Traefik forwards /api/auth/login to the backend verbatim, causing 404.
Nginx already strips the /api prefix correctly via proxy_pass with trailing
slash. Routing everything through frontend/nginx avoids the double-routing
and the need for a StripPrefix middleware.
Dockerfiles use COPY requirements.txt . and COPY package*.json ./ which
expect the build context to be their own subdirectory, not the repo root.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix trigger/env path: Helm/ -> helm/ (was wrong case)
- Add image_yq_path and dockerfile to matrix so each container uses its
own values.yaml key and Dockerfile path
- Fix yq paths: .django.image.* -> .frontend.image/.backend.image for
repo, .containers.version for tag (single source of truth)
- Add file: param to docker/build-push-action (Dockerfiles are in
frontend/ and backend/, not repo root)
- values.yaml: add registry prefix to image fields so k8s pulls from
git.baumann.gr; quote containers.version; drop per-component tag
fields (containers.version is now the single tag source)
- Deployment templates: use .containers.version for image tag
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove the secrets: block from values.yaml so no plaintext credentials
live in the chart or git history. Update values-prod.yaml to replace the
--set secrets.* instructions with a pointer to the create-secrets.sh script.
passlib 1.7.4 (unmaintained since 2020) is incompatible with bcrypt>=4.0:
- bcrypt 4.x removed bcrypt.__about__ (passlib version probe fails)
- bcrypt 4.x enforces 72-byte password limit strictly, crashing
passlib's detect_wrap_bug() compatibility test during context init
Pinning bcrypt<4.0.0 is the standard workaround until passlib is replaced.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When the alembic console-script entry point runs, Python sets sys.path[0]
to the entry point directory (/usr/local/bin/), not the WORKDIR. Without
PYTHONPATH=/app, `from app.models import Base` in alembic/env.py fails
with ModuleNotFoundError. uvicorn is unaffected as it adds CWD to
sys.path itself.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Named interfaces without index signatures cannot be directly cast to
Record<string, unknown>. Use `as unknown as` double-cast to satisfy
TypeScript strict mode for the AnyEntity[] and Dispatch casts in
ConfigDetail.tsx, and the Config -> Record<string, unknown> cast in
ConfigList.tsx.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
