fix(infra): harden AI service — graceful shutdown, rate limiting, API key auth, pinned deps, Grafana secrets

- Add dumb-init + --timeout-graceful-shutdown 30 to AI service Dockerfile - Add slowapi rate limiting (configurable via AI_RATE_LIMIT) and X-API-Key auth middleware - Pin all Python dependencies to exact versions for reproducible builds - Move Grafana admin credentials from env vars to Docker secrets in production compose Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:13:29 +07:00
parent e89c8f5810
commit e60b95cdec
5 changed files with 69 additions and 22 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -18,6 +18,7 @@ services:
      MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
      MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
      AI_SERVICES_URL: http://ai-services:8000
+      AI_SERVICES_API_KEY: ${AI_API_KEY}
    depends_on:
      postgres:
        condition: service_healthy
@@ -136,6 +137,8 @@ services:
    environment:
      AI_DEBUG: 'false'
      AI_LOG_LEVEL: info
+      AI_API_KEY: ${AI_API_KEY}
+      AI_RATE_LIMIT: ${AI_RATE_LIMIT:-60/minute}
    healthcheck:
      test: ['CMD', 'python', '-c', 'import httpx; httpx.get("http://localhost:8000/health").raise_for_status()']
      interval: 30s
@@ -172,10 +175,13 @@ services:
    ports:
      - '${GRAFANA_PORT:-3002}:3000'
    environment:
-      GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER}
-      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD}
+      GF_SECURITY_ADMIN_USER__FILE: /run/secrets/grafana_admin_user
+      GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana_admin_password
      GF_USERS_ALLOW_SIGN_UP: 'false'
      GF_SERVER_ROOT_URL: ${GRAFANA_ROOT_URL:-http://localhost:3002}
+    secrets:
+      - grafana_admin_user
+      - grafana_admin_password
    volumes:
      - ./monitoring/grafana/provisioning:/etc/grafana/provisioning:ro
      - ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards:ro
@@ -206,6 +212,12 @@ volumes:
  grafana_data:
    driver: local

+secrets:
+  grafana_admin_user:
+    environment: GRAFANA_ADMIN_USER
+  grafana_admin_password:
+    environment: GRAFANA_ADMIN_PASSWORD
+
 networks:
  goodgo-net:
    driver: bridge