diff --git a/.gitignore b/.gitignore index c4a8450..da464ef 100644 --- a/.gitignore +++ b/.gitignore @@ -22,6 +22,7 @@ secrets/** !secrets/ !secrets/**/ !secrets/**/*.example +!secrets/app/google-wif-config.json # Traefik ACME certificates (contains private keys) data/traefik/acme.json \ No newline at end of file diff --git a/docker-compose.blue-green.yml b/docker-compose.blue-green.yml index 4391fa9..3ab7e4b 100644 --- a/docker-compose.blue-green.yml +++ b/docker-compose.blue-green.yml @@ -199,6 +199,10 @@ services: # ======================================== mvp-ocr: image: ${OCR_IMAGE:-git.motovaultpro.com/egullickson/ocr:latest} + volumes: + - ./secrets/app/auth0-ocr-client-id.txt:/run/secrets/auth0-ocr-client-id:ro + - ./secrets/app/auth0-ocr-client-secret.txt:/run/secrets/auth0-ocr-client-secret:ro + - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro # ======================================== # Override Traefik to add dynamic config diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 2006cbf..adb2a1a 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -49,10 +49,13 @@ services: REDIS_HOST: mvp-redis REDIS_PORT: 6379 REDIS_DB: 1 - OCR_PRIMARY_ENGINE: paddleocr - OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none} - OCR_FALLBACK_THRESHOLD: ${OCR_FALLBACK_THRESHOLD:-0.6} - GOOGLE_VISION_KEY_PATH: /run/secrets/google-vision-key.json + # OCR engine configuration (Google Vision primary, PaddleOCR fallback) + OCR_PRIMARY_ENGINE: google_vision + OCR_FALLBACK_ENGINE: paddleocr + OCR_CONFIDENCE_THRESHOLD: "0.6" + OCR_FALLBACK_THRESHOLD: "0.6" + GOOGLE_VISION_KEY_PATH: /run/secrets/google-wif-config.json + VISION_MONTHLY_LIMIT: "1000" # PostgreSQL - Remove dev ports, production log level mvp-postgres: diff --git a/docker-compose.staging.yml b/docker-compose.staging.yml index cfebd25..666a4e2 100644 --- a/docker-compose.staging.yml +++ b/docker-compose.staging.yml 
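Review bot: The added negation pulls a file under `secrets/` back into version control, and the only thing keeping key material out of the repo is that `google-wif-config.json` stays an `external_account` config with an executable credential source rather than a downloaded service-account key; the ignore rule itself cannot tell the two apart. A one-line comment above the rule records that invariant for the next contributor, e.g. `# WIF config only (external_account + executable source): must never hold private keys`. A pre-commit or CI grep for `"private_key"` / `"type": "service_account"` on that path would enforce it mechanically. The `secrets/**` stanza this hunk extends begins before the hunk.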
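Review bot: The three new `volumes:` entries bind-mount individual host files, and Docker creates an empty directory at a bind source that does not exist, so a host missing `auth0-ocr-client-secret.txt` gets a running `mvp-ocr` with a directory at `/run/secrets/auth0-ocr-client-secret` instead of a startup failure. Declaring the two Auth0 files as top-level `secrets:` with `file:` sources makes Compose validate them up front and still lands them at `/run/secrets/<name>`; the WIF config is not secret and can stay a plain `:ro` mount. This hunk adds mounts but no OCR environment for `mvp-ocr`, presumably inherited from the prod file this overlay layers on, which is worth confirming. The `mvp-ocr` service continues past the hunk.

```yaml
  mvp-ocr:
    image: ${OCR_IMAGE:-git.motovaultpro.com/egullickson/ocr:latest}
    secrets:
      - auth0-ocr-client-id
      - auth0-ocr-client-secret
    volumes:
      - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro
  # … unchanged: Traefik dynamic config override …

secrets:
  auth0-ocr-client-id:
    file: ./secrets/app/auth0-ocr-client-id.txt
  auth0-ocr-client-secret:
    file: ./secrets/app/auth0-ocr-client-secret.txt
```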
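Review bot: `GOOGLE_VISION_KEY_PATH` now points at `/run/secrets/google-wif-config.json`, but unlike the staging and base compose files this hunk adds no mount for that file or for the Auth0 client files, so `docker-compose.prod.yml` on its own starts `mvp-ocr` with no credentials and the first OCR call fails. If it is only ever run under the blue-green overlay that supplies the mounts, say so next to the path, e.g. `# WIF config and Auth0 client files are mounted by docker-compose.blue-green.yml`, so a standalone prod deploy is not a surprise. `VISION_MONTHLY_LIMIT: "1000"` is an application-side counter; back it with a Vision API quota on the GCP project so a counter reset (if it lives in the Redis instance configured just above) cannot silently remove the spend ceiling. The `mvp-ocr` environment block starts before the hunk.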
@@ -69,10 +69,17 @@ services: REDIS_HOST: mvp-redis REDIS_PORT: 6379 REDIS_DB: 1 - OCR_PRIMARY_ENGINE: paddleocr - OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none} - OCR_FALLBACK_THRESHOLD: ${OCR_FALLBACK_THRESHOLD:-0.6} - GOOGLE_VISION_KEY_PATH: /run/secrets/google-vision-key.json + # OCR engine configuration (Google Vision primary, PaddleOCR fallback) + OCR_PRIMARY_ENGINE: google_vision + OCR_FALLBACK_ENGINE: paddleocr + OCR_CONFIDENCE_THRESHOLD: "0.6" + OCR_FALLBACK_THRESHOLD: "0.6" + GOOGLE_VISION_KEY_PATH: /run/secrets/google-wif-config.json + VISION_MONTHLY_LIMIT: "1000" + volumes: + - ./secrets/app/auth0-ocr-client-id.txt:/run/secrets/auth0-ocr-client-id:ro + - ./secrets/app/auth0-ocr-client-secret.txt:/run/secrets/auth0-ocr-client-secret:ro + - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro # ======================================== # PostgreSQL (Staging - Separate Database) diff --git a/docker-compose.yml b/docker-compose.yml index 32012c0..46d9f79 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
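Review bot: Staging mounts the same `./secrets/app/google-wif-config.json` as production, and since the .gitignore hunk makes that file git-tracked it is identical in every environment by construction; the config names a single `mvp-svc-account`, so staging and prod impersonate the same Google identity with the same roles and the same Vision quota, and a compromised staging container can mint tokens indistinguishable from prod. The Auth0 client files are likewise the same paths, so separation depends entirely on each host's `secrets/` contents, which nothing here enforces. A per-environment WIF provider and service account, selected with `${GOOGLE_WIF_CONFIG:-./secrets/app/google-wif-config.json}` in the mount line, would bound the blast radius and make `VISION_MONTHLY_LIMIT` meaningful per environment. The `mvp-ocr` service continues past the hunk.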
@@ -196,16 +196,18 @@ services: REDIS_HOST: mvp-redis REDIS_PORT: 6379 REDIS_DB: 1 - # OCR engine configuration (PaddleOCR primary, cloud fallback optional) - OCR_PRIMARY_ENGINE: paddleocr - OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none} - OCR_FALLBACK_THRESHOLD: ${OCR_FALLBACK_THRESHOLD:-0.6} - GOOGLE_VISION_KEY_PATH: /run/secrets/google-vision-key.json + # OCR engine configuration (Google Vision primary, PaddleOCR fallback) + OCR_PRIMARY_ENGINE: google_vision + OCR_FALLBACK_ENGINE: paddleocr + OCR_CONFIDENCE_THRESHOLD: "0.6" + OCR_FALLBACK_THRESHOLD: "0.6" + GOOGLE_VISION_KEY_PATH: /run/secrets/google-wif-config.json + VISION_MONTHLY_LIMIT: "1000" volumes: - /tmp/vin-debug:/tmp/vin-debug - # Optional: Uncomment to enable Google Vision cloud fallback. - # Requires: secrets/app/google-vision-key.json and OCR_FALLBACK_ENGINE=google_vision - # - ./secrets/app/google-vision-key.json:/run/secrets/google-vision-key.json:ro + - ./secrets/app/auth0-ocr-client-id.txt:/run/secrets/auth0-ocr-client-id:ro + - ./secrets/app/auth0-ocr-client-secret.txt:/run/secrets/auth0-ocr-client-secret:ro + - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro networks: - backend - database diff --git a/secrets/app/google-vision-key.json.example b/secrets/app/google-vision-key.json.example deleted file mode 100644 index 67ef039..0000000 --- a/secrets/app/google-vision-key.json.example +++ /dev/null 
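Review bot: The base file now hard-codes `OCR_PRIMARY_ENGINE: google_vision` and drops the `${OCR_FALLBACK_ENGINE:-none}` override, so a plain `docker compose up` for local development requires the Auth0 client secret on disk and sends every scanned image to Google Vision, where previously PaddleOCR ran locally and the cloud path was opt-in. Whether developers are meant to hit the cloud by default is not visible from the diff; if not, `OCR_PRIMARY_ENGINE: ${OCR_PRIMARY_ENGINE:-paddleocr}` and `OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none}` keep the local default while prod and staging set the cloud engine explicitly. As in the other files the Auth0 files are bind-mounted rather than declared under `secrets:`, so a missing file becomes an empty directory in the container instead of a startup error. The `mvp-ocr` service starts before the hunk.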
@@ -1,18 +0,0 @@
-{
- "_comment": "Google Vision API service account key for OCR cloud fallback",
- "_instructions": [
- "1. Create a Google Cloud service account with Vision API access",
- "2. Download the JSON key file",
- "3. Save it as secrets/app/google-vision-key.json (gitignored)",
- "4. Uncomment the volume mount in docker-compose.yml",
- "5. Set OCR_FALLBACK_ENGINE=google_vision"
- ],
- "type": "service_account",
- "project_id": "your-project-id",
- "private_key_id": "",
- "private_key": "",
- "client_email": "your-sa@your-project-id.iam.gserviceaccount.com",
- "client_id": "",
- "auth_uri": "https://accounts.google.com/o/oauth2/auth",
- "token_uri": "https://oauth2.googleapis.com/token"
-}
diff --git a/secrets/app/google-wif-config.json b/secrets/app/google-wif-config.json
new file mode 100644
index 0000000..a1f4bd1
--- /dev/null
+++ b/secrets/app/google-wif-config.json
@@ -0,0 +1,14 @@
+{
+ "universe_domain": "googleapis.com",
+ "type": "external_account",
+ "audience": "//iam.googleapis.com/projects/487954699429/locations/global/workloadIdentityPools/motovaultpro-pool/providers/auth0-provider",
+ "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+ "token_url": "https://sts.googleapis.com/v1/token",
+ "credential_source": {
+ "executable": {
+ "command": "/app/scripts/fetch-auth0-token.sh",
+ "timeout_millis": 30000
+ }
+ },
+ "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/mvp-svc-account@motovaultpro.iam.gserviceaccount.com:generateAccessToken"
+}
\ No newline at end of file
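Review bot: `credential_source.executable` tells the Google auth client to run `/app/scripts/fetch-auth0-token.sh` for the subject token, and the official client libraries refuse to execute it unless `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1` is present in the process environment; none of the compose files in this diff set it, so if the OCR service authenticates through a Google auth library the first Vision call fails with a credentials error rather than federating. Adding `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES: "1"` next to `GOOGLE_VISION_KEY_PATH` in the `mvp-ocr` environment is the fix. The script is not in the diff; it must print the executable-response JSON Google specifies (`version`, `success`, `token_type`, `id_token`), and with no `output_file` configured it runs on every token refresh, so its Auth0 calls should be rate-aware. Worth confirming outside this diff that `auth0-provider` carries an attribute condition restricting which Auth0 client and audience may federate, since the impersonation URL hands out whatever roles `mvp-svc-account` holds.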