MetaCell · filippomc · Feb 27, 2026 · Feb 28, 2026 · Feb 28, 2026 · Feb 28, 2026
diff --git a/.github/instructions/copilot-instructions.md b/.github/instructions/copilot-instructions.md
@@ -20,4 +20,10 @@ Verify which application/components is in scope and read specific prompt instruc
 
 Check best practices in every instruction file in scope and docs and apply them when writing code or performing code reviews.
 Use reference for any questions regarding project structure, development workflow, and best practices. 
-If you have any doubts about where to find information, ask for clarification before proceeding.
+If you have any doubts about where to find information, ask for clarification before proceeding.
+
+### Development principles
+- Follow the best practices and coding style guidelines outlined in the documentation and instruction files.
+- Configuration is set on values.yaml files and injected into the application via Helm templates and Kubernetes manifests. Do not hardcode configuration values directly into the application code or templates.
+- Structured configuration can be injected via resources, that are process by helm templates and loaded as ConfigMaps automatically. See for instance `applications/accounts/deploy/resources/realm.json`
+- The cloud harness configuration API is handled by the models library and defined as [openapi spec](../../libraries/models/api/openapi.yaml). Use `harness-generate models` to generate the models library after making changes to the spec.
diff --git a/applications/samples/api/openapi.yaml b/applications/samples/api/openapi.yaml
@@ -83,6 +83,22 @@ paths:
       description: |
         Check if the token is valid
       x-openapi-router-controller: samples.controllers.auth_controller
+  /db-connect-string:
+    get:
+      tags:
+        - database
+      summary: Get database connection string
+      operationId: get_db_connect_string
+      description: Returns the database connection string for the current application.
+      responses:
+        "200":
+          description: Database connection string returned successfully
+          content:
+            application/json:
+              schema:
+                type: string
+        "500":
+          description: Error retrieving database connection string
   /sampleresources:
     summary: Path used to manage the list of sampleresources.
     description: >-

diff --git a/applications/samples/backend/requirements.txt b/applications/samples/backend/requirements.txt
@@ -1,9 +1,13 @@
-connexion[swagger-ui,flask,uvicorn]>=3.0.0,<4.0.0
-swagger-ui-bundle>=1.1.0
-python_dateutil>=2.9.0
-setuptools>=21.0.0
-uvicorn
-# Following some unnecessary requirements to make sure they can be installed
-psycopg2-binary
-sqlalchemy<2.0.0
-scipy
+connexion[swagger-ui] >= 2.6.0; python_version>="3.6"
+# 2.3 is the last version that supports python 3.4-3.5
+connexion[swagger-ui] <= 2.3.0; python_version=="3.5" or python_version=="3.4"
+# prevent breaking dependencies from advent of connexion>=3.0
+connexion[swagger-ui] <= 2.14.2; python_version>"3.4"
+# connexion requires werkzeug but connexion < 2.4.0 does not install werkzeug
+# we must peg werkzeug versions below to fix connexion
+# https://github.com/zalando/connexion/pull/1044
+werkzeug == 0.16.1; python_version=="3.5" or python_version=="3.4"
+swagger-ui-bundle >= 0.0.2
+python_dateutil >= 2.6.0
+setuptools >= 21.0.0
+Flask == 2.1.1
diff --git a/applications/samples/backend/samples/controllers/database_controller.py b/applications/samples/backend/samples/controllers/database_controller.py
@@ -0,0 +1,20 @@
+import connexion
+from typing import Dict
+from typing import Tuple
+from typing import Union
+
+from samples.models.get_db_connect_string200_response import GetDbConnectString200Response  # noqa: E501
+from samples import util
+
+
+def get_db_connect_string():  # noqa: E501
+    """Get database connection string
+
+    Returns the database connection string for the current application. # noqa: E501
+
+
+    :rtype: Union[GetDbConnectString200Response, Tuple[GetDbConnectString200Response, int], Tuple[GetDbConnectString200Response, int, Dict[str, str]]
+    """
+    from cloudharness.applications import get_current_configuration
+    config = get_current_configuration()
+    return config.get_db_connection_string()
diff --git a/applications/samples/backend/samples/controllers/security_controller.py b/applications/samples/backend/samples/controllers/security_controller.py
@@ -0,0 +1,31 @@
+from typing import List
+
+
+def info_from_bearerAuth(token):
+    """
+    Check and retrieve authentication information from custom bearer token.
+    Returned value will be passed in 'token_info' parameter of your operation function, if there is one.
+    'sub' or 'uid' will be set in 'user' parameter of your operation function, if there is one.
+
+    :param token Token provided by Authorization header
+    :type token: str
+    :return: Decoded token information or None if token is invalid
+    :rtype: dict | None
+    """
+    return {'uid': 'user_id'}
+
+
+def info_from_cookieAuth(api_key, required_scopes):
+    """
+    Check and retrieve authentication information from api_key.
+    Returned value will be passed in 'token_info' parameter of your operation function, if there is one.
+    'sub' or 'uid' will be set in 'user' parameter of your operation function, if there is one.
+
+    :param api_key API key provided by Authorization header
+    :type api_key: str
+    :param required_scopes Always None. Used for other authentication method
+    :type required_scopes: None
+    :return: Information attached to provided api_key or None if api_key is invalid or does not allow access to called API
+    :rtype: dict | None
+    """
+    return {'uid': 'user_id'}
diff --git a/applications/samples/backend/samples/models/get_db_connect_string200_response.py b/applications/samples/backend/samples/models/get_db_connect_string200_response.py
@@ -0,0 +1,61 @@
+from datetime import date, datetime  # noqa: F401
+
+from typing import List, Dict  # noqa: F401
+
+from samples.models.base_model import Model
+from samples import util
+
+
+class GetDbConnectString200Response(Model):
+    """NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+
+    Do not edit the class manually.
+    """
+
+    def __init__(self, connect_string=None):  # noqa: E501
+        """GetDbConnectString200Response - a model defined in OpenAPI
+
+        :param connect_string: The connect_string of this GetDbConnectString200Response.  # noqa: E501
+        :type connect_string: str
+        """
+        self.openapi_types = {
+            'connect_string': str
+        }
+
+        self.attribute_map = {
+            'connect_string': 'connect_string'
+        }
+
+        self._connect_string = connect_string
+
+    @classmethod
+    def from_dict(cls, dikt) -> 'GetDbConnectString200Response':
+        """Returns the dict as a model
+
+        :param dikt: A dict.
+        :type: dict
+        :return: The get_db_connect_string_200_response of this GetDbConnectString200Response.  # noqa: E501
+        :rtype: GetDbConnectString200Response
+        """
+        return util.deserialize_model(dikt, cls)
+
+    @property
+    def connect_string(self) -> str:
+        """Gets the connect_string of this GetDbConnectString200Response.
+
+
+        :return: The connect_string of this GetDbConnectString200Response.
+        :rtype: str
+        """
+        return self._connect_string
+
+    @connect_string.setter
+    def connect_string(self, connect_string: str):
+        """Sets the connect_string of this GetDbConnectString200Response.
+
+
+        :param connect_string: The connect_string of this GetDbConnectString200Response.
+        :type connect_string: str
+        """
+
+        self._connect_string = connect_string
diff --git a/applications/samples/backend/samples/openapi/openapi.yaml b/applications/samples/backend/samples/openapi/openapi.yaml
@@ -15,6 +15,23 @@ tags:
 - description: ""
   name: resource
 paths:
+  /db-connect-string:
+    get:
+      description: Returns the database connection string for the current application.
+      operationId: get_db_connect_string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: Database connection string returned successfully
+        "500":
+          description: Error retrieving database connection string
+      summary: Get database connection string
+      tags:
+      - database
+      x-openapi-router-controller: samples.controllers.database_controller
   /error:
     get:
       operationId: error
@@ -336,4 +353,4 @@ components:
       in: cookie
       name: kc-access
       type: apiKey
-      x-apikeyInfoFunc: samples.controllers.security_controller_.info_from_cookieAuth
+      x-apikeyInfoFunc: cloudharness.auth.decode_token
diff --git a/applications/samples/deploy/values.yaml b/applications/samples/deploy/values.yaml
@@ -17,7 +17,10 @@ harness:
       size: 10Mi
       usenfs: false
     auto: true
-    port: 8080
+    port: 8080 
+  gateway:
+    path: /
+    pathType: Prefix
   proxy:
     gatekeeper:
       replicas: 1
@@ -96,4 +99,7 @@ harness:
 
   dockerfile:
     buildArgs:
-      TEST_ARGUMENT: example value
+      TEST_ARGUMENT: example value
+  database:
+    type: postgres
+    connect_string: "test connection string"
diff --git a/deployment-configuration/compose/templates/auto-gatekeepers.yaml b/deployment-configuration/compose/templates/auto-gatekeepers.yaml
@@ -6,7 +6,7 @@
   networks:
   - ch
   restart: always
-  image: quay.io/gogatekeeper/gatekeeper:2.14.3
+  image: quay.io/gogatekeeper/gatekeeper:4.6.0
   expose:
     - '8080'
     - '8443'

diff --git a/deployment-configuration/helm/templates/auto-deployments.yaml b/deployment-configuration/helm/templates/auto-deployments.yaml
@@ -140,6 +140,13 @@ spec:
             mountPath: "/opt/cloudharness/resources/secrets/{{ .app.harness.name }}"
             readOnly: true
           {{- end }}
+          {{- if kindIs "map" .app.harness.database }}
+            {{- if and (hasKey .app.harness.database "connect_string") .app.harness.database.connect_string }}
+          - name: db-external
+            mountPath: "/opt/cloudharness/resources/db"
+            readOnly: true
+            {{- end }}
+          {{- end }}
       volumes:
         - name: cloudharness-allvalues
           configMap:
@@ -169,6 +176,13 @@ spec:
           secret:
             secretName: {{ .app.harness.deployment.name }}
         {{- end }}
+        {{- if kindIs "map" .app.harness.database }}
+          {{- if and (hasKey .app.harness.database "connect_string") .app.harness.database.connect_string }}
+        - name: db-external
+          secret:
+            secretName: {{ printf "%s-db" .app.harness.deployment.name }}
+          {{- end }}
+        {{- end }}
 ---
 {{- end }}
 

diff --git a/deployment-configuration/helm/templates/auto-gatekeepers.yaml b/deployment-configuration/helm/templates/auto-gatekeepers.yaml
@@ -27,6 +27,7 @@ data:
     forbidden-page: /templates/access-denied.html.tmpl
     enable-default-deny: {{ $noWildcards }}
     listen: 0.0.0.0:8080
+    enable-encrypted-token: false
     enable-refresh-tokens: true
     server-write-timeout: {{ .app.harness.proxy.timeout.send | default .root.Values.proxy.timeout.send | default 180 }}s
     upstream-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
@@ -38,7 +39,6 @@ data:
     tls-cert:
     tls-private-key:
     redirection-url: {{ ternary "https" "http" $tls }}://{{ .subdomain }}.{{ .root.Values.domain }}
-    encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
     upstream-url: http://{{ .app.harness.service.name }}.{{ .app.namespace | default .root.Release.Namespace }}:{{ .app.harness.service.port | default 80}}
     {{ if .app.harness.secured }}
       {{ with .app.harness.uri_role_mapping }}
@@ -100,6 +100,34 @@ data:
     </body>
     </html>
 ---
+{{- $gkSecretName := printf "%s-gk" .subdomain }}
+{{- $existingGkSecret := (lookup "v1" "Secret" .root.Values.namespace $gkSecretName) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $gkSecretName }}
+  namespace: {{ .root.Values.namespace }}
+  labels:
+    app: {{ $gkSecretName }}
+type: Opaque
+stringData:
+  updated: {{ now | quote }}
+  {{- if .root.Values.proxy.gatekeeper.secret }}
+  encryption-key: {{ .root.Values.proxy.gatekeeper.secret | quote }}
+  {{- else }}
+    {{- $hasExisting := false }}
+    {{- if $existingGkSecret }}
+      {{- if eq (typeOf $existingGkSecret.data) (typeOf dict) }}
+        {{- if hasKey $existingGkSecret.data "encryption-key" }}
+          {{- $hasExisting = true }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if not $hasExisting }}
+  encryption-key: {{ randAlphaNum 32 | quote }}
+    {{- end }}
+  {{- end }}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -135,7 +163,7 @@ spec:
 {{ include "deploy_utils.etcHosts" .root | indent 6 }}
       containers:
       - name: {{ .app.harness.service.name | quote }}
-        image: {{ .app.harness.proxy.gatekeeper.image | default .root.Values.proxy.gatekeeper.image | default "quay.io/gogatekeeper/gatekeeper:2.14.3" }}
+        image: {{ .app.harness.proxy.gatekeeper.image | default .root.Values.proxy.gatekeeper.image | default "quay.io/gogatekeeper/gatekeeper:4.6.0" }}
         imagePullPolicy: IfNotPresent
         {{ if .root.Values.local }}
         securityContext:
@@ -147,6 +175,11 @@ spec:
           value: /opt/proxy.yml
         - name: PROXY_ENABLE_METRICS
           value: "true"
+        - name: PROXY_ENCRYPTION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .subdomain }}-gk"
+              key: encryption-key
         volumeMounts:
         - name: "{{ .subdomain  }}-gk-proxy-config"
           mountPath: /opt/proxy.yml

diff --git a/deployment-configuration/helm/templates/auto-secrets.yaml b/deployment-configuration/helm/templates/auto-secrets.yaml
@@ -57,4 +57,25 @@ stringData:
     {{- end }}{{- end }}{{- end }}
   {{- end }}
   {{- end }}
+{{- end }}
+{{- define "deploy_utils.db_secret" }}
+{{- $secret_name := printf "%s-db" .app.harness.deployment.name }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secret_name }}
+  namespace: {{ .root.Values.namespace }}
+  labels:
+    app: {{ .app.harness.deployment.name }}
+type: Opaque
+stringData:
+  connect_string: {{ .app.harness.database.connect_string | quote }}
+---
+{{- end }}
+{{- range $app := .Values.apps }}
+  {{- if kindIs "map" $app.harness.database }}
+    {{- if and (hasKey $app.harness.database "connect_string") $app.harness.database.connect_string }}
+  {{- include "deploy_utils.db_secret" (dict "root" $ "app" $app) }}
+    {{- end }}
+  {{- end }}
 {{- end }}
diff --git a/deployment-configuration/helm/templates/certs/letsencrypt.yaml b/deployment-configuration/helm/templates/certs/letsencrypt.yaml
@@ -12,5 +12,5 @@ spec:
     solvers:
     - http01:
         ingress:
-          class: nginx
+          class: {{ .Values.ingress.ingressClass }}
 {{ end }}
diff --git a/deployment-configuration/helm/templates/configmap.yaml b/deployment-configuration/helm/templates/configmap.yaml
@@ -20,5 +20,8 @@ data:
 {{- range $key, $val := .Values.apps }}
   {{- $app := get $values_copy.apps $key }}
   {{- $tmp := set $app.harness "secrets" dict }}
+  {{- if kindIs "map" $app.harness.database }}
+    {{- $tmp := unset $app.harness.database "connect_string" }}
+  {{- end }}
 {{- end }}
 {{ $values_copy | toYaml | indent 4 }}