
M8F-132 - Bugfix - Backend container issue on start up #71

Merged
andrepestana-aot merged 3 commits into AOT-Technologies:main from
andrepestana-aot:bugfix/M8F-132-backend-container-issue-on-start-up
Mar 11, 2026

@andrepestana-aot
Collaborator

JIRA Ticket

https://aottech.atlassian.net/browse/M8F-132

Description

This PR fixes tenant-aware login and stabilizes Docker runtime configuration for the backend, Celery worker, and Flower.

It also makes tenant realm creation in Keycloak use runtime backend/frontend URLs instead of placeholder-only defaults, and adds test coverage for that behavior.

Bugs Fixed

  • Fixed Celery worker startup so worker/flower do not run API-only database migration behavior on startup.
  • Fixed backend/worker/flower role drift in Docker where services could inherit incorrect runtime flags from .env.
  • Fixed tenant realm login failures in Keycloak caused by newly created realms keeping placeholder or incomplete client redirect/logout URLs.
  • Fixed the tenant selection page so selecting a tenant actually starts the tenant-aware login flow instead of stopping after tenant verification.
  • Fixed backend startup so uvicorn does not reload .env a second time and override container-provided environment values.

What Changed

  • Made Docker Compose service-specific environment settings explicit for:
    • m8flow-celery-worker
    • m8flow-celery-flower
  • Updated tenant realm template filling in keycloak_service.py to inject runtime backend/frontend redirect URIs, post-logout URIs, and web origins for generated clients.
  • Added unit tests covering runtime URL injection for backend and frontend Keycloak clients.
  • Updated TenantSelectPage.tsx to redirect directly into /login?tenant=...&authentication_identifier=... after tenant validation.
  • Updated worker startup scripts to force worker-safe flags for scheduler and migrations.
  • Removed the extra uvicorn --env-file usage from backend launch scripts.
  • Updated sample configuration defaults/comments to reflect the intended backend vs worker behavior.

Type

  • Feature
  • Bug fix
  • Documentation
  • Other

Changes

  • Backend
  • Frontend
  • Documentation

Testing

  • Recreation of all Docker containers and volumes (WARNING: DESTRUCTIVE):
    • Remove all containers and volumes for m8flow: docker compose -f docker/m8flow-docker-compose.yml down --volumes --remove-orphans --rmi local
    • Copy sample.env to .env and replace all <LOCAL_IP> with your local IP. Turn multi-tenant on: MULTI_TENANT_ON=true
    • Build (no cache): docker compose -f docker/m8flow-docker-compose.yml build --no-cache
    • Put all containers up: docker compose -f docker/m8flow-docker-compose.yml up -d
    • Create a tenant and set a user's password.
    • Log into the tenant with the selected user.
    • Create a process model and verify it's working with no errors.
  • Added unit coverage for Keycloak tenant client URL injection.

Related Issues

Closes #

@andrepestana-aot andrepestana-aot self-assigned this Mar 11, 2026
@andrepestana-aot andrepestana-aot changed the title bug fixes M8F-132 - Bugfix - Backend container issue on start up Mar 11, 2026
@andrepestana-aot andrepestana-aot marked this pull request as ready for review March 11, 2026 02:17

python -m uvicorn extensions.app:app \
--host 0.0.0.0 --port 8000 \
--env-file "$repo_root/.env" \
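Review bot: `--host 0.0.0.0` on the second line binds the server to every interface, which a container needs but which also exposes the API to the local network when this script is run directly on a workstation. Consider reading the host from an environment variable with 127.0.0.1 as the default outside Docker, so that only the compose service opts into 0.0.0.0.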
Collaborator

Just verifying whether removing this could result in local runs silently missing the configuration?

Collaborator Author

--env-file "$repo_root/.env" made uvicorn load .env again after the wrapper script had already loaded it.

In the current launcher, .env is read manually in extensions/m8flow-backend/bin/run_m8flow_backend.sh:11, and it only exports a key if that key is not already set in the environment at extensions/m8flow-backend/bin/run_m8flow_backend.sh:32.

When uvicorn also got --env-file, it did a second .env load inside the server startup path. That bypassed the script’s “only if unset” rule, so values from .env could overwrite values already provided by Docker or the parent shell.
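
The "only if unset" rule from the reply above, as an added sketch in POSIX shell; it is not the project's run_m8flow_backend.sh, and `load_env`, the `DEMO_*` keys and their values are hypothetical. The `override` mode shows what an unconditional second load of the same file does to values the container already supplied.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the project's launcher script.
# load_env FILE [MODE]
#   MODE=if-unset (default): values already in the environment win.
#   MODE=override: the file wins, as with an unconditional second load.
load_env() {
  _le_file="$1"; _le_mode="${2:-if-unset}"; _le_cr=$(printf '\r')
  [ -f "$_le_file" ] || return 0
  while IFS= read -r _le_line || [ -n "$_le_line" ]; do
    _le_line="${_le_line%"$_le_cr"}"                  # tolerate CRLF files
    case "$_le_line" in ''|'#'*) continue ;; esac     # blanks and comments
    case "$_le_line" in *=*) ;; *) continue ;; esac   # not KEY=VALUE
    _le_key="${_le_line%%=*}"; _le_val="${_le_line#*=}"
    # Accept only plain identifiers; this also keeps the eval below safe.
    case "$_le_key" in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;;
    esac
    case "$_le_val" in                                # strip one quote pair
      \"*\") _le_val=${_le_val#\"}; _le_val=${_le_val%\"} ;;
      \'*\') _le_val=${_le_val#\'}; _le_val=${_le_val%\'} ;;
    esac
    eval "_le_set=\${$_le_key+x}"     # "x" when the key is set, even if empty
    if [ "$_le_mode" = override ] || [ -z "$_le_set" ]; then
      export "$_le_key=$_le_val"
    fi
  done < "$_le_file"
}

# Constructed sample: the container injects a database URL; .env holds a
# placeholder for that key plus one key the container does not provide.
demo() (
  tmp=$(mktemp)
  printf '%s\n' '# constructed sample .env' \
    'DEMO_DATABASE_URL=sqlite:///placeholder.db' \
    'DEMO_LOG_LEVEL="debug"' > "$tmp"
  unset DEMO_LOG_LEVEL
  DEMO_DATABASE_URL='postgresql://db:5432/app'; export DEMO_DATABASE_URL
  load_env "$tmp"
  printf 'if-unset: %s %s\n' "$DEMO_DATABASE_URL" "$DEMO_LOG_LEVEL"
  load_env "$tmp" override
  printf 'override: %s %s\n' "$DEMO_DATABASE_URL" "$DEMO_LOG_LEVEL"
  rm -f "$tmp"
)
demo
```

A key that is set but empty counts as provided, so an operator can blank a value from the container without the file filling it back in.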

export const M8FLOW_TENANT_STORAGE_KEY = 'm8flow_tenant';

const getRedirectUrl = () =>
encodeURIComponent(`${window.location.origin}/`);
Collaborator

Can you check the Sonar issue here?

Collaborator

@sonal-aot sonal-aot left a comment

Make sure all possible Sonar findings have been resolved.

@sonarqubecloud

Quality Gate failed

Failed conditions
21 Security Hotspots

See analysis details on SonarQube Cloud

@andrepestana-aot andrepestana-aot merged commit f12e8c1 into AOT-Technologies:main Mar 11, 2026
8 of 9 checks passed