL (встроенный, docker compose db service) ──────────────────
POSTGRES_IMAGE=postgres:16-alpine
POSTGRES_HOST_PORT=5433
POSTGRES_DB=ss_tools
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
# ── Порты хоста ────────────────────────────────────────────────────────
BACKEND_HOST_PORT=8101
FRONTEND_HOST_PORT=8100
FRONTEND_SSL_PORT=443
AGENT_HOST_PORT=7860
# ── Безопасность (ОБЯЗАТЕЛЬНО) ─────────────────────────────────────────
# JWT-ключ подписи токенов — единый для backend и agent.
# Сгенерировать: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
AUTH_SECRET_KEY=change-me-to-a-random-secret-32-chars-min
# Fernet-ключ шифрования паролей подключений и API-ключей.
# Сгенерировать: python3 -c "import base64,os; print(base64.urlsafe_b64encode(os.urandom(32)).decode())"
ENCRYPTION_KEY=D40dpvWPZxKd41jeaTHtEs2R7nwMVLxbkMRLjAICRls=
# Сервисный токен для agent→backend вызовов.
# Сгенерировать: python3 -c "import secrets; print('svc-' + secrets.token_urlsafe(24))"
SERVICE_JWT=agent-service-secret
# JWT audience / issuer (опционально)
# JWT_AUDIENCE=superset-tools-api
# JWT_ISSUER=superset-tools
# ── Admin bootstrap (первый запуск) ────────────────────────────────────
INITIAL_ADMIN_CREATE=true
INITIAL_ADMIN_USERNAME=admin
INITIAL_ADMIN_PASSWORD=admin
INITIAL_ADMIN_EMAIL=
# ── LLM / AI провайдеры (опционально — настраивается через Web UI) ─────
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
# Агент: LLM настройки (если не подтягиваются из FastAPI /api/agent/llm-config)
LLM_API_KEY=
LLM_BASE_URL=https://api.openai.com/v1
LLM_MODEL=gpt-4o
# ── Агент (настройки) ──────────────────────────────────────────────────
GRADIO_SERVER_PORT=7860
# GRADIO_ALLOW_PORT_FALLBACK=true
# AGENT_ENABLE_LLM_TITLES=true
# AGENT_TITLE_GENERATION_TIMEOUT_S=0.25
# AGENT_PREFETCH_DASHBOARD_LIMIT=25
# AGENT_CONFIRM_TOOLS=false
# AGENT_INTERRUPT_BEFORE=
# ── Сертификаты / фронтенд ─────────────────────────────────────────────
CERTS_PATH=./certs
SSL_KEY_PASSPHRASE=
# ── Логирование ────────────────────────────────────────────────────────
ENABLE_BELIEF_STATE_LOGGING=true
TASK_LOG_LEVEL=INFO
# ── CORS / Безопасность деплоя ─────────────────────────────────────────
ALLOWED_ORIGINS=http://localhost:8100,http://127.0.0.1:8100
FORCE_HTTPS=false
APP_TIMEZONE=Europe/Moscow
# ── Features ───────────────────────────────────────────────────────────
FEATURES__DATASET_REVIEW=true
FEATURES__HEALTH_MONITOR=true
# ── ADFS SSO (опционально) ─────────────────────────────────────────────
# ADFS_CLIENT_ID=
# ADFS_CLIENT_SECRET=
# ADFS_METADATA_URL=
# ── OpenRouter (опционально) ───────────────────────────────────────────
# OPENROUTER_SITE_URL=
# OPENROUTER_APP_NAME=
# APP_BASE_URL=