Add deployment script guidance for monitoring and OAuth (#3168)

Co-authored-by: hhhhsc <name>

Author: hhhhsc701

doc/docs/en/quick-start/installation.md

@@ -173,6 +173,106 @@ For complete port mapping details, see our [Dev Container Guide](../deployment/d
 
 ## 🔧 Advanced Configuration
 
+### Monitoring Configuration
+
+Select the `monitoring` component in the deployment script UI to enable OpenTelemetry monitoring. The script synchronizes `ENABLE_TELEMETRY`, `MONITORING_PROVIDER`, and `MONITORING_DASHBOARD_URL` in `docker/.env`, then starts the matching observability services from `docker/docker-compose-monitoring.yml`.
+
+```bash
+cd nexent/docker
+bash deploy.sh
+```
+
+If `docker/deploy.options` already exists, the script asks whether to reuse local configuration. Choose to reconfigure/overwrite local configuration, then select `monitoring` in the component menu and manually choose `grafana`, `phoenix`, `langfuse`, `langsmith`, `zipkin`, or `otlp` in the provider menu.
+
+Supported providers:
+
+| Provider | Purpose | Default URL |
+|----------|---------|-------------|
+| `otlp` | OpenTelemetry Collector only, useful for forwarding to an external platform | No dashboard |
+| `phoenix` | Local Phoenix trace analysis | `http://localhost:6006` |
+| `langfuse` | Local Langfuse observability stack | `http://localhost:3001` |
+| `langsmith` | Forwarding to hosted LangSmith | `https://smith.langchain.com/` |
+| `grafana` | Local Grafana + Tempo | `http://localhost:3002/d/nexent-llm-agent/nexent-agent-trace-monitoring?orgId=1` |
+| `zipkin` | Local Zipkin | `http://localhost:9411` |
+
+To change ports, image versions, or local Langfuse bootstrap credentials, copy and edit the monitoring environment file first:
+
+```bash
+cp docker/monitoring/monitoring.env.example docker/monitoring/monitoring.env
+```
+
+Common variables:
+
+| Variable | Description |
+|----------|-------------|
+| `MONITORING_PROVIDER` | Default monitoring provider; updated when you choose a provider in the deployment script |
+| `OTEL_COLLECTOR_HTTP_PORT` / `OTEL_COLLECTOR_GRPC_PORT` | Published OTLP HTTP/gRPC ports |
+| `LANGSMITH_API_KEY` / `LANGSMITH_PROJECT` | LangSmith forwarding configuration |
+| `LANGFUSE_INIT_USER_EMAIL` / `LANGFUSE_INIT_USER_PASSWORD` | Local Langfuse bootstrap admin |
+| `GRAFANA_ADMIN_USER` / `GRAFANA_ADMIN_PASSWORD` | Local Grafana admin |
+
+Before choosing the `langsmith` provider, configure `LANGSMITH_API_KEY` in `docker/monitoring/monitoring.env`. If you only need to connect to an existing external Collector, adjust the OTLP target in `docker/.env`:
+
+```bash
+ENABLE_TELEMETRY=true
+MONITORING_PROVIDER=otlp
+OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318
+OTEL_EXPORTER_OTLP_PROTOCOL=http
+MONITORING_DASHBOARD_URL=
+```
+
+> **Production note**: Replace default passwords, secrets, and the Langfuse `ENCRYPTION_KEY`. Restrict dashboard and Collector access with a reverse proxy or firewall.
+
+### OAuth Login Configuration
+
+OAuth login requires the `supabase` component. When enabling third-party login, deploy `supabase` and set `OAUTH_CALLBACK_BASE_URL` to the browser-accessible Nexent Web URL.
+
+```bash
+bash deploy.sh --components infrastructure,application,supabase
+```
+
+For Docker, configure OAuth in `docker/.env`:
+
+```bash
+# Web entry URL. The full callback path is generated as:
+# {OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=<provider>
+OAUTH_CALLBACK_BASE_URL=http://localhost:3000
+
+# GitHub OAuth
+GITHUB_OAUTH_CLIENT_ID=
+GITHUB_OAUTH_CLIENT_SECRET=
+
+# GDE OAuth
+GDE_URL=
+GDE_OAUTH_CLIENT_ID=
+GDE_OAUTH_CLIENT_SECRET=
+
+# Link App OAuth
+LINK_APP_URL=
+LINK_APP_OAUTH_CLIENT_ID=
+LINK_APP_OAUTH_CLIENT_SECRET=
+
+# WeChat OAuth
+ENABLE_WECHAT_OAUTH=false
+WECHAT_OAUTH_APP_ID=
+WECHAT_OAUTH_APP_SECRET=
+
+# TLS verification when contacting OAuth providers
+OAUTH_SSL_VERIFY=true
+OAUTH_CA_BUNDLE=
+```
+
+Provider enablement rules:
+
+| Provider | Required variables | Callback URL |
+|----------|--------------------|--------------|
+| GitHub | `GITHUB_OAUTH_CLIENT_ID`, `GITHUB_OAUTH_CLIENT_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=github` |
+| GDE | `GDE_URL`, `GDE_OAUTH_CLIENT_ID`, `GDE_OAUTH_CLIENT_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=gde` |
+| Link App | `LINK_APP_URL`, `LINK_APP_OAUTH_CLIENT_ID`, `LINK_APP_OAUTH_CLIENT_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=link_app` |
+| WeChat | `ENABLE_WECHAT_OAUTH=true`, `WECHAT_OAUTH_APP_ID`, `WECHAT_OAUTH_APP_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=wechat` |
+
+For local Docker, a GitHub callback example is `http://localhost:3000/api/user/oauth/callback?provider=github`. In production, use a public HTTPS domain such as `https://nexent.example.com/api/user/oauth/callback?provider=github` and register the exact same URL in the OAuth provider console.
+
 ### Northbound Interface Configuration (NORTHBOUND_EXTERNAL_URL)
 
 If you need to use any of the following features, configure the `NORTHBOUND_EXTERNAL_URL` environment variable:

doc/docs/en/quick-start/kubernetes-installation.md

@@ -195,6 +195,102 @@ Helm uninstall does not delete local hostPath data by default. Use `./uninstall.
 ./uninstall.sh delete-all --keep-local-data
 ```
 
+## 🔧 Advanced Configuration
+
+### Monitoring Configuration
+
+Kubernetes deployments enable monitoring through the `monitoring` component in the deployment script UI. The deployment script renders runtime Helm values for `global.monitoring.enabled`, `global.monitoring.provider`, and `global.monitoring.dashboardUrl`, and enables the `nexent-monitoring` subchart.
+
+```bash
+cd nexent/k8s/helm
+./deploy.sh
+```
+
+If `k8s/helm/deploy.options` already exists, the script asks whether to reuse local configuration. Choose to reconfigure/overwrite local configuration, then select `monitoring` in the component menu and manually choose `grafana`, `phoenix`, `langfuse`, `langsmith`, `zipkin`, or `otlp` in the provider menu.
+
+Supported providers:
+
+| Provider | Purpose | Default URL |
+|----------|---------|-------------|
+| `otlp` | OpenTelemetry Collector only, useful for forwarding to an external platform | No dashboard |
+| `phoenix` | Local Phoenix trace analysis | `http://localhost:30006` |
+| `langfuse` | Local Langfuse observability stack | `http://localhost:30001` |
+| `langsmith` | Forwarding to hosted LangSmith | `https://smith.langchain.com/` |
+| `grafana` | Local Grafana + Tempo | `http://localhost:30002/d/nexent-llm-agent/nexent-agent-trace-monitoring?orgId=1` |
+| `zipkin` | Local Zipkin | `http://localhost:30011` |
+
+Before choosing the `langsmith` provider, configure `global.monitoring.langsmithApiKey` and `global.monitoring.langsmithProject` in `k8s/helm/nexent/values.yaml`. To change local Grafana, Langfuse, or dashboard ports, adjust the values file first, then re-run the deployment script, choose to reconfigure, and manually select `monitoring`.
+
+Common Helm values:
+
+| Value | Description |
+|-------|-------------|
+| `global.monitoring.enabled` | Enables OpenTelemetry export in the Nexent backend |
+| `global.monitoring.provider` | Backend provider label: `otlp`, `phoenix`, `langfuse`, `langsmith`, `grafana`, `zipkin` |
+| `global.monitoring.otlpEndpoint` | Backend OTLP HTTP endpoint, default `http://nexent-otel-collector:4318` |
+| `global.monitoring.dashboardUrl` | Frontend monitoring entry URL; leave empty to hide the entry |
+| `global.monitoring.traceContentMode` | Trace content capture mode: `summary`, `metrics`, or `full` |
+| `nexent-monitoring.<provider>.service.nodePort` | NodePort override for provider dashboards |
+| `nexent-monitoring.langfuse.init.*` | Local Langfuse bootstrap organization, project, and admin account |
+| `nexent-monitoring.grafana.adminUser` / `adminPassword` | Local Grafana admin credentials |
+
+Check monitoring status:
+
+```bash
+kubectl get pods -n nexent | grep -E 'otel|phoenix|grafana|tempo|zipkin|langfuse'
+kubectl get svc -n nexent | grep -E 'otel|phoenix|grafana|zipkin|langfuse'
+```
+
+> **Production note**: Replace default passwords, secrets, and the Langfuse `encryptionKey`. Prefer ClusterIP services or a controlled Ingress for dashboards.
+
+### OAuth Login Configuration
+
+OAuth login requires the `supabase` component. When enabling third-party login, deploy `supabase` and set `config.oauth.callbackBaseUrl` to the browser-accessible Nexent Web URL.
+
+```bash
+./deploy.sh --components infrastructure,application,supabase
+```
+
+Kubernetes writes OAuth settings into backend environment variables through `nexent-common` `config.oauth.*` values:
+
+```bash
+helm upgrade --install nexent nexent \
+  --namespace nexent --create-namespace \
+  --set global.deploymentComponents.supabase=true \
+  --set nexent-supabase-kong.enabled=true \
+  --set nexent-supabase-auth.enabled=true \
+  --set nexent-supabase-db.enabled=true \
+  --set nexent-common.config.oauth.callbackBaseUrl=https://nexent.example.com \
+  --set nexent-common.config.oauth.githubClientId=your_github_client_id \
+  --set nexent-common.config.oauth.githubClientSecret=your_github_client_secret
+```
+
+Configurable OAuth values:
+
+| Value | Environment variable | Description |
+|-------|----------------------|-------------|
+| `nexent-common.config.oauth.callbackBaseUrl` | `OAUTH_CALLBACK_BASE_URL` | Web entry URL; the callback path is appended automatically |
+| `nexent-common.config.oauth.githubClientId` | `GITHUB_OAUTH_CLIENT_ID` | GitHub OAuth Client ID |
+| `nexent-common.config.oauth.githubClientSecret` | `GITHUB_OAUTH_CLIENT_SECRET` | GitHub OAuth Client Secret |
+| `nexent-common.config.oauth.gdeUrl` | `GDE_URL` | GDE OAuth service URL |
+| `nexent-common.config.oauth.gdeClientId` | `GDE_OAUTH_CLIENT_ID` | GDE OAuth Client ID |
+| `nexent-common.config.oauth.gdeClientSecret` | `GDE_OAUTH_CLIENT_SECRET` | GDE OAuth Client Secret |
+| `nexent-common.config.oauth.enableWechat` | `ENABLE_WECHAT_OAUTH` | Enables WeChat OAuth |
+| `nexent-common.config.oauth.wechatClientId` | `WECHAT_OAUTH_APP_ID` | WeChat App ID |
+| `nexent-common.config.oauth.wechatClientSecret` | `WECHAT_OAUTH_APP_SECRET` | WeChat App Secret |
+| `nexent-common.config.oauth.sslVerify` | `OAUTH_SSL_VERIFY` | Whether to verify provider TLS certificates |
+| `nexent-common.config.oauth.caBundle` | `OAUTH_CA_BUNDLE` | Custom CA bundle path |
+
+Provider callback URLs:
+
+| Provider | Callback URL |
+|----------|--------------|
+| GitHub | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=github` |
+| GDE | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=gde` |
+| WeChat | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=wechat` |
+
+For local NodePort, a GitHub callback example is `http://localhost:30000/api/user/oauth/callback?provider=github`. In production, use a public HTTPS domain and register the exact same URL in the OAuth provider console.
+
 ## 🔍 Troubleshooting
 
 ### Check Pod Status

doc/docs/zh/quick-start/installation.md

@@ -169,6 +169,106 @@ Nexent 使用 Docker volumes 进行数据持久化：
 
 ## 🔧 高级配置
 
+### 监控配置
+
+部署时在脚本交互界面中选择 `monitoring` 组件即可启用 OpenTelemetry 监控。脚本会同步更新 `docker/.env` 中的 `ENABLE_TELEMETRY`、`MONITORING_PROVIDER` 和 `MONITORING_DASHBOARD_URL`，并启动 `docker/docker-compose-monitoring.yml` 中对应的观测组件。
+
+```bash
+cd nexent/docker
+bash deploy.sh
+```
+
+如果本地已有 `docker/deploy.options`，脚本会询问是否复用本地配置。请选择重新配置/覆盖本地配置，然后在组件选择界面勾选 `monitoring`，再在 provider 选择界面手动选择 `grafana`、`phoenix`、`langfuse`、`langsmith`、`zipkin` 或 `otlp`。
+
+支持的 provider：
+
+| Provider | 用途 | 默认访问地址 |
+|----------|------|--------------|
+| `otlp` | 仅启动 OpenTelemetry Collector，适合转发到外部平台 | 无 Dashboard |
+| `phoenix` | 本地 Phoenix 追踪分析 | `http://localhost:6006` |
+| `langfuse` | 本地 Langfuse 观测栈 | `http://localhost:3001` |
+| `langsmith` | 转发到托管 LangSmith | `https://smith.langchain.com/` |
+| `grafana` | 本地 Grafana + Tempo | `http://localhost:3002/d/nexent-llm-agent/nexent-agent-trace-monitoring?orgId=1` |
+| `zipkin` | 本地 Zipkin | `http://localhost:9411` |
+
+如需调整端口、镜像版本或 Langfuse 初始账号，请先复制并编辑监控环境变量：
+
+```bash
+cp docker/monitoring/monitoring.env.example docker/monitoring/monitoring.env
+```
+
+常用变量：
+
+| 变量 | 说明 |
+|------|------|
+| `MONITORING_PROVIDER` | 默认监控 provider；部署脚本中手动选择 provider 后会同步更新 |
+| `OTEL_COLLECTOR_HTTP_PORT` / `OTEL_COLLECTOR_GRPC_PORT` | Collector 对外暴露的 OTLP HTTP/gRPC 端口 |
+| `LANGSMITH_API_KEY` / `LANGSMITH_PROJECT` | LangSmith 转发配置 |
+| `LANGFUSE_INIT_USER_EMAIL` / `LANGFUSE_INIT_USER_PASSWORD` | 本地 Langfuse 初始管理员账号 |
+| `GRAFANA_ADMIN_USER` / `GRAFANA_ADMIN_PASSWORD` | 本地 Grafana 管理员账号 |
+
+选择 `langsmith` provider 前，请先在 `docker/monitoring/monitoring.env` 中配置 `LANGSMITH_API_KEY`。如果只需要连接已有外部 Collector，也可以在 `docker/.env` 中调整 OTLP 目标地址：
+
+```bash
+ENABLE_TELEMETRY=true
+MONITORING_PROVIDER=otlp
+OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318
+OTEL_EXPORTER_OTLP_PROTOCOL=http
+MONITORING_DASHBOARD_URL=
+```
+
+> **生产建议**：请替换示例中的默认密码、密钥和 Langfuse `ENCRYPTION_KEY`，并通过反向代理或防火墙限制 Dashboard、Collector 端口的访问范围。
+
+### OAuth 登录配置
+
+OAuth 登录依赖 `supabase` 组件。启用第三方登录时，请同时部署 `supabase`，并将 `OAUTH_CALLBACK_BASE_URL` 设置为浏览器可访问的 Nexent Web 地址。
+
+```bash
+bash deploy.sh --components infrastructure,application,supabase
+```
+
+Docker 部署在 `docker/.env` 中配置 OAuth：
+
+```bash
+# Web 入口地址。回调完整路径会自动拼接为：
+# {OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=<provider>
+OAUTH_CALLBACK_BASE_URL=http://localhost:3000
+
+# GitHub OAuth
+GITHUB_OAUTH_CLIENT_ID=
+GITHUB_OAUTH_CLIENT_SECRET=
+
+# GDE OAuth
+GDE_URL=
+GDE_OAUTH_CLIENT_ID=
+GDE_OAUTH_CLIENT_SECRET=
+
+# Link App OAuth
+LINK_APP_URL=
+LINK_APP_OAUTH_CLIENT_ID=
+LINK_APP_OAUTH_CLIENT_SECRET=
+
+# WeChat OAuth
+ENABLE_WECHAT_OAUTH=false
+WECHAT_OAUTH_APP_ID=
+WECHAT_OAUTH_APP_SECRET=
+
+# 访问 OAuth provider 时的 TLS 校验
+OAUTH_SSL_VERIFY=true
+OAUTH_CA_BUNDLE=
+```
+
+Provider 启用规则：
+
+| Provider | 必填变量 | 回调地址 |
+|----------|----------|----------|
+| GitHub | `GITHUB_OAUTH_CLIENT_ID`、`GITHUB_OAUTH_CLIENT_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=github` |
+| GDE | `GDE_URL`、`GDE_OAUTH_CLIENT_ID`、`GDE_OAUTH_CLIENT_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=gde` |
+| Link App | `LINK_APP_URL`、`LINK_APP_OAUTH_CLIENT_ID`、`LINK_APP_OAUTH_CLIENT_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=link_app` |
+| WeChat | `ENABLE_WECHAT_OAUTH=true`、`WECHAT_OAUTH_APP_ID`、`WECHAT_OAUTH_APP_SECRET` | `{OAUTH_CALLBACK_BASE_URL}/api/user/oauth/callback?provider=wechat` |
+
+本地默认回调示例为 `http://localhost:3000/api/user/oauth/callback?provider=github`。生产环境应改为公网 HTTPS 域名，例如 `https://nexent.example.com/api/user/oauth/callback?provider=github`，并在 OAuth provider 控制台中登记相同地址。
+
 ### 北向接口配置 (NORTHBOUND_EXTERNAL_URL)
 
 如果您需要使用以下功能，需要配置 `NORTHBOUND_EXTERNAL_URL` 环境变量：