Add landscaping-assistant.app to Rails config.hosts and Keycloak redirect URIs #224

Closed
opened 2026-06-14 17:27:47 +00:00 by ldraney · 2 comments
Owner

Type

Feature

Lineage

Related to ldraney/pal-e-platform #435 (public domain ingress). Mirrors ldraney/palinks #51 for the landscaping-assistant domain.

Repo

ldraney/landscaping-assistant + ldraney/pal-e-services

User Story

As a user visiting landscaping-assistant.app
I want the app to accept requests and handle OAuth login on the public domain
So that I can access the app without using the Tailscale hostname

Context

Once DNS records point landscaping-assistant.app to the Hetzner edge proxy and Caddy is configured, Rails will reject requests from the new hostname unless config.hosts is updated. Additionally, Keycloak OAuth redirects will fail unless the client's redirect URI list includes the new domain. Unlike palinks, landscaping-assistant already has a Keycloak client, so the Keycloak scope is valid and required. This is a 2-repo ticket: Rails config changes in landscaping-assistant, Keycloak client config changes in pal-e-services.

File Targets

Files the agent should modify or create:

  • config/environments/production.rb (landscaping-assistant) -- add landscaping-assistant.app to config.hosts
  • terraform/k3s.tfvars (pal-e-services) -- add https://landscaping-assistant.app/* to the landscaping-assistant Keycloak client's valid_redirect_uris, post_logout_redirect_uris, and web_origins arrays

Files the agent should NOT touch:

  • config/environments/development.rb -- public domain is production-only
  • Other Keycloak clients in k3s.tfvars -- only modify the landscaping-assistant client

Feature Flag

none

Acceptance Criteria

  • Rails accepts requests with Host: landscaping-assistant.app in production
  • Keycloak login redirects correctly to https://landscaping-assistant.app/*
  • Keycloak logout redirects correctly to https://landscaping-assistant.app/*
  • Tailscale hostname access remains unaffected
  • tofu apply in pal-e-services completes without error after tfvars update

Test Expectations

  • Request spec: requests with Host: landscaping-assistant.app header return 200 (not 403)
  • OAuth login flow: Keycloak redirects to https://landscaping-assistant.app/... after authentication
  • OAuth logout flow: post-logout redirect lands on https://landscaping-assistant.app
  • Run command: bundle exec rspec spec/requests/ -t host_header or equivalent

Constraints

  • Keycloak client config is managed via Terraform in ldraney/pal-e-services (NOT pal-e-platform) -- changes go in terraform/k3s.tfvars
  • Follow the same pattern used in palinks #51 for config.hosts
  • Requires separate PRs: one in landscaping-assistant, one in pal-e-services

Checklist

  • PR opened (landscaping-assistant -- config.hosts)
  • PR opened (pal-e-services -- Keycloak tfvars)
  • tofu apply run in pal-e-services after tfvars merge
  • Tests pass
  • No unrelated changes

Related

  • ldraney/palinks #51 -- same pattern for palinks.app
  • ldraney/pal-e-platform #435 -- parent public domain ingress work
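
A pre-merge check for the two changes this ticket asks for, as an added example (not code from either repository): it models exact-match host allowlisting and lints the redirect URI patterns so the wildcard can only extend the path, never the hostname. The function names, the placeholder Tailscale hostname and the prefix-match model of a trailing `*` are assumptions made for the illustration.

```ruby
require "uri"

PUBLIC_HOST = "landscaping-assistant.app"
# Constructed sample; the Tailscale hostname is a placeholder, not the real one.
ALLOWED_HOSTS = ["landscaping-assistant.tailnet-placeholder.ts.net", PUBLIC_HOST].freeze

# Simplified model of host allowlisting (hypothetical helper, not Rails' code):
# a plain string matches one hostname exactly, a leading dot also admits subdomains.
def host_allowed?(host_header, allowed)
  host = host_header.to_s.downcase.sub(/:\d+\z/, "") # ignore an explicit port
  allowed.any? do |entry|
    e = entry.downcase
    e.start_with?(".") ? (host == e[1..] || host.end_with?(e)) : host == e
  end
end

# Lint one redirect URI pattern: https only, exact host, and a wildcard only
# as the final "/*" so it cannot widen the hostname.
def redirect_pattern_problems(pattern, expected_host: PUBLIC_HOST)
  problems = []
  base = pattern.sub(%r{/\*\z}, "/")
  problems << "wildcard outside trailing /*" if base.include?("*")
  begin
    uri = URI.parse(base.delete("*"))
  rescue URI::InvalidURIError
    return problems << "unparseable"
  end
  problems << "scheme is not https" unless uri.scheme == "https"
  problems << "host is not #{expected_host}" unless uri.host&.downcase == expected_host
  problems
end

# Assumed matching model: a trailing "*" makes the pattern a prefix match.
def pattern_admits?(pattern, url)
  pattern.end_with?("*") ? url.start_with?(pattern.chomp("*")) : url == pattern
end

if $PROGRAM_NAME == __FILE__
  # Constructed patterns: the one from the ticket and two mistakes to catch in review.
  ["https://#{PUBLIC_HOST}/*", "https://#{PUBLIC_HOST}*", "http://#{PUBLIC_HOST}/*"].each do |p|
    puts "#{p} => #{redirect_pattern_problems(p).inspect}"
  end
end
```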
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-1461-2026-06-14
Keycloak client config lives in pal-e-services, not pal-e-platform as stated. Repo and file targets need correction.

Issues found:

  • Constraints section incorrectly references pal-e-platform for Keycloak config — actual client redirect URIs are in pal-e-services/terraform/k3s.tfvars
  • Repo section lists only landscaping-assistant but the Keycloak changes require pal-e-services (second repo)
  • Missing File Target: pal-e-services/terraform/k3s.tfvars for redirect URI updates
  • Missing AC: Keycloak logout redirect verification (palinks#51 includes this)
  • Missing Checklist item: tofu apply in pal-e-services
  • Traceability: custom-domain story missing from project-landscaping-assistant user-stories table
  • Traceability: No arch-rails-app architecture note in pal-e-docs
Author
Owner

Scope Review: APPROVED

Review note: review-1461-2026-06-14-r2

Re-review after NEEDS_REFINEMENT (review-1461-2026-06-14). All 5 body-level fixes have been verified:

  • Keycloak repo reference corrected to pal-e-services
  • Repo section lists both repos (landscaping-assistant + pal-e-services)
  • File target added: terraform/k3s.tfvars (pal-e-services) with specific URIs
  • Logout redirect AC added
  • tofu apply checklist item added

File targets verified: config/environments/production.rb exists (config.hosts commented out, ready for update); k3s.tfvars gitignored but landscaping-assistant client block confirmed in example file with Tailscale-only URIs.

Two [SCOPE] items remain (missing custom-domain story on project page, missing arch-rails-app note) -- being addressed separately, not blocking.

Ticket is ready for implementation.
