Merge 1f5d6f127f into 3b6b64d472

2026-03-22 15:12:08 +01:00 · 2025-10-16 14:24:34 +02:00
19 changed files with 319 additions and 284 deletions
--- a/.github/workflows/deploy-pr.yaml
+++ b/.github/workflows/deploy-pr.yaml
@@ -20,26 +20,13 @@ jobs:
      pr_number: ${{ github.event.pull_request.number }}
    secrets: inherit

-  get_urls:
-    if: github.event.action != 'closed'
-    name: Generate Preview URLs
-    uses: ./.github/workflows/url_generator.yml
-    with:
-      runner: vhs
-      mode: pr
-      pr_number: ${{ github.event.pull_request.number }}
-      base_domain: ${{ vars.DEV_BASE_DOMAIN }}
-    secrets: inherit
-
  frontend:
    if: github.event.action != 'closed'
    name: Frontend - Build and Deploy to Cloudflare Pages (PR)
-    needs: [get_urls]
    uses: ./.github/workflows/frontend-pages.yml
    with:
      mode: pr
      pr_number: ${{ github.event.pull_request.number }}
-      backend_url_scheme: ${{ needs.get_urls.outputs.backend_url_scheme }}
    secrets: inherit

  deploy:
@@ -49,7 +36,7 @@ jobs:
    concurrency:
      group: pr-${{ github.event.pull_request.number }}
      cancel-in-progress: false
-    needs: [build, frontend, get_urls]
+    needs: [build, frontend]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -75,24 +62,25 @@ jobs:
          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
          RABBITMQ_PASSWORD: ${{ secrets.PROD_RABBITMQ_PASSWORD }}
          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+          IMAGE_REPO: ${{ needs.build.outputs.image_repo }}
          DIGEST: ${{ needs.build.outputs.digest }}
-          DOMAIN: "${{ needs.get_urls.outputs.backend_url }}"
-          DOMAIN_SCHEME: "${{ needs.get_urls.outputs.backend_url_scheme }}"
-          FRONTEND_DOMAIN: "${{ needs.get_urls.outputs.frontend_url }}"
-          FRONTEND_DOMAIN_SCHEME: "${{ needs.get_urls.outputs.frontend_url_scheme }}"
        run: |
          PR=${{ github.event.pull_request.number }}
+          if [ -z "$PR" ]; then echo "PR number missing"; exit 1; fi
+          if [ -z "$DEV_BASE_DOMAIN" ]; then echo "Secret DEV_BASE_DOMAIN is required (e.g., dev.example.com)"; exit 1; fi
+          if [ -z "$RABBITMQ_PASSWORD" ]; then echo "Secret DEV_RABBITMQ_PASSWORD is required"; exit 1; fi
+          if [ -z "$DB_PASSWORD" ]; then echo "Secret DEV_DB_PASSWORD is required"; exit 1; fi
          RELEASE=myapp-pr-$PR
          NAMESPACE=pr-$PR
+          DOMAIN=pr-$PR.$DEV_BASE_DOMAIN
+          if [ -z "$IMAGE_REPO" ]; then IMAGE_REPO="lukastrkan/cc-app-demo"; fi
          helm upgrade --install "$RELEASE" ./7project/charts/myapp-chart \
            -n "$NAMESPACE" --create-namespace \
            -f 7project/charts/myapp-chart/values-dev.yaml \
            --set prNumber="$PR" \
            --set deployment="pr-$PR" \
            --set domain="$DOMAIN" \
-            --set domain_scheme="$DOMAIN_SCHEME" \
-            --set frontend_domain="$FRONTEND_DOMAIN" \
-            --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
+            --set image.repository="$IMAGE_REPO" \
            --set image.digest="$DIGEST" \
            --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
            --set-string database.password="$DB_PASSWORD"
@@ -100,16 +88,19 @@ jobs:
      - name: Post preview URLs as PR comment
        uses: actions/github-script@v7
        env:
-          BACKEND_URL: ${{ needs.get_urls.outputs.backend_url_scheme }}
-          FRONTEND_URL: ${{ needs.get_urls.outputs.frontend_url_scheme }}
+          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
+          FRONTEND_URL: ${{ needs.frontend.outputs.deployed_url }}
        with:
          script: |
            const pr = context.payload.pull_request;
            if (!pr) { core.setFailed('No pull_request context'); return; }
            const prNumber = pr.number;
-            const backendUrl = process.env.BACKEND_URL || '(not available)';
+            const domainBase = process.env.DEV_BASE_DOMAIN;
+            if (!domainBase) { core.setFailed('DEV_BASE_DOMAIN is required'); return; }
+            const backendDomain = `pr-${prNumber}.${domainBase}`;
+            const backendUrl = `https://${backendDomain}`;
            const frontendUrl = process.env.FRONTEND_URL || '(not available)';
-            const marker = '<!-- preview-comment-marker -->';
+            const marker = '<!-- preview-link -->';
            const body = `${marker}\nPreview environment is running\n- Frontend: ${frontendUrl}\n- Backend: ${backendUrl}\n`;
            const { owner, repo } = context.repo;
            const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number: prNumber, per_page: 100 });
--- a/.github/workflows/deploy-prod.yaml
+++ b/.github/workflows/deploy-prod.yaml
@@ -30,28 +30,17 @@ jobs:
      context: 7project/backend
    secrets: inherit

-  get_urls:
-    name: Generate Production URLs
-    uses: ./.github/workflows/url_generator.yml
-    with:
-      mode: prod
-      runner: vhs
-      base_domain: ${{ vars.PROD_DOMAIN }}
-    secrets: inherit
-
  frontend:
    name: Frontend - Build and Deploy to Cloudflare Pages (prod)
-    needs: [get_urls]
    uses: ./.github/workflows/frontend-pages.yml
    with:
      mode: prod
-      backend_url_scheme: ${{ needs.get_urls.outputs.backend_url_scheme }}
    secrets: inherit

  deploy:
    name: Helm upgrade/install (prod)
    runs-on: vhs
-    needs: [build, frontend, get_urls]
+    needs: [build, frontend]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -74,32 +63,25 @@ jobs:

      - name: Helm upgrade/install prod
        env:
-          DOMAIN: ${{ needs.get_urls.outputs.backend_url }}
-          DOMAIN_SCHEME: ${{ needs.get_urls.outputs.backend_url_scheme }}
-          FRONTEND_DOMAIN: ${{ needs.get_urls.outputs.frontend_url }}
-          FRONTEND_DOMAIN_SCHEME: ${{ needs.get_urls.outputs.frontend_url_scheme }}
+          DOMAIN: ${{ secrets.PROD_DOMAIN }}
          RABBITMQ_PASSWORD: ${{ secrets.PROD_RABBITMQ_PASSWORD }}
          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+          IMAGE_REPO: ${{ needs.build.outputs.image_repo }}
          DIGEST: ${{ needs.build.outputs.digest }}
-          BANKID_CLIENT_ID: ${{ secrets.BANKID_CLIENT_ID }}
-          BANKID_CLIENT_SECRET: ${{ secrets.BANKID_CLIENT_SECRET }}
-          MOJEID_CLIENT_ID: ${{ secrets.MOJEID_CLIENT_ID }}
-          MOJEID_CLIENT_SECRET: ${{ secrets.MOJEID_CLIENT_SECRET }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
        run: |
+          if [ -z "$DOMAIN" ]; then
+            echo "Secret PROD_DOMAIN is required (e.g., app.example.com)"; exit 1; fi
+          if [ -z "$RABBITMQ_PASSWORD" ]; then
+            echo "Secret PROD_RABBITMQ_PASSWORD is required"; exit 1; fi
+          if [ -z "$DB_PASSWORD" ]; then
+            echo "Secret PROD_DB_PASSWORD is required"; exit 1; fi
+          if [ -z "$IMAGE_REPO" ]; then IMAGE_REPO="lukastrkan/cc-app-demo"; fi
          helm upgrade --install myapp ./7project/charts/myapp-chart \
            -n prod --create-namespace \
            -f 7project/charts/myapp-chart/values-prod.yaml \
            --set deployment="prod" \
            --set domain="$DOMAIN" \
-            --set domain_scheme="$DOMAIN_SCHEME" \
-            --set frontend_domain="$FRONTEND_DOMAIN" \
-            --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
+            --set image.repository="$IMAGE_REPO" \
            --set image.digest="$DIGEST" \
            --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
-            --set-string database.password="$DB_PASSWORD" \
-            --set-string oauth.bankid.clientId="$BANKID_CLIENT_ID" \
-            --set-string oauth.bankid.clientSecret="$BANKID_CLIENT_SECRET" \
-            --set-string oauth.mojeid.clientId="$MOJEID_CLIENT_ID" \
-            --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \
-            --set-string sentry_dsn="$SENTRY_DSN" \
+            --set-string database.password="$DB_PASSWORD" 
--- a/.github/workflows/frontend-pages.yml
+++ b/.github/workflows/frontend-pages.yml
@@ -15,10 +15,6 @@ on:
        description: 'Cloudflare Pages project name (overrides default)'
        required: false
        type: string
-      backend_url_scheme:
-        description: 'The full scheme URL for the backend (e.g., https://api.example.com)'
-        required: true
-        type: string
    secrets:
      CLOUDFLARE_API_TOKEN:
        required: true
@@ -29,6 +25,14 @@ on:
        description: 'URL of deployed frontend'
        value: ${{ jobs.deploy.outputs.deployed_url }}

+# Required repository secrets:
+#   CLOUDFLARE_API_TOKEN     - API token with Pages:Edit (or Account:Workers Scripts:Edit) permissions
+#   CLOUDFLARE_ACCOUNT_ID    - Your Cloudflare account ID
+# Optional repository variables:
+#   CF_PAGES_PROJECT_NAME      - Default Cloudflare Pages project name
+#   PROD_DOMAIN                - App domain for prod releases (e.g., api.example.com or https://api.example.com)
+#   BACKEND_URL_PR_TEMPLATE    - Template for PR backend URL. Use {PR} placeholder for PR number (e.g., https://api-pr-{PR}.example.com)
+
 jobs:
  build:
    name: Build frontend
@@ -50,9 +54,50 @@ jobs:
      - name: Install dependencies
        run: npm ci

-      - name: Set backend URL from workflow input
+      - name: Compute backend URL for Vite
+        id: be
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }}
+          PR_TEMPLATE: ${{ vars.BACKEND_URL_PR_TEMPLATE }}
+          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
+          PROD_DOMAIN_VAR: ${{ vars.PROD_DOMAIN }}
+          PROD_DOMAIN_SECRET: ${{ secrets.PROD_DOMAIN }}
+          BACKEND_URL_OVERRIDE: ${{ vars.BACKEND_URL || secrets.BACKEND_URL }}
+          MODE: ${{ inputs.mode }}
        run: |
-          echo "VITE_BACKEND_URL=${{ inputs.backend_url_scheme }}" >> $GITHUB_ENV
+          set -euo pipefail
+          URL=""
+          # 1) Explicit override wins (from repo var or secret)
+          if [ -n "${BACKEND_URL_OVERRIDE:-}" ]; then
+            if echo "$BACKEND_URL_OVERRIDE" | grep -Eiq '^https?://'; then
+              URL="$BACKEND_URL_OVERRIDE"
+            else
+              URL="https://${BACKEND_URL_OVERRIDE}"
+            fi
+          else
+            # 2) PR-specific URL when building for PR
+            if [ "${MODE:-}" = "pr" ] || [ "${EVENT_NAME}" = "pull_request" ]; then
+              if [ -n "${PR_TEMPLATE:-}" ] && [ -n "${PR_NUMBER:-}" ] ; then
+                URL="${PR_TEMPLATE//\{PR\}/${PR_NUMBER}}"
+              elif [ -n "${DEV_BASE_DOMAIN:-}" ] && [ -n "${PR_NUMBER:-}" ]; then
+                URL="https://pr-${PR_NUMBER}.${DEV_BASE_DOMAIN}"
+              fi
+            fi
+            # 3) Fallback to PROD_DOMAIN (prefer repo var, then secret)
+            if [ -z "$URL" ]; then
+              PROD_DOMAIN="${PROD_DOMAIN_VAR:-${PROD_DOMAIN_SECRET:-}}"
+              if [ -n "$PROD_DOMAIN" ]; then
+                if echo "$PROD_DOMAIN" | grep -Eiq '^https?://'; then
+                  URL="$PROD_DOMAIN"
+                else
+                  URL="https://${PROD_DOMAIN}"
+                fi
+              fi
+            fi
+          fi
+          echo "Using backend URL: ${URL:-<empty>}"
+          echo "VITE_BACKEND_URL=${URL}" >> $GITHUB_ENV

      - name: Build
        run: npm run build
--- a/.github/workflows/url_generator.yml
+++ b/.github/workflows/url_generator.yml
@@ -1,74 +0,0 @@
-name: Generate Preview or Production URLs
-
-on:
-  workflow_call:
-    inputs:
-      mode:
-        description: "Build mode: 'prod' or 'pr'"
-        required: true
-        type: string
-      pr_number:
-        description: 'PR number (required when mode=pr)'
-        required: false
-        type: string
-      runner:
-        description: 'The runner to use for this job'
-        required: false
-        type: string
-        default: 'ubuntu-latest'
-      base_domain:
-        description: 'The base domain for production URLs (e.g., example.com)'
-        required: true
-        type: string
-
-    outputs:
-      backend_url:
-        description: "The backend URL without scheme (e.g., api.example.com)"
-        value: ${{ jobs.generate-urls.outputs.backend_url }}
-      frontend_url:
-        description: "The frontend URL without scheme (e.g., app.example.com)"
-        value: ${{ jobs.generate-urls.outputs.frontend_url }}
-      backend_url_scheme:
-        description: "The backend URL with scheme (e.g., https://api.example.com)"
-        value: ${{ jobs.generate-urls.outputs.backend_url_scheme }}
-      frontend_url_scheme:
-        description: "The frontend URL with scheme (e.g., https://app.example.com)"
-        value: ${{ jobs.generate-urls.outputs.frontend_url_scheme }}
-
-jobs:
-  generate-urls:
-    permissions:
-      contents: none
-    runs-on: ${{ inputs.runner }}
-
-    outputs:
-      backend_url: ${{ steps.set_urls.outputs.backend_url }}
-      frontend_url: ${{ steps.set_urls.outputs.frontend_url }}
-      backend_url_scheme: ${{ steps.set_urls.outputs.backend_url_scheme }}
-      frontend_url_scheme: ${{ steps.set_urls.outputs.frontend_url_scheme }}
-
-    steps:
-      - name: Generate URLs
-        id: set_urls
-        env:
-          BASE_DOMAIN: ${{ inputs.base_domain }}
-        run: |
-          set -euo pipefail
-          
-          if [ "${{ inputs.mode }}" = "prod" ]; then
-            BACKEND_URL="api.${BASE_DOMAIN}"
-            FRONTEND_URL="finance.${BASE_DOMAIN}"
-          else
-            # This is your current logic
-            FRONTEND_URL="pr-${{ inputs.pr_number }}.group-8-frontend.pages.dev"
-            BACKEND_URL="api-pr-${{ inputs.pr_number }}.${BASE_DOMAIN}"
-          fi
-
-          FRONTEND_URL_SCHEME="https://$FRONTEND_URL"
-          BACKEND_URL_SCHEME="https://$BACKEND_URL"
-          
-          # This part correctly writes to GITHUB_OUTPUT for the step
-          echo "backend_url_scheme=$BACKEND_URL_SCHEME" >> $GITHUB_OUTPUT
-          echo "frontend_url_scheme=$FRONTEND_URL_SCHEME" >> $GITHUB_OUTPUT
-          echo "backend_url=$BACKEND_URL" >> $GITHUB_OUTPUT
-          echo "frontend_url=$FRONTEND_URL" >> $GITHUB_OUTPUT
--- a/7project/backend/app/app.py
+++ b/7project/backend/app/app.py
@@ -1,10 +1,5 @@
-import logging
-import os
-from datetime import datetime
-
 from fastapi import Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
-from starlette.requests import Request

 from app.models.user import User

@@ -14,16 +9,6 @@ from app.api.categories import router as categories_router
 from app.api.transactions import router as transactions_router
 from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider

-
-from fastapi import FastAPI
-import sentry_sdk
-
-sentry_sdk.init(
-    dsn=os.getenv("SENTRY_DSN"),
-    send_default_pii=True,
-)
-
-app = FastAPI()
 fastApi = FastAPI()

 # CORS for frontend dev server
@@ -32,7 +17,6 @@ fastApi.add_middleware(
    allow_origins=[
        "http://localhost:5173",
        "http://127.0.0.1:5173",
-        os.getenv("FRONTEND_DOMAIN_SCHEME", "")
    ],
    allow_credentials=True,
    allow_methods=["*"],
@@ -43,27 +27,6 @@ fastApi.include_router(auth_router)
 fastApi.include_router(categories_router)
 fastApi.include_router(transactions_router)

-logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s %(message)s')
-@fastApi.middleware("http")
-async def log_traffic(request: Request, call_next):
-    start_time = datetime.now()
-    response = await call_next(request)
-    process_time = (datetime.now() - start_time).total_seconds()
-    client_host = request.client.host
-    log_params = {
-        "request_method": request.method,
-        "request_url": str(request.url),
-        "request_size": request.headers.get("content-length"),
-        "request_headers": dict(request.headers),
-        "response_status": response.status_code,
-        "response_size": response.headers.get("content-length"),
-        "response_headers": dict(response.headers),
-        "process_time": process_time,
-        "client_host": client_host
-    }
-    logging.info(str(log_params))
-    return response
-
 fastApi.include_router(
    fastapi_users.get_oauth_router(
        get_oauth_provider("MojeID"),
@@ -96,7 +59,3 @@ async def root():
@fastApi.get("/authenticated-route")
 async def authenticated_route(user: User = Depends(current_active_verified_user)):
    return {"message": f"Hello {user.email}!"}
-
-@fastApi.get("/sentry-debug")
-async def trigger_error():
-    division_by_zero = 1 / 0
--- a/7project/backend/requirements.txt
+++ b/7project/backend/requirements.txt
@@ -50,7 +50,6 @@ python-dateutil==2.9.0.post0
 python-dotenv==1.1.1
 python-multipart==0.0.20
 PyYAML==6.0.2
-sentry-sdk==2.42.0
 six==1.17.0
 sniffio==1.3.1
 SQLAlchemy==2.0.43
@@ -59,7 +58,6 @@ tomli==2.2.1
 typing-inspection==0.4.1
 typing_extensions==4.15.0
 tzdata==2025.2
-urllib3==2.5.0
 uvicorn==0.37.0
 uvloop==0.21.0
 vine==5.1.0
--- a/7project/charts/myapp-chart/templates/NOTES.txt
+++ b/7project/charts/myapp-chart/templates/NOTES.txt
@@ -0,0 +1,54 @@
+Thank you for installing myapp-chart.
+
+This chart packages all Kubernetes manifests from the original deployment directory and parameterizes environment, database name (with optional PR suffix), image, and domain for external access.
+
+Namespaces per developer (important):
+- Install each developer's environment into their own namespace using Helm's -n/--namespace flag.
+- No hardcoded namespace is used in templates; resources are created in .Release.Namespace.
+- Example namespaces: dev-alice, dev-bob, pr-123, etc.
+
+Key values:
+- deployment -> used as Database CR name and DB username (MARIADB_DB and MARIADB_USER)
+- image.repository/tag or image.digest -> container image
+- domain -> public FQDN used by TunnelBinding (required to expose app)
+- app/worker names, replicas, ports
+
+Examples:
+- Dev install (Alice):
+  helm upgrade --install myapp ./7project/charts/myapp-chart \
+    -n dev-alice --create-namespace \
+    -f values-dev.yaml \
+    --set domain=alice.demo.example.com \
+    --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
+    --set-string database.password="$DB_PASSWORD"
+
+- Dev install (Bob):
+  helm upgrade --install myapp ./7project/charts/myapp-chart \
+    -n dev-bob --create-namespace \
+    -f values-dev.yaml \
+    --set domain=bob.demo.example.com
+
+- Prod install (different cleanupPolicy):
+  helm upgrade --install myapp ./7project/charts/myapp-chart \
+    -n prod --create-namespace \
+    -f values-prod.yaml \
+    --set domain=app.example.com
+
+- PR (preview) install with DB name containing PR number (also its own namespace):
+  PR=123
+  helm upgrade --install myapp-pr-$PR ./7project/charts/myapp-chart \
+    -n pr-$PR --create-namespace \
+    -f values-dev.yaml \
+    --set prNumber=$PR \
+    --set deployment=preview-$PR \
+    --set domain=pr-$PR.example.com
+
+- Use a custom deployment identifier to suffix DB name, DB username and Secret name:
+  helm upgrade --install myapp ./7project/charts/myapp-chart \
+    -n dev-alice --create-namespace \
+    -f values-dev.yaml \
+    --set deployment=alice \
+    --set domain=alice.demo.example.com
+
+Render locally (dry run):
+  helm template ./7project/charts/myapp-chart -f values-dev.yaml --set prNumber=456 --set deployment=test --set domain=demo.example.com --namespace dev-test | sed -n '/kind: Database/,$p' | head -n 30
--- a/7project/charts/myapp-chart/templates/app-deployment.yaml
+++ b/7project/charts/myapp-chart/templates/app-deployment.yaml
@@ -20,7 +20,7 @@ spec:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
-              drop: [ "ALL" ]
+              drop: ["ALL"]
          ports:
            - containerPort: {{ .Values.app.port }}
          env:
@@ -29,27 +29,21 @@ spec:
            - name: MARIADB_PORT
              value: '3306'
            - name: MARIADB_DB
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MARIADB_DB
+              value: {{ required "Set .Values.deployment" .Values.deployment | quote }}
            - name: MARIADB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MARIADB_USER
+              value: {{ required "Set .Values.deployment" .Values.deployment | quote }}
            - name: MARIADB_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: prod
-                  key: MARIADB_PASSWORD
+                  name: {{ required "Set .Values.database.secretName" .Values.database.secretName }}
+                  key: password
            - name: RABBITMQ_USERNAME
              value: {{ .Values.rabbitmq.username | quote }}
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: prod
-                  key: RABBITMQ_PASSWORD
+                  name: {{ printf "%s-user-credentials" (.Values.rabbitmq.username | default "app-user") }}
+                  key: password
            - name: RABBITMQ_HOST
              value: {{ printf "%s.%s.svc.cluster.local" "rabbitmq-cluster" .Release.Namespace | quote }}
            - name: RABBITMQ_PORT
@@ -58,39 +52,6 @@ spec:
              value: {{ .Values.rabbitmq.vhost | default "/" | quote }}
            - name: MAIL_QUEUE
              value: {{ .Values.worker.mailQueueName | default "mail_queue" | quote }}
-            - name: MOJEID_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MOJEID_CLIENT_ID
-            - name: MOJEID_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MOJEID_CLIENT_SECRET
-            - name: BANKID_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: BANKID_CLIENT_ID
-            - name: BANKID_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: BANKID_CLIENT_SECRET
-            - name: DOMAIN
-              value: {{ required "Set .Values.domain" .Values.domain | quote }}
-            - name: DOMAIN_SCHEME
-              value: {{ required "Set .Values.domain_scheme" .Values.domain_scheme | quote }}
-            - name: FRONTEND_DOMAIN
-              value: {{ required "Set .Values.frontend_domain" .Values.frontend_domain | quote }}
-            - name: FRONTEND_DOMAIN_SCHEME
-              value: {{ required "Set .Values.frontend_domain_scheme" .Values.frontend_domain_scheme | quote }}
-            - name: SENTRY_DSN
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: SENTRY_DSN
          livenessProbe:
            httpGet:
              path: /
--- a/7project/charts/myapp-chart/templates/prod.yaml
+++ b/7project/charts/myapp-chart/templates/prod.yaml
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: prod
-type: Opaque
-stringData:
-  MOJEID_CLIENT_ID: {{ .Values.oauth.mojeid.clientId | quote }}
-  MOJEID_CLIENT_SECRET: {{ .Values.oauth.mojeid.clientSecret | quote }}
-  BANKID_CLIENT_ID: {{ .Values.oauth.bankid.clientId | quote }}
-  BANKID_CLIENT_SECRET: {{ .Values.oauth.bankid.clientSecret | quote }}
-  # Database credentials
-  MARIADB_DB: {{ required "Set .Values.deployment" .Values.deployment | quote }}
-  MARIADB_USER: {{ required "Set .Values.deployment" .Values.deployment | quote }}
-  MARIADB_PASSWORD: {{ .Values.database.password | default "" | quote }}
-  # RabbitMQ credentials
-  RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }}
-  RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }}
-  SENTRY_DSN: {{ .Values.sentry_dsn | quote }}
--- a/7project/charts/myapp-chart/templates/worker-deployment.yaml
+++ b/7project/charts/myapp-chart/templates/worker-deployment.yaml
@@ -31,32 +31,13 @@ spec:
            - --loglevel
            - INFO
          env:
-            - name: MARIADB_HOST
-              value: "mariadb-repl-maxscale-internal.mariadb-operator.svc.cluster.local"
-            - name: MARIADB_PORT
-              value: '3306'
-            - name: MARIADB_DB
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MARIADB_DB
-            - name: MARIADB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MARIADB_USER
-            - name: MARIADB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: MARIADB_PASSWORD
            - name: RABBITMQ_USERNAME
              value: {{ .Values.rabbitmq.username | quote }}
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: prod
-                  key: RABBITMQ_PASSWORD
+                  name: {{ printf "%s-user-credentials" (.Values.rabbitmq.username | default "app-user") }}
+                  key: password
            - name: RABBITMQ_HOST
              value: {{ printf "%s.%s.svc.cluster.local" "rabbitmq-cluster" .Release.Namespace | quote }}
            - name: RABBITMQ_PORT
@@ -65,8 +46,3 @@ spec:
              value: {{ .Values.rabbitmq.vhost | default "/" | quote }}
            - name: MAIL_QUEUE
              value: {{ .Values.worker.mailQueueName | default "mail_queue" | quote }}
-            - name: SENTRY_DSN
-              valueFrom:
-                secretKeyRef:
-                  name: prod
-                  key: SENTRY_DSN
--- a/7project/charts/myapp-chart/values.yaml
+++ b/7project/charts/myapp-chart/values.yaml
@@ -11,12 +11,6 @@ deployment: ""
 # Public domain to expose the app under (used by TunnelBinding fqdn)
 # Set at install time: --set domain=example.com
 domain: ""
-domain_scheme: ""
-
-frontend_domain: ""
-frontend_domain_scheme: ""
-
-sentry_dsn: ""

 image:
  repository: lukastrkan/cc-app-demo
@@ -39,14 +33,6 @@ worker:
 service:
  port: 80

-oauth:
-  bankid:
-    clientId: ""
-    clientSecret: ""
-  mojeid:
-    clientId: ""
-    clientSecret: ""
-
 rabbitmq:
  create: true
  replicas: 1
--- a/7project/deployment/app-demo-database-grant.yaml
+++ b/7project/deployment/app-demo-database-grant.yaml
@@ -0,0 +1,20 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: grant
+spec:
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+  privileges:
+    - "ALL PRIVILEGES"
+  database: "app-demo-database"
+  table: "*"
+  username: "app-demo-user"
+  grantOption: true
+  host: "%"
+  # Delete the resource in the database whenever the CR gets deleted.
+  # Alternatively, you can specify Skip in order to omit deletion.
+  cleanupPolicy: Skip
+  requeueInterval: 10h
+  retryInterval: 30s
--- a/7project/deployment/app-demo-database-secret.yaml
+++ b/7project/deployment/app-demo-database-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: app-demo-database-secret
+type: kubernetes.io/basic-auth
+stringData:
+  password: "strongpassword"
--- a/7project/deployment/app-demo-database-user.yaml
+++ b/7project/deployment/app-demo-database-user.yaml
@@ -0,0 +1,20 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: app-demo-user
+spec:
+  # If you want the user to be created with a different name than the resource name
+  # name: user-custom
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+  passwordSecretKeyRef:
+    name: app-demo-database-secret
+    key: password
+  maxUserConnections: 20
+  host: "%"
+  # Delete the resource in the database whenever the CR gets deleted.
+  # Alternatively, you can specify Skip in order to omit deletion.
+  cleanupPolicy: Skip
+  requeueInterval: 10h
+  retryInterval: 30s
--- a/7project/deployment/app-demo-database.yaml
+++ b/7project/deployment/app-demo-database.yaml
@@ -0,0 +1,15 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: app-demo-database
+spec:
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+  characterSet: utf8
+  collate: utf8_general_ci
+  # Delete the resource in the database whenever the CR gets deleted.
+  # Alternatively, you can specify Skip in order to omit deletion.
+  cleanupPolicy: Skip
+  requeueInterval: 10h
+  retryInterval: 30s
--- a/7project/deployment/app-demo-deployment.yaml
+++ b/7project/deployment/app-demo-deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-demo
+spec:
+  replicas: 3
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: app-demo
+  template:
+    metadata:
+      labels:
+        app: app-demo
+    spec:
+      containers:
+        - image: lukastrkan/cc-app-demo@sha256:75634b4d97282b6b8424fe17767c81adf44af5f7359c1d25883073b5629b3e05
+          name: app-demo
+          ports:
+            - containerPort: 8000
+          env:
+            - name: MARIADB_HOST
+              value: mariadb-repl.mariadb-operator.svc.cluster.local
+            - name: MARIADB_PORT
+              value: '3306'
+            - name: MARIADB_DB
+              value: app-demo-database
+            - name: MARIADB_USER
+              value: app-demo-user
+            - name: MARIADB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: app-demo-database-secret
+                  key: password
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3
--- a/7project/deployment/app-demo-svc.yaml
+++ b/7project/deployment/app-demo-svc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: app-demo
+spec:
+  ports:
+  - port: 80
+    targetPort: 8000
+  selector:
+    app: app-demo
--- a/7project/deployment/app-demo-worker-deployment.yaml
+++ b/7project/deployment/app-demo-worker-deployment.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-demo-worker
+spec:
+  replicas: 3
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: app-demo-worker
+  template:
+    metadata:
+      labels:
+        app: app-demo-worker
+    spec:
+      containers:
+        - image: lukastrkan/cc-app-demo@sha256:75634b4d97282b6b8424fe17767c81adf44af5f7359c1d25883073b5629b3e05
+          name: app-demo-worker
+          command:
+            - celery
+            - -A
+            - app.celery_app
+            - worker
+            - -Q
+            - $(MAIL_QUEUE)
+            - --loglevel
+            - INFO
+          env:
+            - name: RABBITMQ_USERNAME
+              value: demo-app
+            - name: RABBITMQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: demo-app-user-credentials
+                  key: password
+            - name: RABBITMQ_HOST
+              value: rabbitmq.rabbitmq.svc.cluster.local
+            - name: RABBITMQ_PORT
+              value: '5672'
+            - name: RABBITMQ_VHOST
+              value: "/"
--- a/7project/deployment/tunnel.yaml
+++ b/7project/deployment/tunnel.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.cfargotunnel.com/v1alpha1
+kind: TunnelBinding
+metadata:
+  name: guestbook-tunnel-binding
+  namespace: group-project
+subjects:
+  - name: app-server
+    spec:
+      target: http://app-demo.group-project.svc.cluster.local
+      fqdn: demo.ltrk.cz
+      noTlsVerify: true
+tunnelRef:
+  kind: ClusterTunnel
+  name: cluster-tunnel