Refactor docker-compose-ec2.ym l file with new vault agent containers

README.md

@@ -12,7 +12,7 @@ The **BYK-RAG Module** is part of the Burokratt ecosystem, designed to provide *
   - Models searchable via dropdown with cache-enabled indicators.
 
 - **Enhanced Security with RSA Encryption**  
-  - LLM credentials encrypted with RSA-2048 asymmetric encryption before storage.
+  - LLM credentials encrypted with RSA-2048 asymmetric encryption before storage.  
   - GUI encrypts using public key; CronManager decrypts with private key.  
   - Additional security layer beyond HashiCorp Vault's encryption.  
 

docker-compose-ec2.yml

@@ -128,7 +128,7 @@ services:
       - REACT_APP_RUUTER_API_URL=https://est-rag-rtc.rootcode.software/ruuter-public
       - REACT_APP_RUUTER_PRIVATE_API_URL=https://est-rag-rtc.rootcode.software/ruuter-private  
       - REACT_APP_CUSTOMER_SERVICE_LOGIN=https://est-rag-rtc.rootcode.software/authentication-layer/et/dev-auth
-      - REACT_APP_CSP=upgrade-insecure-requests; default-src 'self'; font-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; connect-src 'self' http://localhost:8086 http://localhost:8088 http://localhost:3004 http://localhost:3005 ws://localhost https://est-rag-rtc.rootcode.software;
+      - REACT_APP_CSP=upgrade-insecure-requests; default-src 'self'; font-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; connect-src 'self' http://localhost:8086 http://localhost:8088 http://localhost:3004 http://localhost:3005 ws://localhost https://vault-agent-gui:8202 https://est-rag-rtc.rootcode.software;
       - DEBUG_ENABLED=true
       - CHOKIDAR_USEPOLLING=true
       - PORT=3001
@@ -174,25 +174,25 @@ services:
   cron-manager:
     container_name: cron-manager
     image: cron-manager-python:latest
-    user: "root"
+    user: root
     volumes:
       - ./DSL/CronManager/DSL:/DSL
       - ./DSL/CronManager/script:/app/scripts
       - ./src/vector_indexer:/app/src/vector_indexer
+      - ./src/utils/decrypt_vault_secrets.py:/app/src/utils/decrypt_vault_secrets.py:ro  # Decryption utility (read-only)
       - cron_data:/app/data
       - shared-volume:/app/shared  # Access to shared resources for cross-container coordination
       - ./datasets:/app/datasets   # Direct access to datasets folder for diff identifier operations
       - ./grafana-configs/loki_logger.py:/app/src/vector_indexer/loki_logger.py
       - ./.env:/app/.env:ro
-      - vault-agent-token:/agent/out:ro  # Mount vault token for accessing vault secrets
     environment:
       - server.port=9010
       - PYTHONPATH=/app:/app/src/vector_indexer
-      - VAULT_ADDR=http://vault:8200
+      - VAULT_AGENT_URL=http://vault-agent-cron:8203
     ports:
       - 9010:8080
     depends_on:
-      - vault-agent-llm
+      - vault-agent-cron
     networks:
       - bykstack
 
@@ -496,10 +496,8 @@ services:
       - vault-data:/vault/file
       - ./vault/config:/vault/config:ro
       - ./vault/logs:/vault/logs
-    expose:
-      - "8200"
     networks:
-      - bykstack
+      - vault-network  # Only on vault-network for security
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "sh", "-c", "wget -q -O- http://127.0.0.1:8200/v1/sys/health || exit 0"]
@@ -520,14 +518,74 @@ services:
     volumes:
       - vault-data:/vault/data
       - vault-agent-creds:/agent/credentials
-      - vault-agent-token:/agent/out
+      - vault-agent-gui-token:/agent/gui-token
+      - vault-agent-cron-token:/agent/cron-token
+      - vault-agent-llm-token:/agent/llm-token
       - ./vault-init.sh:/vault-init.sh:ro
     networks:
-      - bykstack
+      - vault-network  # Access vault
+      - bykstack       # Access to write agent tokens
     entrypoint: ["/bin/sh"]
-    command: ["-c", "apk add --no-cache curl jq && chmod -R 755 /agent/credentials && chmod -R 770 /agent/out && chown -R vault:vault /agent/credentials /agent/out && su vault -s /bin/sh /vault-init.sh"]
+    command:
+      - -c
+      - |
+        apk add --no-cache curl jq uuidgen openssl
+        # Create and set permissions for all agent directories
+        mkdir -p /agent/credentials /agent/gui-token /agent/cron-token /agent/llm-token /agent/out
+        chown -R vault:vault /agent/credentials /agent/gui-token /agent/cron-token /agent/llm-token /agent/out
+        chmod 755 /agent/credentials /agent/gui-token /agent/cron-token /agent/llm-token /agent/out
+        # Run vault initialization as vault user
+        su vault -s /bin/sh /vault-init.sh
     restart: "no"
 
+  vault-agent-gui:
+    image: hashicorp/vault:1.20.3
+    container_name: vault-agent-gui
+    command: ["vault", "agent", "-config=/agent/config/gui-agent.hcl", "-log-level=info"]
+    depends_on:
+      vault-init:
+        condition: service_completed_successfully
+    cap_add:
+      - IPC_LOCK
+    volumes:
+      - ./vault/agents/gui/gui-agent.hcl:/agent/config/gui-agent.hcl:ro
+      - vault-agent-creds:/agent/credentials:ro
+      - vault-agent-gui-token:/agent/gui-token
+    networks:
+      - vault-network  # Access vault
+      - bykstack       # Accessible by GUI service
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "sh", "-c", "test -f /agent/gui-token/token && test -s /agent/gui-token/token"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
+  vault-agent-cron:
+    image: hashicorp/vault:1.20.3
+    container_name: vault-agent-cron
+    command: ["vault", "agent", "-config=/agent/config/cron-agent.hcl", "-log-level=info"]
+    depends_on:
+      vault-init:
+        condition: service_completed_successfully
+    cap_add:
+      - IPC_LOCK
+    volumes:
+      - ./vault/agents/cron/cron-agent.hcl:/agent/config/cron-agent.hcl:ro
+      - vault-agent-creds:/agent/credentials:ro
+      - vault-agent-cron-token:/agent/cron-token
+    networks:
+      - vault-network  # Access vault
+      - bykstack       # Accessible by CronManager service
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "sh", "-c", "test -f /agent/cron-token/token && test -s /agent/cron-token/token"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
   vault-agent-llm:
     image: hashicorp/vault:1.20.3
     container_name: vault-agent-llm
@@ -540,10 +598,17 @@ services:
     volumes:
       - ./vault/agents/llm/agent.hcl:/agent/config/agent.hcl:ro
       - vault-agent-creds:/agent/credentials:ro
-      - vault-agent-token:/agent/out
+      - vault-agent-llm-token:/agent/llm-token
     networks:
-      - bykstack
+      - vault-network  # Access vault
+      - bykstack       # Accessible by LLM service
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "sh", "-c", "test -f /agent/llm-token/token && test -s /agent/llm-token/token"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
 
   # LLM Orchestration Service
   llm-orchestration-service:
@@ -558,24 +623,22 @@ services:
       - .env
     environment:
       - ENVIRONMENT=production
-      - VAULT_ADDR=http://vault:8200
-      - VAULT_TOKEN=/agent/out/token
+      - VAULT_ADDR=http://vault-agent-llm:8201
+      # VAULT_TOKEN not set - vault-agent-llm proxy handles authentication
     volumes:
       - ./src/llm_config_module/config:/app/src/llm_config_module/config:ro
       - ./src/optimization/optimized_modules:/app/src/optimization/optimized_modules
       - llm_orchestration_logs:/app/logs
-      - vault-agent-token:/agent/out:ro
     networks:
       - bykstack
     depends_on:
-      - vault
       - vault-agent-llm
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://llm-orchestration-service:8100/health"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   start_period: 40s
-    #   retries: 3
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://llm-orchestration-service:8100/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 40s
+      retries: 3
 
 volumes:
   loki-data:
@@ -602,12 +665,20 @@ volumes:
     name: cron_data
   vault-agent-creds:
     name: vault-agent-creds
-  vault-agent-token:
-    name: vault-agent-token
+  vault-agent-gui-token:
+    name: vault-agent-gui-token
+  vault-agent-cron-token:
+    name: vault-agent-cron-token
+  vault-agent-llm-token:
+    name: vault-agent-llm-token
   opensearch-data:
     name: opensearch-data
 
 networks:
   bykstack:
     name: bykstack
     driver: bridge
+  vault-network:
+    name: vault-network
+    driver: bridge
+    internal: true  # No external access - isolated network