MetaCell · filippomc · Mar 19, 2026 · Feb 27, 2026 · Feb 28, 2026 · Feb 28, 2026
diff --git a/.github/instructions/copilot-instructions.md b/.github/instructions/copilot-instructions.md
@@ -20,4 +20,10 @@ Verify which application/components is in scope and read specific prompt instruc
 
 Check best practices in every instruction file in scope and docs and apply them when writing code or performing code reviews.
 Use reference for any questions regarding project structure, development workflow, and best practices. 
-If you have any doubts about where to find information, ask for clarification before proceeding.
+If you have any doubts about where to find information, ask for clarification before proceeding.
+
+### Development principles
+- Follow the best practices and coding style guidelines outlined in the documentation and instruction files.
+- Configuration is set on values.yaml files and injected into the application via Helm templates and Kubernetes manifests. Do not hardcode configuration values directly into the application code or templates.
+- Structured configuration can be injected via resources, that are process by helm templates and loaded as ConfigMaps automatically. See for instance `applications/accounts/deploy/resources/realm.json`
+- The cloud harness configuration API is handled by the models library and defined as [openapi spec](../../libraries/models/api/openapi.yaml). Use `harness-generate models` to generate the models library after making changes to the spec.
diff --git a/.github/instructions/tools.instructions.md b/.github/instructions/tools.instructions.md
@@ -49,6 +49,7 @@ Take the following best practices into account when writing code for the project
 - Handle exceptions only at the higher level; let lower layers raise. NEVER catch exceptions in helpers or services unless you are adding context and re-raising.
 - Cover critical logic with unit tests, especially in helpers and services. Use mocks to isolate units under test.
 - Prefer models classes for helpers and services to ensure data validation and clear interfaces. Use typed dicts for structured data that isn't covered by Schema classes. Use plain dicts only to represent real unstructured data. Avoid returning tuples.
+- Bubble up exceptions to the highest level possible, where they can be handled. Avoid return values to reflect success or failure. Embed library exceptions and untyped exceptions in custom exceptions with clear meaning and context. This allows for better error handling and debugging.
 
 
 ## Important Constraints

diff --git a/applications/accounts/deploy/resources/realm.json b/applications/accounts/deploy/resources/realm.json
@@ -12,6 +12,7 @@
         "rememberMe": true,
         "verifyEmail": false,
         "loginWithEmailAllowed": true,
+        "organizationsEnabled": {{ .Values.apps.accounts.realm.organizationsEnabled | default false }},
         "duplicateEmailsAllowed": false,
         "resetPasswordAllowed": true,
         "editUsernameAllowed": {{ .Values.apps.accounts.editUsernameAllowed }},

diff --git a/applications/accounts/deploy/values.yaml b/applications/accounts/deploy/values.yaml
@@ -7,44 +7,29 @@ harness:
     port: 8080
     resources:
       requests:
-        memory: "512Mi"
+        memory: "800Mi"
         cpu: "10m"
       limits:
-        memory: "1024Mi"
+        memory: "1Gi"
   service:
     auto: true
     port: 8080
-  env:
-    - name: KC_BOOTSTRAP_ADMIN_USERNAME
-      value: "admin"
-    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
-      value: "metacell"
-    - name: KC_PROXY_HEADERS
-      value: xforwarded
-    - name: KC_DB
-      value: "postgres"
-    - name: KC_DB_URL_HOST
-      value: "keycloak-postgres"
-    - name: KC_DB_URL_DATABASE
-      value: "auth_db"
-    - name: KC_DB_USERNAME
-      value: "user"
-    - name: KC_DB_PASSWORD
-      value: "password"
-    - name: KC_HTTP_ENABLED
-      value: "true"
-    - name: KC_PROXY
-      value: "edge"
-    - name: KC_HOSTNAME_STRICT
-      value: "false"
-    - name: KC_HOSTNAME_STRICT_HTTPS
-      value: "false"
-    - name: KC_HEALTH_ENABLED
-      value: "true"
-    - name: KC_METRICS_ENABLED
-      value: "true"
-    - name: JAVA_OPTS
-      value: -server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
+  envmap:
+    KC_BOOTSTRAP_ADMIN_USERNAME: "admin"
+    KC_BOOTSTRAP_ADMIN_PASSWORD: "metacell"
+    KC_PROXY_HEADERS: xforwarded
+    KC_DB: "postgres"
+    KC_DB_URL_HOST: "keycloak-postgres"
+    KC_DB_URL_DATABASE: "auth_db"
+    KC_DB_USERNAME: "user"
+    KC_DB_PASSWORD: "password"
+    KC_HTTP_ENABLED: "true"
+    KC_PROXY: "edge"
+    KC_HOSTNAME_STRICT: "false"
+    KC_HOSTNAME_STRICT_HTTPS: "false"
+    KC_HEALTH_ENABLED: "true"
+    KC_METRICS_ENABLED: "true"
+    JAVA_OPTS: "-server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED"
   database:
     auto: true
     name: keycloak-postgres
@@ -87,10 +72,12 @@ admin:
 editUsernameAllowed: true
 useEvents: true
 identityProviders:
-- github
-- google
+  - github
+  - google
 theme:
   login: "keycloak"
   account: "keycloak"
   admin: "keycloak"
   email: "keycloak"
+realm:
+  organizationsEnabled: false
diff --git a/applications/samples/api/openapi.yaml b/applications/samples/api/openapi.yaml
@@ -83,6 +83,22 @@ paths:
       description: |
         Check if the token is valid
       x-openapi-router-controller: samples.controllers.auth_controller
+  /db-connect-string:
+    get:
+      tags:
+        - database
+      summary: Get database connection string
+      operationId: get_db_connect_string
+      description: Returns the database connection string for the current application.
+      responses:
+        "200":
+          description: Database connection string returned successfully
+          content:
+            application/json:
+              schema:
+                type: string
+        "500":
+          description: Error retrieving database connection string
   /sampleresources:
     summary: Path used to manage the list of sampleresources.
     description: >-

diff --git a/applications/samples/backend/requirements.txt b/applications/samples/backend/requirements.txt
@@ -1,9 +1,13 @@
-connexion[swagger-ui,flask,uvicorn]>=3.0.0,<4.0.0
-swagger-ui-bundle>=1.1.0
-python_dateutil>=2.9.0
-setuptools>=21.0.0
-uvicorn
-# Following some unnecessary requirements to make sure they can be installed
-psycopg2-binary
-sqlalchemy<2.0.0
-scipy
+connexion[swagger-ui] >= 2.6.0; python_version>="3.6"
+# 2.3 is the last version that supports python 3.4-3.5
+connexion[swagger-ui] <= 2.3.0; python_version=="3.5" or python_version=="3.4"
+# prevent breaking dependencies from advent of connexion>=3.0
+connexion[swagger-ui] <= 2.14.2; python_version>"3.4"
+# connexion requires werkzeug but connexion < 2.4.0 does not install werkzeug
+# we must peg werkzeug versions below to fix connexion
+# https://github.com/zalando/connexion/pull/1044
+werkzeug == 0.16.1; python_version=="3.5" or python_version=="3.4"
+swagger-ui-bundle >= 0.0.2
+python_dateutil >= 2.6.0
+setuptools >= 21.0.0
+Flask == 2.1.1
diff --git a/applications/samples/backend/samples/controllers/database_controller.py b/applications/samples/backend/samples/controllers/database_controller.py
@@ -0,0 +1,20 @@
+import connexion
+from typing import Dict
+from typing import Tuple
+from typing import Union
+
+from samples.models.get_db_connect_string200_response import GetDbConnectString200Response  # noqa: E501
+from samples import util
+
+
+def get_db_connect_string():  # noqa: E501
+    """Get database connection string
+
+    Returns the database connection string for the current application. # noqa: E501
+
+
+    :rtype: Union[GetDbConnectString200Response, Tuple[GetDbConnectString200Response, int], Tuple[GetDbConnectString200Response, int, Dict[str, str]]
+    """
+    from cloudharness.applications import get_current_configuration
+    config = get_current_configuration()
+    return config.get_db_connection_string()
diff --git a/applications/samples/backend/samples/controllers/security_controller.py b/applications/samples/backend/samples/controllers/security_controller.py
@@ -0,0 +1,31 @@
+from typing import List
+
+
+def info_from_bearerAuth(token):
+    """
+    Check and retrieve authentication information from custom bearer token.
+    Returned value will be passed in 'token_info' parameter of your operation function, if there is one.
+    'sub' or 'uid' will be set in 'user' parameter of your operation function, if there is one.
+
+    :param token Token provided by Authorization header
+    :type token: str
+    :return: Decoded token information or None if token is invalid
+    :rtype: dict | None
+    """
+    return {'uid': 'user_id'}
+
+
+def info_from_cookieAuth(api_key, required_scopes):
+    """
+    Check and retrieve authentication information from api_key.
+    Returned value will be passed in 'token_info' parameter of your operation function, if there is one.
+    'sub' or 'uid' will be set in 'user' parameter of your operation function, if there is one.
+
+    :param api_key API key provided by Authorization header
+    :type api_key: str
+    :param required_scopes Always None. Used for other authentication method
+    :type required_scopes: None
+    :return: Information attached to provided api_key or None if api_key is invalid or does not allow access to called API
+    :rtype: dict | None
+    """
+    return {'uid': 'user_id'}
diff --git a/applications/samples/backend/samples/models/get_db_connect_string200_response.py b/applications/samples/backend/samples/models/get_db_connect_string200_response.py
@@ -0,0 +1,61 @@
+from datetime import date, datetime  # noqa: F401
+
+from typing import List, Dict  # noqa: F401
+
+from samples.models.base_model import Model
+from samples import util
+
+
+class GetDbConnectString200Response(Model):
+    """NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+
+    Do not edit the class manually.
+    """
+
+    def __init__(self, connect_string=None):  # noqa: E501
+        """GetDbConnectString200Response - a model defined in OpenAPI
+
+        :param connect_string: The connect_string of this GetDbConnectString200Response.  # noqa: E501
+        :type connect_string: str
+        """
+        self.openapi_types = {
+            'connect_string': str
+        }
+
+        self.attribute_map = {
+            'connect_string': 'connect_string'
+        }
+
+        self._connect_string = connect_string
+
+    @classmethod
+    def from_dict(cls, dikt) -> 'GetDbConnectString200Response':
+        """Returns the dict as a model
+
+        :param dikt: A dict.
+        :type: dict
+        :return: The get_db_connect_string_200_response of this GetDbConnectString200Response.  # noqa: E501
+        :rtype: GetDbConnectString200Response
+        """
+        return util.deserialize_model(dikt, cls)
+
+    @property
+    def connect_string(self) -> str:
+        """Gets the connect_string of this GetDbConnectString200Response.
+
+
+        :return: The connect_string of this GetDbConnectString200Response.
+        :rtype: str
+        """
+        return self._connect_string
+
+    @connect_string.setter
+    def connect_string(self, connect_string: str):
+        """Sets the connect_string of this GetDbConnectString200Response.
+
+
+        :param connect_string: The connect_string of this GetDbConnectString200Response.
+        :type connect_string: str
+        """
+
+        self._connect_string = connect_string
diff --git a/applications/samples/backend/samples/openapi/openapi.yaml b/applications/samples/backend/samples/openapi/openapi.yaml
@@ -15,6 +15,23 @@ tags:
 - description: ""
   name: resource
 paths:
+  /db-connect-string:
+    get:
+      description: Returns the database connection string for the current application.
+      operationId: get_db_connect_string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: Database connection string returned successfully
+        "500":
+          description: Error retrieving database connection string
+      summary: Get database connection string
+      tags:
+      - database
+      x-openapi-router-controller: samples.controllers.database_controller
   /error:
     get:
       operationId: error
@@ -336,4 +353,4 @@ components:
       in: cookie
       name: kc-access
       type: apiKey
-      x-apikeyInfoFunc: samples.controllers.security_controller_.info_from_cookieAuth
+      x-apikeyInfoFunc: cloudharness.auth.decode_token
diff --git a/applications/samples/deploy/values.yaml b/applications/samples/deploy/values.yaml
@@ -17,7 +17,10 @@ harness:
       size: 10Mi
       usenfs: false
     auto: true
-    port: 8080
+    port: 8080 
+  gateway:
+    path: /
+    pathType: Prefix
   proxy:
     gatekeeper:
       replicas: 1
@@ -96,4 +99,7 @@ harness:
 
   dockerfile:
     buildArgs:
-      TEST_ARGUMENT: example value
+      TEST_ARGUMENT: example value
+  database:
+    type: postgres
+    connect_string: "test connection string"
diff --git a/applications/samples/test.Dockerfile b/applications/samples/test.Dockerfile
@@ -0,0 +1,35 @@
+ARG CLOUDHARNESS_FRONTEND_BUILD
+ARG CLOUDHARNESS_FLASK
+
+FROM $CLOUDHARNESS_FRONTEND_BUILD as frontend
+
+ARG TEST_ARGUMENT=default
+RUN echo $TEST_ARGUMENT
+
+ENV APP_DIR=/app
+
+WORKDIR ${APP_DIR}
+COPY frontend/package.json ${APP_DIR}
+COPY frontend/yarn.lock ${APP_DIR}
+RUN yarn install --frozen-lockfile --timeout 60000
+
+COPY frontend ${APP_DIR}
+RUN yarn build
+
+#####
+FROM $CLOUDHARNESS_FLASK
+ENV MODULE_NAME=samples
+
+ENV WORKERS=2
+ENV PORT=8080
+
+COPY backend/requirements.txt /usr/src/app/
+
+RUN --mount=type=cache,target=/root/.cache python -m pip install --upgrade pip &&\
+    pip3 install -r requirements.txt  --prefer-binary
+
+COPY backend/ /usr/src/app
+
+COPY --from=frontend app/dist/ /usr/src/app/www
+
+RUN pip3 install -e .
diff --git a/deployment-configuration/compose/templates/auto-gatekeepers.yaml b/deployment-configuration/compose/templates/auto-gatekeepers.yaml
@@ -6,7 +6,7 @@
   networks:
   - ch
   restart: always
-  image: quay.io/gogatekeeper/gatekeeper:2.14.3
+  image: quay.io/gogatekeeper/gatekeeper:4.6.0
   expose:
     - '8080'
     - '8443'

diff --git a/deployment-configuration/helm/templates/auto-database-postgres.yaml b/deployment-configuration/helm/templates/auto-database-postgres.yaml
@@ -13,4 +13,26 @@
             value: {{ .app.harness.database.pass | quote }}
           - name: PGDATA
             value: /data/db/pgdata
+        livenessProbe:
+          exec:
+            command:
+              - pg_isready
+              - -U
+              - {{ .app.harness.database.user | quote }}
+              - -d
+              - {{ .app.harness.database.postgres.initialdb | quote }}
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 6
+        readinessProbe:
+          exec:
+            command:
+              - pg_isready
+              - -U
+              - {{ .app.harness.database.user | quote }}
+              - -d
+              - {{ .app.harness.database.postgres.initialdb | quote }}
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+          failureThreshold: 6
 {{- end }}