Improve self-hosting experience with Docker refactor and auth fixes

[vklimontovich]

This PR significantly improves the self-hosting experience by overhauling the Docker setup,
fixing authentication flows, and adding database seeding capabilities. The changes make it
easier to deploy and maintain self-hosted Jitsu instances.
Self-hosting Jitsu had several friction points: the Docker setup was split between devenv/ and
docker/ directories causing confusion, the change password flow didn't work for initial password
setup or resets, there was no automated way to seed initial admin users, and Docker documentation
was scattered across multiple files with duplication.

Docker Infrastructure Overhaul

• Migrated from devenv/ to a consolidated docker/ directory structure
• Completely refactored docker-compose.yml with proper service dependencies and health checks
• Added support for both production and development profiles (with hot reload)
• Replaced Kafka with Redpanda for better resource efficiency
• Added comprehensive admin tools (PgWeb, Mongo Express, Redpanda Console, Keycloak)

Authentication Improvements

• Fixed change password API to support changeAtNextLogin flag, allowing password resets
  without requiring the current password
• Added ChangePassword component for better UX
• Added optional demo configuration seeding via SEED_DEMO_CONFIGURATION

Documentation and Maintenance

• Consolidated all Docker usage instructions into docker/README.md
• Removed redundant documentation from docker-compose.yml, keeping only implementation notes
• Added health check endpoints for better container orchestration
• Updated dependencies and improved build proc

[github-actions]

Code Quality: Ineffective error handling

The || echo "Seed failed or skipped..." pattern will always return exit code 0, even if seeding actually fails with a critical error. This masks failures and makes debugging harder.

Consider:

1. Checking the actual exit code
2. Logging the error properly
3. Deciding if seeding failure should be fatal or just a warning

Suggested change

	# Run seed if SEED_DEMO_CONFIGURATION is set
	if [ ! -z "$SEED_DEMO_CONFIGURATION" ]; then
	echo "SEED_DEMO_CONFIGURATION is set, seeding demo configuration..."
	node /app/webapps/console/build/manage.js seed || echo "Seed failed or skipped (this is ok if already seeded)"
	if [ ! -z "$SEED_DEMO_CONFIGURATION" ]; then
	echo "SEED_DEMO_CONFIGURATION is set, seeding demo configuration..."
	if ! node /app/webapps/console/build/manage.js seed; then
	echo "WARNING: Seed failed, but continuing startup"
	fi
	fi

[github-actions]

Architecture Issue: Side effects in healthcheck endpoint

Performing database seeding as a side effect in the healthcheck endpoint is problematic:

1. Race conditions: Multiple healthcheck calls could trigger duplicate seeding attempts
2. Timeout risk: Seeding might be slow and cause healthcheck timeouts
3. Observability: Healthcheck endpoints should be idempotent and fast
4. Container orchestration: This could interfere with Kubernetes liveness/readiness probes

Recommendation: Move seeding to a dedicated initialization step in the startup script (docker-start-console.sh) which you've already added at line 93-96. Remove this seeding logic from the healthcheck entirely.

Suggested change

	// Seed demo connections after successful healthcheck (only once)
	if (!hasErrors && !seedAttempted) {
	seedAttempted = true;
	// Run seed in background, don't block healthcheck response
	seedDemoConnections().catch(err => {
	log.atError().withCause(err).log("Background seed failed");
	});
	}
	// Removed: Seeding should happen during container initialization, not in healthcheck
	res.status(hasErrors ? 503 : 200).send({ status: hasErrors ? "error" : "ok", ...result });

[github-actions]

Security Issue: Missing validation for optional current password

When changeAtNextLogin is true, the current password is optional, but there's no explicit validation that ensures body.currentPassword is provided when changeAtNextLogin is false.

If someone sends a request with an empty currentPassword and changeAtNextLogin is false, checkHash() will be called with undefined, which might have unexpected behavior.

Suggested change

	}
	if (!checkHash(password.hash, body.currentPassword)) {
	//If changeAtNextLogin set to true, do not check current password
	//If changeAtNextLogin set to true, do not check current password
	if (!password.changeAtNextLogin) {
	if (!body.currentPassword) {
	throw new Error("Current password is required");
	}
	if (!checkHash(password.hash, body.currentPassword)) {
	throw new Error("Current password is invalid");
	}
	}

[github-actions]

Configuration Issue: Shared authentication tokens across services

Using the same token (${BULKER_TOKEN:-dev-auth-key}) for multiple different services (Bulker, Rotor, Ingest, Console) reduces security isolation. If one service is compromised, all services are at risk.

Recommendation: Use separate tokens for each service:

• BULKER_AUTH_KEY for Bulker
• ROTOR_AUTH_KEY for Rotor
• INGEST_AUTH_KEY for Ingest
• CONSOLE_AUTH_KEY for Console

This follows the principle of least privilege and improves security boundaries.

[github-actions]

Security Issue: Weak default passwords

The default passwords like postgres-mqf3nzx, clickhouse-pass, and mongodb-pass are predictable and easily guessable. While they can be overridden, many users will run with defaults in production.

Recommendations:

1. Generate random passwords on first run (store in a secrets file)
2. Add prominent warnings in documentation about changing defaults
3. Consider requiring explicit password setting (no defaults) for production profile
4. Add a Docker Compose profile for "production" that requires all passwords to be set

[absorbb]

@vklimontovich
scripts/manage.ts file is not pushed to the repo