Adjusted SMTP

2026-04-11 12:21:34 +02:00
parent 9a96d74f5c
commit 97b483c121
9 changed files with 339 additions and 24 deletions
--- a/deploy/setup-smtp.sh
+++ b/deploy/setup-smtp.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# Session 6.4 — SMTP secret setup for PieCed Portal
+#
+# 1. Store SMTP credentials in OpenBao
+# 2. Apply the ExternalSecret
+# 3. Patch the portal deployment to mount the secret
+#
+# Prerequisites: bao CLI authenticated, kubectl context set
+
+set -e
+
+# ─── Step 1: Store SMTP creds in OpenBao ───────────────────────────────────────
+echo "==> Storing SMTP credentials in OpenBao..."
+bao kv put pieced/portal/smtp \
+  host="smtp.gmail.com" \
+  port="587" \
+  user="noreply@pieced.ch" \
+  password="REPLACE_WITH_APP_PASSWORD" \
+  from="PieCed <noreply@pieced.ch>" \
+  admin_email="admin@pieced.ch"
+
+echo "==> Verifying..."
+bao kv get pieced/portal/smtp
+
+# ─── Step 2: Apply ExternalSecret ──────────────────────────────────────────────
+echo "==> Applying ExternalSecret..."
+kubectl apply -f deploy/portal-smtp-externalsecret.yaml
+
+echo "==> Waiting for ExternalSecret to sync..."
+kubectl wait --for=condition=Ready externalsecret/portal-smtp -n pieced-system --timeout=60s
+
+echo "==> Verifying K8s secret created..."
+kubectl get secret portal-smtp -n pieced-system
+
+# ─── Step 3: Patch portal deployment to mount SMTP secret ──────────────────────
+echo "==> Patching portal deployment..."
+# Add envFrom entry for portal-smtp secret
+# If your deployment already uses a patch file, add this to the containers[0].envFrom array instead.
+kubectl patch deployment pieced-portal -n pieced-system --type=json -p='[
+  {
+    "op": "add",
+    "path": "/spec/template/spec/containers/0/envFrom/-",
+    "value": {
+      "secretRef": {
+        "name": "portal-smtp"
+      }
+    }
+  }
+]'
+
+echo "==> Restarting portal..."
+kubectl rollout restart deployment pieced-portal -n pieced-system
+kubectl rollout status deployment pieced-portal -n pieced-system
+
+echo "==> Done! SMTP credentials are now available to the portal."
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,10 +9,12 @@
      "version": "0.1.0",
      "dependencies": {
        "@kubernetes/client-node": "^1.4.0",
+        "@types/nodemailer": "^8.0.0",
        "@types/pg": "^8.20.0",
        "next": "^15.5.15",
        "next-auth": "^5.0.0-beta.30",
        "next-intl": "^4.9.0",
+        "nodemailer": "^7.0.13",
        "pg": "^8.20.0",
        "react": "^19.1.0",
        "react-dom": "^19.1.0",
@@ -2015,6 +2017,15 @@
        "form-data": "^4.0.4"
      }
    },
+    "node_modules/@types/nodemailer": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/@types/nodemailer/-/nodemailer-8.0.0.tgz",
+      "integrity": "sha512-fyf8jWULsCo0d0BuoQ75i6IeoHs47qcqxWc7yUdUcV0pOZGjUTTOvwdG1PRXUDqN/8A64yQdQdnA2pZgcdi+cA==",
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
    "node_modules/@types/pg": {
      "version": "8.20.0",
      "resolved": "https://registry.npmjs.org/@types/pg/-/pg-8.20.0.tgz",
@@ -5824,6 +5835,15 @@
        }
      }
    },
+    "node_modules/nodemailer": {
+      "version": "7.0.13",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.13.tgz",
+      "integrity": "sha512-PNDFSJdP+KFgdsG3ZzMXCgquO7I6McjY2vlqILjtJd0hy8wEvtugS9xKRF2NWlPNGxvLCXlTNIae4serI7dinw==",
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
    "node_modules/oauth4webapi": {
      "version": "3.8.5",
      "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.8.5.tgz",
--- a/package.json
+++ b/package.json
@@ -11,10 +11,12 @@
  },
  "dependencies": {
    "@kubernetes/client-node": "^1.4.0",
+    "@types/nodemailer": "^8.0.0",
    "@types/pg": "^8.20.0",
    "next": "^15.5.15",
    "next-auth": "^5.0.0-beta.30",
    "next-intl": "^4.9.0",
+    "nodemailer": "^7.0.13",
    "pg": "^8.20.0",
    "react": "^19.1.0",
    "react-dom": "^19.1.0",
--- a/src/app/api/admin/requests/[id]/approve/route.ts
+++ b/src/app/api/admin/requests/[id]/approve/route.ts
@@ -2,11 +2,12 @@ import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
 import { createTenant } from "@/lib/k8s";
+import { sendApprovalEmail } from "@/lib/email";

 /**
 * POST /api/admin/requests/[id]/approve
- * Approve a tenant request: create the PiecedTenant CR and update status.
- * Also supports re-approving a previously rejected request.
+ * Approve a tenant request: create the PiecedTenant CR, update status, notify customer.
+ * Also supports re-approving a previously rejected request (clears admin notes).
 */
 export async function POST(
  request: Request,
@@ -37,6 +38,8 @@ export async function POST(
    );
  }

+  const isReApproval = tenantRequest.status === "rejected";
+
  // Derive tenant name from company name: lowercase, alphanumeric + hyphens
  const tenantName = tenantRequest.companyName
    .toLowerCase()
@@ -61,12 +64,20 @@ export async function POST(
      }
    );

-    // Update request status
+    // Update request status — clear admin notes on re-approval
    const updated = await updateTenantRequestStatus(id, "provisioning", {
-      adminNotes,
+      adminNotes: isReApproval ? null : adminNotes,
      tenantName,
+      clearAdminNotes: isReApproval,
    });

+    // Notify customer
+    await sendApprovalEmail(
+      tenantRequest.contactEmail,
+      tenantRequest.contactName,
+      tenantRequest.companyName
+    );
+
    return NextResponse.json({
      message: "Tenant approved and provisioning started.",
      request: updated,
--- a/src/app/api/admin/requests/[id]/reject/route.ts
+++ b/src/app/api/admin/requests/[id]/reject/route.ts
@@ -1,10 +1,11 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
 import { getTenantRequestById, updateTenantRequestStatus } from "@/lib/db";
+import { sendRejectionEmail } from "@/lib/email";

 /**
 * POST /api/admin/requests/[id]/reject
- * Reject a tenant request.
+ * Reject a tenant request and notify the customer.
 */
 export async function POST(
  request: Request,
@@ -36,6 +37,14 @@ export async function POST(
    adminNotes,
  });

+  // Notify customer
+  await sendRejectionEmail(
+    tenantRequest.contactEmail,
+    tenantRequest.contactName,
+    tenantRequest.companyName,
+    adminNotes
+  );
+
  return NextResponse.json({
    message: "Request rejected.",
    request: updated,
--- a/src/app/api/admin/requests/route.ts
+++ b/src/app/api/admin/requests/route.ts
@@ -1,10 +1,12 @@
 import { NextResponse } from "next/server";
 import { requirePlatformRole } from "@/lib/session";
-import { listTenantRequests } from "@/lib/db";
+import { listTenantRequests, syncProvisioningStatuses } from "@/lib/db";
+import { getTenant } from "@/lib/k8s";

 /**
 * GET /api/admin/requests
 * List all tenant requests. Optionally filter by ?status=pending
+ * Auto-syncs "provisioning" → "active" when the PiecedTenant CR is Ready.
 */
 export async function GET(request: Request) {
  try {
@@ -13,6 +15,12 @@ export async function GET(request: Request) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

+  // Sync provisioning statuses before listing
+  await syncProvisioningStatuses(async (tenantName: string) => {
+    const tenant = await getTenant(tenantName);
+    return tenant?.status?.phase ?? null;
+  });
+
  const { searchParams } = new URL(request.url);
  const status = searchParams.get("status") as any;

--- a/src/app/api/onboarding/route.ts
+++ b/src/app/api/onboarding/route.ts
@@ -5,6 +5,7 @@ import {
  getTenantRequestByOrgId,
 } from "@/lib/db";
 import { getTenant, listTenants } from "@/lib/k8s";
+import { sendAdminNotificationEmail } from "@/lib/email";
 import type { OnboardingInput } from "@/types";
 import { z } from "zod";

@@ -87,6 +88,7 @@ export async function GET() {
 * POST /api/onboarding
 * Submit the onboarding wizard. Creates a tenant_request with status "pending".
 * The actual PiecedTenant CR is NOT created yet — admin approval required.
+ * Sends a notification email to the admin.
 */
 export async function POST(request: Request) {
  const user = await getSessionUser();
@@ -138,6 +140,13 @@ export async function POST(request: Request) {
    billingNotes: input.billingNotes,
  });

+  // Notify admin about the new request
+  await sendAdminNotificationEmail(
+    user.orgName,
+    user.name || user.email,
+    user.email
+  );
+
  return NextResponse.json(
    { message: "Onboarding request submitted.", request: tenantRequest },
    { status: 201 }
--- a/src/lib/db.ts
+++ b/src/lib/db.ts
@@ -132,12 +132,19 @@ export async function listTenantRequests(
 export async function updateTenantRequestStatus(
  id: string,
  status: TenantRequestStatus,
-  extra?: { adminNotes?: string; tenantName?: string }
+  extra?: { adminNotes?: string | null; tenantName?: string; clearAdminNotes?: boolean }
 ): Promise<TenantRequest> {
  await ensureSchema();
+
+  // If clearAdminNotes is true, explicitly set admin_notes to NULL
+  // Otherwise use COALESCE to preserve existing value when not provided
+  const adminNotesExpr = extra?.clearAdminNotes
+    ? "$2"
+    : "COALESCE($2, admin_notes)";
+
  const result = await getPool().query(
    `UPDATE tenant_requests
-     SET status = $1, admin_notes = COALESCE($2, admin_notes),
+     SET status = $1, admin_notes = ${adminNotesExpr},
         tenant_name = COALESCE($3, tenant_name), updated_at = now()
     WHERE id = $4
     RETURNING *`,
@@ -147,6 +154,35 @@ export async function updateTenantRequestStatus(
  return mapRow(result.rows[0]);
 }

+/**
+ * Sync provisioning statuses: for all requests with status "provisioning",
+ * check if the PiecedTenant CR has reached "Ready" and update to "active".
+ * Called from the admin requests list endpoint.
+ */
+export async function syncProvisioningStatuses(
+  checkTenantPhase: (tenantName: string) => Promise<string | null>
+): Promise<void> {
+  await ensureSchema();
+  const pool = getPool();
+  const result = await pool.query(
+    "SELECT id, tenant_name FROM tenant_requests WHERE status = 'provisioning' AND tenant_name IS NOT NULL"
+  );
+
+  for (const row of result.rows) {
+    try {
+      const phase = await checkTenantPhase(row.tenant_name);
+      if (phase === "Ready" || phase === "Running") {
+        await pool.query(
+          "UPDATE tenant_requests SET status = 'active', updated_at = now() WHERE id = $1",
+          [row.id]
+        );
+      }
+    } catch (e) {
+      console.error(`Failed to sync status for request ${row.id}:`, e);
+    }
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Row mapping (snake_case → camelCase)
 // ---------------------------------------------------------------------------
--- a/src/lib/email.ts
+++ b/src/lib/email.ts
@@ -0,0 +1,165 @@
+/**
+ * Email sending utility for the PieCed portal.
+ *
+ * Uses nodemailer with SMTP credentials from environment variables
+ * (populated via ExternalSecret from OpenBao at pieced/portal/smtp).
+ *
+ * Env vars (from portal-smtp K8s secret):
+ *   SMTP_HOST                  — e.g. smtp.gmail.com
+ *   SMTP_PORT                  — e.g. 587 (default)
+ *   SMTP_USER                  — e.g. noreply@pieced.ch
+ *   SMTP_PASS                  — App Password
+ *   SMTP_FROM                  — e.g. "PieCed <noreply@pieced.ch>"
+ *   ADMIN_NOTIFICATION_EMAIL   — e.g. admin@pieced.ch (optional)
+ */
+
+import nodemailer from "nodemailer";
+
+let _transporter: nodemailer.Transporter | null = null;
+
+function getTransporter(): nodemailer.Transporter {
+  if (!_transporter) {
+    const host = process.env.SMTP_HOST;
+    const user = process.env.SMTP_USER;
+    const pass = process.env.SMTP_PASS;
+    if (!host || !user || !pass) {
+      throw new Error("SMTP_HOST, SMTP_USER, and SMTP_PASS must be set");
+    }
+    _transporter = nodemailer.createTransport({
+      host,
+      port: parseInt(process.env.SMTP_PORT || "587", 10),
+      secure: process.env.SMTP_SECURE === "true",
+      auth: { user, pass },
+    });
+  }
+  return _transporter;
+}
+
+function getFrom(): string {
+  return (
+    process.env.SMTP_FROM ||
+    `PieCed <${process.env.SMTP_USER}>`
+  );
+}
+
+export async function sendApprovalEmail(
+  to: string,
+  contactName: string,
+  companyName: string
+): Promise<void> {
+  try {
+    await getTransporter().sendMail({
+      from: getFrom(),
+      to,
+      subject: `Your PieCed AI assistant is being set up — ${companyName}`,
+      text: [
+        `Hello ${contactName},`,
+        "",
+        `Great news! Your onboarding request for ${companyName} has been approved.`,
+        "",
+        "Your AI assistant instance is now being provisioned. This usually takes a few minutes.",
+        "You can check the status in your dashboard at https://app.pieced.ch",
+        "",
+        "Once your instance is ready, you'll see it on your dashboard and can start configuring it.",
+        "",
+        "Best regards,",
+        "PieCed IT",
+      ].join("\n"),
+      html: `
+        <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 560px; margin: 0 auto; color: #e0e0e0; background: #1a1a1a; padding: 32px; border-radius: 12px;">
+          <h2 style="color: #ffffff; margin-top: 0;">Your AI assistant is being set up</h2>
+          <p>Hello ${contactName},</p>
+          <p>Great news! Your onboarding request for <strong>${companyName}</strong> has been approved.</p>
+          <p>Your AI assistant instance is now being provisioned. This usually takes a few minutes.</p>
+          <p>
+            <a href="https://app.pieced.ch" style="display: inline-block; padding: 10px 24px; background: #3b82f6; color: #ffffff; text-decoration: none; border-radius: 8px; font-weight: 500;">
+              Go to Dashboard
+            </a>
+          </p>
+          <p style="color: #888; font-size: 13px; margin-top: 24px;">
+            Once your instance is ready, you'll see it on your dashboard and can start configuring it.
+          </p>
+          <hr style="border: none; border-top: 1px solid #333; margin: 24px 0;" />
+          <p style="color: #666; font-size: 12px;">PieCed IT — Hosted on-premises in Switzerland</p>
+        </div>
+      `,
+    });
+  } catch (err) {
+    console.error("Failed to send approval email:", err);
+  }
+}
+
+export async function sendRejectionEmail(
+  to: string,
+  contactName: string,
+  companyName: string,
+  adminNotes?: string
+): Promise<void> {
+  try {
+    const notesBlock = adminNotes
+      ? `\nNote from our team:\n${adminNotes}\n`
+      : "";
+    const notesHtml = adminNotes
+      ? `<div style="background: #2a2a2a; border-left: 3px solid #ef4444; padding: 12px 16px; border-radius: 6px; margin: 16px 0;">
+           <p style="color: #ccc; font-size: 13px; margin: 0;"><strong>Note from our team:</strong></p>
+           <p style="color: #aaa; font-size: 13px; margin: 8px 0 0 0;">${adminNotes}</p>
+         </div>`
+      : "";
+
+    await getTransporter().sendMail({
+      from: getFrom(),
+      to,
+      subject: `Update on your PieCed onboarding request — ${companyName}`,
+      text: [
+        `Hello ${contactName},`,
+        "",
+        `Thank you for your interest in PieCed IT. Unfortunately, we were unable to approve your onboarding request for ${companyName} at this time.`,
+        notesBlock,
+        "If you have questions or would like to discuss this further, please reply to this email.",
+        "",
+        "Best regards,",
+        "PieCed IT",
+      ].join("\n"),
+      html: `
+        <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 560px; margin: 0 auto; color: #e0e0e0; background: #1a1a1a; padding: 32px; border-radius: 12px;">
+          <h2 style="color: #ffffff; margin-top: 0;">Update on your onboarding request</h2>
+          <p>Hello ${contactName},</p>
+          <p>Thank you for your interest in PieCed IT. Unfortunately, we were unable to approve your onboarding request for <strong>${companyName}</strong> at this time.</p>
+          ${notesHtml}
+          <p>If you have questions or would like to discuss this further, please reply to this email.</p>
+          <hr style="border: none; border-top: 1px solid #333; margin: 24px 0;" />
+          <p style="color: #666; font-size: 12px;">PieCed IT — Hosted on-premises in Switzerland</p>
+        </div>
+      `,
+    });
+  } catch (err) {
+    console.error("Failed to send rejection email:", err);
+  }
+}
+
+export async function sendAdminNotificationEmail(
+  companyName: string,
+  contactName: string,
+  contactEmail: string
+): Promise<void> {
+  const adminEmail = process.env.ADMIN_NOTIFICATION_EMAIL;
+  if (!adminEmail) return;
+
+  try {
+    await getTransporter().sendMail({
+      from: getFrom(),
+      to: adminEmail,
+      subject: `New onboarding request: ${companyName}`,
+      text: [
+        `A new onboarding request has been submitted.`,
+        "",
+        `Company: ${companyName}`,
+        `Contact: ${contactName} (${contactEmail})`,
+        "",
+        `Review it at https://app.pieced.ch/admin`,
+      ].join("\n"),
+    });
+  } catch (err) {
+    console.error("Failed to send admin notification email:", err);
+  }
+}